Editor’s Note: This is the final blog in a three-part series, “Iron Rain” from Tom Kellermann and Rick McElroy.
Part 3: The ever-changing battlefield.
Just like in combat operations, cyber operations change on a second-to-second basis. To effectively combat an insurgency, one must move to an intelligence-driven operations center. Internal and external threat intel become crucially important to combating attackers.
Understand Your Variables
Leaders need to understand the ever-shifting landscape of their environment. In a tactical sense, this can be best facilitated in an automated fashion by collecting and using the proper telemetry and intelligence.
Strategic understanding of your environment will be key to driving a winning strategy. You will need to understand at least the following (to list a few):
How much time does your staff have? What is the delta in dwell time for the last adversary?
What is your security budget?
What tools do you have? Are they integrated?
What’s the culture of your organization?
How are they attacking you and for what aim?
The war for our systems is upon us. It’s time we adopted new ways of thinking about the problem. We need to think less like law enforcement and soldiers and more like an insurgent.
Counterinsurgency in cyberspace manifests shared risk. We must clandestinely observe the adversary and suppress their activity as we force them to become resource-constrained.
According to Carbon Black’s Quarterly Incident Response Threat Report (QIRTR), counterinsurgency is playing out in a number of ways:
Nearly half (46%) of incident response professionals say they’ve experienced instances of counter incident response, another concerning sign that attackers have become increasingly sophisticated and are initiating longer-term campaigns — as well as a clear signal that incident response must get stealthier.
Nearly 60% of attacks now involve lateral movement, which means attackers aren’t just going after one component of an organization. They’re getting in, moving around and seeking more targets as they go. Of note, 100% of respondents say they’ve seen PowerShell used for attempted lateral movement.
A growing number of hackers won’t stop at a single network — they’re after your clients’ partner and customer infrastructure as well. A full 36% of our respondents say they see attacks where the victim was primarily used for island hopping.
Intrusion suppression is a viable architectural model whose core tenet is the ability to detect, deceive, divert, contain, and hunt an adversary without the adversary knowing it. We must dig at the roots of the insurgency’s footprint on our networks. Begin the hunt.
“Be extremely subtle, even to the point of formlessness. Be extremely mysterious, even to the point of soundlessness. Thereby you can be the director of the opponent’s fate.”– Sun Tzu
The commercial cyber equivalent of that would be: identities, data, systems, applications and communications. Is my list of identities accurate? How do I ensure no unauthorized identities have been added and no privileges have been escalated? For example: is the list of data updated manually or automatically, and how do I know a change has been made?
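One concrete way to answer the “how do I know a change has been made” question for identities, as an added example that is not from the original post: snapshot the identities and their privileges, fingerprint the snapshot, and diff it against the approved baseline. The inventory format and the sample accounts are constructed assumptions, not an export from any real directory.

```python
import hashlib
import json

# Constructed baseline: identities and privileges approved at the last review
# (hypothetical data, not taken from any real directory).
BASELINE = {
    "alice": {"groups": {"staff"}, "admin": False},
    "bob": {"groups": {"staff", "finance"}, "admin": False},
    "svc-backup": {"groups": {"backup-operators"}, "admin": False},
}

# Constructed current snapshot, as a directory export might look today.
CURRENT = {
    "alice": {"groups": {"staff"}, "admin": False},
    "bob": {"groups": {"staff", "finance", "domain-admins"}, "admin": True},
    "svc-backup": {"groups": {"backup-operators"}, "admin": False},
    "mgmt-tmp": {"groups": {"staff"}, "admin": True},
}


def fingerprint(inventory):
    """Canonical SHA-256 of an inventory, so any change is detectable at a glance."""
    canonical = {
        name: {"groups": sorted(entry["groups"]), "admin": entry["admin"]}
        for name, entry in inventory.items()
    }
    data = json.dumps(canonical, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def diff_identities(baseline, current):
    """Return (severity, kind, identity, details) findings between two snapshots."""
    findings = []
    for name in sorted(set(current) - set(baseline)):
        sev = "high" if current[name]["admin"] else "medium"
        findings.append((sev, "new-identity", name, sorted(current[name]["groups"])))
    for name in sorted(set(baseline) - set(current)):
        findings.append(("low", "removed-identity", name, []))
    for name in sorted(set(baseline) & set(current)):
        added = current[name]["groups"] - baseline[name]["groups"]
        gained_admin = current[name]["admin"] and not baseline[name]["admin"]
        if added or gained_admin:
            findings.append(("high", "privilege-escalation", name, sorted(added)))
    return findings


if __name__ == "__main__":
    # Cheap check first: only walk the diff when the fingerprint has moved.
    if fingerprint(BASELINE) != fingerprint(CURRENT):
        for finding in diff_identities(BASELINE, CURRENT):
            print(*finding)
```

Run on a schedule against a signed, separately stored baseline so that a review of the directory itself cannot silently move the baseline along with it.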
As you begin to shift your operations the following are important to focus on:
UNDERSTAND THE ENVIRONMENT
Realistic Threat Profile
Current Control Framework
Understanding Business Strategy
Understanding the people and what is normal for them
INTELLIGENCE DRIVES OPERATIONS
External and Internal Intelligence Sources
LEARN AND ADAPT
EMPOWER THE LOWEST LEVELS
Intel should be available at the lowest level
Automate Automate Automate
UNDERSTAND YOUR VARIABLES
For too long, we have relied on Lockheed Martin’s Kill Chain to understand and predict attacker behavior. This framework does not account for the psychology of the adversary, nor does it truly dig into the tactical phenomena associated with the phases of attack. We would suggest embracing a new, predictive model, one which takes into account the intent and cognition of a cyber criminal – a framework that studies the threat behaviors (a.k.a. modus operandi) of elite hacker crews and allows you, as the defender, to anticipate and suppress the contemporary phases of a cyberattack.
Interested in learning more about how you can put incident response best practices into use? At Cb Connect 2018 you’ll have the opportunity to connect with other like-minded security users and build your resume while you become Carbon Black Certified. Becoming Carbon Black Certified for Cb Defense, Cb Protection and/or Cb Response gives you the opportunity to: earn continuing professional education (CPE) credits through (ISC)2, strengthen your knowledge of the product, and continue to develop your skills in information. Learn more here.