Advanced Defense Posture Assessment

Advanced Defense Posture Assessment: Analytical Tradecraft to Evolve Detection Capability and Precision

NG-OPS Advanced Defense
Defensible Security Posture
APT Detection Framework

Multi-dimensional Targeted Threats continue to evolve and exploit vulnerabilities that lead to significant loss of data and resources for organizations of all regions and sizes. These attacks are very much today’s news. They represent a danger to an organization’s intellectual property, financial assets and reputation.

Advanced Defense Posture
The era of advanced threats calls for a new approach to information security. When dedicated cyber adversaries have the means and methods to elude commonly used defenses, such as signature based detection, it is clear that conventional approaches are no longer sufficient.

“Breaches happen in hours but often go un-detected for weeks or even months.”

Advanced targeted threats present challenges that are distinct from traditional security risks. There are too many entry points in today’s virtual enterprise, too many individual endpoint security solutions triggering alerts, too much security threat intelligence to process in real-time. More importantly, there are too few trained personnel who can spot and respond to advanced threats.

The pain points all cry out for a common holistic solution: Advanced Defense based upon Actionable Intelligence and ever evolving Analytical Tradecraft to continually improve detection capability and precision.

Detection Precision versus Cost

This blog is a part of the new Smart Practices Series complemented by the NG-OPS Advanced Security Series which will drill into greater details on the methodology and concepts used by these proposed advanced best-practices. Advanced Defense takes your organization to the next-level of detection capability.

Potential Benefits

  • Baseline and Validate Defensible Security Posture
  • Benchmark against Advanced Defense Reference Architecture (see NG-OPS Advanced Defense series)
  • Identify Gaps in Detection Capability, Visibility, Precision
  • Develop Advanced Defense Strategy & Roadmap with Continuous Analytical Improvement

Features

  • Leverage Intrusion Kill Chain
  • Advanced Defense Reference Architecture
  • APT Detection Framework
  • Defensible Actions Matrix
  • Develop Advanced Defense Strategy & Roadmap

Advanced Defense

Today’s cyber security paradigm is a reactive cycle: when a threat is exposed, it is analyzed and a counter-solution is designed with response times varying from weeks to years. The trouble is that attackers can easily reuse pieces of previous malware, modify them, and create a brand new threat, bypassing the newly updated security measures.

In today’s threat environment the only constant is change. In fact, everything is changing – the way our users work, the types of adversaries we face, and the techniques hackers use to infiltrate our networks. Such threats have become even more sophisticated than ever, bringing new risks and uncertainties that require more visibility in operations.

Attack vs Defense

The Attacker versus Defender View

The need for an Advanced Defense mindset is evident across the industry. Technologies will continue to improve but in parallel we do need to ensure that we also evolve and improve our security detection capability and precision, processes as well as invaluable resources and skills.

“Attackers are constantly evaluating their methods and improvising new techniques.
Defenders must think in those same fluid terms to keep pace.”

Advanced Defense Posture (ADP) Assessment

An ADP assessment evaluates your organization’s evolving ability to detect, contain, investigate and respond to a targeted or advanced threat. The assessment methodology is designed to help organizations to, as follows:

  • Understand defensible security posture
  • Benchmark and validate ability to address stealthy targeted threats
  • Take proactive actions to continually improve detection capability and precision
  • Use a set of indicators or behaviors to enhance situational awareness.

Leveraging the Intrusion Kill Chain

The Advanced Defense Posture assessment makes use of the Intrusion Kill Chain. In any targeted attack there are typically a pre-defined set of phases that act as a ‘signature’. The importance is not that this is a linear flow – some phases may occur in parallel, and the order of earlier phases can be interchanged – but rather how far along an adversary has progressed in order to be able to quickly detect, contain and, respond.

Intrusion Kill Chain

Simplified View of Intrusion Kill Chain

The intrusion kill chain becomes a model for actionable intelligence to help align organizational defensive capabilities to the specific processes an adversary undertakes to target your organization.

The end goal of this is to analyze the data for patterns of attack methods, behaviors of distinct hostile actors, and other indicators which can inform the development of unique adaptive and agile responses. The assessment addresses key questions, for example:

  • What scenarios do we need to be able to detect?
  • What are our options for detecting them?
  • What are the strengths and weaknesses of our detection program today?
  • What is our detection stance against specific actors?
  • What is our overall plan for detection across our enterprise?

