Understanding the life cycle of an attack is a key component to being able to prevent, detect and respond. Depending on how attackers target an organization there are specific compensating controls and visibility that can be put in place. Verizon’s’ 2019 Data Breach Investigations Report does a good job of explaining this concept:
“In our world, you’ve put defenses and mitigations in place to deter, detect, and defend. And just like on the golf course, the attackers reach into their bag, pull out their iron, in the form of a threat action, and do everything they can to land on the attribute they want in the soft grass of the fairway.” – Page 20, 2019 Data Breach Investigations Report
The above statement relates to how companies practice defense in depth strategies. Even with all of the security investments that organizations put in place hackers have the ability pick a path that isn’t going to trigger any indicators. What is key for managed detection and response providers (MDR) in the security space is that they have the have the ability to collect data from any component of an attack life cycle. Examples of this can include network telemetry, endpoint telemetry, and log data. Being able to piece together what happened when an attacker breached the network, to being able to disrupt the initial access they have from multiple enforcement points is a key differentiator for an MDR provider.
Verizon’s Data Breach Investigations Report also explores (Figure 29 below) how detecting attack paths that are short is much more difficult than detecting longer attack paths. From eSentire’s perspective this makes a lot of sense. The hardest part for an attacker is the initial compromise. Once past the perimeter defenses of an organization it is really about completing the objective without triggering any additional alarms. The least number of steps within a compromise makes it more difficult for a security product or service to detect the threat actors.
Figures 31-33 from the same Verizon report also provides insight into the steps hackers take when an incident occurs. When looking at the results for the beginning (left image), middle (middle image) and end of an attack path (right image) it is important to note that the first step doesn’t generally originate with malware. This is common with what eSentire sees across its client base as well. Getting initial code execution within a target environment most commonly involves some sort of exploitation or social engineering. Once the initial code execution has occurred malware is generally used to gain persistence and a reliable connection into an environment. Malware is a reliable way for threat actors to keep access, load additional tools/capabilities and allows for pivoting to other machines from the compromise. In the later part of the attack stage pivoting to other machines often related to additional hacking techniques and deploying additional malware.
Defense strategies around being able to prevent, detect and respond to these types of events in the threat landscape is important. Utilizing known standards and industry supported techniques for covering these gaps within an organization is necessary to have any remote chance of detecting these various stages of an attack. An excerpt from the Center for Internet Security from the VDBIR report:
“Leveraging an attack path model is not only an important step towards formalizing our understanding of attacks, but also a means to understanding our defense.” – Page 23, 2019 Data Breach Investigations Report
MITRE ATT&CK is a great framework to leverage for creating coverage for attacks that have been seen in the wild. The tactics and techniques can be associated with specific attack paths for adversaries seen in previous incidents but at a higher level can be used to share commonalities and detection criteria. The key is to understand the different entry points in an attack and creating the capabilities to have visibility, prevention, detection and response actions tied to identifying a specific attack path.
Verizon’s Data Breach Investigations Report is a great yearly resource for companies to read and digest for trends of attacks. It should be used as an additional input (alongside resources like eSentire’s own Threat Intelligence Reports) into what an organization should focus on from a security strategy perspective.