Once Compromised Your Detection Needs To Be Capable – Chuck Leaver

Written By Dr Al Hartmann And Presented By Chuck Leaver CEO Ziften


If Prevention Has Failed Then Detection Is Crucial

The final scene in the popular Vietnam War movie Platoon portrays a North Vietnamese Army regiment in a surprise night attack breaching the concertina wire perimeter of an American Army battalion, overrunning it, and butchering the shocked defenders. The desperate company commander, grasping their dire defensive dilemma, orders his air support to strike his own position: “For the record, it’s my call – Discard whatever you have actually got left on my position!” Moments later the battlefield is immolated in a napalm hellscape.

Although a physical conflict, this illustrates two aspects of cyber security: (1) you have to deal with inevitable perimeter breaches, and (2) it can be bloody hell if you don’t detect early and respond forcefully. MITRE Corporation has been leading the call for rebalancing cyber security priorities to put due emphasis on breach detection in the network interior rather than solely on penetration prevention at the network perimeter. Instead of defense in depth, the latter produces a flawed “tootsie pop” defense: hard, crunchy shell, soft chewy center. Writing in a MITRE blog, “We could see that it would not be a question of if your network would be breached but when it would be breached,” explains Gary Gagnon, MITRE’s senior vice president, director of cyber security, and chief security officer. “Today, organizations are asking ‘How long have the intruders been inside? How far have they gotten?’”

Some call this the “assumed breach” approach to cyber security, or as posted to Twitter by F-Secure’s Chief Research Officer:

Question: How many of the Fortune 500 are compromised? Answer: 500.

This rests on the premise that any sufficiently complex cyber environment already harbors a compromise, and that Fortune 500 enterprises are of magnificently complex scale.

Shift the Burden of Perfect Execution from the Defenders to the Attackers.

The conventional cybersecurity viewpoint, derived from the legacy perimeter defense model, has been that the attacker only has to be right once, while the defender must be right every time. An adequately resourced and persistent attacker will eventually achieve penetration, and the time to successful penetration decreases with the increasing size and complexity of the target enterprise.

A perimeter- or prevention-reliant cyber-defense model essentially demands perfect execution by the defender, while ceding success to any sufficiently sustained attack: a recipe for certain cyber catastrophe. For example, a leading cybersecurity red team reports successful enterprise penetration in under 3 hours in more than 90% of their client engagements, and these white hats are restricted to ethical means. Your enterprise’s black hat attackers are not so constrained.

To be viable, the cyber defense strategy must turn the tables on the attackers, shifting to them the unattainable burden of perfect execution. That is the rationale for a strong detection capability that continuously monitors endpoint and network behavior for any anomalous indicators or observed attacker footprints inside the perimeter. The more sensitive the detection capability, the more care and stealth the attackers must exercise in executing their kill chain sequence, and the more time, labor and skill they must invest. The defenders need only observe a single attacker footfall to pick up the trail and unwind the attack kill chain. Now the defenders become the hunters, the attackers the hunted.


MITRE provides a comprehensive taxonomy of attacker footprints, covering the post-compromise portion of the kill chain, known by the acronym ATT&CK, for Adversarial Tactics, Techniques, and Common Knowledge. ATT&CK project lead Blake Strom says, “We decided to focus on the post-attack period [portion of kill chain outlined in orange below], not only because of the high likelihood of a breach and the lack of actionable information, but also because of the many opportunities and intervention points available for effective defensive action that do not necessarily rely on prior knowledge of adversary tools.”




As shown in the MITRE figure above, the ATT&CK model provides additional granularity on the post-compromise stages of the attack kill chain, breaking them out into 10 tactic categories. Each tactic category is further broken down into a list of techniques an adversary may use in carrying out that tactic. The January 2017 update of the ATT&CK matrix lists 127 techniques across its ten tactic categories. For instance, Registry Run Keys / Start Folder is a technique in the Persistence category, Brute Force is a technique in the Credential Access category, and Command-Line Interface is a technique in the Execution category.

Leveraging Endpoint Detection and Response (EDR) in the ATT&CK Model.

Endpoint Detection and Response (EDR) products, such as Ziften supplies, provide critical visibility into attacker use of the techniques listed in the ATT&CK model. For example, Registry Run Keys / Start Folder technique use is reported, as is Command-Line Interface use, since both involve readily observable endpoint behavior. Brute Force use in the Credential Access category should be blocked by design in every authentication architecture and be observable from the resulting account lockout. But even here the EDR solution can report events such as failed login attempts, where an adversary may get a few guesses in while remaining under the account lockout attempt threshold.

For attentive defenders, any technique use may be the attack giveaway that unwinds the entire kill chain. EDR products compete on their technique observation, reporting, and alerting capabilities, as well as on their analytics capability to perform more of the attack pattern detection and kill chain reconstruction, in support of the security analysts staffing the enterprise SOC. Here at Ziften we will outline more of EDR solution capabilities in support of the ATT&CK post-compromise detection model in future blogs in this series.
