As cyber incidents continue, security focus has shifted from prevention toward resilience and a broader set of capabilities, including timely detection and the ability to respond to live incidents. In light of increased budgets, it is important for CISOs to establish a capability that detects modern attacks while demonstrating a return on investment. Furthermore, as attacker tactics, techniques and procedures (TTPs) evolve, an adaptive detection capability that can continuously improve is required. Technology alone is not the solution. As Gartner (2017) contends, “[t]he shift to detection and response approaches spans people, process and technology elements.” The implementation of – and ongoing improvements to – overall capability is therefore challenging, particularly in the context of the global skills shortage.
In our previous article (https://www.mwrinfosecurity.com/our-thinking/challenges-of-cyber-attack-detection/), the necessary combination of trained human insight with technology was highlighted. Perhaps as a result of the global cyber skills shortage, organizations commonly place too much reliance on the many “blinky boxes” swamping the market. Shrewd marketing makes it easy to believe that, once implemented, a given technology will detect the right attacks 100% of the time. However, this is most often not the case. Reliable detection is more of an engineering problem: it requires careful deployment and tuning, and benefits from environmental context and an understanding of the latest attack methods.
In light of these challenges, this article provides useful advice on how to ensure your security monitoring function provides an effective detection capability that is practically aligned to the following, interrelated factors:
- An understanding of your organization’s environment
- The tactics, techniques and procedures of your most likely adversaries
- Continuous incremental improvement
Too often we see security monitoring teams failing to develop a meaningful detection capability, perhaps due to an overreliance on signature-based detection, or on alerts and playbooks that bear no relation to modern attack techniques. An effective security monitoring team will analyze the correct data sources and detect the attack techniques it needs to, resulting in reduced risk to your business. Building a reliable detection capability depends on several factors, each of which relates to what MWR’s consultants see on a regular basis when working with security teams.
Security monitoring teams need to know what it is they should be protecting. At the highest level, this may take the form of a threat assessment, or business risk assessment, where the business identifies its critical assets and opines on the relative priority of foreseeable events. And yet this process is so often poorly implemented, or bypassed completely, due to factors such as a lack of collaboration or of understanding of what could go wrong. Neglecting this step causes inaccuracies when designing, implementing and managing security monitoring structures, as the risks it aims to mitigate may be incorrectly prioritized. While it is good to undertake an assessment as early as possible, a monitoring team can also take this step at any point to assess whether they are protecting the right assets from priority threats.
A security monitoring team should also spend time considering and understanding the intricacies of their environment: the battlefield on which a cyber-attack will play out. Although a daunting challenge, knowing the layout, design, strengths and weaknesses of an organization’s IT infrastructure will place the defender in the unique position of being able to predict an attacker’s most likely paths of entry. This will allow for the implementation of preventive measures and monitoring in strategic locations.
Furthermore, the defense team can use an understanding of the attacker’s mindset to their advantage. If defenders can anticipate attacker actions within their environment, they can increase the chances of detection by pushing the enemy unknowingly along a specific but “trip-wired” path that leads to their strategic ambush. Exploiting such opportunities requires a combination of technology and procedures commonly referred to as Use Cases.
Use Cases constitute a set of rules that, when broken, notify the detection team of a security incident. They are used to monitor various log sources and range in complexity, from simple signature-based alerts relating to known-bad actions or malware, to the collation and analysis of multiple logs to identify a user performing anomalous activities. Too often security teams rely on the out-of-the-box Use Cases provided with monitoring technologies, and increasingly on alerts driven by statistically anomalous behavior. Well-designed, tailored Use Cases can not only reliably detect attacker actions with a high signal-to-noise ratio (few false positives), but also drive investigation and containment.
To ensure the implementation of effective Use Cases (those that alert the security team to incidents that require further investigation or immediate intervention), an understanding of the particular threats facing an organization is essential. Identifying the most likely adversaries in terms of their motivations and tactics, techniques and procedures (TTPs) will inform the Use Case design and documentation, providing analysts with valuable insights to drive further investigation and effective containment. For example, a good Use Case will situate the alert in the lifecycle of an attack, helping an analyst anticipate what might happen next, and how to uncover prior actions which may present further avenues of investigation.
Applying context to Use Cases also assists in determining the significance of an alert. For example, if an alert triggers on an attempt to disable Anti-Virus, the same alert’s meaning will differ vastly based on the host it pertains to. If it came from a domain controller it is likely to be more serious than if it emerged from a developer’s machine that is regularly tinkered with.
When it comes to deciding which of the many detection technologies to deploy, the “where” is as important as the “what.” For example, if controls are placed only at the perimeter of your estate, the extent of an attack may not be realized, as a sophisticated attacker could quite easily bypass the perimeter without triggering an alert. This will make detecting and ultimately containing an attack difficult for the analysts and defenders. Ensuring a complementary deployment of detective and preventive controls throughout the estate better reflects the lifecycle of a modern attack. Lockheed Martin’s cyber kill chain acts as an effective guide when mapping controls to an attacker’s methodology, a point to be discussed in a future article. What is clear, given modern attack techniques, is that most organizations will require a combination of endpoint detection (usually a software agent), network-level monitoring and logging from a range of preventive controls.
Ultimately, regardless of the decision made, a technology’s effectiveness will depend greatly on the human insight and experience employed to correlate and investigate the generated alerts and information.
Lastly, regular testing simulating modern attack techniques will help maintain the alignment of an organization’s defense measures to the changing threat landscape. Outcome-based testing emulating the attacks you want to detect will be most conducive to the development of an effective detection capability, while also demonstrating a return on investment. Once Use Cases have been proven to alert on the actions you realistically expect an attacker to perform, testing can be automated and repeated regularly to ensure a consistent level of detection over time. This will free up time for analysts, engineers and testers to develop new Use Cases that detect attacker actions beyond existing automated alerts.
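As an added illustration (not MWR's tooling or the article's own code) of the two points above, the contextual "Anti-Virus disabled" Use Case and the automated replay of expected attacker actions against it: the event format, hostnames, asset roles, rule name and severity ladder are all constructed assumptions, and a real deployment would take the asset inventory from a CMDB rather than a dictionary.

```python
import json

# Constructed asset inventory (host -> role); a real one would come from a CMDB.
ASSET_ROLES = {
    "dc01": "domain_controller",
    "fs02": "file_server",
    "dev-laptop-17": "developer_workstation",
}

# Severity ladder by role: the same event on a domain controller outranks a dev box.
ROLE_SEVERITY = {
    "domain_controller": "critical",
    "file_server": "high",
    "developer_workstation": "medium",
}

def parse_event(line):
    """Parse one constructed JSON log line from an endpoint agent."""
    return json.loads(line)

def av_disabled_use_case(event, roles=ASSET_ROLES):
    """Fire when real-time protection is turned off; enrich the alert with host context."""
    if event.get("action") != "av_realtime_disabled":
        return None
    role = roles.get(event["host"], "unknown")
    return {
        "rule": "UC-AV-DISABLE",  # constructed rule identifier
        "host": event["host"],
        "user": event.get("user", "?"),
        "role": role,
        # Unknown assets default to 'high' so an unmanaged host is never quietly ignored.
        "severity": ROLE_SEVERITY.get(role, "high"),
        # Situate the alert in the attack lifecycle to guide the analyst's next steps.
        "kill_chain_stage": "installation",
        "next_steps": ["review earlier logons and privilege changes on this host",
                       "check for new executables written after this event"],
    }

def replay(use_case, samples):
    """Replay labelled sample lines (expected True/False); return the lines the rule got wrong."""
    return [line for line, expected in samples
            if (use_case(parse_event(line)) is not None) != expected]

# Constructed sample log lines for the automated regression replay.
SAMPLES = [
    ('{"host": "dc01", "user": "svc_backup", "action": "av_realtime_disabled"}', True),
    ('{"host": "dev-laptop-17", "user": "alice", "action": "av_realtime_disabled"}', True),
    ('{"host": "fs02", "user": "bob", "action": "av_signature_update"}', False),
]
```

Running `replay(av_disabled_use_case, SAMPLES)` on a schedule turns the sample set into the repeatable test the article describes: an empty result means every expected attacker action still alerts and the benign sample still does not.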