
All Seeing, All Knowing Border Control: Endpoint Detection and Response

By Peter Cohen, Strategic Manager of Countercept at MWR InfoSecurity

Necessity is the mother of invention, and with new breaches reported on a near-daily basis, the evolutionary arms race between hackers and cyber-defenders has led to the rapid disruption of the traditional managed security service provider (MSSP) market. As vendors scramble to stay relevant, this has led to a sea of sales messages and acronyms, including the advent of EDR and proactive threat hunting.

Breaking this down, we have EDR (Endpoint Detection and Response), the word proactive (the mainstay of copywriting teams globally), and threat hunting (why wouldn't you want that?). But marketing aside, what does this actually mean?

The easiest way to explain EDR and proactive threat hunting is to use an analogy. Let's liken the corporate IT network to a country, and use the UK as illustration.

ID Check Point

The UK goes to great lengths to stop known foreign criminals entering the country.

There is the expectation that individuals who are known to have performed illegal activities in the past may be a potential risk to society if allowed into the country. To mitigate this risk, the UK Border Agency checks the passport of everyone arriving at international airports, and if there is a match against the database, entry to the country is denied.

This is much like your traditional MSSP vendor monitoring an organization's Internet ingress points for known or suspected 'bad' IP traffic. The danger is that, if the criminal has a new passport with a new name, they may be able to get through the border in the same way that a moderately capable attacker would spin up a new IP address or flip some bits in their malware to target an organization. Indeed, in the 2015 Verizon breach report, over 80% of malware samples associated with breaches were unique to that organization.

Is that it then? Is any criminal with a new passport guaranteed to get through?

Behavior Analyzed

The answer is no. Thankfully, the UK Border Agency staff receive extensive training to help them spot suspicious behaviour which may indicate that someone is not who they say they are.

In the same way, IT security vendors have evolved to address the problem with the widespread deployment of heuristics and behavioural analytics run against inbound files. For example, "This file says it does 'x', but actually hidden inside it does 'y' so it must be blocked."

The problem with this approach is that each vendor plugs just one, or perhaps a handful, of attack paths with its specific technology, and even then, being driven by automation, it cannot be accurate 100% of the time.

Breaches occur almost daily, week in, week out, at the hands of relatively unsophisticated attackers, proving that this approach fails.

Alternative Entry Point

Going back to the original analogy, take the example of an advanced criminal who is well resourced and persistent. The criminal wants to get into the UK, and to guarantee success they plan to land deep inside the country by parachuting in, bypassing all border controls entirely. If anyone did spot them on landing, they would have a new passport anyway. This is how modern cyber threat actors operate: they go straight for the users' endpoints with custom malware delivered through phishing campaigns, USB sticks or watering hole attacks, bypassing the perimeter security controls to establish a foothold on the network.

Eyes and Ears Everywhere

EDR and proactive threat hunting are different. They assume that the above scenarios will play out, that the perimeter will be breached, that compromise is inevitable.

In terms of border control in the UK, an EDR tool is the equivalent to the Border Agency going door-to-door to every single house in the country, every single minute, to check whether there is anyone new or different on the premises (anomaly based analysis).

This intelligence is then utilized by the Serious Organised Crime Agency (SOCA) to guide their agents through counties, into towns, narrowing down to streets, and ending up at the specific house where a new or different person is deemed to be. This is the equivalent to proactive threat hunting.

Once at the house, the SOCA agents need to determine where the person has come from (network traffic analysis) and what they have done since arriving (log analysis and further EDR), rather than just relying on a passport check at the airport.
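The passport check versus the door-to-door check, as an added Python example that is not part of the article (the fleet inventory, file hashes and blocklist are all constructed): a known-bad hash lookup misses a one-off binary, while a fleet-wide prevalence check surfaces the single host running something no other host runs, which is the lead a hunter would then follow up with network and log analysis.

```python
from collections import Counter

# Constructed per-host inventory of running binaries as (path, sha256).
# The hashes are made-up placeholders, not real indicators.
FLEET = {
    "ws-01": {("C:\\Windows\\explorer.exe", "aaa1"),
              ("C:\\Windows\\System32\\svchost.exe", "bbb2")},
    "ws-02": {("C:\\Windows\\explorer.exe", "aaa1"),
              ("C:\\Windows\\System32\\svchost.exe", "bbb2")},
    "ws-03": {("C:\\Windows\\explorer.exe", "aaa1"),
              ("C:\\Windows\\System32\\svchost.exe", "bbb2"),
              # a one-off binary: its hash appears on no blocklist
              ("C:\\Users\\bob\\AppData\\Roaming\\update.exe", "ccc3")},
}

# Constructed blocklist: the hash of a sample seen at some other organization.
KNOWN_BAD_HASHES = {"deadbeef"}


def ioc_check(fleet, known_bad):
    """Passport check at the border: flag hosts running a binary whose
    hash is already on the known-bad list. Misses anything unique."""
    return {host for host, inv in fleet.items()
            if any(sha in known_bad for _, sha in inv)}


def rarity_check(fleet, max_hosts=1):
    """Door-to-door check: count how many hosts each (path, hash) pair is
    seen on and report the ones present on at most max_hosts hosts."""
    prevalence = Counter(item for inv in fleet.values() for item in inv)
    rare = {}
    for host, inv in fleet.items():
        hits = sorted(item for item in inv if prevalence[item] <= max_hosts)
        if hits:
            rare[host] = hits
    return rare


def hunt_leads(fleet, known_bad):
    """Narrow the fleet down to the hosts worth an analyst's time: IOC hits
    first (high confidence), then rarity hits (need investigation)."""
    leads = [(host, "known-bad hash") for host in sorted(ioc_check(fleet, known_bad))]
    for host, items in sorted(rarity_check(fleet).items()):
        for path, sha in items:
            leads.append((host, f"rare binary {path} ({sha})"))
    return leads


if __name__ == "__main__":
    for host, reason in hunt_leads(FLEET, KNOWN_BAD_HASHES):
        print(host, reason)
```

On the constructed data the blocklist returns nothing, while the prevalence check points straight at ws-03; in a real fleet the threshold would be raised above one host and the results triaged against software inventory.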

While it is unrealistic to implement such draconian controls in a country, and the analogy can only go so far, corporate networks are a different story. Managed EDR threat hunting services are readily deployable and affordable, so the electronic 'foreign criminals' looking to infiltrate the enterprise have nowhere safe to hide.


© Copyright 2016 Auerbach Publications