Written By Dr Al Hartmann And Presented By Charles Leaver CEO Ziften
If Avoidance Has Stopped working Then Detection Is Vital
The last scene in the well known Vietnam War film Platoon depicts a North Vietnamese Army regiment in a surprise night attack breaching the concertina wire border of an American Army battalion, overrunning it, and slaughtering the shocked protectors. The desperate company commander, comprehending their dire protective dilemma, orders his air support to strike his own position: “For the record, it’s my call – Dispose whatever you have actually got left on my position!” Minutes later on the battleground is immolated in a napalm hellscape.
Although physical dispute, this highlights 2 aspects of cybersecurity (1) You need to deal with inevitable perimeter breaches, and (2) It can be bloody hell if you do not discover early and react powerfully. MITRE Corporation has been leading the call for rebalancing cybersecurity priorities to place due focus on breach detection in the network interior instead of merely focusing on penetration prevention at the network perimeter. Instead of defense in depth, the latter produces a flawed “tootsie pop” defense – hard, crispy shell, soft chewy center. Writing in a MITRE blog, “We could see that it would not be a question of if your network will be breached however when it will be breached,” explains Gary Gagnon, MITRE’s senior vice president, director of cybersecurity, and primary security officer. “Today, organizations are asking ‘What length of time have the trespassers been within? How far have they gone?'”.
Some call this the “assumed breach” approach to cybersecurity, or as posted to Twitter by F-Secure’s Chief Research Officer:.
Q: How many of the Fortune 500 are compromised – Answer: 500.
This is based upon the likelihood that any sufficiently complicated cyber environment has an existing compromise, and that Fortune 500 enterprises are of magnificently complex scale.
Shift the Burden of Perfect Execution from the Defenders to the Attackers.
The standard cybersecurity viewpoint, originated from the legacy border defense model, has actually been that the assailant just has to be right one time, while the defender needs to be right all the time. An adequately resourced and relentless attacker will eventually achieve penetration. And time to successful penetration decreases with increasing size and complexity of the target business.
A border or prevention reliant cyber defense model basically demands ideal execution by the protector, while ceding success to any adequately sustained attack – a plan for particular cyber catastrophe. For example, a leading cybersecurity red team reports successful enterprise penetration in under 3 hours in greater than 90% of their client engagements – and these white hats are restricted to ethical ways. Your enterprise’s black hat opponents are not so constrained.
To be feasible, the cyber defense technique must turn the tables on the hackers, moving to them the unattainable burden of ideal execution. That is the reasoning for a strong detection capability that constantly monitors endpoint and network habits for any unusual indications or observed enemy footprints inside the boundary. The more sensitive the detection ability, the more care and stealth the hackers should exercise in committing their kill chain sequence, and the more time and labor and skill they must invest. The protectors need but observe a single assailant tramp to uncover their foot tracks and loosen up the attack kill chain. Now the protectors end up being the hunter, the hackers the hunted.
The MITRE ATT&CK Design.
MITRE provides a detailed taxonomy of hacker footprints, covering the post-compromise section of the kill chain, understood by the acronym ATT&CK, for Adversarial Tactics, Techniques, and Common Knowledge. ATT&CK project group leader Blake Strom says, “We chose to focus on the post attack period [portion of kill chain lined in orange below], not just because of the strong likelihood of a breach and the dearth of actionable information, but also because of the many opportunities and intervention points offered for efficient protective action that do not always rely on anticipation of adversary tools.”
As displayed in the MITRE figure above, the ATT&CK model offers additional granularity on the attack kill chain post compromise phases, breaking these out into 10 strategy classifications as shown. Each strategy classification is additionally detailed into a list of methods an attacker might utilize in carrying out that tactic. The January 2017 design update of the ATT&CK matrix lists 127 techniques throughout its ten strategy categories. For instance, Computer registry Run Keys/ Start Folder is a method in the Perseverance classification, Brute Force is a technique in the Credentials category, and Command-Line Interface is a technique in the Execution category.
Leveraging Endpoint Detection and Response (EDR) in the ATT&CK Design.
Endpoint Detection and Response (EDR) solutions, such as Ziften supplies, use vital visibility into attacker usage of strategies noted in the ATT&CK design. For instance, Computer system registry Run Keys/ Start Folder method use is reported, as is Command-Line Interface usage, since these both include easily observable endpoint behavior. Strength usage in the Qualifications classification must be blocked by design in each authentication architecture and be observable from the resulting account lockout. But even here the EDR product can report events such as failed login attempts, where an attacker might have a couple of guesses to attempt this, while staying under the account lockout attempt limit.
For mindful protectors, any method usage might be the attack giveaway that unravels the entire kill chain. EDR solutions compete based on their method observation, reporting, and signaling capabilities, in addition to their analytics capability to perform more of the attack pattern detection and kill chain reconstruction, in support of protecting security analysts staffing the enterprise SOC. Here at Ziften we will detail more of EDR solution capabilities in support of the ATT&CK post compromise detection design in future blog posts in this series.