Vulnerabilities / Threats
10/22/2015
11:00 AM
Jeff Schilling
Commentary

To Find The Needle, Chop Down the Haystack: 5 Steps For Effective Threat Monitoring

Would bank security screen everyone entering the building then leave the vault door open with no one watching the money? Of course not!

At what point does the proverbial “haystack” get too big to find the “needles”? Many of the best security teams have hit that breaking point. They simply have too many sources and event types to process. It’s impossible to manage information at this scale and accurately decide which are truly the important events requiring action.

It is time to narrow the aperture of data collection in your environment. This will remove as much “hay” from the “haystack” as possible and allow the “needles” to come to the surface. To do this, I recommend a five-step process.

Step 1: Consider Your Environment Contested Space
The banking industry has become quite good at fighting fraud from their customer base by operating as if their customers’ home systems are contested. Banks and financial institutions also have placed advanced login analytics on their online banking sites and highly encourage two-factor authentication for customers.

Enterprise IT teams can take this same approach to protecting data from compromised employee systems. In fact, most have even more control by ensuring their hosts are using hardened, updated operating systems and are following sound patch management processes. (That said, if an organization still has instances of Microsoft Windows XP in the user environment, it will live in a constant state of compromise.)

If you execute on this strategy, many (or all) of the host-level security events detected can fall to the cutting-room floor, because you already assume your user devices are compromised. This is a very effective strategy for companies supporting a mixture of BYOD, corporate-provided devices and Internet of Things (IoT) solutions.

Step 2: Ensure Proper Remote Access Authentication
Remote access is only safe through multifactor authentication. Period. No exceptions. Most successful advanced persistent threat (APT) attacks over the last four years have used this vector to such an extent that once they have a remote user account (normally username and password), threat actors pull back their tools and just log in as a valid user with elevated privileges.

Some will argue that multifactor is no longer effective; that it is merely a speed bump. I review every intrusion I hear about where multifactor is allegedly compromised. In each case, there was a mistake in how the multifactor authentication controls were applied. The threat actors took advantage of the flawed implementation.  

When properly implemented, multifactor authentication presents a significant challenge for attackers. It eliminates the need to track all remote user login activity and lets you focus on specific events, narrowing the “haystack.”

Step 3: Take Control of Elevated Privileges
Threat actors are compromising elevated privileges and creating accounts with admin rights at will. This, in turn, requires security teams to closely monitor login activity at critical points in the infrastructure. This generates an astounding number of events to assess.  

For access to critical systems, all admin users should be required to log in via a proven method of multifactor authentication to a single “jump host” (e.g., a bastion host). From the jump host, admins should connect through a permission access manager (PAM) that monitors and records all activity. This method also helps limit elevated access to the amount of time the administrator needs to accomplish the task.

In short, we should eliminate any and all scenarios where elevated privileges are open-ended and unmanaged.

Step 4: Direct Traffic  
Shape your network traffic to filter out as much known malicious traffic “on the wire” as you can without impacting business. This may be effectively achieved via an aggressive Internet protocol address reputation management (IPRM) program. Such an approach will help limit the amount of bad traffic — sometimes by as much as a factor of 10 — that layered security devices must inspect. 

Step 5: Learn from ‘Successful’ Events
No security posture is 100 percent impenetrable. But for events that do circumvent established controls, it’s critical to learn from the experience. By turning an eye toward network-layer events, we can better understand what’s successful against a given environment. Monitoring “traffic blocked” messages from the firewall provides little context and can serve to distract from real issues. Truly dissecting and studying successful events will serve organizations far better in the long run.
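As an added illustration (not the author's code or any product described here), the filter below applies Steps 1, 3 and 5 to a handful of constructed log lines: host-level alerts from user devices are dropped as assumed noise, admin logins that arrived through the jump host are dropped because the PAM already records them, and firewall “blocked” messages are dropped, leaving only admin logins that bypassed the jump host and traffic that actually reached a critical host. The jump-host address, account names, host names and log formats are all assumptions made for the example.

```python
import re

# Assumed environment facts, constructed for this example (not from the article).
JUMP_HOST = "10.0.5.10"                  # the single bastion every admin must come through (Step 3)
ADMIN_ACCOUNTS = {"root", "dba_admin"}   # accounts with elevated privileges
CRITICAL_HOSTS = {"db01", "erp01"}       # the "vault": critical applications and databases
USER_DEVICE = re.compile(r"^(laptop|desktop|phone)-\d+$")  # endpoints treated as contested (Step 1)
# Constructed, syslog-like record shapes; real sshd and firewall formats differ.
SSH_RE = re.compile(r"^(?P<host>\S+) sshd: Accepted \w+ for (?P<user>\S+) from (?P<src>[\d.]+)")
FW_RE = re.compile(r"^(?P<host>\S+) fw: (?P<action>ALLOW|BLOCK) src=(?P<src>[\d.]+) "
                   r"dst=(?P<dst>\S+) dport=(?P<port>\d+)")
# Constructed sample events: seven lines of "haystack".
SAMPLE_LOGS = [
    "laptop-17 av: quarantined suspicious file in downloads",
    "db01 sshd: Accepted publickey for dba_admin from 10.0.5.10",
    "db01 sshd: Accepted password for root from 192.168.3.44",
    "erp01 sshd: Accepted publickey for jsmith from 10.0.5.10",
    "fw01 fw: BLOCK src=203.0.113.9 dst=db01 dport=445",
    "fw01 fw: ALLOW src=203.0.113.9 dst=db01 dport=1433",
    "fw01 fw: ALLOW src=198.51.100.7 dst=web01 dport=443",
]

def triage(line):
    """Return why this event deserves attention, or None if it is 'hay'."""
    host = line.split(" ", 1)[0]
    if USER_DEVICE.match(host):
        return None  # Step 1: user devices are assumed contested; their host alerts are not chased here
    m = SSH_RE.match(line)
    if m:
        if m["user"] not in ADMIN_ACCOUNTS:
            return None  # ordinary user login, handled by MFA at the remote-access edge (Step 2)
        if m["src"] == JUMP_HOST:
            return None  # Step 3: the PAM behind the jump host already records this session
        return f"admin login to {m['host']} bypassed the jump host (from {m['src']})"
    m = FW_RE.match(line)
    if m:
        if m["action"] == "BLOCK":
            return None  # Step 5: "traffic blocked" messages carry little context
        if m["dst"] in CRITICAL_HOSTS:
            return f"traffic reached critical host {m['dst']} on port {m['port']} from {m['src']}"
        return None  # allowed traffic to a non-critical host is left to the layered devices
    return None  # unrecognised record: not one of the event classes this filter triages

def find_needles(lines):
    """Apply triage() to every line and keep only the events that have a reason."""
    return [(reason, line) for line in lines if (reason := triage(line))]

if __name__ == "__main__":
    for reason, line in find_needles(SAMPLE_LOGS):
        print(f"{reason}\n    {line}")
```

Run stand-alone, the script reduces the seven constructed lines to the two that matter: a root login that did not come through the bastion, and a connection that the firewall allowed through to a critical database host.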

Unfortunately, many security departments expend too much time and energy managing alerts from their user base, remote access, elevated privilege use and network traffic. As a result, they have little time to focus on the most important events occurring on critical applications and databases, while the flood of lower-value alerts overloads security information and event management (SIEM) systems and masks real issues. Would bank security screen everyone entering a bank and then leave the vault door open with no one watching the money? Of course not. That is why it’s critical we fine-tune our focus.


Jeff Schilling, a retired U.S. Army colonel, is Armor's chief security officer. He is responsible for the cyber and physical security programs for the corporate environment and customer-focused capabilities. His areas of responsibilities include security operation, governance ...
Comments
RyanSepe
User Rank: Ninja
10/22/2015 | 2:53:31 PM
3. Elevated Account Permissions
Even with RBAC you run the risk of things being lost in transition unless you have a CMDB. When someone transitions, especially in larger companies, their transition may not be well represented at the account level if their superior did not follow the proper protocols, etc.

My RFC is: for those of you who have used a CMDB first-hand, what was your experience? Success stories, pain points, etc.