The managed security service provider market is crowded with 5,000+ companies worldwide offering some degree of MSS. That’s good news and bad news for customers. Competition should drive quality of service up across the board. But it also presents a paradox of choice, and many customers find themselves with buyer’s remorse.
A good MSSP, however, is invaluable. The variety and volume of security technologies available create a web that becomes too complex and costly for the enterprise to manage and maintain itself. Complexity, after all, is the enemy of security.
What Is an MSSP, and What Is It Not?
Before we begin, it’s important to understand what you should expect from your MSSP.
At its most basic, a managed security services provider is an outsourced partner who monitors and manages security technology on behalf of the enterprise to aid in incident detection and response. MSS, however, can be much more than that. The right provider will understand the bigger security picture for the enterprise and be able to contextualize the threat, reduce time to detect the breach, and, ultimately, lessen its impact.
Most traditional MSSPs aren’t set up to achieve those outcomes, however. Instead, they’re comprised of bolted-on services primarily driven by sales opportunities. A customer purchases a large amount of technology and asks if they might also be able to manage that technology. Then another technology is purchased, and more services are created and sold.
The problem with this approach is it simply shifts the complexity to a different team. That team may have more technical knowledge, but the services are still siloed and independent from the total security strategy and ecosystem.
Understanding the differences in approaches is critical to the long-term success of your MSSP relationship. So how do you tell a good MSSP from a bad one? Here are seven red flags to look for.
Listen to our Fire Your MSSP Webcast here to learn more.
7 Signs It’s Time to Move on from Your MSSP
#1 Their portal has an ugly interface.
Forgive us for being vain, but the usability of the MSSP portal absolutely matters. The portal should be beautiful, easy-to-use, and, most importantly, provide value and context from the very first screen. Many portals today are outdated and not user friendly. If your MSSP has a portal, and you never log into it, that’s a problem.
#2 They are just an alert factory.
Is your MSSP simply “alerting” you to alerts? You deserve more! Your MSSP should be able to provide insight and context as to why that alert is or is not relevant to you. If the alerts you receive are generic and templatized, you’re essentially paying your MSSP to manage escalations.
#3 They can’t give you a unified view of incidents across environments.
In this day and age, providing management and visibility across environments—IT, OT, Cloud, etc.—is table stakes. If your MSSP can’t give you a unified view of incidents across environments, or if they can’t provide security visibility regardless of where your data resides, it’s time to move on.
#4 They say they do threat hunting, but can’t prove it.
Threat hunting has become a buzzword that MSSPs use to lure in prospective clients. But can they actually back it up? Threat hunting should not be abstract. In our case, we show clients exactly which threats we’ve detected and relevant incidents right in their portal. This should be the norm, not the exception.
#5 They have restrictive SLAs and a nickel-and-dime attitude.
This one is pretty simple. If your MSSP is holding you to an SLA, or if their own SLAs are prohibitive, they do not have your best interest at heart. Similarly, if they charge for every extra hour or request outside your retainer, they’re loyalties lie with their bottom line, rather than your security wellbeing.
#6 They can’t give you real-time visibility into the service you’re paying for.
Do you know if the services you were promised are being delivered? If service was interrupted, would you be able to tell? If not, it’s time to look for a better provider.
#7 You’re only with them because they were easy to get through procurement.
Would you believe that often customers don’t actually choose their number one MSSP? It’s true! Customers often end up choosing the MSSP that’s best from a budget, procurement or MSA perspective, rather than the one that offers the best services. With a service that you’ll interact with nearly every day, it’s important not to fall into the “procurement trap.”
Kudelski Security Recognized as Leader in The Forrester Wave™: Midsize MSSPs, Q3 2020
3 MSSP Requirements You Shouldn’t Compromise On
If you decide it’s time to let your MSSP go, it’s important not to repeat the same mistakes you have in the past. Here are three criteria to add to your checklist when selecting an MSSP.
Modern interfaces and collaboration tools. Today’s security engineers have been raised on mobile devices and chat apps. Streamlining the user experience and offering more real-time collaboration will ultimately lead to better client satisfaction.
Tailored, strategic service. An MSSP that customizes its services to your specific environment and is committed to your long-term success will ultimately be more successful than one that relies on a more transactional approach.
Honesty and transparency. Your MSSP will likely not be able to “do it all.” There may be areas where your team is stronger or where a technology vendor may be able to provide better service. Your MSSP should work with you to define and shape requirements rather than claim they can check all the boxes.
