Outpacing the Adversary: How Tactics-Based Detection Automatically Finds Attackers
Let’s open up the big book of cybersecurity clichés.
By: Matt DeMatteo
If It Ain't Broke, Don't Fix It.
If you were to pick a motto for cyber-criminals, that might not be what would come to mind, but it's surprisingly apt. While some threat actors do employ sophisticated tactics, techniques, and procedures (TTPs) to accomplish their goals, every threat actor has core TTPs that only change slightly over time. For example, while there are millions of malware variants, there are only a few hundred tactics or chains of events that are used routinely to execute attacks.
Malware variants exist to evade conventional detection. And let's be specific – when we speak about 'malware variants', sometimes the only noteworthy difference between two variants is that they aren't exactly the same. Many times, there are no functional differences. Some malware authors simply compile their malware differently or use techniques like salting to generate a variant. The underlying tools and tactics stay the same, meaning there is little to no effort put into evading security controls.
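To make the contrast concrete, the following added example (not from the original article or any vendor product) runs a hash signature and a tactic-chain rule over the same constructed telemetry. The sample bytes, host names, and behavior labels are all hypothetical, and the behaviors are assumed to be already normalized by an upstream sensor.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed stand-ins for two builds of one tool; not real samples.
BASE_SAMPLE = b"constructed-payload-bytes"
SALTED_VARIANT = BASE_SAMPLE + b"\x00junk-salt"  # same behavior, new hash
BENIGN_INSTALLER = b"constructed-benign-installer"

# Signature list: only the build the defender has already seen.
KNOWN_BAD_HASHES = {sha256(BASE_SAMPLE)}

# Hypothetical tactic chain: normalized behaviors, in order, on one host.
TACTIC_CHAIN = (
    "office_app_spawns_script_host",
    "executable_dropped_in_user_temp",
    "new_process_beacons_outbound",
)

def intrusion(host, t0, dropped):
    """Constructed telemetry: the same three behaviors, whatever the build."""
    return [
        {"ts": t0, "host": host, "behavior": TACTIC_CHAIN[0]},
        {"ts": t0 + 5, "host": host, "behavior": TACTIC_CHAIN[1],
         "sha256": sha256(dropped)},
        {"ts": t0 + 9, "host": host, "behavior": TACTIC_CHAIN[2]},
    ]

EVENTS = intrusion("host-a", 100, BASE_SAMPLE) + intrusion("host-b", 200, SALTED_VARIANT) + [
    # Benign host: two of the behaviors, but never the first step of the chain.
    {"ts": 300, "host": "host-c", "behavior": TACTIC_CHAIN[1],
     "sha256": sha256(BENIGN_INSTALLER)},
    {"ts": 305, "host": "host-c", "behavior": TACTIC_CHAIN[2]},
]

def hash_hits(events):
    """Signature detection: flag hosts that touched a known-bad hash."""
    return {e["host"] for e in events if e.get("sha256") in KNOWN_BAD_HASHES}

def chain_hits(events, chain=TACTIC_CHAIN):
    """Tactic detection: flag hosts showing every chain step in order."""
    progress, hits = {}, set()
    for e in sorted(events, key=lambda e: e["ts"]):
        step = progress.get(e["host"], 0)
        if step < len(chain) and e["behavior"] == chain[step]:
            progress[e["host"]] = step + 1
            if step + 1 == len(chain):
                hits.add(e["host"])
    return hits
```

The hash signature flags only the host that received the already-known build, while the chain rule flags both compromised hosts and leaves the benign host alone.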
Necessity is the Mother of Invention
To fight back, organizations need to make life harder and less profitable for attackers – to force them to reconsider the cost and effort of attacking a target. Having to develop entirely new tactics in order to achieve their objective affects their bottom line.
This concept is described in the Pyramid of Pain, first introduced in 2013 by security professional David J. Bianco, who was focused on improving detection of indicators of compromise for incident response and threat hunting.
The top of the pyramid is the intelligence that is most valuable for defenders to understand and hardest for attackers to change – their TTPs that bring them success. If a defender can detect and stop attackers based on behaviors closely tied to their preferred TTPs, then accomplishing their goal becomes much more difficult – and possibly not worth the effort.
Only the most determined and well-resourced threat actors (usually those tied to large crime syndicates or nation states) will be inclined to keep a target in their crosshairs while they reassess their TTPs and create new ones. Even in these cases, the defender is buying time – and in an adversarial science like cybersecurity, that is often the most you can hope for.
Being able to quickly and accurately find adversary TTPs is no small task. It takes well-vetted and contextualized threat intelligence, comprehension of the MITRE ATT&CK framework, and security analytics that leverage heuristic algorithms.
Garbage In, Garbage Out
So why are traditional signature-based defenses, detecting those millions of malware variants, no longer enough? Because they require exact knowledge of the threat posed to be effective. They only detect the “known knowns.” Increasing numbers of vendors are turning to data science, boasting the use of machine learning, deep learning, and artificial intelligence, combined with large data sets, in their approach. But confusion abounds, with no clear consensus on what those approaches mean and how to apply them. Furthermore, it isn't enough to provide a query engine that can handle vast amounts of threat data. Systems that do not easily allow integration of relevant threat intelligence and the context of that intelligence usually only succeed in creating false positives and a perpetual sense that “We just need to invest a little more (time, money, cycles) and then we'll see a payoff.”
Work Smarter, Not Harder
To detect threat actor TTPs, AI-based solutions must be informed by real-world lessons from the threat landscape across multiple verticals and environments. This input is critical to building models that generate high-fidelity alerts and insights. The expectation must be that these systems will be accurate and nuanced enough to show defenders adversaries based on the understanding of their goals and tactics. This is only possible with the strength and scale of cloud-native advanced security analytics, fed by vendor-independent data, and enriched by incident response and threat intelligence crowdsourced from thousands of organizations worldwide.
Instead of focusing on the arms race that is “vulnerability – exploit – detection – protection” where defenders are always on the back foot, we need to bravely take a step forward. That means using data science approaches like graph databases (or simply “graphs”), which can be trained to recognize the underlying tactics attackers use, through a combination of machine learning and deep learning. We need to use automation to identify and label common tactics and behaviors that can be observed across an organization's entire IT landscape – endpoint, network, and cloud.
A Journey of One Thousand Miles Begins with A Single Step
Research and strategy firm Enterprise Security Group (ESG) has produced a white paper you can download here, called 'Detect and Stop Advanced Threats Faster to Reduce Security Risk.' It discusses how, through data science, better threat intelligence, and crowdsourcing experiences, savvy organizations can outpace the adversary. When faced with abandoning existing tactics and putting time and effort into developing new approaches, attackers are much less likely to target you at all and are less likely to be successful if they do.