Written by Dr Al Hartmann and presented by Charles Leaver, CEO, Ziften
If Prevention Has Failed, Then Detection Is Crucial
The final scene in the well known Vietnam War film Platoon depicts a North Vietnamese Army regiment in a surprise night attack breaching the concertina wire perimeter of an American Army battalion, overrunning it, and butchering the startled defenders. The desperate company commander, understanding their dire defensive predicament, orders his air support to strike his own position: "For the record, it's my call – dump whatever you've got left on my position!" Moments later the battleground is immolated in a napalm hellscape.
Although a physical conflict, this illustrates two aspects of cybersecurity: (1) you have to deal with inevitable perimeter breaches, and (2) it can be bloody hell if you do not detect early and respond forcefully. MITRE Corporation has been leading the call for rebalancing cybersecurity priorities to place due emphasis on detecting breaches in the network interior rather than focusing solely on penetration prevention at the network perimeter. Rather than defense in depth, the latter produces a flawed "tootsie pop" defense: hard, crunchy shell, soft chewy center. Writing in a MITRE blog, "We could see that it wouldn't be a question of if your network will be breached but when it will be breached," explains Gary Gagnon, MITRE's senior vice president, director of cybersecurity, and chief security officer. "Today, companies are asking 'How long have the hackers been inside? How far have they got?'"
Some call this the "assumed breach" approach to cybersecurity, or as posted to Twitter by F-Secure's Chief Research Officer:
Q: How many of the Fortune 500 are compromised? A: 500.
This is based on the premise that any sufficiently complex cyber environment already harbors a compromise, and that Fortune 500 businesses are of magnificently complex scale.
Shift the Burden of Perfect Execution from the Defenders to the Attackers
The conventional cybersecurity viewpoint, derived from the legacy perimeter defense model, has been that the attacker only has to be right once, while the defender must be right every time. A sufficiently resourced and persistent attacker will eventually achieve penetration, and the time to successful penetration decreases with the increasing size and complexity of the target enterprise.
A perimeter- or prevention-reliant cyber defense model essentially demands perfect execution by the defender while delivering success to any sufficiently sustained attack: a recipe for certain cyber disaster. For example, a leading cybersecurity red team reports successful enterprise penetration in under three hours in more than 90% of their client engagements, and these white hats are limited to ethical methods. Your enterprise's black hat adversaries are not so constrained.
To be viable, the cyber defense strategy must turn the tables on the attackers, shifting to them the unattainable burden of perfect execution. That is the rationale for a strong detection capability that continuously monitors endpoint and network behavior for any unusual signs or observed attacker footprints inside the perimeter. The more sensitive the detection capability, the more care and stealth the attackers must exercise in carrying out their kill chain sequence, and the more time, labor and talent they must invest. The defenders need observe only a single attacker misstep to uncover their tracks and unwind the attack kill chain. Now the defenders become the hunters, the attackers the hunted.
The MITRE ATT&CK Model
MITRE offers a comprehensive taxonomy of attacker footprints, covering the post-compromise segment of the kill chain, known by the acronym ATT&CK, for Adversarial Tactics, Techniques, and Common Knowledge. ATT&CK project team leader Blake Strom states, "We chose to focus on the post-attack period [part of the kill chain outlined in orange below], not only because of the strong likelihood of a breach and the dearth of actionable information, but also because of the many opportunities and intervention points available for effective defensive action that do not necessarily rely on prior knowledge of adversary tools."
As shown in the MITRE figure above, the ATT&CK model provides additional granularity on the post-compromise phases of the attack kill chain, breaking them out into 10 tactic categories. Each tactic category is further detailed into a list of techniques an adversary might employ in carrying out that tactic. The January 2017 update of the ATT&CK matrix lists 127 techniques across its 10 tactic categories. For example, Registry Run Keys / Start Folder is a technique in the Persistence category, Brute Force is a technique in the Credential Access category, and Command-Line Interface is a technique in the Execution category.
Leveraging Endpoint Detection and Response (EDR) in the ATT&CK Model
Endpoint Detection and Response (EDR) products, such as Ziften supplies, offer crucial visibility into adversary use of the techniques listed in the ATT&CK model. For instance, Registry Run Keys / Start Folder technique use is reported, as is Command-Line Interface use, because both involve readily observable endpoint behaviors (a Run key write is also common legitimate installer activity, so the alert value lies in context: which process wrote the key and whether the target is an unsigned binary in a user-writable path). Brute Force use in the Credential Access category should be blocked by design in any authentication architecture and be visible from the resulting account lockout. But even here the EDR product can report events such as failed login attempts, where an adversary may have a few guesses to try while staying under the account lockout attempt limit. That is exactly the password-spraying pattern a lockout counter never sees: a few guesses against each of many accounts, so the useful aggregation is failures per source across accounts, not only failures per account.
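The three behaviors above, as an added example that is not code from the original post, from Ziften, or from MITRE: a small Python detection pass over constructed endpoint telemetry. Each hit is tagged with the ATT&CK tactic and technique names cited in this post; the brute-force rule covers both the classic lockout case and the guesses-under-lockout case (one source failing a few times against many accounts while every account stays below the threshold), and a final pass orders the hits per host into a tactic sequence. The event schema, the lockout threshold of 5, the spray thresholds and the sample events are all assumptions constructed for the example.

```python
# Added example (not code from the post, Ziften or MITRE). Event schema,
# lockout threshold and spray thresholds are assumptions, not vendor values.
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5                 # assumed domain policy: 5 failures lock the account
SPRAY_MIN_ACCOUNTS = 6                # assumed: one source failing against >= 6 accounts
SPRAY_WINDOW = timedelta(minutes=10)  # assumed spray detection window
AUTOSTART_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")
SHELLS = {"cmd.exe", "powershell.exe"}


def _ts(ev):
    return datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")


def _alert(ev, tactic, technique, detail):
    return {"ts": ev["ts"], "host": ev["host"], "tactic": tactic,
            "technique": technique, "detail": detail}


def detect_autostart(ev):
    """Persistence: Registry Run Keys / Start Folder (Run/RunOnce key write)."""
    if ev["type"] == "registry_set" and ev["key"].lower().endswith(AUTOSTART_KEYS):
        return _alert(ev, "Persistence", "Registry Run Keys / Start Folder",
                      f'{ev["key"]}\\{ev["value"]} -> {ev["data"]}')
    return None


def detect_cli(ev):
    """Execution: Command-Line Interface (shell launch; parent kept for triage)."""
    if ev["type"] == "process_create" and ev["image"].rsplit("\\", 1)[-1].lower() in SHELLS:
        return _alert(ev, "Execution", "Command-Line Interface",
                      f'{ev["parent"]} -> {ev["cmdline"]}')
    return None


def detect_brute_force(events):
    """Credential Access: Brute Force.
    (a) an account reaching the lockout threshold (policy blocks it; still report it);
    (b) one source failing against many accounts while every one of them stays
        under the threshold, i.e. guesses kept below the lockout limit."""
    fails = sorted((e for e in events if e["type"] == "logon_failure"), key=_ts)
    alerts, per_account, by_src = [], defaultdict(int), defaultdict(list)
    for e in fails:
        per_account[e["user"]] += 1
        by_src[e["src"]].append(e)
        if per_account[e["user"]] == LOCKOUT_THRESHOLD:
            alerts.append(_alert(e, "Credential Access", "Brute Force",
                                 f'{e["user"]} hit lockout threshold from {e["src"]}'))
    for src, evs in by_src.items():          # evs are already time-ordered
        for i, first in enumerate(evs):
            window = [x for x in evs[i:] if _ts(x) - _ts(first) <= SPRAY_WINDOW]
            users = {x["user"] for x in window}
            if len(users) >= SPRAY_MIN_ACCOUNTS and all(
                    per_account[u] < LOCKOUT_THRESHOLD for u in users):
                alerts.append(_alert(first, "Credential Access", "Brute Force",
                                     f'{src} sprayed {len(users)} accounts, all below lockout'))
                break
    return alerts


def run_detections(events):
    alerts = [hit for ev in events for hit in (detect_autostart(ev), detect_cli(ev)) if hit]
    alerts.extend(detect_brute_force(events))
    return sorted(alerts, key=_ts)


def kill_chain(alerts):
    """Per-host tactic sequence in time order, consecutive repeats collapsed."""
    chain = defaultdict(list)
    for a in alerts:
        if not chain[a["host"]] or chain[a["host"]][-1] != a["tactic"]:
            chain[a["host"]].append(a["tactic"])
    return dict(chain)


# Constructed sample telemetry (not real logs).
SAMPLE = [
    {"ts": "2017-01-10T09:00:01", "host": "ws-17", "type": "registry_set", "user": "alice",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "value": "updater", "data": "C:\\Users\\alice\\AppData\\Roaming\\svc.exe"},
    {"ts": "2017-01-10T09:00:05", "host": "ws-17", "type": "process_create", "user": "alice",
     "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c whoami",
     "parent": "winword.exe"},
    {"ts": "2017-01-10T09:00:06", "host": "ws-17", "type": "process_create", "user": "alice",
     "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe",
     "parent": "explorer.exe"},
]
# five failures against one account from one source: the classic lockout case
SAMPLE += [{"ts": f"2017-01-10T09:1{i}:00", "host": "dc-01", "type": "logon_failure",
            "user": "bob", "src": "10.0.0.9"} for i in range(5)]
# three failures each against eight accounts from one source within ten minutes:
# no account ever reaches the lockout threshold
SAMPLE += [{"ts": f"2017-01-10T09:2{i}:{3 * j:02d}", "host": "dc-01", "type": "logon_failure",
            "user": f"svc{j:02d}", "src": "10.0.0.5"} for i in range(3) for j in range(8)]

if __name__ == "__main__":
    found = run_detections(SAMPLE)
    for a in found:
        print(a["ts"], a["host"], a["tactic"], "|", a["technique"], "|", a["detail"])
    print(kill_chain(found))
```

Run as-is, the pass yields four alerts in time order (Run key write, cmd.exe launch, bob's lockout, the spray from 10.0.0.5) and the per-host sequence Persistence then Execution on ws-17. The spray alert is the one a per-account lockout count never produces: eight accounts at three failures each never trip a threshold of five, so the aggregation has to be per source across accounts.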
For attentive defenders, any technique use may be the attack giveaway that unravels the whole kill chain. EDR solutions compete on their technique observation, reporting, and alerting capabilities, as well as on their analytics capacity to perform more of the attack pattern detection and kill chain reconstruction in support of the security analysts staffing the enterprise SOC. Here at Ziften we will outline more of the EDR product capabilities supporting the ATT&CK post-compromise detection model in future blog posts in this series.