Continuing a topic that we've discussed ad nauseam: dealing with attacks and threats in 2018 will be largely a continuation of 2017. We can expect to need to address both the continual advancement and innovation in attackers' ways of compromising devices and exfiltrating data, and also the need to cover the "basics" of network security.
With the systemic and ongoing resource and skills deficiencies, this issue isn't likely to be resolved in the near term.
In order to get ahead of the curve, we have to approach these problems with a more deliberate course of action. In short, it's now a requirement to accept that we can't secure "all the things". We have to focus on what truly matters, develop actionable and automated processes for getting to that data, and let that which truly doesn't matter... slide.
With the focus adjusted to what is actually attainable, the following skills and tasks are paramount.
- The most difficult problems are best worked in reverse. It isn't sufficient to think only about how to secure systems in their intended state; we also have to understand how those same systems can behave in other ways. Once that is considered, through inversion, we walk backwards through the problem and apply the necessary controls.
- Leveraging team members in ways that properly "weaponize" their strengths. We all see things differently and our skillsets reflect that. Using those diverse skillsets to execute mundane tasks is not the best use of that talent.
- Security incidents are rarely single atomic events. We need the ability to drill down into the activity to understand the depth of the attack, assess potential damage, and figure out workarounds to address the attack as it fits into the overall context.
- The sheer number of Indicators of Compromise (IOCs) will require the application of "Occam's Razor": "Among competing hypotheses, the one with the fewest assumptions should be selected." In essence, IOCs can lead to some pretty deep rabbit holes. You have to determine when you must move along to the next IOC. This isn't an easy decision, but it is one that must be made.
- Embracing "Second-Order Thinking". This follows from security being less "atomic" and more "contextual": the ability to consider, "if an attacker did this, what would happen next?". It's easy in the security world to give first-order advice. For example, keeping up to date with security patches and removing default credentials is generally good advice. But without second-order thinking, it can lead to poor decisions with unexpected consequences.
Organizations and security vendors will have to embrace the truth that individuals in security generally don't fare well performing the same tasks over and over. They are typically a creative bunch who find solving interesting problems to be a requirement.
On the other hand, machines couldn't care less. They don't become agitated with the mundane. They have no issue with grinding through established processes during the "graveyard" shift.
That being said, where do we go from here?
- The Basics: Build "the basics" into our established and applied processes. This eliminates the need to step backwards into the "basic blocking and tackling" while solving complex problems.
- Enrich Indicators of Compromise: Accept that threats and attackers aren't "atomic" events and that they are actually part of a larger narrative. We can focus on correlating these single IOCs into a cohesive string of actions. This allows analysts to approach the whole problem instead of a single element.
Breaking these down:
The Basics (Taken from CSC Top 20):
- Inventory of Authorized and Unauthorized Devices
- Inventory of Authorized and Unauthorized Software
- Secure Configurations for Hardware and Software
- Continuous Vulnerability Assessment and Remediation
- Controlled Use of Administrative Privileges
- Maintenance, Monitoring, and Analysis of Audit Logs
- Controlled Access Based on the Need to Know
- Account Monitoring and Control
Enriching IOCs:
- Define your objectives in using IOCs in your defense strategy. This will influence your intelligence collection criteria and how you will bind the sources.
- Select which IOC feeds are important and relevant to your environment based on these collection requirements. These can be collected externally or gathered internally from sandboxes, honeypots, or other deception technologies.
- Operationalize the IOC data in your environment beyond matching the indicators against the logs. Engage platforms that can assist in automating correlation from many viewpoints.
- Enrich IOC data with Pivot Points and then use those connections to build relationships between the threat intelligence data and the company’s telemetry. Define behaviors and baselines, based on common neighbors and peers to the affected entity. This could require some dynamic baselining that accounts for context and timeframes.
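To make the difference between plain log matching and enrichment concrete, here is an added example (not code from the original post) that matches a constructed IOC feed against constructed telemetry, then pivots on host and on shared destinations within a time window so each host gets a chain of actions plus its neighbors, rather than isolated hits. All indicator values, host names and campaign tags are hypothetical.

```python
from collections import defaultdict

# Constructed IOC feed: indicator -> campaign tag (hypothetical values).
IOC_FEED = {
    "203.0.113.7": "campaign-A",                       # C2 address
    "bad.example.net": "campaign-A",                   # C2 domain
    "44d88612fea8a8f36de82e1278abb02f": "campaign-B",  # file hash
}

# Constructed telemetry: (minute, host, event_type, value).
TELEMETRY = [
    (0, "ws-01", "dns", "bad.example.net"),
    (1, "ws-01", "conn", "203.0.113.7"),
    (2, "ws-02", "conn", "203.0.113.7"),
    (3, "ws-02", "conn", "198.51.100.9"),
    (5, "ws-03", "conn", "198.51.100.9"),
    (6, "ws-02", "hash", "44d88612fea8a8f36de82e1278abb02f"),
]

def match_iocs(telemetry, feed):
    """Plain log matching: one isolated hit per indicator occurrence."""
    return [(t, h, e, v, feed[v]) for t, h, e, v in telemetry if v in feed]

def build_chains(hits):
    """Pivot on host: turn isolated hits into a time-ordered chain of actions."""
    chains = defaultdict(list)
    for hit in sorted(hits):
        chains[hit[1]].append(hit)
    return dict(chains)

def peers_of(host, telemetry, window):
    """Pivot on shared values: hosts that touched the same destination or file
    as `host` within `window` minutes are its neighbors for baselining/triage."""
    mine = [(t, v) for t, h, _, v in telemetry if h == host]
    peers = set()
    for t, h, _, v in telemetry:
        if h != host and any(v == mv and abs(t - mt) <= window for mt, mv in mine):
            peers.add(h)
    return sorted(peers)

def triage(telemetry, feed, window=5):
    """Per host: the chain of hit event types, campaigns seen, and peer hosts."""
    chains = build_chains(match_iocs(telemetry, feed))
    return {
        h: {"steps": [e for _, _, e, _, _ in c],
            "campaigns": sorted({camp for *_, camp in c}),
            "peers": peers_of(h, telemetry, window)}
        for h, c in chains.items()
    }
```

Here ws-03 never matches an indicator itself, but surfaces as a peer of ws-02 through a shared destination, which is the kind of relationship the pivot step is meant to expose.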
How will this benefit the organization?
This potential future of security operations allows you to:
- React more efficiently: Your analysts will be better informed, as the IOCs will be more contextual and less situational. Your responders' efforts will be more focused, as they already have the potentially compromised devices isolated and a wealth of threat intel about the elements of the attack.
- Actionable process: If your Senior Engineers and Analysts build the run guides that define proper processes for the most common situations, you minimize the variance in performance of Junior Engineers and Analysts, allowing for greater efficiency. Another byproduct is shortening the churn in learning the necessary skillsets.
- Lowering the "Poverty Lines" of Information Security: In the words of my mentor, to solve these difficult problems and properly engage the vast amounts of potential available to organizations, we must lower the poverty line of Information Security.
'Til next time...