Threat actors, advanced persistent threats, and simple cybercriminals are always looking for the latest way to get in or take advantage of potential victims. An avenue of approach is defined as a route of an attacking force leading to its objective. The latest and easiest avenue of approach is Office 365. Since this capability is relatively new and IT organizations have not put as much thought and expertise around defending this critical communications capability in the same ways they did with their on-premise Exchange infrastructure, the threat has been able to take advantage of this lack of attention.
Office 365 is complex and has many caveats without a lot of security guidance or documentation available. The initial vector remains to be primarily phishing. Although two-factor authentication has helped reduce phishing, there are many cases in the past several years where attackers phished the 2-factor code as easily as the normal credentials. There are even several open-source two-factor bypass frameworks that are being leveraged daily to compromise users. With all the available ways to continue to steal user credentials, the attackers continue to go after the O365 as a way to manipulate or execute social engineering to steal money.
In one scenario, an attacker gained access to an account on O365 and enabled send on behalf privileges, created administrator accounts, created inbox rules for certain individuals – all in attempts to hide malicious communication activity and spoofed emails. The attacker sent an email from a self-created email string with the response and forwards of legitimate company executives with instructions to wire funds.
In another scenario, attackers sent requests for payment with a PDF invoice that contained new, attacker-controlled, account information. All of these actions leveraged unauthorized access to the email environment. The activity went undetected for many weeks. The new norm for defenders must be to monitor and review activity, configuration changes, inbox rules, and account delegations. Hunting in real-time and watching not just for security events, but also suspicious or abnormal IT activity is a must for reducing the dwell time. Fraud and security teams must develop processes and playbooks for working together to combat this attacker technique.
So how do we impede or block the O365 avenue of approach? The playbooks must include what alerting is available by security teams and what use cases or non-security related activity a security and or fraud team may need to identify malicious activity. Ensuring there is a monitoring and hunting capability while doing configuration verification is simply a must. This includes a thorough review of current licensing and logging so that when an incident happens, administrators are not blind to attacker activity because logging was insufficient. An important report to review is the malware detections report. The ability to detect a security control failure and limit the impact of account compromises is paramount. Just like other systems, using multi-factor authentication for O365 helps protect the data and devices accessible by each individual, but is not the silver bullet. Limiting the number of global administrators and monitoring the activity of those administrator accounts identifies when the most valuable accounts are being used. Another good practice is turning on, consuming and eventing on mailbox auditing for all users allows for the visibility of unauthorized access of exchange online activity. Email is, of course, a normal phishing avenue of approach, so, understanding how your users within your O365 environment are being targeted by malware to then determine further mitigations or more aggressive malware defense actions is key.
Some other security actions are reviewing mailbox access by non-owners which identifies possible malicious activity and turning on Spam notifications. This allows you to see which accounts are blocked for sending spam, which is also an indication of an attacker using that account. Whatever actions you take, make sure there is a continuous periodic review. Never use a set it and forget it approach. Additionally, Microsoft has been rolling out more advanced security options for O365 within its Automated Investigations and Response (AIR) framework to include some Security playbooks for automation of opening investigations. The initial set of playbooks include User-reported Phish Message, URL Click verdict change, Malware ZAP, Phish ZAP, and email investigations.
O365 is complex and moving from on-premise exchange to O365 does not reduce your need for security activities and actions required to defend your environment. Attackers will continue to use this Avenue of Approach until we as security professionals force them to move to a different avenue in order to gain ground. Making this lucrative objective a hardened target should be on everyone’s to-do list.
Angesichts des hohen Tempos und der Komplexität bei der Transformation von Unternehmen sowie der ständig steigenden Sicherheitsbedrohungen für hybride Umgebungen wünschen sich IT- und Sicherheitsteams vertrauenswürdige Sicherheitspartner, die dabei helfen können, die Visibilität zu erhöhen, die Komplexität zu reduzieren und dem Fachkräftemangel entgegenzuwirken.
Olivier Spielmann, Director of EMEA Managed Security Services, Kudelski Security.
Millionen von Menschen sind von Datendiebstahl im grossen Stil betroffen. Cybersicherheit – die Abwehr dieser Bedrohungen – rückt deshalb überall zunehmend in den Mittelpunkt des Interesses. Zugleich steigt aber auch die Komplexität der Cyberbedrohungen, was die Gefahr für Daten und die Reputation der betroffenen Firmen auf eine neue Stufe hebt. Allein Unternehmen kosteten Cyberattacken im Jahr 2018 weltweit rund 1,5 Billionen US-Dollar. Gleichzeitig passen Organisationen ihre IT stetig den steigenden Erwartungen der Konsumenten an.
