The More Details You Extract from Security Incidents, the Better You Can Architect Your Defense to Prevent Similar Attacks
Traditional approaches to security are typically “spray-and-pray”: they provide controls that block known bad activity, usually with limited follow-up or additional investigation after a breach.
More sophisticated organizations are deploying technologies such as sandboxing that can detect and block unknown attacks which haven’t been seen before. In the moments after a breach, security teams will often focus on the event itself, but not draw additional insight from the attack, or analyze the events surrounding it.
These approaches can miss a fundamental truth of advanced attacks: they are not “point-in-time” activities, but sets of events that could occur over weeks, or potentially months or years. Advanced attackers will conduct a wide range of activity, such as in-depth recognizance, initial probes, small-scale infections to deliver second- or third-stage malware, and much more. The breach itself is the culmination of a continuous set of activities conducted over an extended period of time. Each and every step in this process, often referred to as the cyber attack lifecycle, represents another chance to detect and prevent the adversary.
When you simply try to remediate the results of a successful attack, or block that specific activity from occurring in the future, you are missing a priceless opportunity to gain context around that incident, such as “who,” “how,” and “why.” To put it clearly: the more information you extract from these events, the better you can architect your security posture to prevent a similar event from occurring again.
Malicious actors can easily change the malware they use, but it is much harder for them to augment their tools, tactics and procedures (TTPs), which can be used to detect activity from that group in the future.
For example, let’s compare two scenarios:
1. You detect that an unknown piece of malware has infected one of your machines. You re-image that device, and ensure a signature exists for that malware in the future.
2. You detect that unknown piece of malware and do additional research to piece together a series of events that led up until that infection. You discover that the methods used in this attack are similar to those used by a well-funded and persistent group operating out of a foreign county.
In the first scenario, you’ve fixed the immediate problem and added a rule to prevent the exact same activity from happening again. But in the second scenario you have not only fixed the immediate problem but also determined who is after you, how they operate, and what specific steps beyond deploying a signature you can take to protect your network. This kicks-off a series of intelligence-driven actions that could lead to identifying additional infected machines and backdoors that have been planted by the adversary. Applying the intelligence you’ve obtained, you can look for the specific RATs used by the group, or a set of indicators you would not have known to look for before.
You are also making more efficient use of the limited time your security team has to spend on analyzing events. For instance, a low-level cyber-crime group would require a vastly different response than state-sponsored cyber-espionage, as the sophistication levels will vary greatly between the two and your security team knows what to prioritize.
The good thing is you are not alone in this battle. There are a variety of public sources, information sharing organizations, vendor research releases, and analytics services to help boot-strap your adversary intelligence. The more information you gain and the better you get at analyzing it, the more you can craft your security policy to prevent the specific adversaries that are likely to go after your organizations. When a breach occurs, take it as an opportunity to step back and examine the wider context of who is attempting to breach your network and what you can do to prevent it in the future.
Credit: Scott Simkin