Making sense of attack patterns.

As new technologies, attacks, vulnerabilities, and exploits are developed and discovered, it can be difficult and exhausting to keep up, detect, defend, and respond accordingly. Large corporations and enterprises are especially at risk as the company’s massive network size needs to account for countless devices, endpoints, users, vulnerabilities, and entry points.

Attackers, on the other hand, are quicker to find vulnerabilities and develop new attack methods. So how should an enterprise organization fight this uphill battle?

We reached out to David Kennedy, founder and principal security consultant of TrustedSec for commentary and insight. He recommended prioritizing damage mitigation over attack prevention, as being a much more effective approach.

“There’s a difference between a company with one compromised computer, compared to 1,000, or 10,000,” offered David, highlighting the need for a damage mitigation perspective.

Given this mindset, information security professionals can rely on some tools, strategies, techniques, and approaches in order to effectively bolster their defenses and minimize the impact of an attack.

In this article, we’ll go over the following:

    • How to assess your own security environment before you make major investments

    • How tools can help your company detect, identify, and respond to common attacks

    • New approaches and methods for proactively defending your network

    • Avoiding common pitfalls and mistakes in attack detection and incident response

Understanding your own security environment


Keeping track of all potential vulnerabilities is a monumental task in and of itself but testing new security protocols, ensuring employees are trained in the right manner, and implementing a rigorous security environment without slowing a company down can be its own challenge.

An organization must first understand their own environment in order to approach information security the right way. Tools, software, strategies, and techniques have can serve a department differently depending on the resources, the professionals, and the technologies available.

“Choosing a tool depends on the [company’s] environment, the personnel in a department, and the fit of a tool within that environment,” said David.

To better understand how your company can manage additional security tools, strategies, and more, consider the following:

  • The size of your information security department. A two-person team will have different needs and considerations compared to a 10+ person department.

  • The makeup of your network organization and segmentation. How much of your network is confined to local servers? The cloud? Are employees logging in through remote devices? Do they use a VPN?

  • Your access points and employee privileges. Through any given employee, how easy would it be to completely compromise your network?

  • What are your available resources? Leveraging additional tools and software might require additional costs or resources. Otherwise, their benefits are limited.

By gaining an understanding of your security environment, you’re now ready to consider new tools, approaches, and techniques.

These are important steps to take if you're looking to make sense of cyber attack patterns. #InfoSecInsider #infosec Click to Tweet

How tools can help you identify and prepare for common attacks


There is no one tool to solve all problems and no one tool offers the perfect solution. Instead, tools should be considered with your department in mind and often fall into two (or both) camps: visibility and detection.

Visibility

These tools offer a comprehensive look into an organization’s network. They often consist of listening and tracking tools capturing, for example, endpoint and event logs, allowing a company to see how a user is moving around in an organization’s network.

David highlighted a free tool from Windows called Sysmon, exposes event log tracing, allowing organizations to really see what’s happening in a kernel and shows executables happening in a network or system. Coupled with ETW (Event Tracing for Windows), this allows organizations to navigate through a specific user’s network activity. If an attack should occur on your network, these visibility tools will help you understand where the attack came from and how an attacker might have obtained access.

Detection

These tools are extensions of visibility tools that alert an organization when a potentially malicious or compromised activity has occurred.

A new generation of products called EDRs (Endpoint Detection and Response) offer continuous monitoring and allow departments to ensure they have up-to-date information on their network at all times, increasing the productivity of their department, allowing them to focus on additional work.

Techniques and approaches for attack detection and minimizing attack impact


Information security must find the right way to work with different tools and strategies. For example, when it comes to EDRs, it’s up to the security department to know whether the flagged activity is actually a problem and an indicator of a security issue and what their security response would be given an alert. Otherwise, they may be wasting valuable resources.

Attack patterns, techniques, and styles can number in the thousands, especially when it comes to enterprise risks, so security departments need to start building a formalized program for internal detection and responses to ensure they can respond quickly and intelligently.

When it comes to minimizing the impact of an attack or compromise, the first thing to identify is where the compromise occurred. Where was the entry point, was there a specific exploit that led to a compromise, or was it due to a device or a user? If a department can’t identify where or how an attack happened, the organization is at risk for a similar attack.

Additional data points to look at are:

    • Privilege escalation
    • Persistence of the attack or user
    • Any suspicious lateral movement in your network
    • Post-exploitation and exfiltration data

As part of your incident response, David suggests that departments should “identify the cause analysis. That’s most important, otherwise a company is still vulnerable to the same attack.”

David also pointed out that a new approach that is becoming popular is threat hunting. This consists of security departments proactively looking for abnormalities in a network, building internal practices for detection and response, and setting up a formalized governance, responsibility, and response matrix. These kinds of processes provide foundational support, allowing a department to scale their defense as the company grows.

Common pitfalls to avoid in detection and incident response


Most organizations, even enterprises, often fail to cover their basics. Research and dedicated training is a must here, something David was adamant about.

“Teams need to understand attack patterns more often which means that dedicated research and training is a major component. Up to 50% of your time should be going to research,” said David.

In addition to this research, organizations must prioritize their vulnerability, device, and patch management. These are low hanging fruit that can often be exploited, especially for older vulnerabilities where the exploitation data has been around for a while. By having an understanding of their assets, fixing CVEs, and finding basic vulnerabilities, departments can then take advantage of more sophisticated software and tools.

SIEM (security information and event management) software can do wonders for an organization, but if there isn’t the foundational maintenance, understanding, and integration capabilities, it starts becoming a drag on the department and losing its effectiveness.

“SIEMs are valuable,” said David, “because it provides visibility but it needs to be maintained, understood and integrated with the right sources.”

Using threat intelligence resources, investing in ongoing security training, and even having an eye on Twitter can make a difference in ensuring an organization is up to date on new vulnerabilities, potential exploits, and discovered risks. This is a fast-moving industry and should be treated as such.

To learn more about how to identify your organizations’ risk factors, how your network stacks up to new attacks, and how to stay on top of newly discovered threats and vulnerabilities, sign up for MISTI’s Threat Intelligence Summit on July 23rd. Check out the agenda and register here.

To learn more about how to identify your organizations’ risk factors, how your network stacks up to new attacks, and how to stay on top of newly discovered threats and vulnerabilities, sign up for MISTI’s Threat Intelligence Summit on July 23rd. Check out the agenda and register here.