Succeed by Preparing to Fail – A Detection and Response Paradigm Shift
Author: Fanis Drosos, Principal Threat Analyst, Encode
Speed is of the Essence, Constantly
Since the concept of Cyber Detection and Response came into being, whether as a service or as a suite of products, a lot has changed in the threat environment in terms of the quantity of attacks and the sophistication of readily-available hacking tools.
The one factor that has not changed is timing: the faster you detect and respond, the less exposed you are to the implications of a breach. Prevention (although it will always play an important part) will ultimately fail – only your readiness for this scenario will keep you ahead of the game.
The Perimeter has Changed
From a Cyber-threat perspective, this means that every potential data breach point is expanding exponentially: global user bases and employee networks are commonly expected to deal with an endless array of BYOD devices. IoT and industrial systems with default admin credentials are doubling in number every year. Standardized document formats such as PDF, which are certifiably easy to corrupt are so prevalent that their use cannot be discontinued without hurting business performance. The bandwidth for threats is also widened by the most basic parameters such as top-level domains multiplying to meet demand for digital presence and operations.
Every Security Executive Feels the Heat
Organizations rightfully seek to provide their customers, partners and employees with the best possible data protection and require a solution that identifies breaches and reacts swiftly before business is hurt. Business leaders are aware of this exposure and the Security team is rightfully the target of all this pressure to deliver.
Fanis Drosos, Encode’s Principal Threat Analyst, explains: “Very often we engage with organizations that have invested in all the right tools, on paper. The pressure to prevent any incident from even happening blinds the security staff from monitoring the most obvious loopholes such as leaving default credentials for key systems, failing to train employees on basic security practices, and not updating the internal network about known threats. Any set of tools is eventually vulnerable. Without these kinds of measures, the amount of incidents to filter and investigate can become unmanageable”.
Moving From Reactive to Proactive Compliance
But what does compliance really mean? If compliance is reactive then it does little besides diverting blame. A lot of the time security executives or consultants will form a team with scarce resources and limited experience, to manage a variety of prevention technologies that, as stated, will eventually fail. Although the selected solutions may meet compliance guidelines, they are not optimally set to truly defend the business.
For Detection and Response, hiring and retaining notoriously scarce, highly-paid Cyber Security staff to run disparate technologies is an expensive endeavour which does not guarantee the required skill level or capacity.
Outsourcing to traditional MSSPs, who rarely have the required skillset to provide MDR, Managed SOC, or knowledge of hacking techniques currently in use, usually reaches the same impasse.
Succeed by Preparing to Fail
A study for IBM in 2018 uncovered that more than three-quarters of organizations do not have a formal process for responding to a breach and the remaining quarter is rarely backed by a formal process or consistent implementation of incident response processes. Every organization should develop a written plan that identifies cyber-attack scenarios and sets out appropriate responses.
“Our experience shows that companies who had a Cyber Incident Response Plan in place for the unavoidable breach, even having a most simple internal document with action items and clearly defined ownership, were much more resilient to crippling damage” says Drosos.
There’s an upside: this landscape means that literally any move you make, starting by putting management in a boardroom and discussing the necessary steps, puts you ahead of the game.
The Cyber Kill Chain’s Weakest Links are the Ones That Cannot Break
Start by coming to terms with this fact: the kill zone has moved up from the endpoints to the entrails. Based on a Ponemon Study for IBM in 2017 it was estimated that on average, a large organization with thousands of users will detect a breach after nearly 200 days, and contain it only within an additional 66 days. Numbers have improved slightly since, but even at half the number of days, this provides a lot of opportunity-hunting possibilities for attackers.
Figure 1: The Cyber Kill Chain©
Don’t Look Where There’s Light. Uncover the Dark.
Early Breach detection is critical in order to reduce dwell time and corresponding incident response costs and business impacts. The problem lies with the fact that mechanisms focusing on detecting threats during the “Delivery” stage are easily evaded, while others focusing on attack escalation in the environment are rather late and not conclusive.
The best phase for early detection to take place is during the “Exploitation” – C2 (Command and Control) and primary post-exploitation activities.
Make the Attackers Waste Their Energy!
After accepting that your prevention tools and practices – effective as they may be – will at some point be by-passed or exploited, you can match the scale of possible breaches with automation-assisted investigation, hunting and response.
Assisted is a key term here: sure Machine Learning, AI and similar technologies play an important part but the human analyst factor is still the most efficient tool, afforded that incidents are properly filtered and presented.
Figure 2: Incident Management Lifecycle
Follow the 3 Golden Rules: Integrate, Collaborate and Optimize
- Integrate: Validate that the solutions you acquire cut investigation duration by promoting your integration capabilities to 3rd party systems to increase the coverage during response. Invest in tools that can easily translate history into context and insights for the analyst, while also providing ready-to-use response options, at the click of a button.
- Collaborate: Effective communication between teams and within teams is key. Meet this both by supplying easy to use platforms and by promoting communication and sharing as a key value. Open repositories for incidents, and log every action taken.
- Optimize: Streamline your incident management lifecycle by setting up pre-defined response guidelines and linking recommended actions to repository items. Run periodical evaluations of your threat priorities and incident response cases to identify places for improvement.
Start by doing something versus nothing
As more companies explore Security Monitoring and Detection and Response solutions and services, more service providers want to be able to provide such services, but barriers to entry are high: talent acquisition and retention is expensive, the operational maturity for effective results require time, and the cost structure of a tech operation does not always fit the DNA of an organization.
What to Watch out for in the (Very) Near Future
The time span between powerful surges of successful exploits is shortening. In summary, we would advise to focus your energies in 2019 on detection and response for these trends:
- State-sponsored groups are running “side projects” for their own benefit.
- Cyber-criminals are adopting ‘nation-state’ tactics, techniques and procedures. The same technologies can be leveraged for financial purposes, especially vs large organizations with multiple user access.
- Stronger push for ‘APT-style’ breaches, so attackers can exploit multiple times and for longer periods.
- Focus shift from espionage to operational disruption. It’s a money thing: disruption is more profitable.
- Focus shift from fraud to ransom. Again, this is because of a much better effort to profit ratio for ransom. Amounts may be potentially smaller but rewards are reaped faster because of the victim’s urgency to regain the data or operational control.
- A growing dark ecosystem. Repositories of attack tools are growing faster than defence tools. The creators answer to no one, are not restricted by regulations and legal or financial red tape, the marginal cost of trying anything new is practically non-existent.
Keep the Paradigm Shift in High Gear
Always remember: In Cyber Defence, as in any digital environment, new is the new old. No number of reports, announcements and alerts will make up for the pre-disposition to face a new challenge on a daily basis. Then, no matter which tools and services you choose, your guiding light will shine on the darkest corners.
Fanis Drosos is the Principal Threat Analyst at Encode, and has spent the last decade converting knowledge from red-teaming, analysing and consulting to hundreds of organizations into the dedicated suite of solutions known today as the Enorasys Platform for SOC teams.