Netzwerkperimeter werden dabei immer weiter ausgehöhlt, um eine solche Transformation zu ermöglichen. Um die Sicherheit kritischer Firmendaten weiterhin gewährleisten zu können, müssen IT-Sicherheitsteams über eine unternehmensweite Visibilität verfügen. Dafür benötigen sie vertrauenswürdige Partner, die sie bei der komplexen Verwaltung von Cybersicherheitsprogrammen in Multi-Technologie-Umgebungen unterstützen und helfen, den Investitionswert zu maximieren.
Immer von einem Datendiebstahl ausgehen!
Die Frage ist nicht, ob oder wann ein Datendiebstahl erfolgen wird, sondern wie rasch eine Bedrohung erkannt werden kann, die bereits im Netzwerk ist. Die Geschäftsleitung involviert sich stärker, sie will die Gewissheit, dass das Unternehmen vor den aktuellen Bedrohungen geschützt ist. Dennoch bleiben die meisten Bedrohungen im Schnitt 101 Tage unerkannt. Ein höheres Mass an Informationen ist erforderlich – eine bessere Übersicht über Bedrohungen und Gegner, eine grössere kontextuelle Relevanz und ein dynamisches Verständnis in Bezug auf eine sich wandelnde Bedrohungslage.
Den traditionellen Lösungen von Managed Security Services Provider (MSSP) fehlen die fortschrittlichen Funktionen, die erforderlich sind, um fortschrittliche Gegner zu bekämpfen. Ein effektiver Ansatz für die Erkennung von Bedrohungen darf nicht linear sein, muss Visibilität generieren und die Ad-hoc-Bewegungen eines Angreifers im System widerspiegeln. Dies erfordert spezifische Fachkenntnisse und Fähigkeiten, die kontinuierlich aufgefrischt werden müssen, um immer einen Schritt voraus zu bleiben.
Ansatz Threat Hunting
Egal wie gut Technologie und Prozesse sind, Bedrohungen können dennoch unentdeckt bleiben. Eine fortschrittliche Sicherheitsabteilung erfordert spezialisierte Teams aus Threat Hunters, also Analysten mit der Denkweise eines Hackers, die anomale Aktivitäten und Dateien analysieren, um unbekannte Bedrohungen aufzudecken. Da weltweit knapp drei Millionen Cybersicherheitsexperten fehlen, werden Unternehmen allerdings Mühe haben, die benötigten Talente zu rekrutieren.
Mit der Digitalisierung nimmt die Anzahl der Angriffsvektoren zu. Auch gibt es stetig mehr Plattformen und Anwendungen, die Daten sammeln, speichern und auswerten. Dies macht es schwieriger, die Risiken zu reduzieren und eine hohe Visibilität im gesamten Unternehmen aufrechtzuerhalten. Kritische Infrastrukturen sind für einen wirksamen Einsatz immer stärker vom Internet und von den IT-Umgebungen abhängig. Die Kombination dieser Faktoren bedeutet für Sicherheitsteams eine komplexe Mission, für Angreifer neue Ziele und für Aufsichtsbehörden eine völlig neue Dimension.
Visibilität und Überwachung von Cloud-Plattformen: Laut Gartner werden 75 Prozent der Unternehmen bis 2020 ein Multi-Cloud- oder Hybrid-Cloud-Modell implementieren. Eine Migration in die Cloud mag zwar kurzfristig Zeit und Geld sparen. Jedoch ist der Einsatz der Cloud in Bezug auf langfristige Visibilität und Datensicherheit mit grossen Herausforderungen verbunden, insbesondere in hybriden Umgebungen.
Visibilität und Sicherheitsüberwachung in den Bereichen Operational Technologies (OT) und Industrial Control Systems (ICS): Netzwerke in OT und ICS stellen ein wachsendes Risiko dar. Böswillige Aktivitäten nehmen zu. Den Beweis dafür liefern die steigende Anzahl Bedrohungsaktivitäten von ICS-Angreifern und das Aufkommen von ICS-spezifischer Malware wie Triton oder Trisys. Berüchtigte Angriffe auf kritische Infrastrukturen, darunter Wasser- und Energieversorgungsunternehmen, zeigten, dass hier eine bessere Sicherheit erforderlich ist. Trotzdem haben viele Organisationen immer noch Mühe, die nötige Visibilität zu erreichen, um ihre industriellen Umgebungen wirksam zu überwachen.
