Alfie Champion, Security Consultant
November, 2017 (updated October, 2020)
Effective detection is an important factor in any organization’s cyber resilience, because responding to and recovering from an attack is largely contingent on the timely and targeted detection of threats. Research, purple team engagements, and live attacks show patterns in the challenges facing organizations and highlight the most effective ways to meet them.
Phishing remains the go-to technique for attackers, and they are routinely successful at bypassing perimeter controls. 2020 has also been a year of perimeter vulnerabilities, with many high-profile enterprise VPN clients and remote access platforms disclosing critical issues. If these attacks aren’t detected at the perimeter, organizations may struggle to prevent an attacker’s subsequent actions.
Organizations that recognize an excessive reliance on perimeter-based controls can shift their focus to attackers’ post-exploitation behaviors and to the role of internet-facing assets such as applications. Web applications are an organization’s most visible assets, yet organizations rarely introduce detection and response at the application level. Compared with other critical assets, such as the Windows domain, applications offer an earlier opportunity to identify the signs of an attack. If applications are built to log users’ interactions and to alert security analysts to attack indicators within those logs, the organization can respond proactively to prevent a breach, and gains a better awareness of the attacks it faces.
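As an added illustration of this application-level approach (example code, not from the original article), the sketch below takes constructed application log events, classifies each into an attack indicator, and raises an alert when a user's count of an indicator crosses a per-indicator threshold within a time window. The event fields, indicator names and threshold values are all assumed for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Per-indicator thresholds: (count, window_seconds). Assumed values for illustration;
# a real deployment would tune these to the application and its users.
THRESHOLDS = {
    "auth_failure": (5, 60),          # repeated failed logins by one account in a minute
    "validation_failure": (3, 300),   # repeated rejected input from one account in five minutes
    "authz_failure": (1, 0),          # any access to another user's resource alerts immediately
}

def ev(ts, user, action, outcome, src="10.1.1.5"):
    """Build one constructed application log event (an interaction the app itself records)."""
    return {"ts": ts, "user": user, "action": action, "outcome": outcome, "src": src}

# Constructed sample events, in no particular order.
SAMPLE_EVENTS = [
    # alice: five failed logins within forty seconds
    *[ev(f"2020-10-01T09:00:{s:02d}", "alice", "login", "failure") for s in (1, 9, 15, 22, 40)],
    # bob: tries to view an order that belongs to another account
    ev("2020-10-01T09:05:00", "bob", "view_order", "authz_failure", "10.1.1.9"),
    # carol: two validation failures ten minutes apart, then a normal search (stays below threshold)
    ev("2020-10-01T09:10:00", "carol", "search", "validation_failure"),
    ev("2020-10-01T09:20:00", "carol", "search", "validation_failure"),
    ev("2020-10-01T09:21:00", "carol", "search", "success"),
]

def classify(event):
    """Map an application event to a detection indicator, or None for benign activity."""
    if event["action"] == "login" and event["outcome"] == "failure":
        return "auth_failure"
    if event["outcome"] in ("validation_failure", "authz_failure"):
        return event["outcome"]
    return None

def detect(events, thresholds=THRESHOLDS):
    """Return (indicator, user, src) alerts for users whose indicator count reaches its threshold."""
    history = defaultdict(list)   # (indicator, user) -> timestamps still inside the window
    alerts = []
    for event in sorted(events, key=lambda e: e["ts"]):
        indicator = classify(event)
        if indicator is None:
            continue
        limit, window = thresholds[indicator]
        now = datetime.fromisoformat(event["ts"])
        key = (indicator, event["user"])
        history[key] = [t for t in history[key] if now - t <= timedelta(seconds=window)]
        history[key].append(now)
        if len(history[key]) >= limit:
            alerts.append((indicator, event["user"], event["src"]))
            history[key].clear()   # one burst produces one alert, not one per extra event
    return alerts
```

Running `detect(SAMPLE_EVENTS)` yields an alert for alice's login burst and for bob's authorization failure, while carol's slow trickle of rejected input stays below the threshold and produces nothing.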
Though no small feat, cloud adoption and other modern approaches to infrastructure offer further opportunities to build intelligent, attack-aware systems and to remove the reliance on perimeter security.
While attention shifts from the perimeter to network-level detection, and then to endpoint visibility, there has been a growing over-reliance on automated technology. Tools may be purchased and deployed under the assumption that they will detect all threats and serve alerts using increasingly sophisticated analysis techniques, from event correlation and heuristics, to machine learning. This is not the case, however, especially with out-of-the-box configurations.
Even the most advanced tooling is only effective when those using it have the skills to search for and identify malicious activity. Correctly trained security analysts can better configure their technology with alerts specific to their estate and to the behaviors of relevant, high-risk threat actors. Added to this, security analysts must implement team-wide processes to ensure everyone stays ahead of sophisticated threat actors and that tools are configured appropriately.
Many organizations have codified procedures for detecting attacks against their infrastructure, based on a narrow list of expected attack activity. However, the threat landscape and the actors within it evolve at such a rapid pace that many detection processes quickly become obsolete. Sophisticated offensive techniques that were once the prize of an APT’s arsenal are now accessible to unskilled actors. Organizations can continually improve their detection measures by utilizing threat intelligence and a range of testing exercises. Both will help them stay abreast of threat actors’ goals and the attack techniques they employ.
Skill shortages are the norm, but there are still opportunities to improve the detection of advanced threats. Below, we outline two solutions to do so. Though the list is not exhaustive, it contains recommended best practices based on client engagements.
Opportunities to comprehensively assess detection capability are limited. Clearly, organizations can't wait for incidents to discover control failures.
Red team exercises provide a safe learning opportunity, yet they focus on a narrow set of attacker activities and lack a broad appraisal of detection capability. Conventional assessments of security monitoring teams tend to focus on operational efficiency over effectiveness, i.e. the functionality of tasks, not their suitability.
Post-exploitation, defenders need to understand what stage an attacker has reached and, crucially, what their next move might be. This allows you to anticipate and intervene, and to go back and search the right places for further evidence. Decisive action based on a clear understanding of the situation is likely to yield better results.
Organizations are warming to this approach and integrating an attacker mindset into their monitoring teams, either through automated red teaming or through purple team exercises, where red teamers (offensive specialists) collaborate with blue teamers (defensive specialists). The point of both is to expose the monitoring team in the security operations center (SOC) to more attacker tactics, techniques, and procedures (TTPs), including post-exploitation strategies. Maximizing the learning opportunities here is key for development.
One method for learning and development within a SOC (which encourages security analysts to adopt an attacker mindset) is to build a safe “lab” environment. Here, analysts can create their own infrastructure in which to perform attacks and identify scope for detection. These labs can be made to replicate environments the analysts are familiar with, allowing them to test TTPs in a context relevant to their own estate, and continually re-assess their own detection capability.
Technical research by our consultants has resulted in attack simulation tools for use in real engagements. These provide an unlimited number of demonstrations of the attacks that could be deployed against your estate, revealing your SOC’s ability to detect malicious activity across the attack lifecycle. You can then equip your team with the additional people, processes, and tools required to resolve blind spots.
As with all tools, automated red teaming needs suitable tuning to be effective. As an artificial emulation of human behavior, it can't mirror the psychology and unpredictability of a real attack. However, by supplementing your human, offensively-trained staff with automated tools, you broaden your view of potential vulnerabilities within your estate.
Rather than starting with the question of whether your estate can be infiltrated, consider all the ways an attacker will do so, and evaluate whether you could detect them.
There are two key questions to ask yourself about possible attacks and your ability to detect them:
Do you have the right telemetry to detect a potential attack?
Do you have the right skills and resources to use that telemetry to understand what is happening on your estate?
To accurately detect and respond to attacks, your processes and technology must come together as a cohesive function. Only with these interdependent elements working together can you achieve true visibility across your estate.
A broad view of your detection capability is beneficial. However, leveraging the opportunities presented by automation is not always beneficial in itself, and it is unwise to think that automation alone can solve all detection challenges. Automation provides excellent opportunities for augmenting and testing your detection capability, but skilled human intervention remains indispensable to effective detection and response.