In hindsight, it should have been easy to find the needle in the haystack of haystacks...
In security, the game is not only finding the needle in a haystack, not only knowing which haystack to look in… but knowing how to prioritize and act on each of those needles, once you think you’ve found them. This is particularly hard to do when so many in the field are suffering from both alert fatigue and “breaking news” fatigue. It makes a human-only approach prone to missing key events - you may actually strike a needle point, but not be able to distinguish it from the hay.
Take for example the Exchange 0day vulnerabilities from March 2, 2021. They were known to be exploited widely when the initial announcement was made. But how long had these attacks been going on, and what missed indicators - from event logs to news headlines - were there all along? As too many incident responders can attest, new vulnerabilities are often exploited rapidly after discovery and before a patch is deployed to correct the issue - specifically to install backdoors that will then be used weeks or months later.
The Exchange 0day vulnerabilities are typically exploited by well-resourced threat actors to gain access to valuable data. They generally drop webshells, exfiltrate important corporate assets, mailbox data as well as credentials along the way. It is indicators like these that I assert could have served as identifiable “needles in the haystack of haystacks that is ‘any potential zero-day vulnerability’”.
Let’s focus on those webshells installed as a part of the attack. Webshells have been around for a long time. They are easy to install, and yield both the remote access, and the persistence attackers crave. In hindsight, it looks like there may have been earlier indications of attacks with the same methods of operation used in the Exchange 0day vulnerabilities.
On February 11, 2021 Microsoft DART issued a bulletin about webshell use being on the rise. The article highlights the large increase in webshell use in its first paragraph - "every month from August 2020 to January 2021, we registered an average of 140,000 encounters of these threats on servers, almost double the 77,000 monthly average we saw last year."
Figure 1. Microsoft’s increased Web shell encounters on servers
In hindsight, how many of us wish that we had honed in on that warning and acted? From security researchers, to IT teams just trying to defend themselves, it’s easy to dismiss indicators that aren’t conclusively related - especially when you have limited resources, or seemingly ‘bigger fish to fry.’
This is just one more example of why security practitioners cannot go at it alone. It is essential for well designed AI to augment security practitioners, and guide us to focus on only the needles in the haystack that are “pointing up” and most actionable. Of course, it still takes the insight of a human security professional to decide to act, and make the broader connection.
This is one of the aspects that excites me about ActZero. Though I have had the luxury of exploring machine learning for many aspects of threat protection, this is no longer the biggest bottleneck security practitioners face. At ActZero, we focus on the efficiency aspects required to guide expert security practitioners to the most important information at any given time - not only from the data within their environments, but from all of our customers’ environments.
To learn more about our use of Data Science, check out my colleague’s podcast. Or, to see a specific application to ATO detection in Microsoft 365, check out this blog post.