In der Cloud verschwimmt die Grenze
Die Cloud macht viele Versprechen: schneller, kostengünstiger, einfacher. «Sicherer» hört man selten in dieser Aufzählung. Vor allem KMUs kann die Cloud zuweilen verunsichern. Olivier Spielmann, Director of EMEA Managed Security Services bei Kudelski Security, weiss Rat. Interview: Coen Kaat
Spielt es eine Rolle, ob ich meine Daten in der Schweiz oder in einer ausländischen Cloud speichere?
Olivier Spielmann: Nein, solange Sie nicht gegen die einschlägigen Vorschriften verstossen und einen guten Vertrag mit Ihrem Cloud-Anbieter haben. Falls Sie Cloud-Services zur Bereitstellung von Businessdienstleistungen nutzen, bleibt die Verantwortung bei Ihnen. Was sich ändert, wenn Ihre Daten in einem anderen Land gespeichert werden, sind die rechtlichen Vorgaben, die im Falle einer Datenpanne oder beim Schutz Ihrer Daten vor Suchvorgängen zur Anwendung kommen. Bei der Speicherung der Daten bei einem Cloud-Anbieter sollten Sie abklären, welche Gesetze gelten und ob diese ausreichend sind.
Die Cloud wird immer hybrider und vielfältiger. Wie erreicht man die für eine sichere Cloud-Umgebung erforderliche Transparenz?
In der Cloud verschwimmt die Grenze zwischen Datenverarbeitung und Datenspeicherung. Cloud-Services werden zwar wegen ihrer Flexibilität, Schnelligkeit und Benutzerfreundlichkeit geschätzt, können aber – gewollt oder ungewollt – zu einem weit offenen Portal zur Offenlegung von Daten werden, wodurch schon riesige Mengen an vertraulichen Informationen preisgegeben wurden. Risiken lassen sich durch die Schulung von Cloud-Benutzer-Teams, die richtige Architektur und Konfiguration von professionellen Cloud-Umgebungen sowie durch die Überwachung von Unternehmens-Clouds auf Konfigurationsfehler minimieren. Alternativ können Unternehmen die Möglichkeiten von Managed-Security-Service-Providern wie Kudelski Security nutzen. Wir überwachen Risiken und Konfigurationen rund um die Uhr und haben die Zeit zur Erkennung von Bedrohungen von durchschnittlich 78 Tagen in vielen Fällen auf wenige Stunden reduziert.
Welche neuen Herausforderungen stellt das IIoT für IT-Sicherheitsdienstleister dar?
IIoT-Umgebungen zu schützen ist nicht dasselbe wie der Schutz von IT-Umgebungen. Industrielle Systeme sind unterschiedlich aufgebaut, sind aber durch ihre Verbindung zu IT-Netzwerken nun ähnlichen Bedrohungen ausgesetzt. Sie bringen neue Risiken mit sich, die sich mit herkömmlichen IT-Sicherheitsmassnahmen nicht beheben lassen. So kann beispielsweise das Scannen eines Produktionssystems mit einem Schwachstellenscanner das System abschalten und damit den Fertigungsprozess stoppen. Darüber hinaus sind IT-Sicherheits-Kompetenzen und -lösungen nicht auf IIoT-Umgebungen ausgerichtet. Anbieter und Dienstleister müssen neue Lösungen bereitstellen, um diese neu exponierten Umgebungen kritischer Dienstleister – zum Beispiel in der Energiebranche – abzudecken. Unternehmen, die ihre Anlagen in einer IIoT-Umgebung schützen möchten, können sich an das Cyber Fusion Center von Kudelski Security wenden, das rund um die Uhr Beratung, Bedrohungsüberwachung, Threat Hunting und Störungsbehebung anbietet.
Wer bewacht die Wächter? Wie gewährleisten Cybersicherheitspartner ihre eigene Sicherheit?
Bei Kudelski Security fordern Kunden uns regelmässig auf, zu beweisen, dass wir robuste Sicherheitskontrollen und angemessene Security-Governance-Prozesse anwenden. Cybersicherheitspartner sollten selbst umsetzen, was sie predigen, indem sie auch in ihren eigenen Umgebungen tiefgreifende Sicherheitskontrollen, eine effiziente Bedrohungsüberwachung, Threat Hunting und Störungsbehebungssysteme implementieren.
