Threat hunting using a post breach detection solution fills gaps in a Swiss cheese perimeter
The continued escalation of malware, cyber-criminal activity, geopolitical noise and enterprise confusion on how best to protect assets has caused IT and security pros to seek answers to the question, ‘What is the most effective approach to cyber-security?’
Complicating matters is the variety of security approaches to consider, including network packet analysis, endpoint monitoring, behavior analysis and forensic state analysis. It’s no wonder there’s chaos throughout the enterprise, from the C-suite to IT to front line security operators.
As a result, insufficient security strategies have lingered longer than they should. Just as attack strategies have evolved, enterprise security strategies need to follow suit to keep pace.
Defense in Depth: Tried and True, but is it Enough?
The Defense in Depth model, first developed by the NSA, originates from a military mindset of how to defend a network. Defined as, “a concept in which multiple layers of security controls are placed throughout a system,” its intent was to provide redundancy in the event a security control fails or a vulnerability is exploited. In short, the NSA was creating a best practice strategy for achieving information assurance.
Today, cyber-crime is even more intricate. Two dominant categories of attacks involve crimes that steal money or data for profit, and crimes that pilfer intellectual property. Both destroy businesses, markets and economic spirits.
Solving the problem starts with acknowledging three facts:
- Threats will bypass security defenses;
- They can remain undetected for long periods of time (six months or more); and
- They are difficult to track once a breach has surfaced.
Historically, the shield against cyber-crime has revolved around strengthening a network’s perimeter in an attempt to keep attackers out, while endpoints were defended by automated, but diminishing, anti-virus software. The layering of network and endpoint defenses was quick to take off as a way to implement Defense in Depth, but this “network architecture viewpoint” of depth has significant flaws.
Beyond the obvious runaway costs of Defense in Depth, the model itself does not take into account attacker kill chain models or the complexity of a modern network. Across on-premises, cloud or hybrid environments, and the multitude of entry vectors into a network, Defense in Depth isn’t enough: it leaves a Swiss-cheese-like attack surface that allows attackers to remain undetected and leaves companies, data, people and nations vulnerable.
Once a hacker breaches the perimeter, they open the gateway to an entire network. It doesn’t take much to dig a bit deeper into the host to wreak havoc on an application and access its data. Not only is unauthorized entry an issue, but so is attacker dwell time (how long an adversary lingers undetected).
The Defense in Depth model also falls short in its ability to scale across global IT environments: it attempts to stop attacks at the network and/or host layer by focusing on prevention. For example, when network hosts tap into multiple cloud applications (e.g. social media, shared drives, etc.) that allow the transfer of files and messages, the perimeter becomes porous. Some companies, like Google, are addressing this by adopting a zero trust network approach—where the perimeter isn’t the sole source for defense, but rather devices and users.
Even that type of forward thinking requires an advanced approach that must extend beyond prevention layering. Infocyte has seen IT teams too often rely on false security measures, such as overlapping multiple solutions from a single vendor that end up using the same signature set and techniques to find adversaries. From an interoperability standpoint that might make sense, but from an attacker standpoint, it’s a home run. Once they get through one layer, they’ve basically gained entry to the others as well.
Defense in Depth 2.0
The current Defense in Depth model ignores the possibility that defenses will be breached and focuses almost exclusively on attack prevention. The need for proactive hunting to improve response time and action has never been more apparent.
Advanced cyber strategies embrace the temporal kill chain perspective with a more holistic approach that layers defenses in line with attacker objectives, rather than merely trying to build an impenetrable wall. Defense in Depth 2.0 starts with prevention and monitoring, adds threat hunting and post-compromise detection (along with the assumption that prevention will fail), and wraps it up with response capabilities to eliminate adversaries and risk once detected.
The MITRE ATT&CK model, launched in 2015, provides a good example of a next-gen defensive strategy. It characterizes post-compromise adversary behavior and the tactics, techniques and procedures that advanced persistent threats use to execute various objectives while operating inside a network. By mapping “depth” to adversary objectives along the kill chain, we avoid the trap of relying on the architectural depth of network and endpoint security, and can ultimately achieve true security.
The MITRE model offers an effective way to measure the effectiveness of a hunt team.
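One way to make “depth mapped to adversary objectives” concrete, and at the same time expose the same-signature-set overlap described earlier, is to score a control inventory against the ATT&CK tactics in kill-chain order. The script below is an added example, not Infocyte code and not part of the original article: the technique IDs are real ATT&CK IDs, but the catalogue is a constructed subset with simplified tactic membership, and the control inventory is invented to illustrate the scoring.

```python
"""Score a detection stack against ATT&CK tactics along the kill chain.

Added example (not Infocyte code). Given an inventory of controls, each tagged
with the ATT&CK technique IDs it can detect and the *method* it relies on, the
script reports:
  * tactics with no detection at all (gaps along the kill chain),
  * how many distinct detection methods cover each tactic (real depth), and
  * techniques covered only by several controls sharing one method (false depth:
    layers that fall together once the attacker evades that method).
Technique IDs are real ATT&CK IDs; the catalogue is a constructed subset with
simplified tactic membership, and the control inventory is invented.
"""
from collections import defaultdict

# Enterprise ATT&CK tactics in kill-chain order.
TACTICS = [
    "Initial Access", "Execution", "Persistence", "Privilege Escalation",
    "Defense Evasion", "Credential Access", "Discovery", "Lateral Movement",
    "Collection", "Command and Control", "Exfiltration", "Impact",
]

# Constructed subset of the technique catalogue: id -> (name, tactics it belongs to).
TECHNIQUES = {
    "T1566": ("Phishing", ["Initial Access"]),
    "T1059": ("Command and Scripting Interpreter", ["Execution"]),
    "T1053": ("Scheduled Task/Job", ["Execution", "Persistence", "Privilege Escalation"]),
    "T1055": ("Process Injection", ["Defense Evasion", "Privilege Escalation"]),
    "T1003": ("OS Credential Dumping", ["Credential Access"]),
    "T1021": ("Remote Services", ["Lateral Movement"]),
    "T1071": ("Application Layer Protocol", ["Command and Control"]),
    "T1041": ("Exfiltration Over C2 Channel", ["Exfiltration"]),
    "T1486": ("Data Encrypted for Impact", ["Impact"]),
}

# Constructed control inventory. "method" is the detection approach; two controls
# are only independent layers if they rely on different methods.
CONTROLS = [
    {"name": "Email gateway AV", "method": "signature", "techniques": ["T1566"]},
    {"name": "Endpoint AV", "method": "signature", "techniques": ["T1566", "T1059"]},
    {"name": "NGFW IPS", "method": "signature", "techniques": ["T1071"]},
    {"name": "Volatile memory hunt", "method": "forensic-state",
     "techniques": ["T1055", "T1003", "T1053"]},
]


def techniques_by_tactic(controls, techniques=TECHNIQUES):
    """Return {tactic: set of technique IDs covered by at least one control}."""
    covered = defaultdict(set)
    for control in controls:
        for tid in control["techniques"]:
            for tactic in techniques[tid][1]:
                covered[tactic].add(tid)
    return covered


def coverage_gaps(controls, techniques=TECHNIQUES, tactics=TACTICS):
    """Tactics with no detection at all, in kill-chain order."""
    covered = techniques_by_tactic(controls, techniques)
    return [t for t in tactics if not covered.get(t)]


def method_depth(controls, techniques=TECHNIQUES, tactics=TACTICS):
    """{tactic: number of distinct detection methods covering it}.

    A count of 1 means every control on that tactic shares one method, so a
    single evasion defeats the whole "stack" for that adversary objective.
    """
    methods = defaultdict(set)
    for control in controls:
        for tid in control["techniques"]:
            for tactic in techniques[tid][1]:
                methods[tactic].add(control["method"])
    return {t: len(methods.get(t, ())) for t in tactics}


def false_depth(controls):
    """Techniques covered by two or more controls that all use the same method."""
    by_technique = defaultdict(list)
    for control in controls:
        for tid in control["techniques"]:
            by_technique[tid].append(control)
    return {
        tid: [c["name"] for c in cs]
        for tid, cs in by_technique.items()
        if len(cs) >= 2 and len({c["method"] for c in cs}) == 1
    }


if __name__ == "__main__":
    print("Kill-chain gaps:", ", ".join(coverage_gaps(CONTROLS)))
    for tactic, depth in method_depth(CONTROLS).items():
        print(f"{tactic:<22} methods covering: {depth}")
    for tid, names in false_depth(CONTROLS).items():
        print(f"False depth on {tid} ({TECHNIQUES[tid][0]}): {names}")
```

Run on the constructed inventory, the script reports five tactics with no detection at all (Discovery through Impact, apart from Command and Control), shows that only Execution is covered by two independent methods, and flags T1566 as covered by two products that share one signature-based method. The same scoring can be rerun after each hunt to track whether the hunt team is closing the tactics that matter rather than adding more controls to tactics already covered.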
Improve your cyber-security strategy
Regardless of financial or human resources, changing our security operations mindset is required to protect critical assets, reduce dwell time and limit risk.
- Review overlapping capabilities and monitoring tools, and replace them with advanced Defense in Depth 2.0 strategies that address various portions of the kill chain.
- Consider the MITRE ATT&CK Model a baseline standard for operation.
- Don’t wait for alerts: assume breach and endpoint compromise, then mitigate.
- Be proactive with agentless, scalable volatile memory analysis, compromise assessment and threat hunting solutions.
Finally, hunt, or be hunted!
About the Author
Retired US Air Force officer, Chris Gerritz (@gerritzc), is a pioneer in US defensive cyberspace operations. He had a significant role in developing the Air Force’s first interactive Defensive Counter Cyberspace practice and is now Founder of Infocyte, a post breach detection technology leader. Infocyte’s unique approach to security reduces attacker dwell time to help organizations defend networks and critical information. www.infocyte.com | @InfocyteInc