First, read Jack's post, Don't wait for an intrusion to find you.
Next, read this post (The Blue Team Myth).
Notice any similarities...not in content, but in the basic thought behind them?
Yeah, me, too. Great minds, eh? Okay, maybe not...but
So, you're probably wondering what this has to do with Ghostbusters...well, to many, an intruder within the infrastructure may seem like a ghost, moving between systems and through firewalls, apparently like an apparition. One thing I've seen time and again during incident response is that an intruder is not encumbered by the artificialities of an infrastructure, where someone shouldn't be able to access systems, due either to policies and roles, or to local laws (European privacy laws, etc.). Yeah, that doesn't stop an adversary.
Jack's right about a number of things. First, the old adage about an intruder needing to be right once, and a network defender needing to be right all the time is...well...wrong. Consider this...prevention, by itself, is ineffective. In defending a network, you need to include prevention, detection, and response in your security plan. Given that, what is the adversary's definition of success? What is their goal? Once you arrive at what you believe to be the adversary's goal, you'll realize that there are plenty of opportunities for defenders and responders to "win", to get inside the adversary's OODA loop and disrupt/hamper/impede their activities.
Jack is exactly right...an intruder needs to accomplish five stages in order to succeed, and all five of those stages require one thing in common...execution of commands. Something has to run on the systems. Doesn't it then make sense to have some sort of process creation monitoring in place, such as Bit9's Carbon Black, or MS's Sysmon?
Here's another way to look at it...in the beginning of my blog post, I mention two annual security/threat reports, and describe what some of the statistics mean. In short, one metric that the investigators report on is dwell time...how long (as far as they can tell based on the artifacts) a targeted actor was embedded within the infrastructure before being detected. What this means is that when investigators look at the available data, they're able to determine (at least up to a point) the earliest indicators of the adversary's activities, be it early indicators (use of web shells), or the actual initial infection vector (IIV), such as a strategic web compromise, or an email with a link to a malicious site, or with a weaponized document attached. The point is that the investigators are able to find indicators...Registry keys/values, Windows Event Log records, etc...of the adversaries activities. And all of these are indicators that could have been used to detect the adversaries activities much sooner.
Finally, one other thought...Jack's steps 4 and 5 are cyclic. Wait...what? What I mean by that is that following credential theft and establishing persistence, the adversary needs to orient to where they are and begin taking steps to locate data. What are they looking for, what are they interested in, and where is located? Is the data that the adversary is interested in on a server someplace (file server, database server), or are there bits of the data that they're interested in located on workstations, in emails, reports, spreadsheets, etc.? So, what you may see (assuming you have the instrumentation to observe it) is the adversary collecting data for analysis in order to assist them in targeting the specific information they're interested in; this might be directory listings, emails, etc. You may see this data exfiltrated so that the adversary can determine what it is they want.
OK, so I tweeted this post as great. Actually it is very good. It becomes great when you take it in combination with the two blog posts referenced and some honest thought. Most Corporate Security dollars seem to be spent on the Prevention element mentioned here. The powers that be think we can a or should be able to, prevent intruders from our environments. They willingly (or begrudgingly) plunk down money to buy FWs and IDS. But little or no thought or money goes to the detection and response to intrusions. How well equipped are our labs, and how much time freedom do we have to detect and identify artifacts and evidence of an intruder. Our leadership want us to do OODA backwards, we are pressured to Act first, then they decide if our actions were correct and warranted. The opportunity to Observe and orient our work is rare.The real failure is that we as practitioners get accustomed to operating this way and have become resigned and do not challenge myths. We have to start in even small ways to reinforce reality not myth. A great post doesn't have to be earth shattering or break new techno ground, it just needs like these three to generate thought and conversation among those who undertake these tasks.
ReplyDelete...generate thought and conversation...
ReplyDeleteI greatly appreciate the comment.
Bill, I think you hit the nail on the head when you said time and freedom. Many people are of the opinion that simply deploying technology will put them in a position to identify bad in their network and that is good enough. This simply isn't the case. It takes a lot of time and effort to first identify what you are concerned about, researching those use cases so that you know what it looks like and if you can currently detect those things. If a company is lacking the detection then time is needed to develop ways that they can so that they are confident they will be able to find it *when* it happens. This is time consuming, but needed if a company truly want's to identify intrusions. It's also a never ending cycle. Someone should never be done.
ReplyDeleteI totally agree, security analysts and engineers need freedom and time to explore and understand. Prevention technologies are important but so is information gathering and correlation leading to detection. We as defenders will have to do a better job to be proactive and get intimate with our environment, which requires patience and time.
ReplyDeleteThanks
Mazin