APT shutout: Building for the Cyber Security Playoffs

By: Matthew Balcer – SentinelOne Canada

Most CIOs, CSOs, Security Analysts, Security Admins wake up every morning assuming that the solutions they’ve put in place, the solutions they have invested in on behalf of their organization, have kept their environment safe. This seems more like a general with his troops standing in a room with a ticking timebomb watching the clock hoping the triggering mechanism will fail. Over 80% of Canadian companies reported some form of successful breach last year. Where is the assurance in those odds?

If these stats are real, and we would have to assume the polled companies aren’t lying, then what mistakes are we making in selecting and deploying security solutions? Truth is it might not be so much the solutions we select or the way we deploy them but rather understanding the problem at its root.

In many demonstrations I show security and IT knowledge workers a live ransomware attack using Metasploit. Less than 10% of these knowledge workers actually recognize this tool or are aware of its functionality. They are more familiar with the latest news-making campaign and its effects. Metasploit is one of the most famous hacker platforms in the world. If we don’t understand what we are up against, how do we defend against it? Knowing what WannaCry did to a few hundred thousand computers around the world is important, but rarely will that lead to you knowing what solution to put in place to defend against the next big payload variant. Knowing what the hackers know isn’t half the battle, it’s the whole battle.

The first step is realizing that the whole concept of trust is gone. There is no concept of trusted applications: the most common work applications are the most exploited. There is no concept of trusted perimeter: your data is now everywhere, your compute is everywhere, and if it’s not behind your four walls it certainly doesn’t matter if it’s in the same country as you. There is no concept of trusted source: hackers will out-social-engineer the best of us and impersonate the most trusted source possible. There is no concept of trusted connections: most of the time you connect to the hackers, they don’t connect to you. In other words, blacklisting and whitelisting applications/hashes, e-mail sources and IP/URL connections, and trying to guard the perimeter, is near futile.

The second step is realizing that most of the successful attacks are some form of an APT. APT (Advanced Persistent Threat) is mostly a made-up term with broad implications that has gained marketing resonance in recent years. That said, the term does have a military background. It basically refers to an attack that uses advanced tactics and techniques, has the ability to persist its propagation in spite of reboot or defense, and that typically involves a live threat actor (a human being). By definition these attacks are security- and defense-aware and therefore are built to circumvent the security measures. Think of this like the hockey sniper who is well aware there is a goalie in the net: they are going to shoot for the open parts of the net. In order to defend against these attacks, we have to use advanced layers, a strong defensemen pair that limits the sniper’s ability to get the shot he wants and a goalie that adapts quickly enough to block those openings.

How does this translate to cyber defense? Let’s take a look at “Project Sauron” as an example. There may still be traces of this payload set that are yet to be discovered on endpoints around the world. This campaign used a multitude of exploits of trusted applications, mutated from one machine to another, and was not solely dependent on internet infiltration. This rendered most security solutions useless against it, since it played against the very concepts these tools are built on: no signature to blacklist, no untrusted applications to block, and port or IP isolation was ineffective. There was also significant persistence involved. If you were able to detect one exploit or technique, the hacker would move to the next. So how do I draft the defensemen and goalies ready for this challenge? Criteria of worthwhile security solutions:

1) Behavior aware: security solutions should be aware of the good behavior and detect anomalies from that.

2) Least dependency: security solutions should be as autonomous and automated as possible but able to integrate between layers. In other words, if a solution is dependent on the cloud for detection, the internet is the first leg the hacker cuts off.

3) Visibility: I need to know everything that is occurring, malicious or benign. Sometimes indicators need to be correlated. Threat hunting is not a nice-to-have; it’s a necessity for organizations of all sizes.

4) Persistence resistant: goalies should never be satisfied blocking the first shot; be ready for the rebound. Hackers often launch a distraction attack, a test attack, or one that simply survives initial detection. Solutions should provide remediation for what they detect. If you detected system changes that opened a door, you should be able to reverse the changes to shut the door.

Truth is, when building your security posture there is no perfect “team”. When building your “team” the best you can do is be aware of your opponent and build to meet them with equal effort and resources. If the hackers are going to use advanced persistent methods then we have to use aware, intelligent, and persistent defense.

This blog was brought to you by our partner, SentinelOne. SentinelOne will be taking the stage to talk about Advanced Persistent Protection on Day 1 at 2:25pm in Grandroom C.