This content was originally presented as a webinar. This blog post will highlight some of the key points. For a deeper dive, please view the webinar recording.
In my experience working on both the Binary Defense side from the blue team or defender’s perspective, and with TrustedSec, from a red team or attacker’s perspective, I have seen organizations on every level of maturity in terms of security. One thing they all seem to struggle with, no matter where they are in maturity, is going from commodity to behavioral detections. In this blog post, we will look at what this means.
Organizations have unique security challenges
Organizations all face unique challenges and have unique infrastructures. They could be cloud-based, on-premises or a hybrid, and each has its own mix of technologies and legacy systems. Many complexities make up a technology footprint, and each brings its own risks.
When it comes to defending against a cyberattack, many organizations are still not aware of their controls or how effective their posture is, particularly against emerging threats and the capabilities of threat actors. The focus for these organizations should be on attack prevention, but more particularly on identifying threats at an earlier attack stage, which puts them in a better position to reduce the amount of damage an attack can do.
Commodity level protections
Most companies have at least some of the basics in terms of protection. They could have firewalls, antivirus, MDR, SIEM, and maybe they’ve gone through a penetration test. This is what I’m referring to as “commodity level.” These tools give you a basic level of understanding around security, your organization and what’s actually occurring in your environment. But it takes more than implementing a product or a piece of technology to get to a point where you actually have a functional monitoring and detection program that can respond to specific threats and identify and remove the attackers. That’s where behavioral detections come in.
Deciding what’s normal and what’s not for your organization depends on understanding behavior, as well as who your adversaries are. With your commodity solutions, you’re going to hope that something hits a signature so that you can respond effectively to a specific threat. But, there’s no validation occurring for how well you’re doing against specific types of attacks, particularly when the attacks themselves are evolving.
Using MITRE ATT&CK for emulation exercises
One way to test your security posture is through an exercise called emulation. Emulation means going through the tactics, techniques and procedures of an attacker and mimicking those attacks to see how effective your defenses are against them.
I like using the MITRE ATT&CK framework. It breaks down the multiple phases of an attack and identifies what initial access looks like, what privilege escalation looks like, where a lateral move occurs, where acceleration happens, etc. Then you can start to build an understanding of what controls your organization has in place, which allows you to move beyond commodity and respond much more effectively.
As an example, in MITRE ATT&CK you can go to the “groups” section and select all the ransomware groups. From there you can define the TTPs that they use and map those to your specific technologies to see if your defenses are effective. Doing an emulation exercise like this can help you validate the controls you have in your environment.
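The mapping step above (group → TTPs → detections in your environment) is easy to do by hand for one group, but it is worth scripting once you repeat it for several groups and re-run it after every emulation. The following is an added example, not code from the original post or from MITRE: the technique IDs are real ATT&CK IDs, but the group names, the techniques attributed to them and the detection names are constructed for illustration. Each detection carries whether its most recent emulation test passed, so the report separates "we have nothing for this" from "we have a rule, but it has not been proven to fire".

```python
"""Coverage-gap report for an ATT&CK-based emulation exercise.

Added example with constructed data. Technique IDs are real ATT&CK IDs;
the groups, their TTP lists and the detection names are hypothetical.
"""
from collections import Counter, defaultdict

# Constructed: techniques attributed to two hypothetical ransomware groups.
GROUP_TTPS = {
    "RansomGroup-A": ["T1566", "T1078", "T1110.004", "T1133", "T1021", "T1486"],
    "RansomGroup-B": ["T1566", "T1059", "T1003", "T1021", "T1486"],
}

# Constructed: detections deployed in the environment as
# (detection name, ATT&CK technique it covers, last emulation test passed?).
DETECTIONS = [
    ("phish_attachment_macro",  "T1566", True),
    ("vpn_login_without_mfa",   "T1133", False),   # written, never validated
    ("lsass_access_nonstandard", "T1003", True),
    ("smb_admin_share_lateral", "T1021", True),
]


def coverage_report(group, ttps=GROUP_TTPS, detections=DETECTIONS):
    """Classify each technique a group uses as covered, untested or a gap.

    covered  - at least one detection for the technique passed its last test
    untested - detections exist for the technique, but none has passed a test
    gaps     - no detection maps to the technique at all
    """
    by_technique = defaultdict(list)
    for name, technique, tested in detections:
        by_technique[technique].append((name, tested))

    report = {"covered": [], "untested": [], "gaps": []}
    for technique in ttps[group]:
        matches = by_technique.get(technique, [])
        if not matches:
            report["gaps"].append(technique)
        elif any(tested for _, tested in matches):
            report["covered"].append(technique)
        else:
            report["untested"].append(technique)
    return report


def prioritise_gaps(ttps=GROUP_TTPS, detections=DETECTIONS):
    """Rank uncovered techniques by how many groups use them, so the next
    detection written closes the gap shared by the most adversaries."""
    counts = Counter()
    for group in ttps:
        for technique in coverage_report(group, ttps, detections)["gaps"]:
            counts[technique] += 1
    return counts.most_common()


if __name__ == "__main__":
    for group in GROUP_TTPS:
        print(group, coverage_report(group))
    print("gaps by group count:", prioritise_gaps())
```

Swapping the constructed lists for a CSV export of your own detection inventory and the technique lists from the ATT&CK Navigator is the only change needed to use this on a real environment; the point is that the "untested" bucket is what an emulation exercise actually shrinks.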
Understand recent attacks and define your threat model
Use data from recent attacks, like the Colonial Pipeline and JBS attacks. Take a look at the analysis of these attacks from your threat intelligence sources or from public information. See how well you would fare against these types of attacks, and how fast you could get new detections put into place so that your organization has good coverage and effectiveness over those different areas. Organizations need a very fast workflow for conducting emulations and getting detections into production to stay on top of these attacks.
Once detections are built, you need to build a test case to ensure that all of your detections continue to work over time. Bring your learnings to your team to share the impact and decide what to focus on in your environment to continue to get better.
Gain an understanding of your organization’s threat model. Who are the attackers that want access to your infrastructure? What are their capabilities from an adversary perspective? Do you have coverage and effective controls in those different areas, and where do you need to build them out?
Our whole function as cybersecurity professionals is to validate and reduce our risk so that we are protected, confirm that we’re doing the right things, and to minimize the amount of damage an attacker can do.
Implementing a product or a piece of technology doesn’t necessarily reduce that risk simply by being there. It actually introduces complexity. Therefore, we need to be continuously testing our environments, with emulation and eventually simulation. Simulation is an evolution of emulation where you’re actually simulating specific adversaries and trying to get around your detections.
Defending beyond the first entry point
Adversaries are getting much better at finding an entry point, whether it be by compromising one user through a phishing email, getting in through a web application, or exploiting a misconfiguration. Once they have that initial access, they start to grow their access to other systems. As defenders, we need to identify when a breach occurs at that initial entry point, and as the other stages of an attack occur. We know that the Colonial Pipeline attackers used a methodical approach of enumerating users. They looked at data breach data, compared notes, did credential stuffing, tried to authenticate to various systems, and finally found a VPN concentrator that didn’t have MFA. From there, once they got in, they moved laterally across the environment to maximize the amount of damage.
This is probably the most important aspect of an information security program that I can emphasize to most organizations, because this is literally what will make or break your company. You have to have something in place to be able to respond, and it’s not just about that initial entry point. What happens after an attacker gets access to your environment is ultimately where your defenses should kick in. That’s what’s going to minimize your damage and that’s what can keep you out of the news. And that takes time. That takes people. That takes an understanding of the adversarial landscape. You need internal staff, or to use external parties, to get to a position where you are able to do that.
Companies rely too heavily on the commodity technologies they have, which were built for the masses, not specifically for your organization. We have to get better at making them our own. Then we have a much better chance of surviving the types of attacks that we’re seeing today and will continue to see.
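The Colonial Pipeline sequence above (many accounts tried from one source, then a successful remote-access login that never went through MFA) is a textbook case of a behavioral detection that no single signature catches, and it is also a good candidate for the regression test case mentioned earlier, so one detection can be checked every time the rule set changes. The following is an added example, not code from the original post or from any vendor: the log lines are constructed, and the field layout (timestamp, source IP, user, result, MFA method), the 10-minute window and the five-account threshold are assumptions to be tuned to your own VPN or identity provider logs.

```python
"""Behavioral detection: credential stuffing against a remote-access service
followed by a successful login without MFA, plus the regression test case
that keeps the detection honest over time.

Added example with constructed log lines. Field layout, window and
thresholds are assumptions, not any product's schema or defaults.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log: timestamp source_ip user result mfa_method
# 203.0.113.5 walks through six accounts, then lands on one with no MFA.
# 198.51.100.7 is a normal user who mistyped a password twice.
SAMPLE_LOG = """\
2021-05-01T02:00:01Z 203.0.113.5 asmith FAIL none
2021-05-01T02:00:04Z 203.0.113.5 bjones FAIL none
2021-05-01T02:00:09Z 203.0.113.5 cwang FAIL none
2021-05-01T02:00:15Z 203.0.113.5 dlee FAIL none
2021-05-01T02:00:22Z 203.0.113.5 epatel FAIL none
2021-05-01T02:00:31Z 203.0.113.5 rdoe FAIL none
2021-05-01T02:01:02Z 203.0.113.5 rdoe SUCCESS none
2021-05-01T02:03:10Z 198.51.100.7 jdoe FAIL none
2021-05-01T02:03:25Z 198.51.100.7 jdoe FAIL none
2021-05-01T02:03:40Z 198.51.100.7 jdoe SUCCESS push
"""


def parse(log_text):
    """Turn the whitespace-separated sample format into event dicts."""
    events = []
    for line in log_text.strip().splitlines():
        ts, ip, user, result, mfa = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip, "user": user, "result": result, "mfa": mfa,
        })
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=10), min_users=5):
    """One source failing against >= min_users distinct accounts inside the
    window. Distinct accounts, not failure count, is what separates stuffing
    from a single user fat-fingering a password."""
    fails_by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] == "FAIL":
            fails_by_ip[e["ip"]].append(e)

    alerts = []
    for ip, fails in fails_by_ip.items():
        best, start = None, 0
        for end in range(len(fails)):              # sliding time window
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            users = {f["user"] for f in fails[start:end + 1]}
            if len(users) >= min_users and (best is None or len(users) > best["distinct_users"]):
                best = {"rule": "credential_stuffing", "ip": ip,
                        "distinct_users": len(users),
                        "first": fails[start]["ts"], "last": fails[end]["ts"]}
        if best:
            alerts.append(best)
    return alerts


def detect_success_without_mfa(events, stuffing_alerts):
    """Escalate: a success with no MFA from a source already flagged for
    stuffing is the 'VPN concentrator without MFA' moment."""
    flagged = {a["ip"] for a in stuffing_alerts}
    return [{"rule": "login_no_mfa_after_stuffing", "ip": e["ip"],
             "user": e["user"], "ts": e["ts"]}
            for e in events
            if e["result"] == "SUCCESS" and e["mfa"] == "none" and e["ip"] in flagged]


def run(log_text=SAMPLE_LOG):
    """Run both stages over a log and return all alerts in order."""
    events = parse(log_text)
    stuffing = detect_credential_stuffing(events)
    return stuffing + detect_success_without_mfa(events, stuffing)


def regression_test():
    """The test case for this detection: replay the known-bad sample and
    confirm both alerts fire and the benign user is left alone. Returns True
    when the detection still works; run it whenever rules or parsers change."""
    alerts = run()
    rules = [a["rule"] for a in alerts]
    return (rules == ["credential_stuffing", "login_no_mfa_after_stuffing"]
            and all(a["ip"] == "203.0.113.5" for a in alerts))


if __name__ == "__main__":
    for alert in run():
        print(alert)
    print("regression test passed:", regression_test())
```

In production the constructed `SAMPLE_LOG` would be replaced by a feed from the VPN or identity provider, but the replayed sample should stay in the repository as the test fixture: if a parser change or a schema change at the log source silently breaks the rule, `regression_test()` is what tells you before an attacker does.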
The importance of threat hunting
One final piece of advice I can offer is to establish a threat hunting team if you are able to. I really view threat hunting as one of the biggest missing links for organizations. Once you have a base level understanding of your environment, the next piece is to have a team looking at similar attacks happening in your industry and providing you with the latest research, so that you can write detections for your own environment.
Without that piece, how are you going to understand what the next attack is going to be, or what attackers are currently doing? If you’re not able to build your own internal team, work with a group like the Binary Defense Threat Hunters, who do this day in and day out for many clients.
I get into much more detail and give many more examples in the webinar I recorded on this topic. Check it out here:
Good luck, and let’s continue to kick our adversary’s butts!