Active defense: a key approach to protecting against major threats
Having an active defense posture, in which defenders actively use threat intelligence and their own environment telemetry to uncover potential compromises, is the next stage on the cyber security maturity roadmap. Instead of waiting for detections to trigger, defenders can take the initiative and hunt down threat actors inside their environment, halting malicious activity before the attackers can fully accomplish their goals.
Ransomware compromises, which usually involve data exfiltration, are not quick operations. Attackers need time to find their way around the network, identify the databases holding the information they are seeking, exfiltrate that information and finally deploy the ransomware. This is the time window in which an active defense strategy can make the most impact, by looking from the inside out: the perimeter has already been compromised, no relevant alerts were raised, and the attackers have already begun carrying out their malicious activities within the victim's network.
Conducting periodic threat hunting exercises increases the chances of detection. However, despite the potential benefits of threat hunting, the odds are against defenders: the hunter has limited time and resources, the target is unknown, and the type of activity being searched for is often undefined. As threat hunting becomes routine and the hunter becomes more familiar with the environment, the exercise becomes more efficient, the findings and analysis become more useful, and the defender's visibility of the environment improves.
Besides the possible detection results, there are two important outcomes of threat hunting:
- Identifying weak spots in the organization's overall defense. By analyzing successful detections at a deeper level, defenders can understand what failed and at which layers.
- Exposing blind spots in the defenders' network visibility. Threat hunting is about analyzing the available information and searching for what shouldn't be there, as well as identifying potentially useful data that is not currently available. This type of assessment provides valuable information on how visibility into the environment can be improved.
There is no “one size fits all” approach or “magic bullet” solution that will get organizations to their best defense posture. Rather, it's an iterative process that greatly improves with repetition. Threat hunting supports—and can dramatically improve—active defense, particularly when hunt results can be leveraged to improve the environment. In the next sections, we introduce some of the quick wins that can help organizations implement an effective active defense approach.
Monitor DNS queries
Monitoring domain name system (DNS) queries provides a unique view into what is going on in the network. Analyzing the DNS query logs and singling out the systems that resolved recently created domains is a good starting point. Queries for known malicious domains should also be analyzed, as this provides visibility into the effectiveness of the first line of defense. Keep in mind that this is about searching for what was not detected: known malicious domains should already be blocked, so a successful resolution of one points to a gap in an outer layer.
If a compromise did occur, DNS query logs may also be a good source of information about the adversary's actions and the extent of their malicious activity on the network.
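The two DNS hunts described above, singling out clients that resolved recently registered domains and clients that resolved domains the perimeter should already block, as an added example that is not part of the original article. The log lines, registration dates and malicious-domain list are constructed; in a real deployment the registration dates would come from an assumed WHOIS/RDAP or passive-DNS lookup.

```python
from collections import defaultdict
from datetime import date

# Constructed DNS query log lines in the form "<timestamp> <client IP> <queried name>".
DNS_LOG = """\
2024-03-04T09:12:01Z 10.0.5.21 login.microsoftonline.com
2024-03-04T09:12:07Z 10.0.5.21 cdn.update-checker-7721.xyz
2024-03-04T09:13:44Z 10.0.7.13 files.corp.example
2024-03-04T09:15:02Z 10.0.7.13 beacon.evil-example.net
2024-03-04T09:15:30Z 10.0.9.40 api.update-checker-7721.xyz
"""

# Constructed enrichment: registrable domain -> registration date. In a real
# deployment this is an assumed lookup against WHOIS/RDAP or a passive-DNS feed.
REGISTRATION_DATES = {
    "microsoftonline.com": date(2008, 1, 1),
    "update-checker-7721.xyz": date(2024, 2, 28),
    "corp.example": date(2010, 6, 1),
    "evil-example.net": date(2019, 9, 9),
}

# Constructed set of domains the first line of defense should already be blocking.
KNOWN_MALICIOUS = {"evil-example.net"}


def registrable_domain(qname: str) -> str:
    """Reduce a queried name to its registrable domain.

    Simplification: keep the last two labels. Production code should use the
    Public Suffix List so names such as host.co.uk are handled correctly.
    """
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])


def triage_dns_log(log_text, registration_dates, known_malicious, today, max_age_days=30):
    """Return (young, missed): clients that resolved recently registered domains,
    and clients that resolved domains which should have been blocked upstream."""
    young = defaultdict(set)
    missed = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname = line.split()
        dom = registrable_domain(qname)
        if dom in known_malicious:
            # A successful query for a known-bad domain means an outer layer missed it.
            missed[dom].add(client)
        registered = registration_dates.get(dom)
        if registered is not None and (today - registered).days <= max_age_days:
            young[dom].add(client)
    return dict(young), dict(missed)


def triage_sample():
    return triage_dns_log(DNS_LOG, REGISTRATION_DATES, KNOWN_MALICIOUS, date(2024, 3, 4))
```

Each hit is a starting point for investigation, not a verdict: a new domain may be a legitimate service, but two clients resolving the same days-old domain deserves a look.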
Create high-priority alerts
Implement high-priority triggers with a near-zero false-positive rate. No organization has unlimited resources to monitor security events, and alert fatigue is a real problem in security operations centers. High-priority triggers won't eliminate security incidents, but they will help focus attention on critical events. There are two types of these triggers: generic and intelligence-driven.
Generic triggers are designed to alert on abnormal behavior typically produced by attackers while trying to establish a foothold or while searching for relevant information. Here are some examples of such triggers:
- Canary accounts - Accounts that are not used by the organization but are intended to lure malicious actors into using them in their operations. Create triggers on any use of these accounts.
- Monitor and raise alerts on administrative accounts - Newly created accounts that are granted privileges, and password changes on existing accounts, are good events to monitor.
- Domain controllers contacting unknown systems - The communications of domain controllers should be well known. Any communication initiated by a domain controller to an unknown system should be singled out for in-depth analysis.
- Profile dual-use tool executions on key systems - Attackers often hide their actions by using dual-use tools. Starting with the critical systems, profile the execution of such tools so that abnormal usage can be detected and investigated.
- Remote administration tools - Having a well-known usage pattern for such tools allows defenders to monitor for unusual or anomalous usage.
Intelligence-driven triggers, by comparison, are created by analyzing adversaries' evolving tactics, techniques, and procedures (TTPs). These triggers should therefore alert on adversary behaviors rather than on more static indicators of compromise (IOCs), such as known lists of IPs or domains; IOC-based activity should already be detected by the basic cyber security tools in place. The triggers should cover the TTPs commonly used by the threat actors relevant to one's organization. For example, if your organization does not use ConnectWise, TeamViewer or AnyDesk, create a trigger in your monitoring system that generates a high-priority alert whenever those tools are executed, as they are commonly used by threat actors. If a defender concludes that there is no way to create such an alert, a blind spot has been found, and its resolution should be prioritized according to the organization's resources and the other competing issues that require attention.
Perform root cause analysis on deep alerts
The most important question a threat hunter must try to answer while analyzing detection system logs is, "How did the malware get to the endpoint?" Deep alerts like this, which come from the innermost layer of the security architecture, need to be analyzed.
Most organizations have a multi-layered, defense-in-depth security architecture. When an endpoint defense system detects and blocks malicious software, this is good news for the defenders. It is also an opportunity for the threat hunter to identify and improve the security of the organization. A multi-layered architecture means that there are several security systems between the production systems and untrusted environments. If a threat was detected and stopped at an organization's innermost systems, then some outer-layer defense failed.
Conducting a root cause analysis is essential to determining what failed and how, as this provides invaluable input to the continuous improvement process. There can be multiple explanations for an initial infection. For example, an endpoint may have been compromised elsewhere and then connected to the organization's environment, or credentials may have been compromised and used to establish a malicious VPN connection.
Monitor communications on critical systems
Critical systems' communication patterns can be the source of the first high-priority alert indicating potential exfiltration of information. Organizations don't have infinite resources, and not all systems have the same value. For example, a file server will receive communications from many systems, but not all systems or endpoints should be transferring an abnormal quantity of information in a short amount of time. Or, if all systems in the environment must use a local DNS server and a system attempts to contact Google or Cloudflare DNS servers directly, that system should probably be reviewed. Having a list of critical systems is one of the basic steps that organizations with a mature security posture take to help detect malicious activity early.
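The two critical-system rules from this section, a bulk transfer against a critical server within a short window and DNS traffic that bypasses the local resolvers, run over constructed flow records. This is an added example, not code from the original article; the critical-server inventory, local DNS list, window and byte threshold are assumed values.

```python
from collections import defaultdict
from datetime import datetime

# Constructed inventory (assumed): critical servers and the only permitted DNS resolvers.
CRITICAL_SERVERS = {"10.0.1.5": "FS01"}
LOCAL_DNS_SERVERS = {"10.0.1.10"}

# Constructed flow records: "<timestamp> <src> <dst> <dst port> <bytes>".
FLOWS = """\
2024-03-04T10:00:05Z 10.0.5.21 10.0.1.5 445 120000000
2024-03-04T10:03:12Z 10.0.5.21 10.0.1.5 445 450000000
2024-03-04T10:04:40Z 10.0.7.13 10.0.1.5 445 8000000
2024-03-04T10:05:01Z 10.0.7.13 8.8.8.8 53 180
2024-03-04T10:06:22Z 10.0.9.40 10.0.1.10 53 210
"""


def parse_flows(text):
    """Yield (timestamp, src, dst, dst_port, bytes) tuples from the flow text."""
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, port, nbytes = line.split()
            yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(port), int(nbytes)


def detect(flows, window_minutes=10, volume_threshold=500_000_000):
    """Return alerts for bulk transfers against critical servers and DNS bypass."""
    volume = defaultdict(int)
    alerts = []
    for ts, src, dst, port, nbytes in flows:
        if port == 53 and dst not in LOCAL_DNS_SERVERS:
            # Policy says every system must use the local resolvers.
            alerts.append(("dns_bypass", src, dst))
        if dst in CRITICAL_SERVERS:
            # Bucket into fixed windows so volume is judged over a short period.
            bucket = ts.replace(minute=ts.minute - ts.minute % window_minutes, second=0)
            volume[(src, dst, bucket)] += nbytes
    for (src, dst, _bucket), total in volume.items():
        if total >= volume_threshold:
            alerts.append(("bulk_transfer", src, CRITICAL_SERVERS[dst], total))
    return alerts


def detect_sample():
    return detect(parse_flows(FLOWS))
```

The byte threshold should be derived from a baseline of normal client traffic to each critical server rather than picked by hand.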
Improve your visibility
Having good visibility into what is happening in the environment is the first step to performing threat hunting. The exercise of threat hunting will in turn show defenders whether there are blind spots, providing opportunities for improvement. Visibility should also be seen as a powerful source of information when recovering from a compromise. Organizations often don't have the means to implement a complete, comprehensive detection system across their entire environment, but that does not mean that no logging should be performed. Logs may be extremely relevant during the recovery phase of a compromise: knowing how and when a compromise occurred, even after the fact, is crucial. Proper logging is extremely useful in determining this, especially when analyzed from a threat hunter's point of view, so that it can also provide information that leads to the development of proper detections.
Deploy tiered accounts
Have administration accounts that are only used on specific systems. Not all systems need to contact all other systems or the internet, and, likewise, not all accounts need to be usable on all systems, especially high-privilege accounts. Have dedicated domain administrator accounts that are only used on domain controllers, complemented by second-tier administrator accounts. This tiering is done at the functional level, not the privilege level: the two account tiers may ultimately have the same privileges, but by tiering their access based on function, it is possible to set high-priority alerts that trigger when they behave abnormally.
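The following block, added here and not part of the original article, turns three of the page's high-priority triggers into rules over constructed endpoint events: canary account use and execution of a remote administration tool the organization does not sanction (from the trigger section), and a domain administrator account logging on outside the domain controller tier (from this section). The account sets, host names, tool image names and events are all assumed sample data.

```python
# Constructed reference sets (assumed; in practice they come from the
# organization's account and asset inventory).
CANARY_ACCOUNTS = {"svc_backup_old"}
TIER0_ADMINS = {"da_alice"}               # domain admin accounts, DC-only by policy
DOMAIN_CONTROLLERS = {"DC01", "DC02"}
# Example image names for the remote administration tools the text mentions;
# adjust to what the organization's own telemetry reports.
REMOTE_ADMIN_TOOLS = {"anydesk.exe", "teamviewer.exe", "screenconnect.clientservice.exe"}
APPROVED_REMOTE_TOOLS = set()             # this organization sanctions none of them

# Constructed endpoint telemetry: logon and process-creation events.
EVENTS = [
    {"type": "logon", "user": "j.doe", "host": "WS-0042"},
    {"type": "logon", "user": "svc_backup_old", "host": "FS01"},
    {"type": "logon", "user": "da_alice", "host": "DC01"},
    {"type": "logon", "user": "da_alice", "host": "WS-0042"},
    {"type": "process", "host": "WS-0077", "image": r"C:\Users\Public\AnyDesk.exe"},
    {"type": "process", "host": "WS-0077", "image": r"C:\Windows\System32\notepad.exe"},
]


def evaluate_triggers(events):
    """Return high-priority alerts as (rule, subject, host) tuples."""
    alerts = []
    for ev in events:
        if ev["type"] == "logon":
            if ev["user"] in CANARY_ACCOUNTS:
                # Nobody legitimate uses a canary account, so any logon is an alert.
                alerts.append(("canary_account_used", ev["user"], ev["host"]))
            if ev["user"] in TIER0_ADMINS and ev["host"] not in DOMAIN_CONTROLLERS:
                # Functional tiering: a domain admin logging on off-tier is abnormal
                # even though the account holds the same privileges everywhere.
                alerts.append(("tier0_account_off_tier", ev["user"], ev["host"]))
        elif ev["type"] == "process":
            image = ev["image"].rsplit("\\", 1)[-1].lower()
            if image in REMOTE_ADMIN_TOOLS and image not in APPROVED_REMOTE_TOOLS:
                alerts.append(("unapproved_remote_admin_tool", image, ev["host"]))
    return alerts


def evaluate_sample():
    return evaluate_triggers(EVENTS)
```

Because each rule matches only events that policy says should never occur, the resulting alerts carry the near-zero false-positive rate the text asks for, which is what lets them be treated as high priority.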