Tips for success when building a detection capability
Security focus has shifted from prevention toward resilience and a broader set of capabilities including timely detection and the ability to respond to live incidents.
Given the maturing cyber security industry and increasingly sophisticated threat landscape, it is now widely accepted that detecting and responding to attacks is as important as preventing them. This has driven rising demand for sophisticated detection controls, which – compounded by the much-discussed skills shortage – has caused many to rely on the capabilities of technology alone.
But building an effective detection capability is not straightforward. Coupled with the right technology, effective detection requires expert knowledge of attacker techniques, tactics and procedures, all of which are continuously evolving according to different attacker objectives and levels of sophistication. Dependence on technology won’t help you obtain crucial contextual insight regarding a given attack or threat actor. What’s more, the type of attacks detected by automated tools tend to be small fry when compared to the types of serious attacks executed by sophisticated adversaries.
Over-reliance on technology has provided many organizations with a false sense of detective capability. As a result, many businesses under-perform in simulated offensive exercises and real incidents. MWR’s red teams routinely go undetected in environments that are well instrumented. While some attacker activities carefully evade detective controls, and monitoring coverage is typically limited, all too often it’s a lack of comprehension that leads to the overall failure to detect attacks. So, what can be done to improve knowledge and understanding?
The skills shortage remains a top concern for the cyber security industry. Organizations are hard-pressed when it comes to finding and keeping talented cyber security professionals, in this case those able to search intelligently for attacker evidence while getting the most out of tooling. As such, rapidly upskilling staff and providing them with ongoing learning opportunities are popular – and recommended – initiatives to develop and maintain talent.
In response to skills development requirements, independent cyber security firms are formulating adaptable ways in which to share their knowledge. There is now an array of training and development programs available to analysts of all experience levels to consider. Although by no means a complete list, the below table outlines several methods of learning currently observed in the industry:
In our experience, those sessions that include the dissemination of theoretical knowledge together with simulating attacks in a controlled environment will result in real, measurable improvements on the part of participating security monitoring teams. When executed in a way that is tailored to an organization’s infrastructure, assets and people, the benefits of such engagements are both tangible and relevant.
Moreover, rather than learning in the middle of a crisis, security personnel are given the opportunity to understand how specific attack methods could disrupt their organization. The knowledge gained will also assist with the implementation of correct use cases that are aligned to the given organization’s capabilities (internal) and threats (external). Increased resilience will result and can be measured by means of purple team assessments, which provide a comprehensive overview of defensive capability, coupled with baselines for measuring improvement over time.
In addition to generating tangible results, training programmes should always promote an understanding of the techniques, tactics and procedures (TTPs) of modern attackers. Knowledge of attacker TTPs can help drive effective investigations, improve post-incident remediation and importantly, promote a threat hunting culture.
To protect business assets as quickly as possible, technology solutions are often brought into organizations without sufficient on-boarding processes or knowledgeable staff to manage them, resulting in the misinterpretation and/or neglect of critical information. For example, while many machine learning tools promise to detect and alert on anomalies that indicate genuine threats, the vast amount of data generated is often too much or too complex for most personnel to correlate and understand.
This points again to the importance of human insight and skill – detecting an attack on a single endpoint is no longer the real challenge. Rather, an analyst must determine the extent and motivation of a campaign across multiple endpoints in an environment. The technology’s functionality and data generated must be understood and considered in the context of a number of additional factors, such as the organization’s infrastructure and threat profile. Such knowledge is gained over time and as a result of extensive training, practice and dedication. Therefore, while immense value can be derived from technology, substantial learned knowledge on the part of the analyst is a vital pre-requisite.
The scramble to implement detection controls can also result in deployment without prioritization based on threat profile and real-world attacks. As a result, we often see biases such as large numbers of controls on the perimeter of the IT infrastructure only. In a previous article, we highlighted how most organizations struggle to detect an attack once it has breached their perimeter. Often, this is due to a lack of appropriate detection controls and contextual insight inside the estate. Moreover, heavy investment in perimeter controls commonly results in gaps in analysts’ knowledge of the latter stages of an attack. When an attack escalates beyond the perimeter, these knowledge gaps combine with insufficient technology to make detection and response almost impossible.
Figure 1: The Cyber Kill Chain
The familiar Lockheed Martin Cyber Kill Chain, or a derivation thereof, is an effective framework for the planning, implementation and testing of detection capabilities. Analysts aware of the organization’s detection capability across the full breadth of the Kill Chain will have a clear understanding of where the areas of strength and limitation exist. Such understanding identifies the specific stages of the Kill Chain on which to focus further investment, whether that is collection of logging data for improved visibility, introduction of technologies, or additional use case development for automated alerting.
When mapped to the goals of an organization’s most likely threat actor (for example, an organized crime syndicate or nation state), the Kill Chain can also help to identify the areas of greater vulnerability in an organization. Training and attack simulations of varying difficulty levels across all stages of the Kill Chain will further improve the skills of analysts.
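The two points above, that an analyst must establish the extent of a campaign across many endpoints rather than react to one alert, and that knowing which Kill Chain stages have no detection use case shows where the blind spots are, can be illustrated with a small script. The Python below is an added example, not the article's or MWR's code: the alerts, hostnames, user names, indicator values, rule names and the rule-to-stage mapping are all constructed for illustration, and a real deployment would read alerts from the SIEM and the use-case inventory from its own rule catalogue.

```python
"""Scope a campaign across endpoints and check Kill Chain coverage.

Added example (not from the original article). Alerts, hosts, user names,
rule names and indicators are constructed; the use-case inventory is assumed.
"""
from datetime import datetime, timedelta

# Lockheed Martin Cyber Kill Chain stages, in order.
KILL_CHAIN = [
    "reconnaissance", "weaponization", "delivery", "exploitation",
    "installation", "command_and_control", "actions_on_objectives",
]

# Assumed detection use-case inventory: rule name -> Kill Chain stage it covers.
USE_CASES = {
    "email_attachment_macro": "delivery",
    "office_spawns_shell": "exploitation",
    "new_scheduled_task": "installation",
    "beacon_periodicity": "command_and_control",
}

# Constructed alerts from endpoint tooling; not real data.
ALERTS = [
    {"ts": "2019-03-04T09:01:00", "host": "ws-014", "user": "alice",
     "rule": "email_attachment_macro", "ioc": "invoice.docm"},
    {"ts": "2019-03-04T09:02:10", "host": "ws-014", "user": "alice",
     "rule": "office_spawns_shell", "ioc": "powershell.exe"},
    {"ts": "2019-03-04T09:03:30", "host": "ws-014", "user": "alice",
     "rule": "beacon_periodicity", "ioc": "cdn-update.example"},
    {"ts": "2019-03-04T11:45:00", "host": "ws-031", "user": "bob",
     "rule": "beacon_periodicity", "ioc": "cdn-update.example"},
    {"ts": "2019-03-05T14:20:00", "host": "srv-db01", "user": "svc_backup",
     "rule": "new_scheduled_task", "ioc": "cdn-update.example"},
    {"ts": "2019-03-09T08:00:00", "host": "ws-077", "user": "carol",
     "rule": "email_attachment_macro", "ioc": "salary.xlsm"},
]


def _ts(alert):
    return datetime.fromisoformat(alert["ts"])


def _related(a, b, window):
    """Two alerts belong together if they share a host or an indicator within the window."""
    shared = a["host"] == b["host"] or a["ioc"] == b["ioc"]
    return shared and abs(_ts(a) - _ts(b)) <= window


def correlate(alerts, window_hours=72):
    """Group alerts into campaigns: connected components of the 'related' relation.

    One endpoint alert is only the seed; everything chained to it through shared
    hosts or indicators (transitively) is the campaign's real extent.
    """
    window = timedelta(hours=window_hours)
    parent = list(range(len(alerts)))  # union-find over alert indices

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i in range(len(alerts)):
        for j in range(i + 1, len(alerts)):
            if _related(alerts[i], alerts[j], window):
                parent[find(i)] = find(j)

    groups = {}
    for i, alert in enumerate(alerts):
        groups.setdefault(find(i), []).append(alert)
    campaigns = [sorted(g, key=_ts) for g in groups.values()]
    return sorted(campaigns, key=lambda c: _ts(c[0]))


def summarize(campaign, use_cases=USE_CASES):
    """Describe a campaign's extent and how far along the Kill Chain it is known to be."""
    stages = sorted({use_cases[a["rule"]] for a in campaign}, key=KILL_CHAIN.index)
    furthest = stages[-1]
    covered = set(use_cases.values())
    # Stages after the furthest observed one with no use case at all: the attacker
    # may already be there without having produced a single alert.
    later = KILL_CHAIN[KILL_CHAIN.index(furthest) + 1:]
    return {
        "hosts": sorted({a["host"] for a in campaign}),
        "users": sorted({a["user"] for a in campaign}),
        "first": campaign[0]["ts"],
        "last": campaign[-1]["ts"],
        "stages": stages,
        "furthest": furthest,
        "blind_ahead": [s for s in later if s not in covered],
    }


def coverage_gaps(use_cases=USE_CASES):
    """Kill Chain stages for which the inventory holds no detection use case."""
    covered = set(use_cases.values())
    return [s for s in KILL_CHAIN if s not in covered]


if __name__ == "__main__":
    for c in correlate(ALERTS):
        print(summarize(c))
    print("uncovered stages:", coverage_gaps())
```

With the constructed data, the first four alerts and the later scheduled-task alert on the database server chain together into one campaign spanning three hosts and three users, while the unrelated macro alert days later stands alone. The summary also flags that the campaign's furthest observed stage is command and control and that nothing covers actions on objectives, which is exactly the kind of post-perimeter gap the article describes; shrinking the correlation window (for example to one hour) splits the campaign apart, which is why window choice should follow the organization's own threat profile rather than a default.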