Breached is not Defeated: Fix Your Blind Spot with Post Exploit Visibility
When facing today’s advanced threat landscape you have to assume your network will be breached. In fact, statistically it probably already is. Then what?
Layered defense in depth has long been a best practice of enterprise security. The first line of defense (other than solid training and system maintenance) is usually around the perimeter: AV, next generation firewalls, intrusion prevention systems (IPS), etc. Additional layers of defense may include security information and event management (SIEM) systems, data loss prevention (DLP) and newer endpoint detection and response (EDR) solutions.
But there is a blind-spot in these current layers of enterprise security: after an adversary has breached the perimeter but before they have compromised key systems and exfiltrated data. It is difficult today to quickly spot, track and thwart advanced malware and attack campaigns precisely at these stages. What is needed is real-time visibility on potential threat activity after the initial exploit, as adversaries recon your network, look for weaknesses and prepare to exfiltrate data.
Current Blind Spot
Perimeter defenses can alert on known threats but have no visibility on an adversary’s reconnaissance, lateral movement, privilege escalation, nor what other systems might be compromised. DLP and EDR systems alert on suspicious access to and/or theft of critical assets, but are not designed to spot, let alone track, related attack behavior occurring across the network.
SIEM systems can provide more visibility, yet are defensive in nature, reactive to known indicators; not optimal when looking to proactively investigate suspicious lateral movement or new/unknown malware related activity. Any SOC operator can tell you filtering out and effectively prioritizing real Indicators of Compromise (IoC) from the overwhelming number of alerts is a serious challenge. Even then, using what is essentially an alert engine to get a complete picture of an entire attack campaign working across the network is tough, and time-consuming.
The most dangerous threats today are not just malware but human orchestrated attack campaigns. The malware component itself is designed to be stealthy, to circumvent your layers of security undetected. (And they have been successful; many breaches go undetected until a third party alerts the victim.) But these human orchestrated attack campaigns must traverse the network, repeatedly.
Better Post Exploit Visibility
What is needed is fast and flexible visibility on the tradecraft of the attacker, after the initial exploit (detected or not) and before data or systems are further compromised: the internal reconnaissance, the lateral movement, external communications, escalated or stolen credentials, etc. With better post exploit visibility you can:
- Proactively hunt for human-guided campaigns; investigate to see if currently active threats might be lurking within your network. When speed is of the essence, you can better connect the dots across alerts, systems, and behavior;
- Optimize existing SOC operations and investments in current security tools, e.g. faster recognition of false positives and prioritization of real threats;
- Stop exfiltration and thwart attack campaigns in their entirety. Track the lateral movement of adversaries, systems they’ve touched or payloads dropped, and eliminate all attack components before the damage is done.
The scope, quantity of data and speed of the threat environment requires post exploit visibility be automated as much as possible. As more is learned about threat behavior and the processes to spot, track and defeat them automation becomes more practicable – and critical. This is evolving quickly but can already be put into three categories.
- Workflow Automation: automation of the day-to-day SOC workflow, where disparate processes, sometimes manual phone and email communications, or the use of spreadsheets is integrated and automated. This is analogous to what occurred with IT help desk automation in the 1990s.
- Automated Analysis: integrated more context aware threat intelligence for automated-assisted analysis. From context aware searching, to faster weeding out false positives with automatic correlation of data from different systems. Automatically populating SOC investigations with contextual threat intelligence: along with specific indicator display the user, destination IP (with reputation data), port it was using, etc. Here automation can not only reduce manual tasks, but enable more effective, timely alert triage.
- Automated Threat Response: automated countermeasures on endpoints and networks to respond to threats before data is exfiltrated. Development of security playbooks and “out of the box” countermeasures, e.g., confirmed malware attack means quarantine host and block IP at firewall, etc.
Layered security is still the best strategy. There is no reason to jettison perimeter defenses. But the real battle with advanced attack campaigns starts after you are breached. What becomes critical after your perimeter or endpoints have been exploited is real-time visibility on attacker tradecraft. Post exploit visibility makes it harder for adversaries to hide, and easier for you to defeat their attacks.
To learn more about the overcoming security blind-spots 451 Research has written a fascinating paper, Tech Industry Doppelgangers: Campaign Innovation in the World of Cybercrime.