Written by Dr Al Hartmann and presented by Chuck Leaver, CEO, Ziften
If Prevention Has Failed Then Detection Is Essential
The final scene of the well-known Vietnam War film Platoon depicts a North Vietnamese Army regiment in a surprise night attack breaching the concertina wire perimeter of an American Army battalion, overrunning it, and slaughtering the stunned defenders. The desperate company commander, understanding their dire defensive situation, orders his air support to strike his own position: “For the record, it’s my call – Dump everything you’ve got left on my position!” Minutes later the battlefield is immolated in a napalm hellscape.
Although a physical conflict, this illustrates two elements of cyber security: (1) you have to deal with inevitable perimeter breaches, and (2) it can be absolute hell if you do not detect early and respond forcefully. MITRE Corporation has been leading the call for re-balancing cybersecurity priorities to place due emphasis on detecting breaches in the network interior instead of focusing solely on penetration prevention at the network perimeter. Instead of defense in depth, the latter produces a flawed “tootsie pop” defense – hard, crunchy shell, soft chewy center. Writing in a MITRE blog, “We might see that it wouldn’t be a question of if your network will be breached but when it would be breached,” explains Gary Gagnon, MITRE’s senior vice president, director of cyber security, and chief security officer. “Today, companies are asking ‘How long have the trespassers been inside? How far have they gone?’”
Some call this the “presumed breach” approach to cybersecurity, or, as F-Secure’s Chief Research Officer put it on Twitter:
Question: How many of the Fortune 500 are compromised – Answer: 500.
This rests on the likelihood that any sufficiently complex cyber environment harbors an existing compromise, and that Fortune 500 enterprises are of magnificently complex scale.
Shift the Burden of Perfect Execution from the Defenders to the Attackers
The traditional cyber security perspective, derived from the legacy perimeter defense model, has been that the attacker only has to be right once, while the defender must be right every time. A sufficiently resourced and persistent attacker will eventually achieve penetration. And time to successful penetration decreases with increasing size and complexity of the target enterprise.
A perimeter or prevention reliant cyber defense model essentially requires perfect execution by the defender, while ceding success to any sufficiently sustained attack – a recipe for certain cyber disaster. For instance, a leading cyber security red team reports successful enterprise penetration in under three hours in more than 90% of their client engagements – and these white hats are limited to ethical methods. Your enterprise’s black hat attackers are not so constrained.
To be viable, the cyber defense strategy must turn the tables on the attackers, shifting to them the unattainable burden of perfect execution. That is the rationale for a strong detection capability that continuously monitors endpoint and network behavior for any anomalous signs or observed adversary footprints inside the perimeter. The more sensitive the detection capability, the more caution and stealth the adversaries must exercise in executing their kill chain sequence, and the more time, labor and talent they must invest. The defenders need only observe a single attacker footfall to discover their tracks and unwind the attack kill chain. Now the defenders become the hunters, the attackers the hunted.
The MITRE ATT&CK Model
MITRE provides an in-depth taxonomy of adversary footprints, covering the post compromise segment of the kill chain, known by the acronym ATT&CK, for Adversarial Tactics, Techniques, and Common Knowledge. ATT&CK project team leader Blake Strom states, “We chose to concentrate on the post-attack period [part of the kill chain outlined in orange below], not just because of the strong likelihood of a breach and the scarcity of actionable info, but also because of the many opportunities and intervention points readily available for efficient defensive action that do not always depend on prior knowledge of adversary tools.”
As displayed in the MITRE figure above, the ATT&CK model provides additional granularity on the post compromise phases of the attack kill chain, breaking them out into ten tactic categories as shown. Each tactic category is further detailed into a list of techniques an adversary might use in carrying out that tactic. The January 2017 model update of the ATT&CK matrix lists 127 techniques across its ten tactic categories. For example, Registry Run Keys / Start Folder is a technique in the Persistence category, Brute Force is a technique in the Credentials category, and Command Line Interface is a technique in the Execution category.
Leveraging Endpoint Detection and Response (EDR) in the ATT&CK Model
Endpoint Detection and Response (EDR) products, such as Ziften provides, offer crucial visibility into attacker use of the techniques listed in the ATT&CK model. For example, Registry Run Keys / Start Folder technique use is reported, as is Command Line Interface use, since both involve readily observable endpoint behavior. Brute Force use in the Credentials category should be blocked by design in every authentication architecture and be observable from the resulting account lockout. But even here the EDR solution can report events such as failed login attempts, where an attacker may have a few guesses to try while remaining under the account lockout attempt limit.
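As an added illustration (not Ziften's code and not MITRE's), the following maps constructed endpoint telemetry onto the three ATT&CK tactic/technique pairs named above, including the under-the-lockout-limit case: a handful of failed logons followed by a success, which a lockout counter alone would never surface. The event format, the run-key markers and the lockout policy (5 failures in 60 seconds) are all assumptions for the example.

```python
"""Flag ATT&CK technique use in constructed endpoint events (example, not vendor code)."""
from collections import defaultdict

# Constructed sample telemetry: (timestamp_seconds, host, event_type, detail).
EVENTS = [
    (1000, "ws01", "registry_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater=C:\Users\a\t.exe"),
    (1005, "ws01", "process_start", "cmd.exe /c whoami"),
    (1010, "ws02", "logon_failed", "svc_backup"),
    (1011, "ws02", "logon_failed", "svc_backup"),
    (1012, "ws02", "logon_failed", "svc_backup"),
    (1013, "ws02", "logon_success", "svc_backup"),
    (1100, "ws03", "process_start", "notepad.exe"),
]

# Hypothetical account lockout policy: lock after 5 failures within 60 seconds.
LOCKOUT_THRESHOLD = 5
LOCKOUT_WINDOW = 60

# Assumed autostart locations for the Registry Run Keys / Start Folder technique.
RUN_KEY_MARKERS = (r"\CurrentVersion\Run", r"\CurrentVersion\RunOnce", r"\Start Menu\Programs\Startup")
SHELLS = ("cmd.exe", "powershell.exe")  # Command Line Interface technique


def detect(events, threshold=LOCKOUT_THRESHOLD, window=LOCKOUT_WINDOW):
    """Return (host, tactic, technique, evidence) tuples for observed technique use."""
    findings = []
    failures = defaultdict(list)  # account -> timestamps of recent failed logons
    for ts, host, kind, detail in events:
        if kind == "registry_set" and any(m.lower() in detail.lower() for m in RUN_KEY_MARKERS):
            findings.append((host, "Persistence", "Registry Run Keys / Start Folder", detail))
        elif kind == "process_start" and detail.split()[0].lower() in SHELLS:
            findings.append((host, "Execution", "Command Line Interface", detail))
        elif kind == "logon_failed":
            # Keep only failures inside the lockout window, then add this one.
            failures[detail] = [t for t in failures[detail] if ts - t <= window] + [ts]
        elif kind == "logon_success":
            recent = [t for t in failures[detail] if ts - t <= window]
            # Several failures that stayed under the lockout limit, then a success:
            # exactly the guessing pattern a lockout counter alone never reports.
            if 2 <= len(recent) < threshold:
                evidence = f"{detail}: {len(recent)} failures then success within {window}s"
                findings.append((host, "Credentials", "Brute Force", evidence))
            failures[detail].clear()
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

Raising the threshold argument to the number of observed failures shows the boundary: once the failures would have triggered lockout, the success path no longer fires and the lockout event itself becomes the signal.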
For attentive defenders, any technique use may be the attack giveaway that unravels the entire kill chain. EDR solutions compete on their technique observation, reporting, and alerting capabilities, as well as their analytics potential to perform more of the attack pattern detection and kill chain reconstruction, in support of the security analysts staffing the enterprise SOC. Here at Ziften we will lay out more of the EDR solution capabilities in support of the ATT&CK post compromise detection model in future blogs in this series.