Solve the Equation to a More Secure Environment
Imagine driving a car where you could only see through your front windshield and you’re seconds away from merging onto a busy highway. That moment, where you lack the proper visibility when you need it most, creates an unsafe situation where a collision is imminent. Unfortunately, that type of visibility is a common theme that organizations encounter while defending their networks. The solution is to maximize the field of vision in your environment and its surroundings. Let’s break that down.
More data points and visibility empower every facet of security, including prevention, detection, incident response and remediation. Your field of vision directly corresponds to your chances of success. Additional visibility forms the foundation for a clearer field of vision, providing a more vivid understanding of what you are dealing with and how you can best respond to the countless threats organizations face each day. Visibility also helps provide context to help prevent knee-jerk reactions and botched containment and remediation efforts, which ultimately saves time and money — both precious resources for every organization.
Maximizing your field of vision starts with a collaborative approach between gaining visibility into what malicious traffic is crossing your network and what suspicious activity is happening on your endpoints. For extra credit, add in robust application logging to provide a three-pronged approach to better visibility. Organizations often focus on only a subset of these three domains, which create gaps in their visibility and puts them at a disadvantage in detecting and responding to threats. The visibility equation comes down to the following:
Maximum Field of Vision = Network Visibility + Endpoint Visibility + Application Logging
While this equation is an oversimplification of a more complex security problem, if you can solve this basic arithmetic in your environment, you will greatly increase your chances of success.
Organizations that struggle to solve this equation often find that they are continuously reacting to security threats instead of staying several steps ahead. Below, we have real-world examples that highlight:
- The good and bad of responding to security incidents
- The unpredictability of attackers
- Why an increased field of vision increases your odds of success in protecting your environment
Stories From the Field — The Good and the Bad
The Good
A large retailer invested in all of the right monitoring and defense technologies. They had an advanced endpoint technology that provided in-depth detection and response capabilities for their endpoints. On the network side, they had meticulously prepared to gain as much visibility into the network traffic through streaming network forensics.
As a SOC analyst was monitoring the retailer’s defenses, they identified a critical network alert tied to recently published threat intelligence for command and control (C2) infrastructure associated with an advanced threat group known to target cardholder data. After confirming the network alert was real, the SOC analyst pivoted to the endpoint technology to collect live response data from the impacted system. The investigation team, first alerted by the network technology, quickly identified a malicious process that the endpoint technology had not detected.
Further analysis showed that an unsuspecting user had downloaded a malicious payload while browsing the Internet. Upon execution, the payload installed a malicious binary on the system that then connected to the C2 infrastructure to receive additional instructions that would have facilitated a much larger compromise of the environment.
The analyst escalated the incident and took proper containment steps using the endpoint technology to effectively quarantine the system and curtail the attacker’s ability to escalate privileges and move laterally through the environment. The early network alert filled the visibility gap from the endpoint technology allowing the SOC analyst to quickly mitigate future damages to the retailer.
The Bad
A government agency notified a medium-sized healthcare provider that a targeted threat actor was operating in their environment. In response to the notification, the healthcare provider brought in an incident response firm to investigate the attack and eradicate the attacker from the environment. The incident response team leveraged the healthcare provider’s existing endpoint technology to quickly respond to the investigation; however, the healthcare provider and the incident response team did not have network visibility available to them outside of what little logging was provided by the organization’s firewall.
After weeks of investigating the attack, the incident response team concluded that they had a solid grasp on the incident and decided that it was time to execute their remediation strategy. The remediation focused on removing systems infected with backdoors and blocking known C2 infrastructure. The investigation also revealed that the attacker was targeting a database that housed sensitive patient data. As part of the remediation strategy, the healthcare provider implemented additional monitoring for database logins and alerts for long running database queries in an attempt to identify unauthorized users dumping data from the database moving forward.
Two weeks after executing the remediation plan, the database monitoring alerted on a long-running query that matched previous attacker activity. A second investigation quickly spun up and after another few weeks of investigating, the incident response team determined that the attacker had leveraged a secondary backdoor on two additional systems in the environment. The secondary backdoors used the same backdoor variant that was initially identified but had a separate C2 server that was used for communication back to the attacker.
The attacker had simply waited for things to calm down after the remediation event and came right back into the environment through the secondary backdoor, which served as a fail-safe in the event the healthcare provider tried to block the attacker’s primary C2 infrastructure. In an unfortunate twist, the systems that the attacker had placed the secondary backdoors on did not have the endpoint agent installed due to an incomplete deployment — a common occurrence with endpoint technology.
Had network monitoring been in place, the healthcare provider would have had the ability to create signatures for the backdoor variant that went beyond just IP addresses for the known C2 infrastructure. This would have provided the incident response team the visibility necessary to see the systems that the endpoint technology had not been successfully installed on, vastly increasing the chances of a successful remediation. This is a classic example of where having only a single area of visibility handcuffs the ability to provide a successful investigation.
Solve the Equation
The combination of network visibility, endpoint visibility and proper logging provide analysts the foundation for successful defense and response strategies.
Putting too much emphasis on any specific area creates an imbalance that creates potential gaps in your field of vision that attackers are all too well versed in exploiting. As attacks continue to evolve, organizations must take advantage of every opportunity to create advantages over attackers, and that all starts with getting the maximum visibility into what is happening in their environment.