mobile logo
29
April

APT shutout: Building for the Cyber Security Playoffs

April 29, 2019
In Industry, Partners
By Secure Sense

By: Matthew Balcer – SentinelOne Canada

Most CIOs, CSOs, Security Analysts, Security Admins wake up every morning assuming that the solutions they’ve put in place, the solutions they have invested in on behalf of their organization, have kept their environment safe. This seems more like a general with his troops standing in a room with a ticking timebomb watching the clock hoping the triggering mechanism will fail. Over 80% of Canadian companies reported some form of successful breach last year. Where is the assurance in those odds?

If these stats are real, and we would have to assume the polled companies aren’t lying, then what mistakes are we making in selecting and deploying security solutions? Truth is it might not be so much the solutions we select or the way we deploy them but rather understanding the problem at its root.

In many demonstrations I show security and IT knowledge workers a live ransomware attack using Metasploit. Less than 10% of these knowledge workers actually recognize this tool or are aware of its functionality. They are more familiar with the latest news making campaign and its effects. Metasploit is one of the most famous hacker platforms in the world. If we don’t understand what we are up against, how do we defend against it? Knowing what WannaCry did to a few hundred thousand computers around the world is important but rarely will that lead to you knowing what solution to put in place to defend against the next big payload variant. Knowing what the hackers know isn’t half the battle, it’s the whole battle.

The first step is realizing that the whole concept of trust is gone. There is no concept of trusted applications. The most common work applications are the most exploited. There is no concept of trusted perimeter. Your data is now everywhere, your compute is everywhere, and if it’s not behind your four walls it certainly doesn’t matter if it’s in the same country as you. There is no concept of trusted source. Hackers will out social engineer the best of us and impersonate the most trusted source possible. There is no concept of trusted connections. Most of the time you connect to the hackers they don’t connect to you. In other words, blacklisting and whitelisting applications/hashes, e-mail sources, IP/URL connections, and trying to guard the perimeter is near futile.

The second step is realizing that most of the successful attacks are some form of an APT. APT (Advanced Persistent Threat) is mostly a made-up term with broad implications that has gained marketing resonance in resent years. That said, the term does have a military background. It basically refers to an attack that uses advanced tactics and techniques, has the ability to persist its propagation in spite of reboot or defense, and that typically there is a live threat actor (human being). By definition these attacks are security and defense aware and therefore are built to circumvent the security measures. Think of this like the hockey sniper that is well aware there is a goalie in the net, they are going to shoot for the open parts of the net. In order to defend against these attacks, we have to use advanced layers, a strong defensemen pair that limits the sniper’s ability to get the shot he wants and a goalie that adapts quick enough to block those openings.

How does this translate to cyber defense? Let’s take a look a “Project Sauron” as an example. There may still be traces of this payload set that are yet to be discovered on endpoints around the world. This campaign used a multitude of exploits of trusted applications, mutated from one machine to another, and was not solely dependent on internet infiltration. This rendered most security solutions useless against it since it played against the very concepts these tools are built on. No signature to blacklist, no untrusted applications to block and port or IP isolation was ineffective. There was also significant persistence involved. If you were able to detect on exploit or technique the hacker would move to the next. So how do I draft the defensemen and goalies ready for this challenge. Criteria of worthwhile security solutions… 1) Behavior aware: security solutions should be aware of the good behavior and detect anomalies from that. 2) Least dependency: security solutions should as autonomous and automated as possible but able integrate between layers. In other words, if solution is dependent on the cloud for detection, the internet is the first leg the hacker cuts off. 3) Visibility: I need to know everything that is occurring malicious or benign. Sometimes indicators need to be correlated. Threat hunting is not a nice to have it’s a necessity for all size organizations. 4) Persistent resistant: goalies should never be satisfied blocking the first shot, be ready for the rebound. Hackers often launch a distraction attack, test attack, or one that simply survives initial detection. Solutions should provide remediation to what they detect. If you detected that there were system changes that opened a door you should be able to reverse the changes to shut the door.

Truth is, when building your security posture there is no perfect “team”. When building your “team” the best you can do is be aware of your opponent and build to meet them with equal effort and resources. If the hackers are going to use advanced persistent methods then we have to use aware, intelligent, and persistent defense.

This blog was brought to you by our partner, SentinelOne. SentinelOne will be taking the stage to talk about Advanced Persistent Protection on Day 1 at 2:25pm in Grandroom C.

Post Tags:

Related Posts

Effective Patch Management Tools for Your Organization

Welcome back to the...

The Evolution from Password Managers to Privileged Access Management. Which is right for you?

Welcome back to the...

A Secure Sense Competitive Advantage

Welcome back to the Cyber Security Month blog! In last week’s blog, we talked about the importance and value of an MSSP, what sets Secure Sense apart from other MSSP’s and how Secure Sense can help your business. Today, we want to continue the conversation around the competitive advantage of working with Secure Sense and what sets us apart in the world of managed security.

