Posted November 9, 2017
For those of you building proactive cybersecurity programs, this blog will cover some tips that I hope will help you determine how your security teams can increase the cost on the adversary when those actors attack your organization.
Today, threat hunting encourages a more proactive approach to cybersecurity defense tactics. It requires enhancements to the detection and mitigation technologies security teams use, as well as how the analysts are using them to their advantage.
Recently I discussed new technology that can help integrate real-time network traffic inspection and mitigation integrated with high-quality, human-vetted, Threat Intelligence: Evidence-based knowledge about an existing hazard designed to help organizations make inform decisions regarding their response to the threat.. Combining these two technologies is key for organizations looking to improve how they operationalize threat intelligence. Part of this comes from the ability to identify at line-rate (up to 10G) Layers 3 through 7 traffic patterns that match technical indicators from known malicious sites. The second part comes from providing a fully-automated system of threat intelligence integration to the network mitigation system so that the burden of threat intelligence vetting and management imposed on network security teams is reduced or eliminated completely.
The following diagram shows a high-level picture of the threat intelligence deployment with network mitigation system.
The key challenge for security teams that is often overlooked is how to appropriately respond to advanced threats. Threat actors are using more sophisticated tools and exploit kits enabled by the broader awareness of malware marketplaces and leaks of sophisticated tools, making it is easier for them to mount more challenging threats to organizations. Organizations need to consider more sophisticated responses to potential threats beyond simple blocking based on known traffic indicators.
Leveraging threat intelligence and a threat intelligence gateway with counter-measures employed can significantly change the dynamic in favor of the security organization over the adversary.
There are at least 3 categories of threat response that can be employed individually or in coordination to respond to the adversary.
- Application Layer Attacks and Response: This category of attack primarily focuses on taking advantage of application layer behavior and provides the security organization with opportunities to modify those behaviors to confuse, obfuscate, delay, or interact in a manner that will yield greater costs to the attacker when leveraging this attack category.
- Domain Name Attacks and Response: This category of attack primarily focuses on taking advantage of the domain name layer of network behavior that attackers may rely on for discovery, redirection, or transport of malicious activities.
- Transport Layer Attacks and Response: This category of attack primarily focuses on taking advantage of the transport protocols that most applications rely on. By understanding the behaviors of the network transport protocols and modifying the behavior without detection, security teams have an advantage over their adversaries.
Application Layer Threat Response Example
- An adversary is scanning your organization’s public web infrastructure to determine what they can find about the infrastructure’s software version, patch levels…. etc. Using public tools and freely available scanning capabilities, the adversary can normally determine a lot about your infrastructure and then use that information to potentially exploit it.
- Security Team Response
- The organization protecting the web infrastructure deploys a threat intelligence gateway with active counter-measures in front of the infrastructure.
- They change the infrastructure’s cookie information returned to the adversary’s scanner without the modification being detectable by the adversary, causing the adversary to continue looking for other attack vectors or moving to a different target.
- The adversary continues putting effort into finding an exploitable path into your infrastructure.
Domain Layer Threat Response Example
- An adversary has successfully infected an organization’s asset with a known botnet agent. The agent running on the organization’s asset attempts to reach out from the corporate network to the botnet command and control server on the Internet.
- Security Team Response:
- The organization protecting the corporation’s networked assets of the deploys a threat intelligence gateway with active counter-measures inside the perimeter of their network defenses, specifically on the point of presence, inspecting and applying counter-measures to any traffic patterns that have active security profiles.
- They determine via their threat intelligence the known botnet server active IP address and domain information. This information is sink-holed by the threat intelligence system and is providing a highly reliable determination of any infected botnet clients attempting to reach the original botnet server.
- The infected agent’s DNS query communications are intercepted by the threat intelligence gateway and the DNS response is provided by the threat intelligence gateway, redirecting the agent to a known good asset within the perimeter.
- The organization could additionally quarantine the corporate asset until the security team remediates the assets back to a known good state.
- The adversary is unable to leverage the infected corporate asset any further for potential pivoting towards other assets in the network or data theft from the asset.
Transport Layer Threat Response Example
- An adversary has identified a known TCP protocol-stack exploit on the corporation’s network infrastructure that has not yet been patched and remediated and has started attempts to leverage the exploit.
- Security Team Response:
- The security team deploys the threat intelligence gateway with counter-measures in front of the perimeter of their network and identifies the specific indicators of an attempt to exploit the TCP-based attack.
- The team configures the counter-measures profile such that the threat intelligence gateway responds (without detection by the adversary) on behalf of the corporation’s network assets with
- a TCP-RST that causes subsequent flows from the adversary to be terminated.
- The threat intelligence gateway does not forward any further attempts from the adversary on that specific TCP source or destination muting the attack.
- Continued effort on behalf of the adversary to understand why despite the exploit being visible from their scanning they are unable to invoke a successful attack against the corporation’s network infrastructure that was identified as having the exploitable software.
Each of these three threat response categories employ fairly simple techniques that rely on undetectable behavioral modification of network and application traffic patterns that increase the adversary’s level of effort to attack the organization.
Security teams focused on proactive cybersecurity should consider how to leverage these threat response techniques to maximize the impact on the adversary. Operationalizing threat intelligence with network-based threat mitigation can substantially improve their organization’s ability to respond to threats.
Keep an eye out for more sophisticated approaches for leveraging threat intelligence gateways and the capabilities unleashed by active threat response within the gateway are just starting to emerge.