
Threat Intelligence Cyber Defense, Part 3 of 3

By Anthony Giandomenico | June 08, 2016

In my last blog we discussed some high-level defensive tactics we can take within each phase of the attack chain, once we understand the attacker’s methodologies, in order to build a more intelligent defensive posture.

Now, in this final blog in the series, I will look at how we can go a bit deeper within each phase of the attack to get more granular with our cyber defense.

As we all know, we live in a cyber world where we can never guarantee 100% security. The bad guys are often one step ahead of us, leveraging evasion tools such as packing, obfuscation techniques, or polymorphic malware. The use of such advanced evasion techniques requires us to change our way of thinking when it comes to protecting our digital assets. The reality is, unless you are a very small operation, you just can’t protect everything within your environment. The attack surface is simply growing too fast as companies continue to adopt new technologies and architectures to keep ahead of the competition. The challenge is that many of these new technologies also increase the success rate of attackers.

Instead, you need a three-phase approach to security. First, you have to focus on protecting your critical assets by detecting and blocking as much bad stuff as possible. You also have to assume that malware and attackers will get through your defenses, so you need to develop an increased ability to detect and respond as quickly as possible to a threat.  We know that once in, attackers will act fast, so you need to implement strategies to slow them down to give you time to fight through the attack.  And finally, you need good forensics tools so you can calculate the impact of a successful attack in order to gather intelligence and further harden your defenses.

Below are additional items to think about in each phase of the attack chain.  

Detect:  As I mentioned before, you have to assume that threats will circumvent your network defenses, so detection is extremely important. You have to think, “how can I detect the various tactics likely to be used within each phase of the attack once the threat is inside my network?”  This usually includes actively monitoring the logs from various devices within the network, and then implementing some sort of alerting system when anomalous behavior or attack patterns are discovered.  Logs can be sent to SIEM technology, for example, which can provide you with rules to help identify threats through correlation and set up automated alerts and policy-based responses. Since these systems have a tendency to be noisy, it’s good to predefine use cases to help narrow down exactly what you are trying to detect.  Additionally, consider looking at big data and machine learning technology to help identify attack patterns that you may not get from log correlation alone.  Consider which indicators of possible compromise within each phase will help you identify a threat.

Disrupt:  Many attackers, especially cyber criminals, are all about efficiency, so if you can slow them down by finding ways to disrupt the attack process, it may frustrate them enough that they just quit. Because there are so many other fish in the cyber sea, frustrated attackers may simply move on to the next, more vulnerable victim.  Or, if they decide to be persistent, a disruption strategy will at least slow them down, thereby providing you with a bit more time to execute your response plan or evaluate other options.
Degrade:  One thing you need to think about when responding to a threat, especially a persistent threat, is that once attackers know they have been identified, they are likely to change tactics or even let the attack go dormant.  This makes it much harder to find the full scope of the breach, as you can no longer see and evaluate their malicious behaviors.  If this happens, you may prematurely think the threat has been eradicated and resume normal business operations, only to find out weeks or months later, when the attack starts back up, that you jumped the gun.  Degrading is a technique that will help you slow down an attacker without totally tipping them off that you have discovered them.  The attacker may simply think they have encountered a network problem, or a slow network, and continue the mission as planned.
Deceive:  It’s always good to understand the bad guy’s intentions, especially when they are already inside your environment. Why are they in your network?  How did they get in? How long have they been here? How many other devices are infected? What are they trying to do?  Gathering information that can answer these questions will be valuable in shortening the time it takes for you to eradicate the threat.  While you are gathering this information and monitoring their behavior, you want to trick them into believing that they have not been discovered.
Contain:  Another important item to think about is, how can I minimize the impact of this breach?  If the bad guys get into the network, can I isolate them somehow in order to limit the access they have to sensitive data or control the business services they can affect?

Let’s take a quick look at how this strategy can be applied to one of the attack phases.  For this example, we will map the attack chain response to the Internal Reconnaissance attack phase.

Detect - Internal Recon:  In addition to sending logs to a central system, such as a SIEM device, it’s important to ensure you have security sensors deployed throughout the network.  This would include things like HIDS, NIDS, and other detection technology such as Endpoint Detection & Response (EDR) products.  These EDR tools allow you to search across the network for IOCs and quickly respond to identified and prioritized threats.  When identifying unauthorized or aberrant lateral movement across your internal network, it’s important to ensure that these sensors are deployed in the right locations of the network.  This would preferably be along the attack paths to your sensitive data, and at demarcation points between network zones if you have properly segmented your network.  Also, limiting the amount of traffic to and from your critical servers will increase the chances of identifying an abnormality.

As mentioned in the last blog, also leverage big data analytics and machine learning technology both on the endpoint and network.  Your NG SIEM may have some of these capabilities, as do a number of emerging security companies focused on advanced detection and correlation.  
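One way to turn the internal-recon detection use case above into a concrete SIEM-style rule, as an added example that is not code from the original post: count, per source and per time window, how many distinct internal hosts a machine touches (host sweep) and how many distinct ports it tries on a single host (port scan). The log format, thresholds and internal address range are assumptions, and the sample log lines are constructed.

```python
# Added example (not code from the original post): a fan-out detector for internal
# reconnaissance, run over constructed connection-log lines ("<epoch> <src_ip> <dst_ip>
# <dst_port>", one per line). Thresholds and the internal range are assumed values.
from collections import defaultdict
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address space
WINDOW = 60          # bucket size in seconds
HOST_THRESHOLD = 20  # distinct internal hosts from one source per window -> host sweep
PORT_THRESHOLD = 15  # distinct ports on one host from one source per window -> port scan

def parse(line):
    ts, src, dst, port = line.split()
    return int(ts), src, dst, int(port)

def detect_recon(lines):
    """Return a list of alert dicts, at most one per (source, kind, window)."""
    hosts = defaultdict(set)   # (src, window) -> set of internal destinations
    ports = defaultdict(set)   # (src, dst, window) -> set of destination ports
    for ts, src, dst, port in map(parse, lines):
        if ipaddress.ip_address(dst) not in INTERNAL:
            continue           # east-west traffic only; outbound is a separate use case
        w = ts // WINDOW
        hosts[(src, w)].add(dst)
        ports[(src, dst, w)].add(port)
    alerts = []
    for (src, w), dsts in hosts.items():
        if len(dsts) >= HOST_THRESHOLD:
            alerts.append({"kind": "host_sweep", "src": src,
                           "window": w * WINDOW, "count": len(dsts)})
    for (src, dst, w), ps in ports.items():
        if len(ps) >= PORT_THRESHOLD:
            alerts.append({"kind": "port_scan", "src": src, "dst": dst,
                           "window": w * WINDOW, "count": len(ps)})
    return alerts

def sample_logs():
    """Constructed sample: an SMB host sweep, a port scan, and benign file-server traffic."""
    lines = [f"{1200 + i} 10.1.1.50 10.1.2.{i + 1} 445" for i in range(25)]
    scan_ports = [21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 1433, 3306, 3389, 5900, 8080, 8443]
    lines += [f"{1205 + i} 10.1.1.52 10.1.0.20 {p}" for i, p in enumerate(scan_ports)]
    lines += [f"{1210 + i * 5} 10.1.1.51 10.1.0.10 445" for i in range(8)]  # normal SMB use
    lines += ["1220 10.1.1.51 203.0.113.10 443"]  # outbound web traffic, ignored here
    return lines

if __name__ == "__main__":
    for alert in detect_recon(sample_logs()):
        print(alert)
```

The benign workstation talking repeatedly to one file server never trips either rule, which is the kind of predefined use case that keeps a noisy SIEM manageable.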

Disrupt – Internal Recon:  Here you might think about minimizing workstation-to-workstation communication by either implementing host firewalling or deploying private VLANs.  This may not eliminate lateral movement, but it will disrupt the movement enough to make it difficult for the bad guy to move freely throughout the network, and certainly not without being detected.
Degrade – Internal Recon:   To degrade lateral movement, you can deploy and leverage Quality of Service (QoS) technology to slow the spread of malicious traffic and applications.  QoS is usually deployed to ensure certain traffic has priority over other traffic, such as latency-sensitive Voice-over-IP (VoIP) traffic.  However, once you identify the communications being used by malware, you can configure your QoS to squeeze that specific traffic so you don’t kill communications, but just severely limit them.  This is likely to be viewed as a network issue or bad connection, and will likely not raise the bad guys’ suspicion that they have been detected.
Deceive – Internal Recon:  One way to deceive an attacker would be to deploy honeypots at key areas in the network. Honeypots are used as a decoy to trick a bad guy into thinking they are on a legitimate device, in order to let the security team study their malicious activity. Honeypots are also a good way to detect that a threat is in your network, since no legitimate traffic goes there. If you have already identified the threat, you can use source-based routing to funnel attackers to your honeypot for further monitoring.  Once you glean what they are doing, you can use that information to identify the scope of the breach, and then contain and mitigate it.  When deploying a honeypot, you might want to position the technology at each security zone, such as the Internet, DMZ, Server and PCI zones. This will allow you to study the attacker at each zone, and will increase detection at each zone as well.  Other ideas, such as setting up phony documents, have been explored, along with tying beaconing to the file for tracking purposes.
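The detection value of a honeypot comes from the fact that nothing legitimate should ever connect to it, so every connection is an indicator rather than something to correlate. The following added example, which is not code from the original post, is a minimal TCP decoy listener that records who touched it and what they sent first; the loopback host, OS-chosen port and probe payload are assumptions for running it locally.

```python
# Added example (not code from the original post): a minimal TCP decoy listener.
# Any connection to it is an alert, because no legitimate traffic should reach a
# honeypot. Host, port and probe payload are assumed values for a local run.
import socket
import threading
import time

def start_decoy(host="127.0.0.1", port=0, max_conns=1):
    """Listen on a local port, record each connection that touches it, and return
    (bound_port, records, server_thread). port=0 lets the OS pick a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    bound_port = srv.getsockname()[1]
    records = []

    def serve():
        for _ in range(max_conns):
            conn, peer = srv.accept()
            conn.settimeout(1.0)
            try:
                probe = conn.recv(256)   # whatever arrives first: banner grab, HTTP probe
            except OSError:
                probe = b""              # scanner connected and left without sending
            # Each record is an indicator of compromise on its own: only an intruder
            # sweeping the network has a reason to talk to this address.
            records.append({"ts": time.time(), "peer": peer[0], "sport": peer[1],
                            "decoy_port": bound_port, "probe": probe[:64]})
            conn.close()
        srv.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return bound_port, records, t

def touch_decoy(host, port, payload=b"GET / HTTP/1.0\r\n\r\n"):
    """Exercise the listener locally by connecting to it once and sending a probe."""
    with socket.create_connection((host, port), timeout=2) as c:
        c.sendall(payload)

if __name__ == "__main__":
    bound, hits, thread = start_decoy()
    touch_decoy("127.0.0.1", bound)
    thread.join(3)
    for hit in hits:
        print("ALERT decoy touched:", hit)
```

In production the records would be shipped to the SIEM as high-confidence alerts and the listener placed in each zone the post names, on addresses that appear in no inventory or DNS.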
Contain – Internal Recon:  To contain lateral movement, you need to deploy transparent choke points within your network that will allow you to block and isolate an attacker once they have been identified.  This is also known as network segmentation.  Segmentation has been practiced for many years, usually at the network layer, because until recently you were unable to effectively use NG Firewall technology for segmentation.  Using NG Firewall technology to monitor and secure network segmentation allows for much better visibility and control than a router or switch, which is what was typically used for segmentation in the past.  As mentioned before, you can also use private VLANs for more segmentation, or to deploy what is being called microsegmentation.  Lastly, keep in mind that you should consider integrating your detection technology with your NG Firewall technology in order to automate your responses to an identified threat.

This closes the loop on Threat Intelligence Cyber Defense.  As you can see, you can get very granular with your defensive strategy, but the key thing to remember is that whatever technologies you deploy, make sure they can talk to each other, either by leveraging the same vendor technology, by ensuring the technology has open API integration, or a combination of both.  If you’re like most companies, you have limited technical and staff resources, so you will need to automate the initial analysis of and response to an attack as much as possible.

Stay tuned for my next blog, as I move into the changing cyber battlefield and dive deeper into the growing market of zero-day vulnerabilities.