Are you working with good information?
A key question security organizations might ask themselves with regard to emerging — or imminent — threats: Are the systems we have logging the correct information? They may need that information to hunt threats or to reconstruct what an attacker did while maneuvering around internally.
Traditional data sources might include authentication logs, DNS queries, web-proxy logs, operating-system logs, and performance logs. However, businesses oftentimes decommission many of these low-cost monitoring systems just as threats or vulnerabilities present themselves. Let’s dive into how emerging threats come about and some methodologies for going on the offensive.
Vigilance through visibility
Having the right systems in place that make sense for your organization is one aspect of threat detection. Another key aspect is ensuring those monitoring systems are logging the correct information. In the world of cloud services like Azure or AWS, this would mean continuously ingesting your logs from those providers.
Similarly, anytime there is user activity on a SaaS service like Salesforce, it’s a good rule of thumb to ensure security teams enable logging and can readily collect those logs in near real time. Via pathways like search, correlation, and centralized storage, teams can access those logs with ease and speed.
It may go without saying to anyone reading this, but a quick reminder of traditional security-specific monitoring systems could lead to a quick remediation:
- Anti-virus solutions monitor at the systems level and are easy to deploy and maintain.
- Network security solutions monitor broadly at the network level.
- Endpoint detection-and-response solutions monitor and respond at the endpoint plane.
Knowing your threats
Is a threat actor looking to compromise your particular business or leveraging it to gain access to someone else along your supply chain? This wide-ranging attack surface makes it hard to know if the target is you, a client, or a provider. Attackers could be simply looking for money or they might be playing a higher-stakes game in corporate espionage or nation-state sponsored transgressions.
Taking all of this into account — and if you’re a provider — one of the most responsible questions you can ask yourself is, “If compromised, would I provide access to a customer whom my attacker is targeting?” For context, see our SolarWinds Supply-Chain attack blog. It could be something as simple as a browser plugin at a provider or customer site that compromises that company’s entire partner and supply chain, which could include you. These sorts of simpler attacks may seem as if they would be pulled off by “small-timers” looking for some quick cash, but increasingly the perpetrators reveal themselves to be organized, nation-state sponsored groups.
Depending on individual log retention, it may not be possible to know if you were affected by a direct or supply-chain breach. And of course, there’s the obvious fact that it can be time-consuming to pore through those logs for evidence of an incident. Therefore, a few tips to stay vigilant:
- Know the latest circulating threats by appointing a team, or at least a few key people, to analyze industry and private publications for real-time intelligence.
- Research newly identified threat actors targeting your industry.
- Monitor known actors for changes in their attack patterns.
Attack - analyze - defend
Following along from that last bullet point above, is it actually possible to build a profile of a threat actor? Then, can you actually look at that profile and compare it to enough observed changes over time to know whether a different attacker is targeting your industry or your company? The answer is yes, but it takes time.
Looking at user-behavior analytics (UBA) of threat actors across a given time allows teams to begin to build a profile; and it can start with something as small as an administrator action that looks different from what your co-worker might do. Another instance is if an analyst detects a new AWS region or if a user appears to be authenticating from multiple countries in a short time frame. Calibrating built-in alerts within your incident-detection and response platform can give time back to security teams looking to innovate in other areas.
Attackers are much less likely to use net-new tools and processes, preferring to use existing techniques until those templates ultimately prove to be liabilities. This makes defense a bit more predictable and iterative, but with the caveat that predictability is a limited-time thing. As far as defenses go, let’s talk about intruder traps. Routing non-used IP space to dedicated monitoring systems is an obvious way to tell if someone is adventuring into a space they shouldn’t be. Honeypots — like imposter network services and imposter files created to lure attackers — are also time-tested intruder traps.
Stay several steps ahead
Eoin Miller, Manager of Threat Intel and Detection Engineering (TIDE) at Rapid7, recently presented a webcast on how to stay ahead of emerging threats by maintaining comprehensive visibility of systems, having a clear idea of known or potential threat actors that target certain industries, and much more. Protect your business: Strengthen defenses by going on offense.