This time of year, people often ask me about highlights from the past year and what to expect in the new year. As I reflect back on major threats and the processes SOCs use to investigate an overwhelming number of alerts, I'll share some thoughts on what’s working, what’s not, and what more we can do to keep pace with threat actor innovation.
One big door is closing for hackers. Attackers almost always do three things: gain initial access, engage in some form of identity misuse or privilege escalation, and run malicious scripting, such as PowerShell. Now that Microsoft finally disabled macros this past year, threat actors can no longer use Office to distribute malware, which all but puts an end to malicious documents as a threat vector, much like disabling Flash ended exploit kits as a threat vector.
However, as the door to malicious documents closes, attackers will find new ways to gain initial access, and they will continue with other forms of phishing to deliver malware. For example, some are now sending emails with malicious ISO/LNK files. I don’t think this method will have much staying power as there’s no legitimate reason to allow these file attachments. If we just stop accepting ISO/LNK file types, we send attackers back to the drawing board.
Same goes for DNS abuse. It’s easy to detect and stop. For example, has anyone seen a legitimate website ending in .su or .xyz? If it’s not .com, .net, .us or any of about 12 major top-level domains (TLDs), block it in its entirety and you won't have to think about it again. The reason companies haven’t done this before is that they’re wary of false positives and afraid to do anything that might even possibly generate one. But that goes back to reducing noise, the bane of every SOC manager’s existence.
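As an added illustration of the TLD allowlist policy described above (example code written for this page, not part of the original post or any Netenrich product), the following flags DNS queries whose top-level domain falls outside a small allowlist. The log line format, the sample queries and the particular allowlist are all constructed assumptions; the post only says "about 12 major TLDs", so the set is tuned per organisation.

```python
import re
from typing import Optional

# Assumed allowlist of permitted TLDs (illustrative, not a recommendation).
ALLOWED_TLDS = {"com", "net", "org", "us", "edu", "gov", "mil",
                "io", "co", "uk", "de", "ca"}

# Constructed resolver log format: "<timestamp> <client_ip> query: <qname>"
LOG_RE = re.compile(r"^(\S+) (\S+) query: (\S+)$")


def tld_of(qname: str) -> Optional[str]:
    """Return the lowercase TLD of a query name, or None if malformed."""
    labels = qname.rstrip(".").lower().split(".")
    if not all(labels):
        return None            # empty label such as "bad..name": malformed
    return labels[-1]


def is_allowed(qname: str, allowed=ALLOWED_TLDS) -> bool:
    """True when the query's TLD is on the allowlist.

    Single-label names (no dots) are treated as internal search-domain
    lookups and allowed; malformed names are never allowed.
    """
    tld = tld_of(qname)
    if tld is None:
        return False
    if "." not in qname.rstrip("."):
        return True
    return tld in allowed


def flag_queries(log_lines, allowed=ALLOWED_TLDS):
    """Return (client_ip, qname) for every query outside the allowlist."""
    flagged = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue           # not a query record: skip it
        _ts, client, qname = m.groups()
        if not is_allowed(qname, allowed):
            flagged.append((client, qname.rstrip(".")))
    return flagged


# Constructed sample log (not real traffic).
SAMPLE_LOG = [
    "2022-12-05T10:00:01Z 10.0.0.5 query: www.example.com.",
    "2022-12-05T10:00:02Z 10.0.0.5 query: cdn.update.xyz.",
    "2022-12-05T10:00:03Z 10.0.0.7 query: mail.example.co.uk.",
    "2022-12-05T10:00:04Z 10.0.0.9 query: files.example.su.",
    "2022-12-05T10:00:05Z 10.0.0.9 query: printer",
    "not a query record at all",
]
```

Running `flag_queries(SAMPLE_LOG)` reports only the .xyz and .su lookups; the resolver-side block itself would be applied with the same allowlist in the DNS or proxy policy.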
Identity is the new point of compromise. Every organization is slightly different, but every organization needs and should have endpoint detection and response (EDR) because end users use laptops — and if a threat actor can get to somebody’s work computer and elevate privileges, it doesn’t matter if the critical assets are running in Kubernetes. The threat actor will own whatever the identity gives them access to and be able to do everything that user, whose identity they’ve stolen, can do.
Some enterprises will always maintain an on-premises footprint, but most are moving to the cloud (because on-premises is too difficult, and the cloud is often cheaper). Many are betting that cloud providers will keep them secure — which is certainly not something cloud providers promise. And the problem is that you don’t have the same tools for the cloud that you do for on-prem: no network products, no EDR, no CrowdStrike for AWS, Google, or Microsoft. You can’t apply traditional endpoint detection architectures in the cloud.
While the three major cloud platforms create audit trails and provide controls, the onus of security sits with the individual enterprises and their users. And part of that security needs to include detecting behaviors. That’s why it’s so important to pull in security telemetry from the three major platforms and create detections based off it to find identity misuse in cloud environments. Otherwise, you’re just hoping for the best — and there have been plenty of growing pains.
If CISOs want to improve incident prevention and response, they need to make data analytics a top priority in the new year. Let me explain.
CISOs are always under pressure to do more with less — or more with the same budget. That has made tool consolidation an easy “escape hatch” to reach for. However, over several decades, few vendors who consolidate tools have been truly effective. Too often, stitched-together tools don’t end up performing any function particularly well. Thus, organizations invariably return to using point solutions, especially as new security risks emerge. At this stage, it seems more like a pendulum of market tendencies.
However, if CISOs can get consolidation correct — beyond just multiple use cases in different parts of the same product — it’s data that can enrich each function. For instance, threat detection tools can use vulnerability data to enhance or deprioritize a detection (e.g., is the victim’s device vulnerable to the exploit firing at it?). And threat detection can enhance vulnerability data based on what attack data is being sent to a victim machine (e.g., you need to patch this now!).
The key to consolidation done well is whether the underlying vendor has adopted a big data approach to solve the problem. Generally, security is already too fragmented. Instead, the various security functions should be collaborating, sharing data, and running analytics on shared data to create real context and threat models.
SOC analysts do the same things 90-95% of the time. They receive alerts and usually ask the same questions. They keep the same browser tabs open to copy and paste information from new tickets to enrich what they know about an attack. Empowered with this information, they understand what is going on and can move on to deciding what to do. For instance, if someone is launching a Log4Shell attack on a machine that doesn’t have Java, they can simply close the ticket and move on, but they first need to go into a vulnerability management or attack surface management tool to ascertain whether the machine is running Java.
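The two-way enrichment described in the consolidation paragraph and the Log4Shell-without-Java case above, as an added example written for this page (not Netenrich's code and not the Resolution Intelligence Cloud's logic): a triage function joins a detection with asset and vulnerability context and returns a decision. The inventory, alert fields, and the `log4shell` vulnerability label are constructed assumptions standing in for what a vulnerability management or attack surface management export would supply.

```python
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple


@dataclass
class Asset:
    hostname: str
    software: Set[str]                          # installed software on the host
    open_vulns: Set[str] = field(default_factory=set)  # unpatched vuln labels


@dataclass
class Alert:
    rule: str        # detection rule that fired
    target: str      # hostname the exploit traffic was sent to
    requires: Set[str]   # software the exploit needs to succeed at all
    exploits: str    # vulnerability label the rule corresponds to


# Constructed inventory (illustrative hosts, not real systems).
INVENTORY: Dict[str, Asset] = {
    "web-01": Asset("web-01", {"java", "log4j"}, {"log4shell"}),
    "web-02": Asset("web-02", {"java", "log4j"}),          # already patched
    "fs-01": Asset("fs-01", {"windows", "smb"}),           # no Java at all
}


def triage(alert: Alert, inventory: Dict[str, Asset]) -> Tuple[str, str]:
    """Return (decision, reason) for an alert, using asset/vuln context.

    Decisions: "close" (exploit cannot apply), "escalate" (target is
    vulnerable, patch now), "monitor" (attempted but not exploitable),
    "investigate" (no context available, so no deprioritization).
    """
    asset = inventory.get(alert.target)
    if asset is None:
        return "investigate", "target not in inventory; cannot deprioritize"
    missing = alert.requires - asset.software
    if missing:
        return "close", f"target lacks {sorted(missing)}; exploit cannot apply"
    if alert.exploits in asset.open_vulns:
        # Detection enriching vulnerability data: this is the "patch now" signal.
        return "escalate", f"target vulnerable to {alert.exploits}; patch now"
    return "monitor", f"{alert.exploits} not open on target; attack attempted"


def triage_all(alerts, inventory=INVENTORY):
    """Map each alert to its decision, the way a queue clean-up would."""
    return {a.target: triage(a, inventory)[0] for a in alerts}
```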
With a platform like Netenrich’s Resolution Intelligence Cloud, SOC teams can combine, correlate, and enrich threat detection and vulnerability data to prioritize alerts and clean up the queue. Threat detection and vulnerability data sets have always existed, but nobody put A and B together to prioritize … until now.
When the Resolution Intelligence Cloud generates what’s called an ActOn™, which is a highly contextualized, pre-incident ticket, all the information is there and 95% of the work is already done. Via machine learning, the platform understands how analysts have handled events in the past and it takes the same steps to resolve. Analysts don’t need 32 gigabytes of RAM in their laptop or 100 browser tabs open to make a decision. They can click a button and be done.