Chuck Leaver – The Importance Of Detection Post Compromise

Written by Dr Al Hartmann and presented by Chuck Leaver, CEO, Ziften

If Prevention Has Failed Then Detection Is Critical

The final scene of the well-known Vietnam War film Platoon depicts a North Vietnamese Army regiment in a surprise night attack breaching the concertina-wire perimeter of an American Army battalion, overrunning it, and slaughtering the surprised defenders. The desperate company commander, grasping their dire defensive predicament, orders his air support to strike his own position: “For the record, it’s my call – Dump whatever you’ve got left on my position!” Moments later the battlefield is immolated in a napalm hellscape.

Although a physical conflict, this illustrates two elements of cybersecurity: (1) you must deal with inevitable perimeter breaches, and (2) it can be bloody hell if you do not detect early and respond forcefully. MITRE Corporation has been leading the call to rebalance cybersecurity priorities to place due emphasis on breach detection in the network interior rather than concentrating solely on penetration prevention at the network perimeter. Rather than defense in depth, the latter yields a flawed “tootsie pop” defense: hard, crunchy shell, soft chewy center. Writing in a MITRE blog, “We could see that it wouldn’t be a question of if your network will be breached but when it will be breached,” explains Gary Gagnon, MITRE’s senior vice president, director of cybersecurity, and chief security officer. “Today, companies are asking ‘How long have the trespassers been within? How far have they got?’”

Some call this the “assumed breach” approach to cybersecurity, or as posted to Twitter by F-Secure’s Chief Research Officer:

Question: How many of the Fortune 500 are compromised? – Answer: 500.

This rests on the likelihood that any sufficiently complex cyber environment harbors an existing compromise, and that Fortune 500 enterprises are of magnificently complex scale.

Shift the Burden of Perfect Execution from the Defenders to the Attackers

The traditional cybersecurity view, derived from the legacy perimeter defense model, has been that the attacker need only be right once, while the defender must be right every time. A sufficiently resourced and persistent attacker will eventually achieve penetration, and time to successful penetration shrinks with the increasing size and complexity of the target enterprise.

A perimeter- or prevention-reliant cyber-defense model effectively demands perfect execution by the defender while ceding success to any sufficiently sustained attack: a recipe for certain cyber catastrophe. For example, a leading cybersecurity red team reports successful enterprise penetration in under 3 hours in more than 90% of its client engagements, and these white hats are restricted to ethical means. Your enterprise’s black hat adversaries are not so constrained.

To be viable, the cyber defense strategy must turn the tables on the attackers, shifting to them the unattainable burden of perfect execution. That is the rationale for a strong detection capability that continuously monitors endpoint and network behavior for any unusual indicators or observed attacker footprints inside the perimeter. The more sensitive the detection capability, the more care and stealth the attackers must exercise in executing their kill chain sequence, and the more time, labor and talent they must invest. The defenders need only observe a single attacker footfall to reveal their tracks and unravel the attack kill chain. Now the defenders become the hunters, the attackers the hunted.

MITRE provides a comprehensive taxonomy of attacker footprints covering the post-compromise portion of the kill chain, known by the acronym ATT&CK, for Adversarial Tactics, Techniques, and Common Knowledge. ATT&CK project team leader Blake Strom says, “We decided to concentrate on the post attack duration [portion of kill chain outlined in orange below], not only because of the strong likelihood of a breach and the dearth of actionable details, but also because of the many opportunities and intervention points readily available for efficient defensive action that do not always rely on prior knowledge of adversary tools.”

As shown in the MITRE figure above, the ATT&CK model adds granularity to the post-compromise stages of the attack kill chain, breaking them out into ten tactic categories. Each tactic category is further detailed into a list of techniques an attacker might employ to accomplish that tactic. The January 2017 update of the ATT&CK matrix lists 127 techniques across its ten tactic categories. For instance, Registry Run Keys / Start Folder is a technique in the Persistence category, Brute Force is a technique in the Credential Access category, and Command-Line Interface is a technique in the Execution category.

Leveraging Endpoint Detection and Response (EDR) in the ATT&CK Model

Endpoint Detection and Response (EDR) products, such as Ziften provides, offer vital visibility into attacker use of the techniques listed in the ATT&CK model. For example, Registry Run Keys / Start Folder technique usage is reported, as is Command-Line Interface usage, because both involve readily observable endpoint behavior. Brute Force use in the Credential Access category should be blocked by design in any authentication architecture and be observable from the resulting account lockout. But even here the EDR solution can report events such as failed login attempts, where an attacker might try a few guesses while staying under the account lockout attempt limit.

For attentive defenders, any technique usage may be the attack giveaway that unravels the whole kill chain. EDR solutions compete on their technique observation, reporting, and alerting capabilities, as well as on their analytics capacity to perform more of the attack pattern detection and kill chain reconstruction, in support of the security analysts staffing the enterprise SOC. Here at Ziften we will outline more EDR solution capabilities in support of the ATT&CK post-compromise detection model in future blogs in this series.
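As an added illustration (my own, not Ziften product code or MITRE's), here is how an EDR-style hunt can map the three techniques named in the two paragraphs above onto ATT&CK tactics and catch password guessing that deliberately stays under the lockout threshold. The telemetry, host and account names, and the 5-failures-in-15-minutes lockout policy are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_LIMIT, LOCKOUT_WINDOW = 5, timedelta(minutes=15)  # assumed lockout policy
HUNT_WINDOW = timedelta(hours=6)  # longer span the hunter looks across
RUN_KEY = r"\Software\Microsoft\Windows\CurrentVersion\Run"
SHELLS = ("cmd.exe", "powershell.exe")

EVENTS = [  # constructed sample telemetry for this example, not real data
    {"ts": "2017-01-10T08:58:00", "type": "registry_set", "host": "ws1",
     "key": "HKCU" + RUN_KEY + r"\Updater", "data": r"C:\Users\Public\svc.exe"},
    {"ts": "2017-01-10T08:59:00", "type": "process_create", "host": "ws1",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"ts": "2017-01-10T09:01:00", "type": "logon_failed", "host": "dc1", "account": "asmith"},
] + [{"ts": f"2017-01-10T{t}:00", "type": "logon_failed", "host": "dc1", "account": "jdoe"}
     for t in ("09:00", "09:05", "09:10", "09:14", "10:00", "10:05")]

def classify(event):
    """Map one event to (tactic, technique); None when it matches nothing."""
    if event["type"] == "registry_set" and RUN_KEY.lower() in event["key"].lower():
        return ("Persistence", "Registry Run Keys / Start Folder")
    if event["type"] == "process_create" and event["image"].lower().endswith(SHELLS):
        return ("Execution", "Command-Line Interface")
    return None

def max_in_window(times, window):
    """Largest number of timestamps that fall inside any span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def low_and_slow_bruteforce(events):
    """Accounts never hitting LOCKOUT_LIMIT inside LOCKOUT_WINDOW (so no lockout fires) yet
    reaching it across HUNT_WINDOW: the 'few guesses under the limit' pattern."""
    fails = defaultdict(list)
    for e in events:
        if e["type"] == "logon_failed":
            fails[e["account"]].append(datetime.fromisoformat(e["ts"]))
    return {a: ("Credential Access", "Brute Force", len(t)) for a, t in fails.items()
            if max_in_window(t, LOCKOUT_WINDOW) < LOCKOUT_LIMIT
            and max_in_window(t, HUNT_WINDOW) >= LOCKOUT_LIMIT}

def hunt(events):
    """All findings as (subject, tactic, technique): per-event hits plus brute-force hits."""
    hits = [(e["host"],) + classify(e) for e in events if classify(e)]
    return hits + [(a, f[0], f[1]) for a, f in low_and_slow_bruteforce(events).items()]
```

Running `hunt(EVENTS)` yields the two single-event hits on ws1 and the jdoe brute-force finding, which a per-lockout alert alone would never raise because no 15-minute window ever reaches five failures.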
