Building Breach Resiliency Through Collaboration

Setting the Stage

With the release of the latest Verizon Data Breach Investigations Report it is encouraging to see that time to detect threats has been greatly reduced, even with attacks on the rise. However, external attackers are persistent and new threats emerge constantly. As our networks and applications become more sophisticated—with more complex integrations and enhanced capabilities—so too do the modern threats facing our organizations. We must continue to adapt and improve our security to keep up.

In this post, we will cover some of the issues with current approaches, how organizations can best defend against the latest attacks bad guys are using, countermeasures beyond the all-too-typical band-aid remediations, and the merging of red and blue teaming methodologies to validate that our controls are maturing.

Problems With Current Approaches

For a number of reasons, current testing approaches do not always enable and support collaboration or center on a holistic view of the environment. The following list does not represent every approach at every company, but these are current trends that reduce the overall value to the organization:

  • Insufficient time allocated to testing

  • Compliance-based testing may only cover a small portion of an environment

  • Limited leadership education and awareness of goals and outcomes

  • Limited purple team / incident post-analysis workshops

  • Detection and response are not always key factors in success

What Is Breach Resiliency and Why Is It Better

Breach resilience, or the ability to recover quickly, is now considered a basic requirement, albeit a massive undertaking, that requires serious collaboration between the SOC, the Incident Response team, vendors, and in some cases government agencies. How resilient your organization is centers on how well you understand your environment, your defensive capabilities, and your threat landscape.

So, where is your perimeter? What are your biggest threats? How ‘resilient’ is your organization?

Breach resiliency by design is not a modified threat hunt or purple team exercise, but a strategic and tactical program that centers on bringing an attacker's perspective into architecture and day-to-day operations. With a resiliency approach, the focus is on collaboration and cooperation between red and blue to enable faster and more comprehensive feedback that can be applied and then ...validated! Build the capacity to recover quickly through identification, detection, and response.

Building Breach Resiliency Through Collaboration

Threat intelligence, large data feeds, MITRE ATT&CK mappings, and EDR all play a part in a strong defense and in recognizing the true threats to the known environment. But what does your known environment look like? Is it the DMZ web servers, the SOX servers, administrative laptops, or is it every web service running in the enterprise, the list of systems the Domain Administrator account password has been stored on, the list of paths to Domain Admin, and the systems that can connect administratively to your security tools? The more granular our known environment becomes, the more data we can leverage to our advantage.

The goal is to discover, protect, detect, and recover quickly. Step one—as in most security frameworks—is to discover and inventory all your systems and software. In this case, however, it means inventorying all your systems, identities, third-party interfaces, exposed services, customer roles, etc. The best way to achieve this level of detail is through continuous collaboration across your different teams.

This is certainly not a one size fits all solution. Your organization’s approach must be developed based on what you have at your disposal to help establish processes to aggregate and action information quickly.

The goal is to expose and enumerate the entire environment and compile a data repository that can be used to build an organization-centric threat library. With this environment-specific data, you can threat model tactically and establish scenarios that expose both basic and complex weaknesses, in order to drive valuable and practical remediation, update defensive actions, and enhance threat monitoring.

Next Steps

While there is a lot of information to gather and process, you do not need to boil the ocean. It does not have to be a huge undertaking from the start. Start small and start chipping away.

You can start with the basics: vulnerability assessment results, administrative tools, and known penetration testing methods, used to develop a basic profile of your environment. This basic profile can then drive strategies to reduce the attack surface of high-risk systems. Strategically, it can identify rogue IT and technology debt, serve as an input into a FAIR risk analysis, drive EDR installation on legacy systems, or enhance the IOAs/IOCs in your SOC.

This building-blocks approach will bring to light systemic design issues, network routing flaws, application communication issues, overuse of shared service accounts and admin accounts, open services, least-privilege failures, etc.
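The environment profile described above (the data repository built from inventory and the systemic issues it surfaces) can be assembled with a short script once the inventory exists. The following is an added example, not tooling from the original post: it takes constructed host records in an assumed export format (fields such as `zone`, `local_admins`, `services`, `edr`), and flags admin accounts reused across systems, services exposed in the DMZ outside an allowlist, systems carrying a Domain Admin footprint, non-DA accounts whose local admin rights on those systems form a potential path to Domain Admin, and legacy systems without EDR. The group name `CORP\Domain Admins` and the account names are assumptions.

```python
"""Build a basic environment profile from inventory records and flag the
systemic issues the post lists. Example code; the record format, the
CORP domain, the group name and all hosts/accounts are constructed."""
from collections import defaultdict

DA_GROUP = "CORP\\Domain Admins"          # assumed Domain Admins group name

# Constructed sample export: one record per host, as a scanner or admin tool might produce.
HOSTS = [
    {"host": "web01", "zone": "dmz", "os": "Windows Server 2019", "edr": True,
     "services": [{"port": 443, "name": "https"}, {"port": 3389, "name": "rdp"}],
     "local_admins": ["CORP\\svc_deploy", DA_GROUP]},
    {"host": "web02", "zone": "dmz", "os": "Windows Server 2019", "edr": True,
     "services": [{"port": 443, "name": "https"}],
     "local_admins": ["CORP\\svc_deploy"]},
    {"host": "sox-db01", "zone": "internal", "os": "Windows Server 2008", "edr": False,
     "services": [{"port": 1433, "name": "mssql"}, {"port": 445, "name": "smb"}],
     "local_admins": ["CORP\\svc_deploy", "CORP\\svc_backup", DA_GROUP]},
    {"host": "admin-lt07", "zone": "internal", "os": "Windows 10", "edr": True,
     "services": [],
     "local_admins": ["CORP\\jdoe", DA_GROUP]},
]
DOMAIN_ADMINS = {"CORP\\jdoe", "CORP\\svc_backup"}   # constructed group membership
ALLOWED_DMZ_SERVICES = {"https"}                      # constructed allowlist


def reused_admin_accounts(hosts, min_hosts=2):
    """Individual accounts (not the DA group) holding local admin on min_hosts or more systems."""
    seen = defaultdict(set)
    for h in hosts:
        for acct in h["local_admins"]:
            if acct != DA_GROUP:
                seen[acct].add(h["host"])
    return {a: sorted(s) for a, s in seen.items() if len(s) >= min_hosts}


def exposed_dmz_services(hosts, allowed):
    """Listening services on DMZ hosts that are not on the allowlist."""
    return [(h["host"], s["port"], s["name"])
            for h in hosts if h["zone"] == "dmz"
            for s in h["services"] if s["name"] not in allowed]


def domain_admin_footprint(hosts, domain_admins):
    """Hosts where Domain Admin rights are present via the group or one of its members."""
    return sorted(h["host"] for h in hosts
                  if DA_GROUP in h["local_admins"]
                  or domain_admins & set(h["local_admins"]))


def paths_to_domain_admin(hosts, domain_admins):
    """(account, host) pairs where a non-DA account is local admin on a host that
    also carries a DA footprint; each pair is a potential path to Domain Admin."""
    footprint = set(domain_admin_footprint(hosts, domain_admins))
    pairs = set()
    for h in hosts:
        if h["host"] not in footprint:
            continue
        for acct in h["local_admins"]:
            if acct != DA_GROUP and acct not in domain_admins:
                pairs.add((acct, h["host"]))
    return sorted(pairs)


def legacy_without_edr(hosts, legacy_markers=("2003", "2008", "XP", "Windows 7")):
    """Legacy operating systems (matched by substring) with no EDR agent reported."""
    return sorted(h["host"] for h in hosts
                  if not h["edr"] and any(m in h["os"] for m in legacy_markers))


def build_profile(hosts, domain_admins, allowed_dmz):
    """The basic environment profile: one dictionary the SOC and red team can both work from."""
    return {
        "reused_admin_accounts": reused_admin_accounts(hosts),
        "exposed_dmz_services": exposed_dmz_services(hosts, allowed_dmz),
        "domain_admin_footprint": domain_admin_footprint(hosts, domain_admins),
        "paths_to_domain_admin": paths_to_domain_admin(hosts, domain_admins),
        "legacy_without_edr": legacy_without_edr(hosts),
    }


if __name__ == "__main__":
    for finding, items in build_profile(HOSTS, DOMAIN_ADMINS, ALLOWED_DMZ_SERVICES).items():
        print(f"{finding}: {items}")
```

Each finding maps to a remediation the post already names: the reused `svc_deploy` account and the DA footprint on `sox-db01` are least-privilege and credential-reuse fixes, the RDP listener on `web01` is attack-surface reduction, and the missing agent on the 2008 host is an EDR rollout decision. Re-running the profile after each change is the validation step the post asks for.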

In Summary

Breach resiliency could be called a million different things. At its core, breach resiliency is leveraging blue team knowledge and data and infusing a red teamer's analysis as a tactical way to enumerate the active threats the environment is exposed to. The more you know about your environment, the easier it becomes to protect what's important to you. Identify threats before they become a compromise.
