For years, access control measures, antivirus monitoring, intrusion detection, the detection of software bugs, and similar strategies have been the mainstay of cyber-security. These are largely passive techniques, dedicated to the defense of systems and networks. And they rely on having prior knowledge of the intruder’s methodologies and tools (such as malware and virus signature databases) to aid in detection and prevention.
In fact, it’s estimated that between 70 and 90 percent of the malware used to cause data breaches comes from strains written specifically for the enterprise they target – which effectively bypasses all of an organization’s known signature-based defenses.
Offensive Network Security – A Shift in Focus
In the eyes of many, it’s no longer a case of “if” an organization will fall prey to some form of cyber-attack, but “when”. And security strategies are shifting from the mounting of stiff defenses to prevent attacks, to assuming that some form of compromise has already taken place. The challenge then is to adopt an offensive network security strategy – to hunt down the agents of infiltration and evict them from the network before data is siphoned off, or systems become disrupted.
In pursuing these possible intruders, it’s imperative for enterprise security’s hunting activities to remain undetected. This requires security personnel to think like cyber-criminals, and adopt an offensive stance that uses the same level of adaptability, creativity, and stealth as their attackers.
Cyber-assailants build evasive technologies into their malware and exploits that can bypass or disable standard security tools. The services and processes running on a network may be subjected to automated checks by the malware, which then issues commands to stop them and/or gain access to them. Custom-made or polymorphic malware may be deployed to thwart detection procedures which rely on file signatures or IOCs (Indicators of Compromise).
In seeking these invaders out, enterprise security measures must be crafted and deployed so as not to reveal their presence – all the while producing the barest minimum of impact on network performance.
Although attackers may use sophisticated and highly customized tools to target an organization, in essence, they have only a finite set of ways to gain network access, steal user credentials, and move laterally. By deploying stealth monitoring sensors at or below the level of infiltration, investigators can watch the critical points of a network, and act quickly to prevent intruders from executing malicious code.
Malicious intruders typically target mission-critical business systems and processes, or high-value data assets. Once they gain access to them, they can compromise or shut down vital operations, or make away with confidential information and intellectual property, resulting in huge financial losses and/or reputational damage. So it’s imperative to find them early and stop them in their tracks.
The detection process should begin with an internal assessment, identifying which network resources and corporate assets are the most critical points of leverage, and represent the highest value targets for an attacker. Stealth monitoring devices and protocols may then be deployed to observe activity in these areas.
Network-based detection measures monitor and analyse traffic and activity to search for indications of a foreign presence. Host-based techniques may be used to drill down on individual systems, analysing installed software and running applications for evidence of compromise. For a complete sweep of the network, both approaches may be employed.
Data gathering typically involves blacklist and whitelist checking and IP and reputation monitoring, together with detailed statistical analysis, which in more advanced systems may be enhanced by machine learning algorithms. Analysis may encompass:
- Blacklist, whitelist, and reputation monitoring of IP addresses
- Monitoring installed software for approved and unapproved applications and tools
- Study of host-based artefacts and patterns from users, files, processes, system registries, hardware, memory, drivers, disk activity, etc.
- Study of network artefacts and patterns from active connections, traffic flows, data packet captures, ports, services, etc.
- Monitoring of files for hash values, integrity, patterns of creation or deletion in various locations across the network, etc.
- Monitoring of DNS activity (queries and responses, zone transfers, etc.)
- Analyzing the behaviour of users, including activity on the network, user accounts, time and location dependent information, etc.
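Several of the checks listed above can be expressed as simple rules run over parsed telemetry. The following is an added example, not code from the original article: it takes a handful of constructed connection, DNS, process-execution and login records and applies an IP reputation check, a DNS zone-transfer check, a file-hash allowlist check and an off-hours login check. The blocklist, allowlist, hashes, working-hours window and log records are all constructed assumptions, not real intelligence.

```python
"""Minimal hunting pass over parsed log records (added example, constructed data)."""
from datetime import datetime
from typing import Callable, Dict, List, Optional

# Constructed reputation lists (assumed; not real intelligence feeds).
IP_BLOCKLIST = {"203.0.113.45", "198.51.100.7"}
IP_ALLOWLIST = {"192.0.2.10"}  # assumed known-good management host

# Constructed allowlist of approved binaries (sha256 -> name); hashes are fake.
APPROVED_HASHES = {
    "0a1b2c3d" * 8: "ssh",
    "f9e8d7c6" * 8: "backup-agent",
}

# Working-hours window for the behavioural check (assumption).
WORK_START_HOUR, WORK_END_HOUR = 7, 20

# Constructed log records, already parsed into dicts.
SAMPLE_EVENTS: List[Dict] = [
    {"type": "conn", "ts": "2024-03-04T09:12:00", "src": "10.0.5.21",
     "dst": "203.0.113.45", "dport": 443},
    {"type": "conn", "ts": "2024-03-04T09:13:10", "src": "10.0.5.21",
     "dst": "192.0.2.10", "dport": 22},
    {"type": "dns", "ts": "2024-03-04T09:20:41", "src": "10.0.5.21",
     "qtype": "AXFR", "qname": "corp.example"},
    {"type": "dns", "ts": "2024-03-04T09:21:00", "src": "10.0.5.22",
     "qtype": "A", "qname": "www.example"},
    {"type": "exec", "ts": "2024-03-04T09:30:00", "host": "ws-21",
     "path": "/tmp/.x/update", "sha256": "deadbeef" * 8},
    {"type": "exec", "ts": "2024-03-04T09:31:00", "host": "ws-21",
     "path": "/usr/bin/ssh", "sha256": "0a1b2c3d" * 8},
    {"type": "login", "ts": "2024-03-04T03:05:00", "user": "jdoe",
     "src": "10.0.9.3", "host": "fileserver-1"},
    {"type": "login", "ts": "2024-03-04T10:05:00", "user": "jdoe",
     "src": "10.0.5.21", "host": "fileserver-1"},
]


def check_connection(ev: Dict) -> Optional[str]:
    """Reputation check: flag blocklisted destinations; allowlisted ones are never flagged."""
    dst = ev["dst"]
    if dst in IP_ALLOWLIST:
        return None
    if dst in IP_BLOCKLIST:
        return f"connection from {ev['src']} to blocklisted {dst}:{ev['dport']}"
    return None


def check_dns(ev: Dict) -> Optional[str]:
    """Zone-transfer requests from ordinary clients are a reconnaissance signal."""
    if ev["qtype"] == "AXFR":
        return f"zone transfer request for {ev['qname']} from {ev['src']}"
    return None


def check_exec(ev: Dict) -> Optional[str]:
    """Integrity check: an executed binary whose hash is not in the approved set."""
    if ev["sha256"] not in APPROVED_HASHES:
        return f"unapproved binary {ev['path']} on {ev['host']} (sha256 {ev['sha256'][:12]}...)"
    return None


def check_login(ev: Dict) -> Optional[str]:
    """Behavioural check: interactive logins outside the working-hours window."""
    hour = datetime.fromisoformat(ev["ts"]).hour
    if not WORK_START_HOUR <= hour < WORK_END_HOUR:
        return f"off-hours login by {ev['user']} to {ev['host']} at {ev['ts']}"
    return None


CHECKS: Dict[str, Callable[[Dict], Optional[str]]] = {
    "conn": check_connection, "dns": check_dns, "exec": check_exec, "login": check_login,
}


def hunt(events: List[Dict]) -> List[Dict]:
    """Run each event through the check for its type; return findings in time order."""
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        check = CHECKS.get(ev["type"])
        reason = check(ev) if check else None
        if reason:
            findings.append({"ts": ev["ts"], "where": ev.get("src", ev.get("host")), "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding["ts"], finding["reason"])
```

Each check returns a short reason string or nothing, so new artefact types (registry keys, driver loads, traffic-flow statistics) can be added as further functions in `CHECKS` without touching the driver loop; in a real deployment the lists would be fed from threat intelligence and the events from the sensors rather than being hard-coded.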
Once evidence of network compromise has been detected, the security sweep must pivot to establish the full extent of the breach, and identify the methods of remediation best suited to each circumstance.
Counter-measures must then be deployed with surgical precision, so as to minimise the impact on other network operations. The aim must be to eradicate the intruding presence while maintaining network continuity. Actions might include stopping malicious code from running, killing suspect processes, and deleting persistent files. These measures must also be deployed at scale, to completely evict the intruders across the entire network.
Expanding the Hunt
Prior warning of prevailing threats can be instrumental in empowering organizations to investigate and identify the architecture of malware that may be targeting them, and to block it before it can do damage. Offensive techniques require a knowledge and understanding of how cyber-attackers actually operate.
Published lists of known indicators of compromise (IOCs) are a valuable resource, as is threat intelligence pulled in from partner organizations, the media, and reputable third parties. Collating information on threat agents from multiple sources is only the start of the process. Security analysts must then extrapolate from this data to infer the presence of anomalies and activity that may indicate the existence of mutated or previously unknown strains of malware.
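One way to extrapolate beyond an exact IOC match is to treat a published list of known-bad domains as a seed and look for near misses. The following is an added example, not from the original article: observed DNS query names are compared with a constructed IOC list, flagging exact matches, lookalike registered domains within a small edit distance, and long high-entropy labels of the kind produced by domain-generation algorithms. The IOC domains, sample queries, edit-distance bound, entropy threshold and the two-label approximation of a registered domain are all assumptions.

```python
"""IOC extrapolation over DNS query names (added example, constructed data)."""
import math
from collections import Counter
from typing import List, Optional, Tuple

# Constructed IOC list of known-bad registered domains (not real indicators).
KNOWN_BAD_DOMAINS = {"updat3-cdn.example", "mailsync-portal.example"}
MAX_EDIT_DISTANCE = 2    # assumption: how close a name must be to count as a lookalike
ENTROPY_THRESHOLD = 3.5  # assumption: bits per character above which a label looks generated
MIN_LABEL_LEN = 10       # assumption: short labels are not scored for entropy


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute) via a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking labels score high."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Last two labels of the name. Simplification: no public-suffix list is consulted."""
    parts = qname.rstrip(".").lower().split(".")
    return ".".join(parts[-2:])


def classify(qname: str) -> Optional[str]:
    """Return a verdict for one query name, or None if nothing stands out."""
    dom = registered_domain(qname)
    if dom in KNOWN_BAD_DOMAINS:
        return "known-bad"
    for bad in KNOWN_BAD_DOMAINS:
        if levenshtein(dom, bad) <= MAX_EDIT_DISTANCE:
            return f"lookalike of {bad}"
    label = dom.split(".")[0]
    if len(label) >= MIN_LABEL_LEN and shannon_entropy(label) >= ENTROPY_THRESHOLD:
        return "high-entropy label"
    return None


# Constructed sample of observed DNS query names.
SAMPLE_QUERIES = [
    "www.example",
    "cdn.updat3-cdn.example",
    "updat4-cdn.example",
    "mailsync-p0rtal.example",
    "x7k2q9mv4bz1.example",
    "intranet.corp.example",
]


def hunt_dns(queries: List[str]) -> List[Tuple[str, str]]:
    """Pair each flagged query with its verdict, preserving input order."""
    results = []
    for q in queries:
        verdict = classify(q)
        if verdict:
            results.append((q, verdict))
    return results


if __name__ == "__main__":
    for q, verdict in hunt_dns(SAMPLE_QUERIES):
        print(f"{q:30} {verdict}")
```

The lookalike and entropy rules will produce false positives on legitimate CDN or tracking hostnames, so their hits belong in an analyst queue rather than an automatic block list, while the exact-match verdict can be acted on directly.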
IP address monitoring may also be used to identify potential threat actors through the websites and portals they operate, and there are online resources available to assist in this.
The Importance of Automation
Command line tools and manual data analysis are both time-consuming and labour-intensive. And with the volumes of data needed to seek out and destroy the work of actors and agents in the current cyber-threat environment, automation of the system monitoring, data gathering and reporting processes is becoming increasingly essential.
In the ideal mix, automated tools should be used for investigation, monitoring, primary analysis, and reporting – with incident response and forensic skills being called upon from security personnel when anomalies come to light.
Benefits of an Offensive Approach to Network Security
For the enterprise, taking the offensive in hunting out and blocking malicious activities has several advantages.
- Proactive and offensive measures reduce the investigative and forensic time and costs of seeking out and destroying malicious intrusions.
- Enterprises can identify and remove intruders without disrupting their operations, and without recourse to third parties.
- Identification of threat actors and vectors significantly reduces the attack surface which an enterprise presents to cyber-threats.
- Results of forensic analysis and network monitoring contribute to the hardening of security throughout the network.
- Offensive measures enhance the speed and accuracy of incident response while reducing the time between infection of a system and its detection (dwell time).
Offensive Network Security – Some Best Practices
- Establish clear measurables (such as dwell time) to chart the success of threat hunting activities.
- Analyse, understand and re-use actionable threat data discovered during investigations.
- Create a documented process for the offensive, and update it as new threats are found.
- Use automation as much as possible, backed up by manual intelligence, incident response, and forensics.
- Craft techniques to suit your working practices, and the specific needs of your organization.