Chuck Leaver – Focussing On Detection After Compromise

Written By Dr Al Hartmann And Presented By Chuck Leaver CEO Ziften


If Prevention Has Failed Then Detection Is Essential

The final scene of the well-known Vietnam War film Platoon depicts a North Vietnamese Army regiment in a surprise night-time attack breaching the concertina-wire perimeter of an American Army battalion, overrunning it, and slaughtering the stunned defenders. The desperate company commander, understanding their dire defensive situation, orders his air support to strike his own position: “For the record, it’s my call – Dump everything you’ve got left on my position!” Moments later the battlefield is immolated in a napalm hellscape.

Although a physical conflict, this illustrates two aspects of cybersecurity: (1) you need to deal with inevitable perimeter breaches, and (2) it can be absolute hell if you don’t detect early and respond forcefully. MITRE Corporation has been leading the call for rebalancing cybersecurity priorities to place due emphasis on breach detection in the network interior instead of merely concentrating on penetration prevention at the network perimeter. Rather than defense in depth, the latter produces a flawed “tootsie pop” defense – hard, crunchy shell, soft chewy center. Writing in a MITRE blog, “We might see that it would not be a question of if your network would be breached but when it will be breached,” explains Gary Gagnon, MITRE’s senior vice president, director of cybersecurity, and chief security officer. “Today, organizations are asking ‘How long have the trespassers been inside? How far have they gone?’”

Some call this the “assumed breach” approach to cybersecurity, or as posted to Twitter by F-Secure’s Chief Research Officer:

Q: How many of the Fortune 500 are compromised? A: 500.

This is based on the premise that any sufficiently complex cyber environment has an existing compromise, and that Fortune 500 businesses are of sufficiently complex scale.

Shift the Burden of Perfect Execution from the Defenders to the Attackers

The traditional cybersecurity viewpoint, derived from the legacy perimeter-defense model, has been that the attacker only has to be right once, while the defender must be right every time. A sufficiently resourced and persistent adversary will eventually achieve penetration. And time to successful penetration decreases with increasing size and complexity of the target enterprise.

A perimeter- or prevention-reliant cyber-defense model essentially demands perfect execution by the defender, while delivering success to any sufficiently sustained attack – a recipe for certain cyber disaster. For instance, a leading cybersecurity red team reports successful enterprise penetration in under three hours in more than 90% of their client engagements – and these white hats are restricted to ethical methods. Your enterprise’s black-hat attackers are not so constrained.

To be viable, the cyber-defense strategy must turn the tables on the attackers, shifting to them the unachievable burden of perfect execution. That is the rationale for a strong detection capability that continuously monitors endpoint and network behavior for any unusual signs or observed adversary footprints inside the perimeter. The more sensitive the detection capability, the more caution and stealth the attackers must exercise in carrying out their kill-chain sequence, and the more time, labor and talent they must invest. The defenders need only observe a single attacker misstep to reveal their footprints and unravel the attack kill chain. Now the defenders become the hunters, the attackers the hunted.

The MITRE ATT&CK Model

MITRE offers an in-depth taxonomy of attacker footprints, covering the post-compromise portion of the kill chain, known by the acronym ATT&CK, for Adversarial Tactics, Techniques, and Common Knowledge. ATT&CK project team leader Blake Strom states, “We chose to focus on the post attack duration [portion of kill chain outlined in orange below], not just because of the strong probability of a breach and the scarcity of actionable details, but also because of the many chances and intervention points readily available for efficient defensive action that do not always depend on prior knowledge of enemy tools.”




As shown in the MITRE figure above, the ATT&CK model provides extra granularity on the post-compromise phases of the attack kill chain, breaking them out into ten tactic categories as shown. Each tactic category is further detailed into a list of techniques an adversary may use in carrying out that tactic. The January 2017 update of the ATT&CK matrix lists 127 techniques across its 10 tactic categories. For example, Registry Run Keys / Start Folder is a technique in the Persistence category, Brute Force is a technique in the Credential Access category, and Command-Line Interface is a technique in the Execution category.

Leveraging Endpoint Detection and Response (EDR) in the ATT&CK Model

Endpoint Detection and Response (EDR) solutions, such as Ziften provides, give vital visibility into attacker use of the techniques listed in the ATT&CK model. For instance, Registry Run Keys / Start Folder technique use is reported, as is Command-Line Interface use, because both involve readily observable endpoint behavior. Brute Force use in the Credential Access category should be blocked by design in every authentication architecture and be visible from the resulting account lockout. But even here the EDR solution can report events such as unsuccessful login attempts, where an attacker may have a few guesses to try while remaining under the account-lockout attempt threshold.
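To make the two EDR observations above concrete, here is an added example (not Ziften’s or MITRE’s code) of detection logic run over a small set of constructed endpoint events. It flags a write to a Run key as the Persistence technique Registry Run Keys / Start Folder, and it flags the “under the lockout threshold” Brute Force pattern by correlating failed logons per source across several accounts within a time window. The event format, the lockout threshold of 5, the 10-minute window, the 3-account minimum and all sample events are assumptions made for the example.

```python
"""Toy EDR-style detections mapped to ATT&CK tactics (added example).
Event format, thresholds and sample telemetry are constructed here,
not taken from any product."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: (timestamp, host, event_type, details)
SAMPLE_EVENTS = [
    ("2017-01-10T09:00:01", "ws01", "registry_set",
     {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
      "value": "updater", "data": r"C:\Users\bob\AppData\Roaming\upd.exe"}),
    ("2017-01-10T09:00:05", "ws01", "registry_set",
     {"key": r"HKCU\Software\Microsoft\Office\16.0\Common",
      "value": "Theme", "data": "1"}),
    # One source tries a few guesses against several accounts, each account
    # staying below the assumed lockout threshold of 5 failures.
    ("2017-01-10T09:01:00", "ws02", "logon_failed", {"user": "alice", "src": "10.0.0.5"}),
    ("2017-01-10T09:01:10", "ws02", "logon_failed", {"user": "alice", "src": "10.0.0.5"}),
    ("2017-01-10T09:01:20", "ws02", "logon_failed", {"user": "alice", "src": "10.0.0.5"}),
    ("2017-01-10T09:02:00", "ws02", "logon_failed", {"user": "bob", "src": "10.0.0.5"}),
    ("2017-01-10T09:02:10", "ws02", "logon_failed", {"user": "bob", "src": "10.0.0.5"}),
    ("2017-01-10T09:02:20", "ws02", "logon_failed", {"user": "bob", "src": "10.0.0.5"}),
    ("2017-01-10T09:03:00", "ws02", "logon_failed", {"user": "carol", "src": "10.0.0.5"}),
    ("2017-01-10T09:03:10", "ws02", "logon_failed", {"user": "carol", "src": "10.0.0.5"}),
    ("2017-01-10T09:04:00", "ws02", "logon_failed", {"user": "dave", "src": "10.0.0.5"}),
    ("2017-01-10T09:04:10", "ws02", "logon_failed", {"user": "dave", "src": "10.0.0.5"}),
    # A user mistyping their own password twice: one account, not flagged.
    ("2017-01-10T09:05:00", "ws03", "logon_failed", {"user": "eve", "src": "10.0.0.9"}),
    ("2017-01-10T09:05:30", "ws03", "logon_failed", {"user": "eve", "src": "10.0.0.9"}),
]

# Substrings identifying autostart registry locations; "\CurrentVersion\Run"
# also matches RunOnce and RunServices, which is intended.
RUN_KEY_MARKERS = (r"\CurrentVersion\Run",)

LOCKOUT_THRESHOLD = 5            # assumed domain lockout policy
WINDOW = timedelta(minutes=10)   # assumed correlation window
SPRAY_MIN_ACCOUNTS = 3           # assumed: distinct accounts from one source


def detect_run_key_persistence(events):
    """Persistence: Registry Run Keys / Start Folder.
    Any value written under an autostart key is reported."""
    hits = []
    for ts, host, etype, d in events:
        if etype != "registry_set":
            continue
        if any(m.lower() in d["key"].lower() for m in RUN_KEY_MARKERS):
            hits.append({"tactic": "Persistence",
                         "technique": "Registry Run Keys / Start Folder",
                         "host": host, "time": ts, "key": d["key"],
                         "data": d["data"]})
    return hits


def detect_low_and_slow_brute_force(events):
    """Credential Access: Brute Force kept under the lockout threshold.
    Per-account counters never reach the lockout, so the signal is the
    number of distinct accounts one source fails against inside WINDOW."""
    by_src = defaultdict(list)
    for ts, host, etype, d in events:
        if etype == "logon_failed":
            by_src[d["src"]].append((datetime.fromisoformat(ts), d["user"]))

    hits = []
    for src, attempts in by_src.items():
        attempts.sort()
        for i, (t0, _) in enumerate(attempts):
            window = [(t, u) for t, u in attempts[i:] if t - t0 <= WINDOW]
            per_user = defaultdict(int)
            for _, u in window:
                per_user[u] += 1
            if (len(per_user) >= SPRAY_MIN_ACCOUNTS
                    and max(per_user.values()) < LOCKOUT_THRESHOLD):
                hits.append({"tactic": "Credential Access",
                             "technique": "Brute Force", "src": src,
                             "accounts": sorted(per_user),
                             "attempts": len(window),
                             "window_start": t0.isoformat()})
                break  # one alert per source is enough for this example
    return hits


if __name__ == "__main__":
    for hit in detect_run_key_persistence(SAMPLE_EVENTS) + \
               detect_low_and_slow_brute_force(SAMPLE_EVENTS):
        print(hit)
```

The second detector is the interesting one: a per-account lockout counter sees at most three failures per user here and never fires, whereas grouping by source shows one address failing against four accounts in a few minutes. Real telemetry would need the source field normalised (interactive logons, RDP and SMB report it differently) and the thresholds tuned against the organisation’s own baseline of legitimate failed logons.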

For attentive defenders, any technique use may be the attack giveaway that unravels the entire kill chain. EDR solutions compete on their technique observation, reporting, and alerting capabilities, as well as on their analytics capacity to perform more of the attack-pattern detection and kill-chain reconstruction, in support of the security analysts staffing the enterprise SOC. Here at Ziften we will outline more of the EDR product capabilities that support the ATT&CK post-compromise detection model in future blog posts in this series.