ADP Assessment Methodology

The ADP assessment process should include:

ADP-A Methodology

Advanced Defense Posture Assessment Methodology
  • Baseline Current Defensive Posture
    • Conduct discovery sessions to clearly identify defensible architecture, key assets/services and, posture
    • Document baseline across Intrusion Kill Chain using APT Detection Framework
  • Reference Architecture Analysis
    • Identify tools, tactics, techniques  gaps and improvements in detection capability/precision using Advanced Defense Reference Architecture to establish goal  (see NG-OPS Advanced Defense series)
  • Identify Defensible Actions Matrix
    • Determine detection toolset, i.e., tactics, techniques and, procedures to Detect, Deny, Contain, Disrupt Eradicate, Deceive or, Recover
  • Develop Advanced Defense Strategy & Roadmap
    • Develop Advanced Defense Strategy & Roadmap to remediate gaps, deploy improvements and, leverage continuous improvement  (see NG-OPS Advanced Defense series)

Conclusion

Recent incidents clearly demonstrate that cybercriminals can conduct operations that involve intrusion, lateral movement, and data exfiltration in complex networks secured to current best-practices. Attackers can adapt their attack techniques to the unique circumstances of targeted environment.

This level of resourcefulness points to the realization that current best-practices and regulatory compliance are a necessary minimum baseline but are not sufficient alone. Today there is an increasing need for organizations to progressively evolve and advance from current security posture to a more defensible and advanced defense program with visibility, validation and, vigilance.

My solutions include the adoption of a security architectural and design foundation approach that compartmentalizes breaches into managed zones on networks and on endpoints. To strategically leverage the Adaptive Zone Defense series of blogs to develop an innovative architecture foundation with well-organized applications and services, managed communications and – good visibility to flows and logs that can actually detect the cyber kill chain activity and stop the breach.

This requires an ongoing lifecycle process with evolving actionable intelligence and analytical tradecraft to take the now legacy, rapidly deployed and complex infrastructure to consolidate it into a new core foundation based on the architecture/design blueprint, while continually evolving the blueprint based on new business requirements, technology solutions and, regulatory requirements, for more information see: Adaptive Security Lifecycle.

Coming Soon

  • APT Detection Indicators – Part 4: Behavioral Indicators Lifecycle
  • APT Threat Analytics – Part 3: Targets, Threat Actors, Scenarios & Modeling
  • NG-OPS Advanced Defense – Part 2: Analytical Tradecraft Practices
  • NG-OPS Advanced Defense – Part 3: Network Profiling and Validation

Thanks for your interest!

Nige the Security Guy.

NG-OPS Advanced Defense – Part 1

NG-OPS Advanced Defense – Part 1: Identifying Defense Gaps & Improving Visibility

NG-OPS Strategy Guide
Advanced Defense Posture Assessment
NG-OPS Advanced Defense – Part 2

Today’s cyber security paradigm is a reactive cycle: when a threat is exposed, it is analyzed and a counter-solution is designed. The trouble is that attackers can easily reuse pieces of previous malware, modify them, and create a brand new threat, bypassing the newly updated security measures [1].

NG-OPS Advanced Defense

There are too many APT entry points in today’s virtual enterprise, too many individual endpoint security solutions triggering alerts, too much security threat intelligence to process in real-time. More importantly, there are too few trained personnel who can spot and respond to advanced threats. The pain points all cry out for a common holistic solution: NG-OPS Advanced Defense.

APT Prevalent Dangerous

The APT Conundrum and Challenges

Many organizations suffer from a lack of detection capability and precision, holistic situational awareness and behavioral anomaly detection, i.e., visibility. There is  too broad an attack surface, gaps in defense and, integration issues that together lead to reduction in the ability to detect, contain and respond to targeted attacks.

The typical challenges include, as follows:

  • Focus on prevention approach to address threat landscape
    • Fails to address increasing attack complexity and persistence with enough efficacy
  • Investments in protection model out of balance with today’s threat landscape
    • Technologies that don’t work together
  • Uncoordinated monitoring and compilation of security events & threats
    • Flood of unmanageable data = “Loss of visibility”
  • Organizations lack visibility into defense gaps, to enhance detection capability and precision
  • Organizations have not fully leveraged the kill chain life cycle approach
    • Reason why attackers are continuing to be so successful.
  • Common security architectures and compliance regimes are not prioritizing methods to address the kill chain

Reallocate Security Spend

Re-allocate Budget to Advanced Security Capabilities

The Changing Threat Environment

There is a growing need and urgency to evolve towards Advanced Security with a continually improving Detection, Containment and Response Capability. This is fundamentally due to cybercriminals doing their homework on organizations and waging a fierce, persistent campaign to find any possible way to get a foothold. Attackers have a fine tuned malware development process that is increasing in efficiency.

  • Evolving Malware Development Process
    • Create Malicious Tool (x 1)
    • Obfuscate Malware, Create Permutations (x 10,000)
    • Test against Detection Engines (OK)
    • Deploy Un-Detected Samples
  • Availability of Malware Tools
    • Results in high degree of Attack Automation
    • From systematic identification of targets to fully automated exploitation
  • Leads to increase in opportunistic attacks
    • Attacker no longer needs expertise or special skills

Malware Development

Malware Development Increases in Efficiency

Detection is the Weakest Link

Common intrusion detection methods are lacking in their ability to detect multi-step blended and targeted attacks.