In addition to our dedicated customer success teams and our 24×7 SOC (read more in the previous blog here) Secure Sense’s white glove service stands out in many other ways. Continue reading to find out the secret keyphrase, and our competitive advantage.

Expert engineers/analysts

Our experienced technical team comes from diverse technical backgrounds, representing a wealth of security knowledge. They play an integral role in everything we do at Secure Sense; from evaluating partners to developing services, allowing us to focus entirely on the best products and the highest training certificates.

Our engineers, architects, and analysts are required to ensure they are up-to-date on technical training. In addition to solution technical training, our technical team has focused on training in the following areas:

  • Communication for clearer and more accurate ticket updates​
  • Troubleshooting skillsets have led to fewer escalations internally, and ultimately shorter times to remediate​
  • Critical analysis skills which have measurably improved our ticket responses in providing higher quality responses to tickets.

This training has had a measurable increase in the quality of our services, as well as time to remediate and reduce escalations.

Our SOC has many teams that work with our expert analysts to ensure you receive the most from your service. In addition to our security analyst team, Secure Sense has four other technical teams: the reporting team, the threat intel team, the automation team, and the purple team.​

Automation team:

The Secure Sense automation team reviews customer requests, as well as potential customer controls, and ties those controls in with our managed services for automated systems mitigation, stopping threats in their tracks.​

The team is also responsible for:

  • Automated SIEM log analysis, tied into our Threat intelligence team to streamline the ingestion of IOCs into our managed services.
  • Implementing our vendor vulnerability review and remediation systems allows us to reduce our critical vulnerability remediation windows and provide improved visibility into coverage and reporting.
  • Delivering smart-responses from our SIEM solution, and implementation of Reporting team recommendations and improvements.​
  • Automating reporting and alerting directly into our ServiceNOW portal, providing short response times to customer alerts

Reporting team:

Secure Sense has created a dedicated reporting team to streamline and bring more meaningful data to our customers on a regular basis. This team not only builds custom reports, but also analyzes how our customers are using our services, identifying any particular improvements that we could be making to the services, and providing recommendations to the rest of the managed service teams.​

Our reporting team also builds datasets and analyses based on our customer tickets, as well as managed service systems, to identify new use cases and patterns that we can leverage to improve services internally.​

Threat intel team:

Our internal Threat Intel team reviews various events that have occurred and identifies the relevant TTPs. They provide this intelligence to our purple team which will operationalize it.​

The Secure Sense threat intel team focuses on both systematic collection of IOCs and analysis thereof, as well as individual TTPs that are used to identify new and emerging threats. ​The team looks at those tools, Techniques and procedures that threats are using in the market, and identifies how they could be leveraged against our existing customer base, along with better enhancing our services to detect those TTPs when in use.​​

Purple team:​

Secure Sense’s Purple team reflects the blend of both defensive or blue team skillsets, along with offensive or red team skillsets. The team takes tools, techniques and procedures identified by the threat intel team, analyses our customer’s environments and identifies if we can detect them. ​ With customer collaboration, the Purple team can provide execution packages where we can simulate specific components of a threat, and then validate that we have visibility into that TTP being run in a customer environment.

Professional services

Secure Sense’s implementation and support experts are experienced in a wide variety of Professional Services engagements with specialized tactical teams within our extended technical bench, focused on specific technologies and or products.

In most cases, Professional Services are project-based services that require a skilled engineer or architect for a one-time project or short-term change in your organization; or a senior consultant to provide a wide range of risk advisory services. Project teams will also typically address any ongoing support or maintenance after the initial project is complete.

Our cybersecurity consultant team and senior architects hold a broad range of top industry certifications and credentials, along with many years of experience in the industry. Our methodologies for common engagement types have been developed and refined to reflect the most up-to-date best practices and to scale to projects of any size, including global enterprise enablement.

A few of the engagements we commonly offer include:

  • Cybersecurity Architecture Assessment and Design
  • Solution Implementation Services
  • Health Checks
  • Penetration Testing
  • Vulnerability Assessments
  • Threat and Risk Assessment
  • Enablement & Training
  • Ongoing Support

Secure Sense focuses on continual training and certification among our technical ranks in order to provide the most knowledgeable technical support.

Security training

Secure Sense offers security training and can assist in helping your organization to create its cyber security training program. From general employee awareness training to specific security training for your IT and security staff, Secure Sense can help your organization combat the threats they face on a daily basis. Our team is able to offer:

  • Engaging user awareness training for end-users
  • Technology training for security solutions and products
  • Security Analyst training
  • Threat hunting training
  • Threat simulations to give your internal security teams practice in using internal tools
  • Tabletop exercise development and execution to simulate incidents and incident response

Your Key word is “Purple Team”

Don’t forget! Take this keyword and head to our LinkedIn page here to comment on it for your chance to win one of many prizes this month!

As always, if you’re interested in learning more about Secure Sense’s competitive advantage or any of our services, don’t hesitate to reach out to us at 866-999-7506 or sales@securesense.ca!

Continue reading