In Part 1, we set a baseline for understanding the concepts for how adversaries handle a key aspect of their attacks - remaining invisible from the "eyes" you have on your network to detect their presence. Part 2 illuminates why we need to redirect our focus to stopping attacks before they start.
Cyber defenders use a variety of tools and techniques to improve their detection capabilities. Some of the most commonly used tools include EDR/MDR/XDR, endpoint protection (EPP), network monitoring, security information & event management (SIEM), and behavioral analysis (UEBA). AI and machine learning have been incorporated into these tools, and we can anticipate that it will accelerate in the future. But adversaries are incorporating AI into their methods as well.
What is EDR/MDR/XDR/SIEM/UEBA?
Most of you reading this article are familiar with these terms, so skip forward if this is elementary for you. We’re including these definitions so that we’re setting a baseline for these terms for all readers.
EDR provides advanced threat detection and response capabilities on endpoints such as laptops, desktops, servers, and mobile devices. EDR solutions typically collect and analyze data from endpoint activities and behaviors to identify suspicious activities that may indicate a security incident. EDR solutions also typically provide incident response capabilities to help security teams respond to security incidents on the endpoints.
MDR is a threat detection and response service delivered by a third party, generally referred to as an MSP or MSSP. MDR services typically combine analytics, threat intelligence, and security analysts who assess and respond to incidents.
XDR merges data from endpoints, networks, cloud services, and applications. This provides a more comprehensive view of threats and intrusions. These solutions have begun to incorporate machine learning into their technology.
While EDR/MDR/XDR are oriented toward detecting and responding to threats, SIEMs analyze security logs and correlate events, looking for patterns and signatures that indicate problems. UEBA incorporates network traffic flows and endpoint agent data along with advanced machine learning analysis, providing insight into the organization’s security posture. These technologies are converging, so expect to see interesting developments and acquisitions.
Challenges for Detect-and-Respond Technologies
All these technologies detect and respond to malicious activity. But detecting and responding are far from foolproof. As we’ve pointed out, attackers are advancing their methods for evading detection at an accelerated pace. The effectiveness of MDR/XDR technologies in detecting intruders inside a network depends on the sophistication of attacks, the quality and configuration of the solutions, and the overall security posture of the organization.
MDR/XDR solutions are not as effective as they need to be because they rely on a pattern- or sequence-based approach to threat detection. Because they look for specific patterns or indicators of compromise (IOCs) to identify threats, attackers can evade detection with techniques such as malware obfuscation, fileless attacks, and living off the land, which makes it difficult for MDR and XDR tools to identify threats.
For instance, adversaries use lateral movement early in the attack flow and then, once they move into the evasion phase, build a mesh of compromised devices that slowly increase certain behaviors on the network so that no single device trips an anomalous-behavior alarm threshold. They distribute activity across a number of devices, in more or less a "crowdsourcing" type of concept, so that events fall under the detection threshold of MDR/XDR, UEBA, and SIEM tools because each device generates only a small amount of traffic. This method is often used in conjunction with techniques like multi-stage payloads, which allow the attacker to deliver a series of small payloads over time, each designed to evade detection.
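The "crowdsourced" evasion described above is easiest to see by putting a per-device rule next to an estate-wide one. The following is an added example, not code from the original post or from any product it mentions: it builds a constructed set of connection events in which ten workstations each probe only four internal addresses in the same hour (well under a per-host limit), then shows that pooling the destinations reached by all hosts in that window surfaces the discovery activity anyway. The thresholds, host names, addresses and log layout are all assumptions chosen for illustration.

```python
"""Added example (not from the original post): a detection that aggregates
low-volume discovery activity across many hosts so that distributed scanning,
where every host stays under its own per-device threshold, still surfaces at
the organisation level. Thresholds, log layout and hosts are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(hours=1)
PER_HOST_THRESHOLD = 10   # distinct destinations one host may touch per window
ORG_THRESHOLD = 25        # distinct destinations the whole estate may touch per window


def _window_key(ts: datetime, window: timedelta = WINDOW) -> int:
    """Bucket a (UTC) timestamp into a fixed-size window; returns the bucket id."""
    return int(ts.timestamp() // window.total_seconds())


def per_host_alerts(events, threshold=PER_HOST_THRESHOLD):
    """Classic per-device rule: alert when a single source contacts more than
    `threshold` distinct destinations inside one window."""
    seen = defaultdict(set)  # (window, src) -> {dst}
    for ev in events:
        seen[(_window_key(ev["ts"]), ev["src"])].add(ev["dst"])
    return [
        {"window": w, "src": src, "distinct_dst": len(dsts)}
        for (w, src), dsts in sorted(seen.items())
        if len(dsts) > threshold
    ]


def aggregate_alerts(events, threshold=ORG_THRESHOLD):
    """Cross-host rule: pool the destinations reached by *any* source in a window.
    Discovery spread thinly over many hosts still adds up here, and the alert
    records how many sources took part so an analyst can see the mesh."""
    dsts_by_window = defaultdict(set)
    srcs_by_window = defaultdict(set)
    for ev in events:
        w = _window_key(ev["ts"])
        dsts_by_window[w].add(ev["dst"])
        srcs_by_window[w].add(ev["src"])
    return [
        {"window": w, "distinct_dst": len(dsts), "sources": len(srcs_by_window[w])}
        for w, dsts in sorted(dsts_by_window.items())
        if len(dsts) > threshold
    ]


def build_sample_events(n_hosts=10, probes_per_host=4):
    """Constructed sample: n_hosts workstations each probe probes_per_host distinct
    internal addresses within the same hour, none of them individually noisy."""
    base = datetime(2024, 1, 1, 9, 0, 0, tzinfo=timezone.utc)  # constructed
    events = []
    for i in range(n_hosts):
        for j in range(probes_per_host):
            events.append({
                "ts": base + timedelta(minutes=i * 5 + j),   # all inside 09:00-09:59
                "src": f"ws-{i:02d}",                        # constructed host name
                "dst": f"10.0.0.{i * probes_per_host + j + 1}",  # constructed address
            })
    return events


if __name__ == "__main__":
    sample = build_sample_events()
    print("per-host alerts:", per_host_alerts(sample))     # nothing fires
    print("aggregate alerts:", aggregate_alerts(sample))   # one window: 40 dsts, 10 sources
```

The point of the second rule is not the particular threshold but the grouping key: counting by source is exactly the dimension the attacker has spread activity across, so the counter has to be keyed on something the attacker does not control, here the window alone (a subnet, destination port or account could serve the same purpose). The `sources` field also gives a cheap triage signal, since a large number of distinct internal sources touching a large number of distinct destinations in one hour is unusual for ordinary workstation traffic.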
Most organizations focus their budgets and resources on detecting and responding to malicious actors. But, there is a growing movement towards more proactive means of building attack vector-based defenses.
The costs are high: maintaining an active technology base (MDR/XDR/UEBA/SIEM/SOAR), detection analysts, incident response efforts, and chasing down false alarms. Red/purple team exercises are good for discovering new evasion techniques and developing new defenses, but it is expensive to always be on the defense, always reacting and responding.
The simplest, yet most effective, approach to changing how we defend our organizations is to focus on attack vectors rather than the controls focus that our industry largely holds today. Cybersecurity Ventures estimated that spending on threat detection and response technologies, which includes SIEM, EDR, and MDR, will reach $23.8 billion by 2025, representing a 10.6% compound annual growth rate from 2020. The SANS 2020 Cybersecurity Spending Survey indicated that the FTE cost for the SOC and response team functions is close to 50% of the cybersecurity workforce budget. McKinsey & Co.'s "Cybersecurity Trends: Looking Over the Horizon" says that 70% of organizations’ cybersecurity spend is on “attack and post attack activity”.
How to Make the Most of Prevention and Detection
To fill the gaps in detect-and-respond, organizations are turning their focus toward implementing prevention technologies and to more "behavioral-based" detections, such as UEBA and next-generation XDRs to improve threat detection. UEBA involves monitoring system behaviors and traffic flows to find anomalies. To build more prevention technologies into your strategy, the following list is prioritized by their general effectiveness and value in interrupting adversaries’ kill chain progression:
1) When implemented together, zero trust, microsegmentation, and device cloaking prevent many techniques: initial access, lateral movement, and discovery. Stopping these exploits, which are early in the kill chain, prevents any further exploits. There are critical design parameters that must be taken into account when implementing these technologies. In fact, Gartner predicts that “60% of organizations will embrace zero trust by 2025. But, more than half will fail to realize the benefits.” To make sure you are in the 50% that will achieve the promise of zero-trust, the detailed results produced by this vendor-neutral network security assessment are an excellent place to start.
2) Endpoint Protection (EPP) comes in many forms: device firewalling, antimalware, application whitelisting, encryption, EDR, and web & phishing prevention. There are limits to what most EPP solutions can do to protect against malicious behavior. The biggest problem is that EPP software and agents run as device drivers or applications controlled by the operating system. Adversaries' evasion techniques go right to the core of this foundational weakness: once a device is compromised, EPP protections can be bypassed, disabled, obfuscated, or blocked.
3) Vulnerability management and patching are foundational. At the same time, patching isn’t for every device, such as legacy devices, unprotectable and unmanageable devices, devices restricted by limited CPU power, and government-regulated devices. Compensating controls, especially device cloaking and device firewalling (external to the operating system), are extremely effective, generally even more effective than air gaps.
4) Penetration tests and red/purple teams remain critical activities to keep team members sharp and to know how to respond when all the other protections fail.
5) User awareness gets a bad reputation since user behavior is often referred to as the weakest link. It is still a vital component of building a culture of security, but we also have to stop blaming the user, collaboratively find new ways to reinforce good user hygiene, and find ways that limit the damage that results from a user’s mistake.
Detect-and-Respond is an Important Part of a Defense-in-Depth Strategy
In our next blog, you’ll learn how to reduce the number of compromises, intrusions, and exploits by optimizing where and how you prevent attacks. We have touched on some key points in this blog, which no doubt raises a number of questions. With that said, nothing is perfect, so defense-in-depth remains key to protecting your network, your assets, your people, your reputation, and your organization’s resiliency. Detect-and-respond will remain a key part of your overall cybersecurity architecture and strategy.
Our goal is to make it so difficult for bad actors to achieve their goals that they give up trying. Your resources will free up. You will have the time and resources to enhance your proactive activities, rather than always reacting to the latest news, the latest incidents, and the changing world and business around us. Prevention turns the tables on our adversaries. Buckle up, because it’s going to be a fun ride. What stands before us are exciting times for us (and not for our adversaries!).
In future articles of this multi-part series, we’ll be talking about the progress our industry has made in reducing “dwell time”, industry metrics, and ways we can improve our defensive posture and move toward a more proactive strategy that will radically reduce adversaries’ success in meeting their objectives. Our end game is becoming proactive in how we defend the people and organizations we are charged with protecting.
Resources for Further Learning
MITRE ATT&CK framework: Understanding attack methods (CSO Online)
Windows Red Team Defense Evasion Techniques (Linode)
Defense Evasion Techniques (Cynet)
Defense Evasion Dominated 2019 Attack Tactics (DarkReading.com)