Read the original article by clicking here.
“Military intelligence” is no oxymoron. I’m not a career intelligence professional, but I have worked with some of the best intel organizations and operations in the world, including cyber operations and U.S. military intelligence. So, when I need to assess cyber intelligence, I revert to the framework used in a military environment.
The essential basics of any intelligence operation, whatever the sector, cover requirements definition, collection, processing and exploitation, analysis and production and dissemination. So, what particular insights do you examine within this framework used by the best cyber intelligence organizations?
A critical part of any intelligence operation is determining the need. Just saying ‘I need cyber intelligence’ or ‘I am going to create cyber intelligence’ will get you nowhere. A consumer or producer of intelligence needs to understand what is required in order to not only build a collection platform which meets the needs but executes the required collection. If you’re a cyber intelligence organization, the value of your production not only depends on your analysis but is just as dependent, if not more, on your collection.
Another aspect of your needs may be strategic and not just tactical. Strategic intelligence can help when building a network or security architectures or detection capabilities and hunting operations. There are knowledge bases for threat techniques, such as the MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CKTM), which can be used to evaluate your defenses or detection capabilities. Some of the best organizations use and build their security operations and detection frameworks from these threat techniques. These organizations use strategic intelligence to protect against threats to things in their vertical, infrastructure or their architecture.
Another part of strategic intelligence is actor and intent. Although intent may be evident in some situations, APTs have a very different intent from a simple ransomware attack. Intent and attribution can be a specific requirement for government and law enforcement to meet their needs, but intent also can be useful in other sectors like critical infrastructure. Understanding the long-term goal or intent of intellectual property theft, denial of service or physical destruction within your sector can go a long way toward understanding your risks, your specific strategic intelligence requirements and the real-time tactical intelligence you require to mitigate those risks.
The size and/or scope of your collection platform capability will determine the size of your output. Single intelligence sources or implementing single-function processes like scraping the web for malicious content or links are valuable but deliver limited intelligence with specific applications. If you only collect, process and analyze malware, it stands to reason that you will only produce malware intelligence. Collection capabilities really come from the ability to acquire unique data. Companies execute collection with various techniques, media and locations. Incident response collects data. Security products collect data. Web and darknet scraping collect data. Intrusion and Network analysis collects data. Hunting collects data. The best intelligence organizations are multi-faceted, so they can fuse together all the intelligence collected from different platforms.
Size and scope of collection are analogous to your own internal network collection and processing. Think about your network Security Information and Event Management System (SIEM). Your SIEM scales in value with more data sources (collection platform) and better correlation (processing) within the platform. If you have one data source, firewalls, for instance, you get collection and correlation from only firewalls. But if you have servers, endpoint detection capabilities, email gateway logs as well as firewalls providing data that you can correlate the information you receive from these multiple sources. When it comes to intelligence collection, companies who have a large platform or multiple platforms provide different intelligence than a provider who scrapes the dark web for specific attributes. Both can be valuable but again this goes back to your need and requirements. The main point to remember: not all intelligence providers are created equal and one big differentiator is the quality of their collection platforms.
The ability to process raw data plays a significant role in an intelligence provider’s ability to produce real-time intelligence. The best intelligence organizations have developed two important capabilities: vast collection and big data analytics. Using, storing and executing complex analytics on large amounts of data is challenging. The future is now when it comes to using artificial intelligence such as machine learning to support operations. The key to success is figuring out which providers are just using “AI” as a buzzword. Data, without good analytics, only yields piles of data with no actionable outcome. The larger and more diverse the data types and structures, the better your data storage and your ability to perform analytics must be. If you understand your provider’s ability to conduct analytics on their collection, you are another step closer to ROI on intelligence.
The goal of intelligence analysis is to figure out what will happen next. Great providers understand they must assess what is happening now and why it’s happening. Intelligence activities include trying to determine the attacker tactics, techniques and procedures. Some attackers use botnets, malware, ransomware. Others use phishing, metasploit or file-less attacks. All these techniques and the tactics of code writing, timing, sequence, targeting, and infrastructure used, need to be collected to find and attribute the most sophisticated threats.
