Offense is Winning.
Enterprise IT security strategies, processes and technology stacks are fundamentally defense-based, requiring known information about the adversary. They depend on prior knowledge of the adversaries’ tools to drive detection and prevention. Adversaries continue to be on offense, targeting specific organizations, identifying attack paths to valuable assets, and deploying customized malware variants and intrusion techniques tailored to the organization’s infrastructure.
In fact, 70-90% of the malware used in data breaches is unique to the victim organization, often leading to complete circumvention of signature-based enterprise defenses. Adversaries compromise at will, penetrating defenses in ways that leave companies ignorant of a breach for 146 days on average.
A dollar of offense always wins against a dollar of defense. Traditional security programs are bureaucratic and compliance-minded, while adversaries are committed, creative, and nimble. Security teams must be successful 100% of the time, while attackers only need to succeed once to enter enterprise networks and cause damage and loss. A different approach is needed. Enterprises must assume that their networks are compromised and implement an offense-based strategy. This requires a shift in mindset, wherein enterprises think like the adversary and deploy the same creative and nimble tactics, techniques, and procedures that the adversary uses against them. Enterprises must hunt for adversaries within their networks.
Security teams must think like adversaries, actively identifying adversaries without known indicators of compromise, and evicting them before data is exfiltrated or systems are disrupted. This paper explains the benefits of an offense-based strategy and how to integrate hunting into security operations to evict adversaries within enterprise networks.
Challenges in Detecting Adversaries
Adversary is Evading Traditional Tools
Adversaries build evasion techniques into their exploits and malware to work around or disable traditional security tools. An identified security tool quickly becomes a circumvented security tool. Being detected by the adversary means game over. Adversaries automate checks for running process and service names, and can then use simple commands to stop those services and move through the network unobserved. Knowing that the adversary is looking for you, enterprises must hide from the adversary to provide uninterrupted protection, and track and contain attacker behavior, analyze their techniques, and ultimately evict them from enterprise networks.
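One defensive counterpart to the service-stopping behavior described above is to hunt for security services being stopped or disabled. The following is an added example, not code from the original paper or its vendor: it parses constructed service-control log lines (the line format is an assumption loosely modelled on Windows System log service events 7036 and 7040) against a hypothetical watchlist of security tools and reports which hosts saw tampering.

```python
"""Hunt for security services being stopped or disabled (added example).

The log format, the sample lines and the WATCHLIST are assumptions constructed
for this example; the event numbers are only a loose model of Windows System
log service-control events.
"""
import re
from collections import Counter

# Constructed sample telemetry; not from the original page.
SAMPLE_LOG = """\
2023-01-10T08:00:01 host=ws01 event=7036 service="Print Spooler" state=stopped
2023-01-10T08:00:05 host=ws01 event=7036 service="EDR Sensor" state=stopped
2023-01-10T08:00:06 host=ws01 event=7040 service="EDR Sensor" start_type=disabled
2023-01-10T08:02:11 host=ws02 event=7036 service="Windows Update" state=stopped
2023-01-10T08:05:40 host=ws03 event=7040 service="Windows Defender Antivirus Service" start_type=disabled
"""

# Hypothetical watchlist: case-insensitive substrings of service names a
# defender wants tamper alerts for.  Tune to the tools actually deployed.
WATCHLIST = ("edr sensor", "defender", "sysmon")

LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\d+) '
    r'service="(?P<service>[^"]+)"(?: state=(?P<state>\S+))?(?: start_type=(?P<start>\S+))?$'
)


def parse_line(line):
    """Return a dict of fields, or None for lines that do not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_tamper(rec):
    """True when a watch-listed service was stopped or set to disabled."""
    name = rec["service"].lower()
    if not any(w in name for w in WATCHLIST):
        return False
    return rec.get("state") == "stopped" or rec.get("start") == "disabled"


def hunt_service_tampering(log_text):
    """Return (alerts, per_host_counts) for tampering events found in log_text."""
    alerts = [r for r in map(parse_line, log_text.splitlines()) if r and is_tamper(r)]
    per_host = Counter(a["host"] for a in alerts)
    return alerts, per_host


if __name__ == "__main__":
    alerts, per_host = hunt_service_tampering(SAMPLE_LOG)
    for a in alerts:
        print(f'{a["ts"]} {a["host"]}: {a["service"]} event={a["event"]}')
    print("hosts with security-service tampering:", dict(per_host))
```

Stopping "Print Spooler" or "Windows Update" is routine and is deliberately not alerted on; only services on the watchlist count, which keeps the hunt focused on the evasion step rather than on every service change.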
Polymorphic Malware, Customized Attacks
Adversaries increasingly employ never-before-seen tools and tactics, including custom and polymorphic malware that defeats detection strategies that depend on prior recognition of known signatures and IOCs. By changing a few lines in the code, adversaries can alter the signature of the malware or exploit without changing the malicious code’s capability to execute and gain access. By the time novel attacks have been characterized and provided to search technologies, disruption and theft have already occurred. In this scenario, the search identifies compromises too late in the kill chain, and often after damage and loss have occurred.
Limited Expertise, Scarce Resources
The threat landscape is seemingly infinite and unconstrained; enterprise resources, however, are not. With an industry-wide shortage of skilled practitioners, enterprises are struggling with both personnel and financial limitations in resourcing their security teams. Tier 3 security analysts spend 30-50% of their time on incident management, dealing with a backlog of alerts, many of which turn out to be false positives [3]. To use resources efficiently, analysts must focus on adversary techniques and not just on tools and known IOCs, which are transient and prone to false positives. In addition, today’s security analysts have to use multiple tools to monitor events, perform forensic investigations and remediate validated incidents. Organizations with limited resources need a comprehensive, integrated platform to hunt effectively. This enables analysts from tier 1 to tier 3 to be more productive and efficient in detecting and evicting adversaries.
Limited to No Automation
In many organizations, hunting largely remains a manual process. Hunting manually is inadequate for the scale of the data and the diversity of attacks. Today, security analysts are using time-consuming methods to hunt: command-line-driven tools like PowerShell to collect data, and Excel spreadsheets to analyze the data and remediate per endpoint. Enterprise security teams require faster detection methods with automated data exploration capabilities and advanced data visualization to collect, correlate, analyze, and extract insights. Focused on empowering the hunt, automation allows analysts to detect and evict adversaries at all stages of the kill chain before damage and loss occur. Automation does not replace the analyst, but removes onerous and time-consuming tasks, allowing a more efficient use of time focused on protecting critical assets.
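The following added example (my code, not the paper's or its vendor's) shows the kind of automated hunt the sections on polymorphic malware, technique-focused analysis and automation are arguing for. Over a constructed process inventory collected from several endpoints it runs two passes: an IOC pass that matches binary hashes against a known-bad list, which misses a recompiled variant because its hash has changed, and a "stacking" pass that counts on how many hosts each process/path pair appears and surfaces the rare ones, which still catches the variant because it runs from an unusual path on a single host. The CSV layout, the hash placeholders and the rarity threshold are assumptions.

```python
"""Automated hunt by stacking endpoint process inventory (added example).

The inventory, the hash placeholders and the threshold are constructed for
this example and are not from the original paper.
"""
import csv
import io
from collections import defaultdict

# Constructed inventory: one row per (host, process).  Hashes are placeholders.
INVENTORY_CSV = """\
host,process,path,sha256
ws01,svchost.exe,C:\\Windows\\System32\\svchost.exe,HASH_SVCHOST
ws02,svchost.exe,C:\\Windows\\System32\\svchost.exe,HASH_SVCHOST
ws03,svchost.exe,C:\\Windows\\System32\\svchost.exe,HASH_SVCHOST
ws01,outlook.exe,C:\\Program Files\\Office\\outlook.exe,HASH_OUTLOOK
ws02,outlook.exe,C:\\Program Files\\Office\\outlook.exe,HASH_OUTLOOK
ws03,outlook.exe,C:\\Program Files\\Office\\outlook.exe,HASH_OUTLOOK
ws02,svchost.exe,C:\\Users\\Public\\svchost.exe,HASH_VARIANT_B
"""

# Known-bad hash feed (constructed).  Only variant A is known; variant B is the
# recompiled copy with a new hash that signature matching cannot see.
KNOWN_BAD = {"HASH_VARIANT_A"}


def load_inventory(text):
    """Parse the CSV inventory into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def ioc_matches(rows):
    """Pass 1: rows whose hash is on the known-bad list."""
    return [r for r in rows if r["sha256"] in KNOWN_BAD]


def stack(rows, key=("process", "path")):
    """Pass 2 helper: map each (process, path) pair to the set of hosts it ran on."""
    seen = defaultdict(set)
    for r in rows:
        seen[tuple(r[k] for k in key)].add(r["host"])
    return seen


def rare_entries(rows, total_hosts, max_fraction=0.34):
    """Pairs present on at most max_fraction of hosts, rarest first."""
    stacked = stack(rows)
    rare = [(k, sorted(h)) for k, h in stacked.items()
            if len(h) / total_hosts <= max_fraction]
    return sorted(rare, key=lambda kv: len(kv[1]))


def run_hunt(text):
    """Run both passes and return their findings."""
    rows = load_inventory(text)
    hosts = {r["host"] for r in rows}
    return {"ioc_hits": ioc_matches(rows),
            "rare": rare_entries(rows, len(hosts))}


if __name__ == "__main__":
    result = run_hunt(INVENTORY_CSV)
    print("IOC hits:", len(result["ioc_hits"]))
    for (proc, path), hosts in result["rare"]:
        print(f"rare: {proc} at {path} on {hosts}")
```

The same stacking step generalizes to any column collected per endpoint (parent process, signer, autorun entry, scheduled task), which is why it scales better than per-host spreadsheet review: the analyst inspects the short tail of rare entries rather than every row.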