With the number of cyber breaches you hear about in the news, it’s easy to get disheartened and frightened. Rightfully so! I, however, remain optimistic, and here’s why: with the change in strategy the industry is now taking, the playing field is being leveled in favor of the good guys. Allow me to explain by walking you through the development of this industry, what it meant for administrators and for hackers… and why that has all changed now.
The very first cybersecurity controls consisted of organizations allowing or denying traffic into their network at the router/gateway. As networks evolved and the quantity of data and connected devices grew exponentially, organizations had a dire need to “keep the bad guys out” of their network. The costs of security breaches were simply too high.
Cybersecurity evolved in a linear fashion at first. Technologies, processes, and controls were created to let good traffic in and stop bad traffic. Firewalls, antivirus, email security, web security, IPS, and other sub-categories emerged within cybersecurity. Security professionals preached a “defense-in-depth” strategy in which organizations would have security controls at the endpoints, the network edge, and the data centre, to attempt to block potential breaches.
For a hacker, the goal was (relatively) simple: penetrate JUST ONE of these controls, and you own the network. If you could breach just one unpatched server, compromise one overlooked, out-of-date laptop, or send one successful phishing email, you were in. In fact, once inside the network, lateral movement was quite easy and could be done without being seen by network administrators.
In other words, to protect a corporate network, administrators had to be right at every single juncture on their network, and they had to be right 100% of the time, ALL the time. The hacker, on the other hand, had to be right just once to breach a network.
Technologies such as log management tools and SIEM platforms emerged to identify potential unwanted traffic, but they were (and are) largely passive. They also depend heavily on being set up correctly in the first place and on vigilant, experienced monitoring. Without those supporting factors, hackers still had the advantage…
How the world has changed!
The emergence of Managed Detection and Response in 2015 changed the economy of cybersecurity altogether.
Managed Detection and Response (MDR) combines proprietary, commercial, enterprise-grade technologies with agile and dynamic yet proven processes, operated by cybersecurity professionals who spend their time monitoring networks for potential threats.
The main principle behind MDR is that hackers leave evidence behind. Threat hunters search networks and operating systems for such evidence; if it is found, there is a high probability of a computer intrusion.
Our own threat hunters, responsible for delivering ActZero’s MDR service, regularly report that many of the indicators of compromise they examine would otherwise be characterized as ‘normal’ traffic patterns by common tools and standards. They look for things that are indeed allowed, but are suspicious, and warrant further investigation. Suspicious activities can include:
- Registry or System File Changes (aka File Integrity Monitoring)
- Anomalous DNS Requests
- Quantity of requests for a file
- …and so on. In fact, ActZero threat hunters have hundreds of checks and rules in their library that they routinely run through.
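As an added example, not code from the original post or from ActZero, two of the checks named above (anomalous DNS requests and a client's request volume) written as hunting logic over a constructed query log; the log format, the entropy heuristic and the thresholds are assumptions.

```python
import math
from collections import Counter

# Constructed sample DNS query log, one "client qname" pair per line (not real data).
# 10.0.0.9 queries more than its peers and four of its names carry a long, random-looking label.
SAMPLE_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 mail.example.com
10.0.0.5 cdn.example.net
10.0.0.7 www.example.com
10.0.0.7 downloadmirrorserver01.example.net
10.0.0.8 www.example.com
10.0.0.8 mail.example.com
10.0.0.9 a9f3k2zq8x1pld7m4n.update-check.example.org
10.0.0.9 q8zx1lk29ms7vd4fjp.update-check.example.org
10.0.0.9 z2ml7kd8x1aq9fp3sn.update-check.example.org
10.0.0.9 x7kq2zl9m1ap3dsf8n.update-check.example.org
10.0.0.9 www.example.com
10.0.0.9 cdn.example.net
"""

def shannon_entropy(s):
    """Bits per character; random-looking labels score near log2(alphabet size)."""
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def parse_log(text):
    rows = []
    for line in text.splitlines():
        client, qname = line.split()
        rows.append((client, qname.lower().rstrip(".")))
    return rows

def hunt_dns(rows, volume_factor=1.5, min_label_len=16, min_entropy=3.8):
    """Two hunting checks over (client, qname) rows; everything here is allowed traffic.
    - volume: clients issuing more than volume_factor x the median client's query count
    - encoded_labels: names whose leftmost label is long and high-entropy (machine-generated
      looking, unlike downloadmirrorserver01, which is long but reads like a hostname)
    Thresholds are assumptions for this sample; a real deployment tunes them to its baseline."""
    per_client = Counter(client for client, _ in rows)
    ordered = sorted(per_client.values())
    median = ordered[len(ordered) // 2]
    volume = sorted(c for c, n in per_client.items() if n > volume_factor * median)
    encoded = []
    for client, qname in rows:
        label = qname.split(".")[0]
        if len(label) >= min_label_len and shannon_entropy(label) >= min_entropy:
            encoded.append((client, qname))
    return {"volume": volume, "encoded_labels": encoded}
```

Each hit is a lead for an analyst, not a verdict: the next step is correlating the flagged client with endpoint and file-integrity telemetry, as the post describes.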
On the surface, many of these items can appear innocent enough. But on closer inspection, it can become apparent that we are looking at an indicator of compromise (IOC) that merits further investigation. Investigations like these uncover how the IOC came to be, or how the attacker was able to move throughout the network. Ultimately these investigations don’t stop until we have identified the root cause of the indicators of compromise.
What does this mean? It means that no matter the attacker’s entry point (endpoint, cloud, network, …), there are clues, visible at the time or left behind afterwards, that indicate a compromise. Identifying just one such clue can suggest a compromised network and dictate an immediate response.
Now, with detection and response, the defender has to be right just once, while the attacker needs to evade detection at every single juncture on the network every single time.
Oh, how the tables have turned.