The best nation-state actors develop techniques to look like other nation states. Finding advanced persistent threats (APT) take an enormous amount of data combed through by the best analytics fast enough to find the needle in a field on haystacks. Understanding your provider’s analysis capabilities is very different from knowing their collection methods, analytics and production capabilities. Good analysis comes from years of experience working to get in the mind of the threat actors, to understand their motivation and the goals of those threats. When assessing analysis, look for experience and historic achievements as well as a good methodology for using what they collect to reach conclusions on your requirements.
In some ways, understanding how you will consume threat intelligence or how it will be provided determines your requirements. Understanding how intel is disseminated is key: Are there automated feeds? Do I get an email? Do I read it on a portal? Are indicators of compromise provided? Is it a list of exploits being used against the newest vulnerabilities? How is it structured to be used by my security tools like direct SIEM ingestion?
In its simplest form, the intelligence needs to be actionable by security staff or security tools. In other words, have an actual effect on your defenses. Knowing the Chinese hacked the Office of Personnel Management (OPM), the Russians hacked the DNC, or the latest botnet is spreading across America may be good to know, but how does that help your security staff change your security posture?
What of that is actionable? Does your security team or provider get actionable intelligence and how do they make it useful? Do they have a way to translate data, information and intelligence into a useful defense scheme or execute real-time targeted hunting in your unique environment based on your atmospherics, architectures, vulnerabilities and priorities? How many times have you seen the intel provider send you an email with links to other web articles? Having an intelligence feed because its required by regulation, maybe checking the box, but you must figure out how to use that feed to the max extent possible. How does crawling the web help my situation? Situational awareness about threats is one thing, but actionable intelligence is what reduces risk, finds threats and stops breaches.
Even the best intelligence-producing organizations are producing for a specific need. Know what your needs are, so you can make sure you choose one that gives you actionable intelligence for your particular needs – tactical or strategic. The current landscape for cyber intelligence is vast and confusing. Providers will give you the intelligence they gain based on their own collection, processing, analysis and production capabilities.
Article originally appeared in SC Magazine. Read it here.
The newest buzz word around cybersecurity and managed services is managed hunt operations; the main nuance which might be lost is simple enough, hunting is not new! From platforms to people, everyone is touting the need to find the threats in your network, but security professionals have been looking for and finding threats in networks for 20 years. This “new” concept or theory of hunting has been executed by the best network defenders with the help of sensors, logs, AV, tools, and various scanners for a very long time.
The real trick is going from hunting to search and destroy. While finding historical evidence that attackers have been stealing your Intellectual property for the last four months and remediating may seem to be a success for most threat hunting capabilities. The truth is, discovering threat actors executing commands and watching the techniques is the goal for any modern hunt team. Crushing your advisory in real time as they move laterally, looking to steal intellectual property (IP), Personally Identifiable Information (PII) or Payment Card Industry (PCI) is the dream scenario for any member of your enterprise hunt team.
How many times has your security analyst said, “I can see at this time, this process ran which is an indication of possible blah, blah, blah.” The goal needs to be, “I see the attacker dumping hashes from memory using Mimicatz… I see the active RDP session and the attackers attempt to move laterally from Host 10.X.X.X. I see PowerShell activity on X host not associated with our internal SCCM.”
Active real-time hunting reduces the “find” time from the most recent estimate of about 99 days down to near real time. This real-time hunting takes talent, training, and humans actively executing structured activities to find threat activity. In military terms, some would say it’s a movement to contact. Movement to contact defined by FM 3-0 Operations is a type of offensive operation designed to develop the situation and establish or regain contact. A cyber movement to contact requires not only some of the best behavior-based detection capabilities and best internal collection capabilities but real-time interactive operations within the networks, systems, and hosts.
Other types of hunts we can take from military tactics, techniques and procedures are:
Area Defense: A defensive task that concentrates on denying enemy forces access to designated terrain for a specific time rather than destroying the enemy outright. This type of hunting operation allows us to conserve or use resources to focus on the “crown jewels.” These tactics may include blocking, canalization into the engagement area of the defenders choosing. Some newer deception technologies allow for a more advanced defense as opposed to the honeypot scenario.
Attack: An offensive task that destroys or defeats enemy forces, seizes and secures terrain, or both. Hunting operations within one own’s network which can be categorized as an attack must focus on the threat tools or capabilities, ensure the threat does not own, hold or control infrastructure which is too valuable to be simply wiped and baselined.
Pursuit: An offensive task designed to catch or cut off a hostile force attempting to escape, with the aim of destroying it. Or in other words, making sure the threat knows they were caught and has no way back into the network. Shut the preverbal “backdoor.”
