Detection Capabilities Essential Post Compromise – Charles Leaver

By | March 10, 2017

Written by Dr Al Hartmann and presented by Charles Leaver, CEO of Ziften


If Prevention Has Failed Then Detection Is Essential

The final scene of the Vietnam War film Platoon depicts a North Vietnamese Army regiment in a surprise night attack breaching the concertina wire perimeter of an American Army battalion, overrunning it, and slaughtering the stunned defenders. The desperate company commander, grasping the hopeless defensive situation, orders his air support to strike his own position: “For the record, it’s my call – Dump whatever you’ve got left on my position!” Moments later the battlefield is immolated in a napalm hellscape.

Although a physical conflict, this illustrates two aspects of cybersecurity: (1) you must deal with inevitable perimeter breaches, and (2) it can be absolute hell if you do not detect early and respond forcefully. MITRE Corporation has been leading the call to rebalance cyber security priorities to put due emphasis on breach detection in the network interior rather than concentrating solely on penetration prevention at the network perimeter. Rather than defense in depth, the latter produces a flawed “tootsie pop” defense: hard, crunchy shell, soft chewy center. Writing in a MITRE blog, “We could see that it would not be a question of if your network will be breached but when it will be breached,” explains Gary Gagnon, MITRE’s senior vice president, director of cybersecurity, and chief security officer. “Today, companies are asking ‘How long have the hackers been inside? How far have they got?'”

Some call this the “assumed breach” approach to cyber security, or as F-Secure’s Chief Research Officer put it on Twitter:

Question: How many of the Fortune 500 are compromised? Answer: 500.

This rests on the premise that any sufficiently complex cyber environment already contains a compromise, and that Fortune 500 enterprises are of magnificently complex scale.

Shift the Burden of Perfect Execution from the Defenders to the Attackers

The traditional cyber security view, derived from the legacy perimeter defense model, has been that the attacker only needs to be right once, while the defender must be right all the time. An adequately resourced and persistent attacker will eventually achieve penetration. And the time to successful penetration shrinks as the size and complexity of the target enterprise grow.

A perimeter- or prevention-reliant cyber defense model essentially requires perfect execution by the defender, while granting success to any sufficiently sustained attack: a recipe for certain cyber disaster. For instance, a leading cyber security red team reports successful enterprise penetration in under three hours in more than 90% of their client engagements, and these white hats are restricted to ethical means. Your enterprise’s black hat attackers are not so constrained.

To be realistic, the cyber defense strategy must turn the tables on the attackers, shifting to them the unachievable burden of perfect execution. That is the rationale for a strong detection capability that continuously monitors endpoint and network behavior for any unusual indicators or observed attacker footprints inside the perimeter. The more sensitive the detection capability, the more care and stealth the attackers must exercise in executing their kill chain sequence, and the more time, labor and skill they must invest. The defenders need observe only a single attacker misstep to uncover their tracks and unwind the attack kill chain. Now the defenders become the hunters, the attackers the hunted.

The MITRE ATT&CK Model

MITRE provides a detailed taxonomy of adversary footprints, covering the post-compromise segment of the kill chain, known by the acronym ATT&CK, for Adversarial Tactics, Techniques, and Common Knowledge. ATT&CK project team leader Blake Strom says, “We decided to focus on the post-attack period [portion of the kill chain outlined in orange below], not only because of the high likelihood of a breach and the dearth of actionable information, but also because of the many opportunities and intervention points available for effective defensive action that do not necessarily rely on prior knowledge of adversary tools.”

[MITRE figure: the attack kill chain, with the post-compromise portion covered by ATT&CK outlined in orange]
As shown in the MITRE figure above, the ATT&CK model provides additional granularity on the post-compromise phases of the attack kill chain, breaking them out into ten tactic categories. Each tactic category is further detailed into a list of techniques an adversary may employ to accomplish that tactic. The January 2017 update of the ATT&CK matrix lists 127 techniques across its 10 tactic categories. For example, Registry Run Keys / Start Folder is a technique in the Persistence category, Brute Force is a technique in the Credential Access category, and Command-Line Interface is a technique in the Execution category.

Leveraging Endpoint Detection and Response (EDR) in the ATT&CK Model

Endpoint Detection and Response (EDR) solutions, such as Ziften provides, offer critical visibility into attacker use of the techniques listed in the ATT&CK model. For example, Registry Run Keys / Start Folder technique usage is reported, as is Command-Line Interface usage, since both involve readily observable endpoint behavior. Brute Force usage in the Credential Access category should be blocked by design in any authentication architecture and be observable from the resulting account lockout. But even here the EDR product can report events such as failed login attempts, where an attacker may make a few guesses while staying under the account lockout attempt threshold. Counting failures per source across many accounts, rather than per account alone, is what exposes that low-and-slow pattern.
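As an added example (not Ziften's code and not from the ATT&CK project), the following Python pass shows what the three techniques named above look like as detection logic run over constructed endpoint telemetry: Run-key writes, shell process creation, and failed logons counted per source inside a sliding window so that guesses spread across accounts to stay under the per-account lockout threshold are still caught. The hosts, users, paths, addresses and event schema are hypothetical.

```python
"""Toy EDR-style detection pass: maps constructed endpoint telemetry to the
three ATT&CK techniques named in the post. Added example, not Ziften code."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (hypothetical hosts, users, paths and addresses).
EVENTS = [
    {"ts": "2017-03-10T09:00:01", "type": "process_create", "host": "WS01",
     "image": r"C:\Windows\System32\cmd.exe", "parent": "WINWORD.EXE",
     "cmdline": "cmd.exe /c whoami /all"},
    {"ts": "2017-03-10T09:00:04", "type": "registry_set", "host": "WS01",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "Updater", "data": r"C:\Users\bob\AppData\Roaming\upd.exe"},
    {"ts": "2017-03-10T09:05:00", "type": "registry_set", "host": "WS01",  # benign
     "key": r"HKCU\Software\Microsoft\Office\16.0\Word", "name": "Foo", "data": "1"},
]
# Fifteen failed logons from one source, three per account across five accounts:
# under a five-strike per-account lockout, but obvious when counted per source.
for i, user in enumerate(["alice", "bob", "carol", "dave", "erin"]):
    for j in range(3):
        EVENTS.append({"ts": f"2017-03-10T09:1{i}:{j:02d}", "type": "logon_failed",
                       "host": "DC01", "user": user, "src": "10.0.0.5"})
# Two typos by a legitimate user: should not be flagged.
EVENTS += [{"ts": "2017-03-10T09:30:00", "type": "logon_failed", "host": "DC01",
            "user": "frank", "src": "10.0.0.9"},
           {"ts": "2017-03-10T09:30:07", "type": "logon_failed", "host": "DC01",
            "user": "frank", "src": "10.0.0.9"}]

RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")
SHELLS = {"cmd.exe", "powershell.exe"}


def finding(tactic, technique, ev, detail):
    return {"tactic": tactic, "technique": technique, "host": ev["host"],
            "ts": ev["ts"], "detail": detail}


def detect_run_key_persistence(events):
    """Persistence: writes under ...\\CurrentVersion\\Run or \\RunOnce."""
    return [finding("Persistence", "Registry Run Keys / Start Folder", ev,
                    f"{ev['name']} -> {ev['data']}")
            for ev in events
            if ev["type"] == "registry_set" and ev["key"].lower().endswith(RUN_KEYS)]


def detect_cli_execution(events):
    """Execution: a shell was spawned. The parent is kept in the detail because
    an Office parent is far more suspicious than explorer.exe."""
    return [finding("Execution", "Command-Line Interface", ev,
                    f"{ev['parent']} -> {ev['cmdline']}")
            for ev in events
            if ev["type"] == "process_create"
            and ev["image"].rsplit("\\", 1)[-1].lower() in SHELLS]


def detect_brute_force(events, lockout_threshold=5, window=timedelta(minutes=10)):
    """Credential Access: count failed logons per source in a sliding window.
    Per-account counting alone misses an attacker who spreads guesses across
    accounts to stay below the lockout threshold, so the total per source is
    compared with the threshold as well."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["type"] == "logon_failed":
            by_src[ev["src"]].append(ev)
    hits = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        times = [datetime.fromisoformat(e["ts"]) for e in evs]
        start = 0
        for end in range(len(evs)):
            while times[end] - times[start] > window:
                start += 1
            win = evs[start:end + 1]
            if len(win) < lockout_threshold:
                continue
            per_user = Counter(e["user"] for e in win)
            worst = max(per_user.values())
            if worst >= lockout_threshold:
                detail = f"{src}: {worst} failures on one account, lockout expected"
            else:
                detail = (f"{src}: {len(win)} failures across {len(per_user)} accounts, "
                          f"max {worst} per account, below lockout of {lockout_threshold}")
            hits.append(finding("Credential Access", "Brute Force", win[-1], detail))
            break  # one finding per source is enough to start the hunt
    return hits


def run_detections(events):
    return (detect_run_key_persistence(events) + detect_cli_execution(events)
            + detect_brute_force(events))


if __name__ == "__main__":
    for f in run_detections(EVENTS):
        print(f"[{f['tactic']}] {f['technique']} on {f['host']} at {f['ts']}: {f['detail']}")
```

On the constructed data this yields one finding per technique; the brute-force pass reports 10.0.0.5 after five failures across two accounts even though no single account reaches the lockout threshold, while frank's two typos never cross it.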

For attentive defenders, any technique use may be the giveaway that unravels the whole kill chain. EDR products compete on their technique observation, reporting, and alerting capabilities, as well as on their analytics potential to carry out more of the attack pattern detection and kill chain reconstruction, in support of the security analysts staffing the enterprise SOC. Here at Ziften we will lay out more of the EDR solution capabilities that support the ATT&CK post-compromise detection model in future blog posts in this series.
