Into the Breach: Why ‘Self Detection’ Leads To Faster Recovery

When an organization can identify network and system intrusions in their early phases it takes the advantage away from its adversaries. Here’s how.

In an age where information is the ultimate currency, traditional defense-in-depth focused on malware detection, perimeter protection, and patching of known vulnerabilities is largely ineffective -- unless organizations focus on strategic and proactive preparedness. But what steps does a company need to take in order to successfully craft a strategic approach to security?

To help answer this question, CrowdStrike Services recently compiled the Cyber Intrusion Services Casebook, which is an analysis of key data from hundreds of incident responses and proactive service investigations. The Casebook provides evidence of emerging trends observed in attack behavior, as well as a number of actionable takeaways so organizations can utilize lessons learned and best practices to improve their own defenses.

One particularly interesting finding was the marked increase in the number of organizations ‘self-detecting’ breaches -- far above what had been previously reported. All too often a company is alerted to the fact that it has been compromised by a third-party source. With self-detection, an organization is far more likely to identify breaches in their early phases, which typically leads to faster recovery and far less data loss.

Our research showed that organizations that invest heavily in improving processes, educating their workforce, and acquiring the latest technology to combat advanced threats were more likely to self-detect breaches. This is mainly due to two factors:

Organizational maturity
According to the Project Management Institute, a high level of maturity is achieved when processes are optimized and projects are directly tied to pre-determined business strategies and needs. By having a clear picture about an organization and its goals, security teams can be integrated into every aspect of the business and make better decisions about cyber defense strategies. Mature security programs don’t utilize a generic plan, but consider the unique aspects of their specific threat landscape and adapt accordingly.

Improved endpoint and network detection capability
Comprehensive, next-generation endpoint detection, prevention, and response tools provide maximum visibility into intrusion attempts. With a higher level of visibility, incidents can be contained quickly, and attackers thwarted before significant losses occur. Enterprises can invert the traditional reactive security model by actively hunting for indicators of attack within their environment.

To illustrate this trend, let’s take a look at a real-world example:

The organization — a leader within its industry — became increasingly aware and concerned about the threats posed by nation-state adversaries interested in stealing intellectual property for industrial espionage. In the aftermath of a data breach at another organization, this organization called in self-detection services to ensure its systems and networks were protected.

A compromise assessment (by CrowdStrike Services) of the organization’s network showed evidence of past compromise; endpoint monitoring sensors reported alerts indicating preliminary attacker activity. In response, we worked with the organization to design and implement a detailed remediation plan, which included updates to network architecture. This near real-time visibility via host and network sensors enabled rapid identification of where and how attackers were accessing the enterprise environment. For example, we identified multiple attempts to install backdoors on employee laptops, which the security team could immediately block without losing track of additional and subsequent attacker activity.

The big payoff
Months later, the attackers attempted to return, exploiting a similar vector — a different web application — to access an Internet-facing system not protected by an endpoint sensor. This is a trend we see across almost all use cases: the attacker used credentials obtained from this system to attempt to move laterally and dump credentials on another system. But because the client now had experience detecting and responding to attacks following its detection assessment — and had developed a stronger response playbook that included detection and response as part of its daily procedures — the entire team moved with much greater agility to respond to the new intrusion.

The incident was quickly analyzed and mitigation actions taken to prevent the new tactics, techniques and procedures (TTPs) from being successful. As a result, the compromise was fully mitigated in less than one hour.
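The case study turns on two detectable conditions: an Internet-facing host that was outside endpoint-sensor coverage, and credentials taken from that host being reused to reach internal systems. The following Python script is an added illustration, not CrowdStrike's tooling or anything from the original case, of the kind of daily checks a response playbook could automate. The host inventory, sensor coverage list, and logon events are all constructed for the example, and the thresholds are assumptions chosen to make the sample data illustrative.

```python
"""Two small hunting checks a security team might run as part of a daily playbook.

All inventory data, coverage lists and logon events below are constructed
for this example and do not describe any real environment.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical inventory: hosts reachable from the Internet, and hosts that
# actually report to the endpoint sensor. Any host in the first set but not
# the second is exactly the blind spot the attackers used in the case study.
INTERNET_FACING = {"web-01", "web-02", "vpn-gw"}
SENSOR_COVERED = {"web-01", "vpn-gw", "fs-01", "dc-01", "hr-laptop-7"}


def sensor_coverage_gaps(internet_facing, sensor_covered):
    """Return Internet-facing hosts with no endpoint sensor, sorted by name."""
    return sorted(internet_facing - sensor_covered)


@dataclass
class LogonEvent:
    """A minimal network logon record: who authenticated from where to where."""
    ts: datetime
    src_host: str
    dst_host: str
    user: str


# Constructed sample telemetry. svc_web is a service account that should only
# ever be used on web-02; here it fans out to internal systems.
EVENTS = [
    LogonEvent(datetime(2024, 1, 1, 9, 0), "hr-laptop-7", "fs-01", "alice"),
    LogonEvent(datetime(2024, 1, 1, 9, 5), "web-02", "fs-01", "svc_web"),
    LogonEvent(datetime(2024, 1, 1, 9, 6), "web-02", "dc-01", "svc_web"),
    LogonEvent(datetime(2024, 1, 1, 9, 7), "fs-01", "dc-01", "svc_web"),
    LogonEvent(datetime(2024, 1, 1, 10, 0), "web-01", "web-02", "admin"),
]


def dmz_to_internal_logons(events, internet_facing):
    """Logons originating on an Internet-facing host and landing on an internal one.

    Traffic between two Internet-facing hosts is not flagged; the point is the
    crossing from the exposed tier into the internal network.
    """
    return [
        e for e in events
        if e.src_host in internet_facing and e.dst_host not in internet_facing
    ]


def users_fanning_out(events, window=timedelta(minutes=5), min_hosts=2):
    """Accounts that log on to >= min_hosts distinct destinations inside `window`.

    A single credential spreading to several hosts in a few minutes is a
    common signature of lateral movement after credential theft.
    Returns {user: sorted list of destination hosts} for each flagged account.
    """
    by_user = {}
    for e in events:
        by_user.setdefault(e.user, []).append(e)

    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        # Slide a window forward from each event and count distinct destinations.
        for i, start in enumerate(evs):
            hosts = {e.dst_host for e in evs[i:] if e.ts - start.ts <= window}
            if len(hosts) >= min_hosts:
                flagged[user] = sorted(hosts)
                break
    return flagged


if __name__ == "__main__":
    print("Internet-facing hosts without a sensor:",
          sensor_coverage_gaps(INTERNET_FACING, SENSOR_COVERED))
    for e in dmz_to_internal_logons(EVENTS, INTERNET_FACING):
        print(f"DMZ->internal logon: {e.user} {e.src_host} -> {e.dst_host} at {e.ts:%H:%M}")
    for user, hosts in users_fanning_out(EVENTS).items():
        print(f"Account {user} reached {len(hosts)} hosts within 5 min: {hosts}")
```

The coverage check is the cheapest of the three and would have surfaced the unmonitored system before it was exploited; the two logon checks are what turns "we have sensors" into the near real-time visibility the case study describes, because they fire on the behaviour (crossing tiers, spreading quickly) rather than on any particular malware.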

As the example shows, when it comes to security, preparation is key. By achieving a state of awareness through security assessments, organizational maturity and having the right technology in place, organizations can take the advantage away from the adversaries. With this groundwork in place, IT teams can self-detect system and network intrusions, evaluate weak points and implement tools to defend against emerging and enduring adversaries. As is the case in most competitive situations, battles can then be won and lost before adversaries make contact.
