Charles Leaver – Focus On Detection Not Perimeter Breach

Written By Dr Al Hartmann And Presented By Charles Leaver CEO Ziften


If Prevention Has Failed, Detection Is Essential

The last scene in the well-known Vietnam War film Platoon portrays a North Vietnamese Army regiment in a surprise night attack breaching the concertina wire perimeter of an American Army battalion, overrunning it, and slaughtering the startled defenders. The desperate company commander, grasping the dire defensive situation, orders his air support to strike his own position: “For the record, it’s my call – Dump everything you’ve got left on my position!” Moments later the battlefield is immolated in a napalm hellscape.

Although a physical conflict, this illustrates two aspects of cybersecurity: (1) you must plan for inevitable perimeter breaches, and (2) it can be bloody hell if you do not detect early and respond forcefully. MITRE Corporation has been leading the call to rebalance cybersecurity priorities, placing due emphasis on detecting breaches in the network interior rather than focusing solely on penetration prevention at the network perimeter. Rather than defense in depth, the latter produces a flawed “tootsie pop” defense – hard, crunchy shell, soft chewy center. Writing in a MITRE blog, “We could see that it would not be a question of if your network will be breached but when it would be breached,” explains Gary Gagnon, MITRE’s senior vice president, director of cybersecurity, and chief security officer. “Today, companies are asking ‘How long have the trespassers been inside? How far have they gone?’”

Some call this the “presumed breach” approach to cybersecurity, or, as tweeted by F-Secure’s Chief Research Officer:

Q: How many of the Fortune 500 are compromised? A: 500.

This rests on the likelihood that any sufficiently complex cyber environment contains an existing compromise, and that Fortune 500 businesses are of sufficiently complex scale.

Shift the Burden of Perfect Execution from the Defenders to the Attackers

The conventional cybersecurity view, derived from the legacy perimeter defense model, has been that the attacker only has to be right once, while the defender must be right every time. A sufficiently resourced and persistent attacker will eventually achieve penetration, and the time to successful penetration shrinks as the size and complexity of the target enterprise grow.

A perimeter- or prevention-reliant cyber defense model essentially demands perfect execution by the defender, while handing success to any sufficiently sustained attack – a recipe for certain cyber disaster. For example, a leading cybersecurity red team reports successful enterprise penetration in under three hours in more than 90% of their client engagements – and these white hats are limited to ethical methods. Your enterprise’s black hat attackers are not so constrained.

To be viable, the cyber defense strategy must turn the tables on the attackers, shifting to them the unattainable burden of perfect execution. That is the rationale for a strong detection capability that continuously monitors endpoint and network behavior for any anomalous signs or observed attacker footprints inside the perimeter. The more sensitive the detection capability, the more caution and stealth the attackers must exercise in executing their kill chain sequence, and the more time, labor and talent they must invest. The defenders need only observe a single attacker misstep to expose their tracks and unravel the attack kill chain. Now the defenders become the hunters, the attackers the hunted.


MITRE provides a comprehensive taxonomy of attacker footprints, covering the post-compromise portion of the kill chain, known by the acronym ATT&CK, for Adversarial Tactics, Techniques, and Common Knowledge. ATT&CK project team lead Blake Strom says, “We decided to focus on the post-attack period [portion of the kill chain outlined in orange below], not only because of the strong likelihood of a breach and the scarcity of actionable information, but also because of the many opportunities and intervention points available for effective defensive action that do not necessarily rely on anticipation of adversary tools.”



As shown in the MITRE figure above, the ATT&CK model provides additional granularity on the post-compromise phases of the attack kill chain, breaking them out into ten tactic categories. Each tactic category is further detailed into a list of techniques an attacker might use to carry out that tactic. The January 2017 update of the ATT&CK matrix lists 127 techniques across its ten tactic categories. For example, Registry Run Keys / Startup Folder is a technique in the Persistence category, Brute Force is a technique in the Credential Access category, and Command-Line Interface is a technique in the Execution category.

Leveraging Endpoint Detection and Response (EDR) in the ATT&CK Model

Endpoint Detection and Response (EDR) solutions, such as Ziften’s, provide vital visibility into adversary use of the techniques listed in the ATT&CK model. For example, Registry Run Keys / Startup Folder technique use is reported, as is Command-Line Interface use, since both involve readily observable endpoint behaviors. Brute Force use in the Credential Access category should be blocked by design in any authentication architecture and be visible through the resulting account lockout. But even here the EDR product can report events such as failed login attempts, where an adversary may take a few guesses while staying under the account lockout attempt threshold.
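To make that reporting concrete, here is an added example, written for this post rather than taken from Ziften’s product or from MITRE: a small Python detection pass over constructed endpoint telemetry that tags Run key and Startup folder writes as Persistence, shell launches as Execution, and separates failed-logon bursts the lockout policy already catches from the slow, sub-threshold guessing described above. The event field names, hosts, users, paths, and the 5-failures-in-15-minutes lockout policy are all assumptions made for the example.

```python
"""Toy EDR detection pass: constructed endpoint events mapped onto the
three ATT&CK techniques named in the post. Not Ziften or MITRE code."""
from collections import defaultdict

# Assumed domain lockout policy: 5 failed logons within 15 minutes locks the account.
LOCKOUT_THRESHOLD = 5
LOCKOUT_WINDOW_S = 15 * 60
# Detector tuning for guessing that deliberately stays under that policy:
# more than SLOW_THRESHOLD failures for one (host, user, source) inside SLOW_WINDOW_S.
SLOW_WINDOW_S = 6 * 3600
SLOW_THRESHOLD = 8

# Lower-cased path fragments that identify the Persistence locations (assumed format).
RUN_KEY_MARKERS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
STARTUP_FOLDER_MARKER = "\\start menu\\programs\\startup\\"
SHELL_IMAGES = {"cmd.exe", "powershell.exe"}

# Constructed sample telemetry; timestamps are seconds from an arbitrary origin.
EVENTS = [
    {"ts": 10, "host": "ws01", "type": "registry_set", "user": "bob",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "data": r"C:\Users\bob\AppData\Roaming\upd.exe"},
    {"ts": 12, "host": "ws01", "type": "process_create", "user": "bob",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami",
     "parent": "WINWORD.EXE"},
    {"ts": 15, "host": "ws01", "type": "file_create", "user": "bob",
     "path": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upd.lnk"},
    # carol: two typos, benign
    {"ts": 5000, "host": "dc01", "type": "logon_failed", "user": "carol", "src": "10.0.0.7"},
    {"ts": 5030, "host": "dc01", "type": "logon_failed", "user": "carol", "src": "10.0.0.7"},
]
# dave: six failures in one minute, so the lockout policy itself is the signal
EVENTS += [{"ts": 7000 + 10 * i, "host": "dc01", "type": "logon_failed",
            "user": "dave", "src": "10.0.0.9"} for i in range(6)]
# alice: one failure every 20 minutes for four hours, never locks, 12 failures total
EVENTS += [{"ts": 20000 + 1200 * i, "host": "dc01", "type": "logon_failed",
            "user": "alice", "src": "10.0.0.5"} for i in range(12)]


def classify_event(ev):
    """Map one endpoint event to an ATT&CK (tactic, technique) pair, or None."""
    kind = ev["type"]
    if kind == "registry_set" and any(m in ev["key"].lower() for m in RUN_KEY_MARKERS):
        return ("Persistence", "Registry Run Keys / Startup Folder")
    if kind == "file_create" and STARTUP_FOLDER_MARKER in ev["path"].lower():
        return ("Persistence", "Registry Run Keys / Startup Folder")
    if kind == "process_create" and ev["image"].rsplit("\\", 1)[-1].lower() in SHELL_IMAGES:
        return ("Execution", "Command-Line Interface")
    return None


def max_in_window(stamps, window):
    """Largest number of timestamps inside any window of `window` seconds."""
    stamps = sorted(stamps)
    best = start = 0
    for end, ts in enumerate(stamps):
        while ts - stamps[start] >= window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_brute_force(events):
    """Findings for failed-logon patterns: those the lockout policy already
    catches, and those spread out to stay under it."""
    failures = defaultdict(list)
    for ev in events:
        if ev["type"] == "logon_failed":
            failures[(ev["host"], ev["user"], ev["src"])].append(ev["ts"])
    findings = []
    for (host, user, src), stamps in failures.items():
        base = {"host": host, "user": user, "tactic": "Credential Access",
                "technique": "Brute Force"}
        if max_in_window(stamps, LOCKOUT_WINDOW_S) >= LOCKOUT_THRESHOLD:
            findings.append({**base, "detail": f"{src}: lockout threshold reached"})
        elif max_in_window(stamps, SLOW_WINDOW_S) >= SLOW_THRESHOLD:
            findings.append({**base, "detail":
                             f"{src}: {len(stamps)} failures kept under lockout threshold"})
    return findings


def run_detections(events):
    """Return every finding, per-event technique hits first, then logon patterns."""
    findings = []
    for ev in events:
        hit = classify_event(ev)
        if hit:
            tactic, technique = hit
            findings.append({"host": ev["host"], "user": ev["user"], "tactic": tactic,
                             "technique": technique,
                             "detail": ev.get("key") or ev.get("path") or ev.get("cmdline")})
    findings.extend(detect_brute_force(events))
    return findings


if __name__ == "__main__":
    for f in run_detections(EVENTS):
        print(f"{f['host']:5} {f['tactic']:17} {f['technique']:34} {f['user']}: {f['detail']}")
```

The two windows are the point: the lockout window catches dave, but alice never trips it, so only the longer detector window exposes her pattern. In practice the slow window and threshold are tuned against the organization’s own failed-logon baseline.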

For attentive defenders, any technique use may be the attack giveaway that unravels the entire kill chain. EDR products compete on their technique observation, reporting and alerting capabilities, as well as on their analytics capacity to perform more of the attack pattern detection and kill chain reconstruction, in support of the security analysts staffing the enterprise SOC. Here at Ziften we will detail more EDR solution capabilities supporting the ATT&CK post-compromise detection model in future posts in this series.