When facing today’s advanced threat landscape, in-depth layered defence has long been best practice. The first line of defence (other than solid training and system maintenance) is usually around the perimeter: AV, next-generation firewalls and intrusion prevention systems (IPS). Additional layers of defence may include security information and event management (SIEM) systems, data loss prevention (DLP) and newer endpoint detection and response (EDR) solutions.
But there is a blind spot in these layers: after an adversary has breached the perimeter, but before they have compromised key systems and exfiltrated data. It is difficult today to quickly spot, track and thwart advanced malware and attack campaigns precisely at these stages. What is needed is real-time visibility on potential threat activity after the initial exploit, as adversaries reconnoitre your network, look for weaknesses and prepare to exfiltrate data.
Current blind spot
The problem is that perimeter defences can alert on known threats, but have no visibility on an adversary’s reconnaissance, lateral movement, privilege escalation, nor what other systems might be compromised. The reason for this is that Data Loss Prevention (DLP) and Endpoint Detection and Response (EDR) systems alert on suspicious access to and/or theft of critical assets. Unfortunately, they are not designed to spot, let alone track, related attack behaviour occurring across the network.
SIEM systems can provide more visibility, yet they are defensive in nature and reactive to known indicators, which is not optimal when looking to proactively investigate suspicious lateral movement or activity related to new or unknown malware. Filtering out and prioritising real Indicators of Compromise (IoC) from the overwhelming number of alerts can be a serious challenge. In addition, getting a complete picture of an entire attack campaign working across the network is tough and time-consuming.
The most dangerous threats today are not just malware but human orchestrated attack campaigns. The malware component itself is designed to be stealthy, to circumvent layers of security undetected. And they have been successful; many breaches go undetected until a third party alerts the victim.
Better post exploit visibility
What is needed is fast and flexible visibility on the tradecraft of the attacker, after the initial exploit (detected or not) and before data or systems are further compromised: the internal reconnaissance, the lateral movement, external communications, escalated or stolen credentials. With better post exploit visibility businesses can:
- Proactively hunt for human-guided campaigns; investigate to see if currently active threats might be lurking within their network. When speed is of the essence, IT teams can better connect the dots across alerts, systems, and behaviour;
- Optimise existing SOC operations and investments in current security tools, for example faster recognition of false positives and prioritisation of real threats;
- Stop exfiltration and thwart attack campaigns in their entirety. Track the lateral movement of adversaries, systems they’ve touched or payloads dropped, and eliminate all attack components before the damage is done.
Leveraging automation to enhance human capabilities
The scope, quantity of data and speed of the threat environment require post exploit visibility to be automated as much as possible. However, complex attack campaigns are waged by human attackers and, as our experience with AI already demonstrates, there is no analytics machine more complex and sophisticated than the human mind. Automation can never replace the human defenders behind the front lines, but it can assist and enhance their capabilities.
As more is understood about threat behaviour and the processes needed to spot it, automation becomes more practicable – and critical. This is evolving quickly but can already be put into three categories.
- Workflow Automation: automation of the day-to-day SOC workflow, where disparate processes, sometimes manual phone and email communications, or the use of spreadsheets is integrated and automated. This is similar to what occurred with IT help desk automation in the 1990s.
- Automated Analysis: integrating more context-aware threat intelligence for automation-assisted analysis. This ranges from context-aware searching to faster weeding out of false positives through automatic correlation of data from different systems, and to automatically populating SOC investigations with contextual threat intelligence: alongside the specific indicator, display the user, the destination IP (with reputation data) and the port it was using. Here automation can not only reduce manual tasks, but also enable more effective, timely alert triage.
- Automated Threat Response: automated countermeasures on endpoints and networks to respond to threats before data is exfiltrated. This means developing security playbooks and “out of the box” countermeasures; for example, a confirmed malware attack triggers quarantining the host and blocking the IP at the firewall.
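As an added illustration of the Automated Analysis and Automated Threat Response categories above (example code written for this page, not Arbor's own tooling), the sketch below enriches a firewall alert with IP reputation and correlated EDR findings, then maps the combined context to a priority and a playbook action. The reputation feed, EDR findings and alerts are all constructed sample data.

```python
# Added example, not from the original article: alert enrichment, cross-system
# correlation and playbook selection. Every value below is constructed.

# Constructed IP reputation feed: ip -> (verdict, score 0-100)
REPUTATION = {
    "203.0.113.45": ("malicious", 95),
    "198.51.100.7": ("suspicious", 60),
    "192.0.2.10": ("benign", 5),
}
# Constructed EDR findings per host (a known-bad process hash seen on the host)
EDR_FINDINGS = {
    "ws-042": [{"process": "powershell.exe", "known_bad_hash": True}],
    "ws-017": [{"process": "outlook.exe", "known_bad_hash": False}],
}
# Constructed raw firewall alerts as the SOC would receive them
ALERTS = [
    {"id": 1, "host": "ws-042", "user": "jdoe", "dst_ip": "203.0.113.45", "dst_port": 4444},
    {"id": 2, "host": "ws-017", "user": "asmith", "dst_ip": "198.51.100.7", "dst_port": 443},
    {"id": 3, "host": "ws-017", "user": "asmith", "dst_ip": "192.0.2.10", "dst_port": 443},
]

def enrich(alert):
    """Automated analysis: attach reputation data and correlated EDR hits to an alert."""
    verdict, score = REPUTATION.get(alert["dst_ip"], ("unknown", 0))
    edr_hits = [f for f in EDR_FINDINGS.get(alert["host"], []) if f["known_bad_hash"]]
    return {**alert, "rep_verdict": verdict, "rep_score": score, "edr_hits": edr_hits}

def triage(enriched):
    """Automated response: map correlated context to a priority and playbook actions."""
    host, ip = enriched["host"], enriched["dst_ip"]
    # Firewall and endpoint agree: confirmed malware, run the containment playbook
    if enriched["rep_verdict"] == "malicious" and enriched["edr_hits"]:
        return "confirmed", [f"quarantine_host:{host}", f"block_ip:{ip}"]
    # Only one source is suspicious: worth an analyst's time, no automatic countermeasure
    if enriched["rep_verdict"] in ("malicious", "suspicious") or enriched["edr_hits"]:
        return "investigate", [f"open_case:{host}"]
    # Benign or unknown reputation and a clean host: deprioritise
    return "likely_false_positive", []

def run_queue(alerts):
    """Return (id, priority, actions) for each alert, highest priority first."""
    order = {"confirmed": 0, "investigate": 1, "likely_false_positive": 2}
    triaged = [(a["id"], *triage(enrich(a))) for a in alerts]
    return sorted(triaged, key=lambda t: order[t[1]])
```

Running `run_queue(ALERTS)` places the alert corroborated by both the firewall and EDR first, with containment actions attached, while the benign-reputation alert on a clean host drops to the bottom of the queue.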
The real battle with advanced attack campaigns occurs after a breach has already happened. What becomes critical is real-time visibility on attacker tradecraft. Post exploit visibility makes it harder for adversaries to hide, and easier for you to defeat their attacks. It’s time for organisations to fix their cybersecurity blind spot.
Arabella Hallawell, Senior Director, Product Marketing for Advanced Threats, Arbor Networks