Written by: Kevin Hiltpold, Federal Sr. Solutions Engineer – At my first job in cybersecurity at one of the biggest Internet providers that ever existed, I asked, “Do we have multiple vendors in our network security stack to provide defense-in-depth?” The Chief Architect replied, “No, we have multiple vendors to use as leverage when we have a feature request that one of them doesn’t want to fulfill.” With that answer, my philosophy was set. Defense-in-depth is about being able to detect and stop what the first line of defense lets through, not vendor diversity. It is hard enough finding qualified security professionals who can respond to attacks quickly without forcing them to be fluent with multiple vendors. If you are wondering if several well-meaning security architects and SOC chiefs told me over the years that their environment had defense-in-depth because their firewall was from one vendor and their IDS from another, sadly, the answer is yes.
Security teams and SOCs face many well-known pain points in protecting a company's IT assets: alert fatigue, operational blind spots, slow patching cycles, unfocused users, and so on. The most significant problems, however, are these: how do you detect attackers that the network firewall let through because of a business requirement or a misconfiguration? How do you detect attackers that the network IDS or antivirus missed because signature-based detection is a static defense? Attackers know how to bypass static defenses and have done so for quite some time. By no means am I saying that firewalls, IDS, and antivirus are not necessary and vital parts of the defensive stack. Quite the contrary; it is just that there is no solid backstop for these technologies once they are bypassed. Realizing this was probably the genesis of Zero Trust Architecture, but ZTA comes dangerously close to upsetting the balance between security and productivity. Will regular users or managers really tolerate re-authenticating to Office 365 every 15 minutes because security policy requires it? If not, will security policy relax to re-authentication every 14 days, leaving a valid token on the system that an attacker can reuse for that entire window?
Once an attacker gets past the first line of defense, what challenges does the attacker face when they start living off the land and moving laterally? Not many. Time is on their side, every piece of data they collect during information gathering is true, and typically they are using a real credential that belongs in the environment. What technology is there to help defenders once the attacker has assumed a friendly identity? I know someone reading this just said to themselves, "What about behavior analytics?" Yes, behavior analytics plays a role in deepening our cyber defenses. However, if a behavior analytics engine trains itself in an already compromised environment, then attacker behavior becomes the baseline of normal behavior. How many security teams can say with complete certainty that there are no bad actors on their network?
What are the detection gaps? How are attackers able to stay in environments for months without being detected?
One of the detection gaps is Active Directory. Active Directory's necessary design of open information sharing is the proverbial gift that keeps on giving to attackers: any authenticated domain account can query it for users, groups, computers, and service accounts. In the attacker's playbook, and in today's ransomware operations, enumerating it is the first step after the initial compromise, which typically arrives via a phishing e-mail. Remember one of my earlier pain points for SOCs, unfocused users. How does a security team prevent a high-value asset that is critical to company operations from providing truthful information in response to a non-privileged user's request, especially when the asset does not tolerate agents being installed or is not owned by the security team?
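To make the "open information sharing" point concrete, here is an added example (my own code, not from the original post or from Attivo) of what any authenticated, non-privileged domain account can pull out of Active Directory using nothing but the .NET ADSI classes built into Windows PowerShell. It assumes a domain-joined Windows host and the current user's existing domain logon; no admin rights, RSAT module, or agent is involved. The function name Get-ADSearchResults is my own.

```powershell
# Added example, not from the original post: what a plain domain user can learn
# from Active Directory using only the built-in ADSI classes (no RSAT, no admin).
# Assumes a domain-joined Windows host and the current user's domain logon.

function Get-ADSearchResults {
    # Runs one LDAP query against the current domain and flattens the results.
    param(
        [Parameter(Mandatory)] [string]   $LdapFilter,
        [string[]] $Properties = @('distinguishedName')
    )
    $searcher = [adsisearcher] $LdapFilter
    $searcher.PageSize = 500     # server-side paging: return every match, not just the first 1000
    foreach ($p in $Properties) { [void] $searcher.PropertiesToLoad.Add($p) }
    foreach ($result in $searcher.FindAll()) {
        $row = [ordered] @{}
        foreach ($p in $Properties) {
            # ResultPropertyCollection keys are lower-case regardless of how they were requested
            $row[$p] = @($result.Properties[$p.ToLower()]) -join '; '
        }
        [pscustomobject] $row
    }
}

$domainDn = ([adsi] 'LDAP://RootDSE').Properties['defaultNamingContext'].Value

# 1. Every member of Domain Admins, including nested group members
#    (1.2.840.113556.1.4.1941 is the LDAP_MATCHING_RULE_IN_CHAIN OID).
Get-ADSearchResults -Properties sAMAccountName, description `
    -LdapFilter "(&(objectCategory=person)(memberOf:1.2.840.113556.1.4.1941:=CN=Domain Admins,CN=Users,$domainDn))"

# 2. Accounts with a servicePrincipalName: any domain user can request a service
#    ticket for these and crack it offline (Kerberoasting).
Get-ADSearchResults -Properties sAMAccountName, servicePrincipalName `
    -LdapFilter '(&(objectCategory=person)(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))'

# 3. Accounts with Kerberos pre-authentication disabled (userAccountControl bit 0x400000,
#    1.2.840.113556.1.4.803 is the bitwise-AND matching rule): attackable with no credential at all.
Get-ADSearchResults -Properties sAMAccountName `
    -LdapFilter '(&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=4194304))'

# 4. Every server and its operating system: a ready-made target list for lateral movement.
Get-ADSearchResults -Properties dNSHostName, operatingSystem `
    -LdapFilter '(&(objectCategory=computer)(operatingSystem=*Server*))'
```

Nothing here is an exploit; every query is answered because the domain is doing exactly what it was designed to do. That is the defender's problem: the domain controller cannot tell a curious help-desk user from an attacker holding that user's token, so the detection opportunity lies in who is asking these particular questions, and how often, rather than in the answers.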
Another detection gap is attack surface awareness. If you have ever been approached by a SOC chief with the question "How bad did they hit us?", you cringe a little, because you know there is no fast answer to this very valid question, especially when it involves compromised real credentials. Take the case of SolarWinds, where the attacker minted real credentials and then used a compromised endpoint as a jump host to move to several other machines. Is there a quick and easy way to find out every system a real credential has accessed or is currently logged on to? Network monitoring tools that provide network pathway visibility have been around for a long time. But how do you proactively determine the pathways that exist from system to system because of credentials, the pathways attackers will use once they scrape credentials from memory?
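To put the credential-pathway question in concrete terms, here is an added example (my own code, not from the original post or from Attivo) that reconstructs which hosts an account has logged on to from Windows Security event 4624 (successful logon) records, data most environments already collect. The sample events are constructed for the example and describe no real incident; the host and account names are invented. Real events come from Get-WinEvent, as shown at the end of the block.

```powershell
# Added example, not from the original post: map the hosts a credential has logged on to
# from Security event 4624 records. The sample events below are constructed for illustration;
# real ones come from Get-WinEvent (see the end of the block).

function Get-ShortHostName {
    # Short, upper-case host name so "fs01.corp.example" and "FS01" compare equal
    param([string] $Name)
    if (-not $Name -or $Name -eq '-') { return $null }
    return ($Name -split '\.')[0].ToUpper()
}

function ConvertFrom-LogonEventXml {
    # Flattens one 4624 event (XML from EventLogRecord.ToXml()) into a logon edge.
    param([Parameter(Mandatory, ValueFromPipeline)] [string] $EventXml)
    process {
        $x = [xml] $EventXml
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # WorkstationName is "-" or empty for some logon types; fall back to the source IP
        $source = Get-ShortHostName $data.WorkstationName
        if (-not $source) { $source = $data.IpAddress }
        [pscustomobject] @{
            Time        = [datetime] $x.Event.System.TimeCreated.SystemTime
            Account     = "$($data.TargetDomainName)\$($data.TargetUserName)"
            LogonType   = [int] $data.LogonType     # 2 interactive, 3 network, 9 NewCredentials, 10 RDP
            Source      = $source
            Destination = Get-ShortHostName $x.Event.System.Computer   # host that accepted the logon
        }
    }
}

function Get-CredentialPathways {
    # Groups logon edges by account and flags accounts that reached many distinct hosts.
    param(
        [Parameter(Mandatory)] [object[]] $Logons,
        [int[]] $LogonTypes = @(2, 3, 9, 10),
        [int] $HostThreshold = 3
    )
    # Local logons (source equals destination) are not movement and are dropped.
    $Logons |
        Where-Object { $_.LogonType -in $LogonTypes -and $_.Source -ne $_.Destination } |
        Group-Object Account |
        ForEach-Object {
            $edges = $_.Group | Sort-Object Time |
                ForEach-Object { "$($_.Source) -> $($_.Destination) [type $($_.LogonType)]" } |
                Select-Object -Unique
            $hosts = @($_.Group.Destination | Select-Object -Unique)
            [pscustomobject] @{
                Account    = $_.Name
                HostCount  = $hosts.Count
                Hosts      = $hosts -join ', '
                Pathways   = $edges -join '; '
                Suspicious = $hosts.Count -ge $HostThreshold
            }
        }
}

function New-Sample4624 {
    # Constructed sample record in the Windows event XML schema (illustration only).
    param($Time, $Computer, $User, $Type, $Ip, $Workstation)
@"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><TimeCreated SystemTime="$Time"/><Computer>$Computer</Computer></System>
  <EventData>
    <Data Name="TargetUserName">$User</Data><Data Name="TargetDomainName">CORP</Data>
    <Data Name="LogonType">$Type</Data><Data Name="IpAddress">$Ip</Data>
    <Data Name="WorkstationName">$Workstation</Data>
  </EventData>
</Event>
"@
}

$sampleEvents = @(
    New-Sample4624 '2021-02-10T09:02:11Z' 'WS17.corp.example'     'jsmith'     2  '-'           'WS17'   # console logon
    New-Sample4624 '2021-02-10T09:14:02Z' 'FS01.corp.example'     'svc_backup' 3  '10.10.20.17' 'WS17'   # expected backup job
    New-Sample4624 '2021-02-10T09:31:40Z' 'SQL02.corp.example'    'svc_backup' 3  '10.10.30.5'  'FS01'
    New-Sample4624 '2021-02-10T09:33:12Z' 'DC01.corp.example'     'svc_backup' 10 '10.10.30.5'  'FS01'   # RDP to a DC as a service account
    New-Sample4624 '2021-02-10T09:40:55Z' 'HR-APP01.corp.example' 'svc_backup' 3  '10.10.30.5'  'FS01'
)

$logons = $sampleEvents | ConvertFrom-LogonEventXml
Get-CredentialPathways -Logons $logons | Format-List

# Against real logs (each host records only the logons it accepted, so collect from all of them):
# $logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-7) } |
#               ForEach-Object { $_.ToXml() } | ConvertFrom-LogonEventXml
```

In the constructed sample, jsmith's console logon produces no edge, while svc_backup comes out with four destination hosts and is flagged, with the FS01 jump host visible as the source of the later logons. The caveats are the real lesson: each host logs only the logons it accepted, so the map is only as complete as your log collection, and a credential replayed from memory produces a perfectly ordinary 4624 that this logic can only catch by asking whether that account has any business on that host.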
I will illustrate this when I discuss the lateral movement detection opportunities in Microsoft's Solorigate blog and in a semi-annual red team exercise that took place in an Attivo Threat Defend environment. Attivo Networks is the expert in preventing and detecting lateral movement and privilege escalation. We specialize in protecting networks, identities, credentials, and high-value assets across endpoints, AD, and cloud infrastructure.
To learn more, join me in my upcoming webinar on February 25th 11:00 AM PST.
In this webinar you will learn how security teams can:
- Detect an adversary who looks and acts like a member of the organization and is moving in operational blind spots
- Slow down the adversary with every piece of information they gather for lateral movement
- Deceive the adversary, turn the tables, and lower the Mean-Time-To-Detection (MTTD) from months to hours, or even less.