Organizations continue to invest heavily to block advanced attacks, on both endpoints and networks. Despite all this investment devices continue to be compromised in increasing numbers, and high-profile breaches continue unabated. Something isn’t adding up. It comes down to psychology – security practitioners want to believe that the latest shiny geegaw for preventing compromise will finally work and stop the pain.

Of course we are still waiting for effective prevention, right? So we have been advocating a shift in security spending, away from ineffective prevention and towards detection and investigation of active adversaries within your networks and systems. We know many organizations have spent a bunch of money on detection – particularly intrusion detection, its big brother intrusion prevention, and SIEM.

But these techniques haven’t really worked effectively either, so it’s time to approach the issue with fresh eyes. Our Network-based Threat Detection series will do just that. By taking a new look at detection, not from the standpoint of what we have done and implemented (IDS and SIEM), but what we need to do to isolate and identify adversary activity, we will be able to look at the kinds of technologies needed right now to deal with modern attacks. The times have changed, the attackers have advanced, and our detection techniques for finding adversaries need to change as well.

As always, we wouldn’t be able to publish our research for the awesome price of zero without clients supporting what we do. So we’d like to thank Damballa and Vectra Networks for potentially licensing this content at the end of this series. We will develop the content using our Totally Transparent Research methodology, with everything done in the open and objectively.

Threat Management Reimagined

Let’s revisit how we think about threat management now. As we first documented in Advanced Endpoint and Server Protection, threats have changed so you need to change the way you handle them. We believe threat management needs to evolve as follows:

1. Assessment: You cannot protect what you don’t know about – that hasn’t changed and isn’t about to. So the first step is to gain visibility into all devices, data sources, and applications that present risk to your environment. Additionally you need to understand the security posture of anything you have to protect.
2. Prevention: Next try to stop attacks from succeeding. This is where most of the effort in security has been for the past decade, with mixed (okay, lousy) results. A number of new tactics and techniques are modestly increasing effectiveness, but the simple fact is that you cannot prevent every attack. It is now a question of reducing attack surface as much as practical. If you can stop the simplistic attacks you can focus on advanced ones.
3. Detection: You cannot prevent every attack, so you need a way to detect attacks after they get through your defenses. There are a number of different options for detection – most based on watching for patterns that indicate a compromised device. The key is to shorten the time between when the device is compromised and when you discover it has been compromised.
4. Investigation: Once you detect an attack you need to verify the compromise and understand what it actually did. This typically involves a formal investigation – including a structured process to gather forensic data from devices, triage to determine the root cause of the attack, and a search to determine how widely the attack spread within your environment.
5. Remediation: Once you understand what happened you can put a plan in place to recover the compromised device. This might involve cleaning the machine, or more likely re-imaging it and starting over again. This step can leverage ongoing hygiene activities (such as patch and configuration management) because you can and should use tools you already have to reimage compromised devices.

This reimagined threat management process incorporates people, processes, and technology – integrated across endpoints, servers, networks, and mobile devices. If you think about it, there is a 5×4 matrix of all the combinations to manage threats across the entire lifecycle for all device types. Whew! That would be a lot of work (and a really long paper). The good news for this series is that we will focus specifically on network-based detection.

Why Not Prevention?

From reading thus far, you may think we’ve capitulated and just given up on trying to prevent attacks. Not true! We still believe that having restrictive application-centric firewall policies and looking for malware on the ingress pipes is a good thing. Our point is that you can’t assume that your prevention tactics are sufficient. They aren’t.

Adversaries have made tremendous progress in being able to evade intrusion prevention and malware detonation devices (sandboxes). And remember that your devices aren’t always protected by the network perimeter or your other defenses at all times. Employees take the devices outside of the network and click on things. So your devices may come back onto the corporate network infected.

That doesn’t mean these devices don’t catch stuff, but they don’t catch everything. Thus, if you are having trouble understanding the importance of detection; think about it as Plan B. Every good strategist has Plan B (and Plan C, D, and E) and focusing effort on detection gives you a fallback position when your prevention doesn’t get it done.

So in a nutshell, it’s not either prevention or detection. It’s both.

Why Not Existing Monitoring?

You probably already spent a bunch of time and money implementing intrusion detection/prevention and SIEM to monitor those network segments. So why isn’t that good enough? It comes down to a fundamental aspect of IDS and SIEM: you need to know what you are looking for. Basically, you define a set of conditions (rules/policies) to look for typical patterns of attacks in your network traffic or event logs. If an attacker uses a common attack that has already been profiled, and you have added the rule to your detection system, and your device can handle the volumes (because you probably have 10,000 other rules defined in that device) you will be able to find that attack.

But what if the attacker is evading your devices by hiding traffic in a standard protocol and communicating by proxying through a legitimate network? What if they are using a pattern you haven’t seen before? Yep, you’ll miss the attack.

Again, it’s not like you don’t have to monitor your systems and networks anymore. Compliance mandates that you still need your IPS and your SIEM. It’s still critical to collect data and analyze it to find attacks you know about. And to be fair, many IDS/IPS and SIEM platforms are adding more sophisticated analysis to their standard correlation capabilities to improve detection. But these approaches still require a lot of tuning and experimentation to get right, and nobody has time to do everything. Nobody has time to waste on a noisy security monitor.

The Answer Is…

Unfortunately we haven’t found sustainable cold fusion, or a magic bullet that identifies every attack from every adversary every time (cold fusion actually seems a bit more likely). Would be nice though, right? But a couple capabilities have come together to enable better and more accurate detection on the network:

1. Math: Actually math has been around for a while (yes, that’s sarcasm). But improved ability to find patterns among a variety of data sources has made a big difference in the effectiveness of detection. Vendors call this “Big Data Analytics” and “Machine Learning”. Shiny buzzwords aside, these capabilities improve your ability to find anomalous traffic earlier in the attack chain.
2. Context: Anomaly detection has been around almost as long as math, but it offered limited value because it threw off a lot of false positives. An anomaly could just as easily be legitimate and malicious, but you had no way to tell the difference without a pretty deep investigation. So being able to evaluate other types of data such as identity and content/payload, and to prioritize anomalies based on which are more likely to be an attack, helps you eliminate now-obvious false positives.

So network-based detection has evolved to the point where you can identify devices that look like they have been compromised. To be clear, this is still suboptimal, because damage has already been done. Our inner security purist still wants to block every attack. But a breach doesn’t happen until exfiltration occurs, and if you are able to respond faster and better you can contain the damage. That’s what better detection is all about.

Our next post will dig into the typical indications of a compromised device. Attackers always leave traces, so by looking for certain things on your network you can find them.