I’m a fan of measurement, perhaps because of my engineering background or because it is built into the human body. As humans, we are measuring things all the time. We can tell when our body doesn’t feel well and we react accordingly; we can spot when our car is making a funny noise. That’s our senses measuring the way our car behaves and comparing it with previous experiences. And that helps us spot instances that could have caused an accident, a breakdown, or at the very least an annoyance.
Continuous Measurement in Cybersecurity
Translating all this into cybersecurity, I often tell my customers that we should feel our networks and be able to spot when something is not right, that’s an ability that will help every cybersecurity operator to defend better. Obviously, it is better if you have a tool that can help you do that. But I will refrain from that for obvious reasons but most importantly because it diminishes the real value of measurement in cybersecurity in the story I want to share.
So here is this company with a seemingly “clean” network behavior (shown in the following image, from 8/27 to 9/12).
One can see this is a very clean environment, despite the fact that there is some cryptomining malware associated with these two spikes. I’ve written before about how cryptomining can be a precursor for bad things happening because it indicates adversarial access to the network and you can’t second-guess the intentions of anyone with access to the network. I am sure you’d agree with this.
How measurement saves the day
Here is the same network from 9/13 to 9/26.
On 9/13 the culture of measurement helped identify a burst of C&C connections indicating that Cobalt Strike was present in the network. The culture of compromise measurement helps identify the “funny” behavior that would otherwise have gone unattended, resulting in a catastrophic outcome, likely a ransomware incident.
This compromise radar shows the point when Cobalt Strike first got into the network (scroll down to see how the cybersecurity stack reacted).
And this is when Cobalt Strike starts acquiring additional targets within the organization (moving laterally).
This can also be validated by the number of hosts that exhibit contacts with the adversarial infrastructure associated with this incident, shown in the following image.
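As an added illustration (not from the original post or from any tool it references), the two measurements described above can be reduced to a small Python check: a quiet window establishes the normal daily count of C&C connections, a day far above that baseline is flagged as a burst, and firewall allow events are reduced to the distinct hosts that reached adversarial infrastructure. All daily counts, host names and IP addresses below are constructed placeholders (TEST-NET ranges), not indicators from the incident.

```python
from statistics import mean, pstdev

# Constructed daily counts of outbound connections to known-bad infrastructure:
# a quiet baseline window (8/27 to 9/12) followed by the day a burst appears.
DAILY_C2_COUNTS = [
    ("08/27", 0), ("08/28", 1), ("08/29", 0), ("08/30", 0), ("08/31", 2),
    ("09/01", 0), ("09/02", 0), ("09/03", 1), ("09/04", 0), ("09/05", 0),
    ("09/06", 0), ("09/07", 1), ("09/08", 0), ("09/09", 0), ("09/10", 0),
    ("09/11", 0), ("09/12", 1), ("09/13", 47),
]

# Constructed firewall events: (date, src_host, dst_ip, action).
FIREWALL_EVENTS = [
    ("09/13", "ws-011", "203.0.113.10", "allow"),
    ("09/13", "ws-011", "203.0.113.10", "allow"),
    ("09/13", "ws-027", "203.0.113.10", "allow"),
    ("09/14", "srv-db-02", "198.51.100.7", "allow"),
    ("09/14", "ws-041", "192.0.2.5", "allow"),      # benign destination
    ("09/18", "ws-027", "203.0.113.10", "deny"),    # post-remediation
]
# Placeholder adversarial infrastructure (TEST-NET addresses), not real IoCs.
ADVERSARIAL_IPS = {"203.0.113.10", "198.51.100.7"}


def baseline(counts):
    """Mean and population stddev of the quiet window; the stddev is floored
    at 1 so a near-zero baseline still yields a usable threshold."""
    values = [c for _, c in counts]
    return mean(values), max(pstdev(values), 1.0)


def burst_days(daily, baseline_len, z=3.0):
    """Days after the baseline window whose count exceeds mean + z * stddev."""
    mu, sigma = baseline(daily[:baseline_len])
    threshold = mu + z * sigma
    return [day for day, c in daily[baseline_len:] if c > threshold]


def hosts_in_contact(events, bad_ips, action="allow"):
    """Distinct internal hosts whose connections to adversarial IPs got the
    given firewall action; 'allow' is the feedback signal for the stack."""
    return sorted({src for _, src, dst, act in events
                   if dst in bad_ips and act == action})


if __name__ == "__main__":
    print("burst days:", burst_days(DAILY_C2_COUNTS, baseline_len=17))
    print("hosts allowed to reach C2:",
          hosts_in_contact(FIREWALL_EVENTS, ADVERSARIAL_IPS))
```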
On this day the cybersecurity operator of this company saw a big return on the skills they acquired every day by measuring normal behavior in this company.
Providing Feedback to the System
One may say the cybersecurity stack wasn’t doing its job, and that’s probably a fair assessment even though these are very reputable protection tools (we will still need to assess whether they were properly configured). Nevertheless, there will never be a security stack that does the job 100% of the time for 100% of the ways the adversary has to attack. Hence the need for continuous measurement to provide feedback to the cybersecurity stack. Of course, this can be automated, and most modern tools allow for it, so that the stack can self-regulate. Note how the evidence shows that this company’s network self-regulates post-incident (9/18 and beyond).
Choose Your Battles – Proactively
I’ve learned that in cybersecurity, generally speaking, it is better to choose small battles rather than big battles. However, I have seen from ringside how cybersecurity operators often dismiss the opportunity to win those small battles.
I think cybersecurity tools can do a better job of highlighting the context the operator needs to be decisive in taking action. There is only a small window of opportunity to break the cyber kill chain while it is still a small battle and procrastinating won’t do any good.
Taking Decisive Action
As a general rule, my mindset is focused on the fact that nothing good happens if my IT environment is in contact with adversarial infrastructure. However, cybersecurity operators have been flooded with all sorts of alerts. I have learned that the best way to get them to take action is to highlight front and center what actions were taken by their cybersecurity stack. The following screenshot highlights how the firewall let adversarial contacts associated with this incident ‘pass through’.
And this one shows how Cobalt Strike was trying to get loaded in memory on the affected endpoints even though they have a reputable EDR agent installed.
This information was enough to get the secops team to act decisively and at speed to mitigate this incident and better defend this organization.
One must not assume that because we have a firewall and an EDR, we’re secure. That’s why continuous measurement in cybersecurity in general, and specifically measuring what those tools are missing, is important to provide feedback to the current cybersecurity stack, continuously. In this particular case:
- Firewalls were allowing contacts with adversarial infrastructure.
- EDR wasn’t initially detecting those connections as malicious.
- Servers were not protected by the EDR agent because of compatibility issues, which allowed the attack to progress.
Once remediation was executed, it was easier to validate that the EDR tool was able to mitigate those attempts, that the entire network was cleansed, and that the firewall started to mitigate these contact attempts.