All that being said, hunting needs planning, real-time humans executing operations. Using a military framework may help organize the plan, but either way, get eyes on the threat actions in real time.
As opposed to attacking someone in their network, hunters can find and render any threat attempt useless through understanding tactics and techniques an attacker would use. Once in contact, the hunters must clearly understand what actions to take. If your analysts see real-time activity, have you developed a real-time response to each of the interactive scenarios? Understanding the requirements of not just finding and blocking bad stuff but knowing what tools and actions to take if your hunter sees the active RDP session, finds PowerShell running, sees certain processes running or sees the recon scanning activity is critical.
Thoroughly thought out plans, hunts, hunter actions, responses and activities upon finding the threat is sometimes referred to as hunting maturity level. What level is your organization? Start by developing a plan for real interactive hunting, build hunting goals, train hunters, understand the needed tools so we create a contested environment.
A cursory glance at any MSSP listing shows that the focus of most mainstream network and security operations centers (SOCs) is generally health monitoring, configuration, accounting, performance, security (FCAPS), mean time to repair (MTTR), and the security events as they arise.
It’s not a focus that is enjoying enormous success. According to Gartner, breach activity in 2017 was up by 43.8% year-over-year and the scale and severity of attacks as well as reporting requirements are increasing.
Speed of response is at the heart of the issue. Some of the recent largest-scale breaches, such as OPM, Equifax, Target, etc., may have had a slow decision cycle. And this is where the idea of ‘fusion’ provides an interesting answer. Fusion seeks to make better decisions based on the best available information possible and gain the advantage of having a faster decision cycle than your enemy or threat.
Clearly, the decision maker who has the fastest process to gather the best, most up-to-date information possible is going to have the advantage. This is not a new concept. As retired general Stan McChrystal said “The answer is for leaders to have a process in place that helps them gather relevant information, adequately consider dissenting views from a mix of trusted sources, make a decision, communicate the decision, and act on it. Such a system does not eliminate risk entirely, as real decisions always involve uncertainty and risks, but it does help to ensure that the decision made is well-informed, timely, and the best course of action in an evolving and complex environment.”
The military has evolved in some part due to Gen. McChrystal’s vision for fusion. Put simply, fusing who has the information with who needs the information is critical for timely decision making and action.
In cyber, this is even faster and more important than in any other domain. Before the Internet, the telephone, the telegraph, radio, and carrier pigeon, information traveled at the speed of humans. Think Paul Revere or Pheidippides. Now information travels at the speed of light, so decision cycles are faster. The need for fusion is even more important because of technology, not less important because we have technology. Traditional fusion is intelligence with operations. The critical piece to figure out in any “fusioning” is what needs to be fused. In some organizations fusing Cyber Intelligence and threat activity has led to an evolution on cyber defense, but this still falls short for two reasons.
First, using contextual information not only from IT operations but from business operations adds huge value to the speed of understanding cyber events. The old false positive problem is significantly reduced by knowing up front or in real time the cause of an event in context to operations. Think PowerShell – PowerShell may be legit if done by an Admin yet may be bad if being done by an external RDP connection.
Knowing if SCCM is being used at the same time PowerShell launches is a huge win for fusing IT operations information with security event information. With understanding IT and Business context, event fatigue then becomes minimal and the one event which is almost the same but is missing the business contextual information does not get missed because your only analyst is drowning in useless events.
Second, get rid of the notion that intelligence feeds will solve all problems in real time. “If I could only automate those feeds I’d catch the crook in the act!” If you don’t know and understand your threat through intelligence way before they break the window, you won’t see them or catch them until it’s too late. CrowdStrike estimates the average attacker takes 1 hour and 58 minutes to move laterally in your network. This means you need to have a decision cycle faster than two hours to stop that initial compromise from becoming much worse. Cyber intelligence is knowing the threat, building detection for those threats, and then spending your time hunting for those threats not relying on some automated detection with real-time cyber intelligence.
For cyber decision making, attackers fuse the latest vulnerabilities with techniques and capabilities to exploit those vulnerabilities. For the defender, the fusion comes from having the intelligence information, the network contextual information and the activities that are occurring in real time on the infrastructure. Only then can the defender reduce the decision cycle to an actionable timeframe, block the attacker decisively, contain the damage to critical assets – and hopefully – avoid becoming the next big cyber attack headline.