Breach Detection Timespans

The Signature of an APT

A targeted attack aka advanced persistent threat (APT) is a targeted effort to obtain or change information by means that are difficult to discover, difficult to remove and difficult to attribute.

APT Attack Kill Chain 2

First – the bad guys get in. Always. It doesn’t matter if it’s social engineering, phishing, or some contractor organizations didn’t watch closely enough.  Sooner or later they find the weak spot and they exploit it – despite all of the best plans to keep them out. Target retail stores learned this the hard way. Who would have guessed that an HVAC system could be a point of weakness?

Case Study: The Target Attack Step-by-Step

In December 2013 – Target announced that it had been breached by attackers who had gotten away with 70M customers’ Personal Identifiable Information (PII) and 40M credit cards, financial damages currently stand at $148M, and are estimated to reach $1B. A high-level summary of the steps taken mapped to the kill chain are:

Target Kill Chain

  • Install malware to steal credentials from Target’s HVAC vendor.
  • Connect using stolen credentials, enables access to Target’s application dedicated to vendors.
  • Exploit a web application vulnerability on Target’s Web interface enables the attackers to execute code on Web application server.
  • Search relevant targets for propagation by LDAP querying Active Directory from the Web application’s server.
  • Steal access token from Domain Admin of the previously connected Domain Admin from the memory of application server.
  • Create new Domain Admin account using the stolen token in AD.
  • Propagate to computers using the new Domain Admin credentials
  • Steal 70M PII. Do not find credit cards, data is extracted using SQL
  • Steal 40M Credit Cards. The data is extracted by the Kaptoxa malware from the memory of the POS system.
  • Send stolen data to an FTP server in Target’s internal network.
  • Send stolen data via FTP to attackers-controlled FTP server.

Enabling Advanced Defense

Second – once they are in, organizations better figure out how to spot them. Developing, tuning, optimizing and evolving situational awareness and behavioral analysis allows network anomalies to be used to detect the different stages of APTs using various indicators.

  • Factors associated with APT attacks include the following:
    • Sudden increases in network traffic, outbound transfers
    • Unusual patterns of activity, such as large transfers of data outside normal office hours or to unusual locations
    • Repeated queries to dynamic DNS names
    • Unusual searches of directories and files of interest to an attacker, e.g., searches of source code repositories
    • Unrecognized, large outbound files that have been compressed, encrypted password-protected
    • Detection of communications to/from bogus IP addresses
    • External accesses that do not use local proxies or requests containing API calls
    • Unexplained changes in the configurations of platforms, routers or firewalls
    • Increased volume of IDS events/alerts

Attacker Defender View

Proactive Defensive Measures to Address Unknown Threats

Coming Soon

In NG-OPS Advanced Defense – Part 2  we will further develop the concept of developing and evolving an Advanced Defense security posture that identifies any gaps, improves detection capability and precision, enables proactive defensive measures to address unknown threats and — holistically integrates and operates continuous intelligence, detection and, response.

NG-OPS Ecosystem

In order to help organizations reduce operational overhead the NG-OPS Strategy Series will also include the following blog articles (although topics will be added as the theme develops and evolves):

  • NG-OPS SOC Version 2.0: Build a Next Generation Security Operations Center to protect critical assets
  • NG-OPS Evolving a SOC Team: Building, Nurturing and Evolving Security Operations Staff
  • NG-OPS Operational Maturity: Migrating from Reactive to Dynamic Defense and Cyber Resilience
  • NG-OPS Automation & Orchestration: The Next Big Thing: Automation and Orchestration
  • NG-OPS Threat Modeling: Manage complex systems using a structured methodical framework
  • NG-OPS Risk Management 2.0: Shifting focus from technical assets to critical business processes
  • NG-OPS Smart Telemetry: Leveraging 3 levels of telemetry: End-point, Gateway and, Infrastructure
  • NG-OPS Security DevOps: The critical convergence of security and IT operations with DevOps 

This new NG-OPS Strategy Guide builds upon and enhances the current APT Strategy Guide and Security Architecture Series Guide introducing a whole new set of topics into the framework.

Nige the Security Guy Bio

NigetheSecurityGuy

Nigel is a Chief Security Architect with 30 years of international experience in Security Operations, Management, Research, Development and Security Services. He started his career as an assembler programmer who was contracted by the US DoD to develop secure operating systems with multi-level security and preclude covert channels. Nigel is a passionate evangelist who loves working with organizations to share thought leadership and practical strategy to help defend against advanced targeted threats.

Sources:

[1] Why cyber criminals are winning: The secret weapon of the black hats

[2] ISMG Advanced Persistent Threats Survey: New Strategies to Detect, Prevent, and Defend

Thanks for your interest!

Nige the Security Guy.