The idea of an organization running an endpoint threat detection and response (EDR) solution to protect their network and assets has been one of the hallmarks of enterprise cybersecurity since the term was coined in 2013. But the ongoing and ever-growing list of successful cyberattacks against organizations large and small proves that more needs to be done to secure assets and resources.
EDR systems have grown rapidly into a must-have cybersecurity solution for nearly every enterprise and organization. Driven by the ever-increasing number of endpoint devices connecting to corporate networks, and the commensurate rise in cyberattacks against those endpoints, a 2018 report by Stratistics Market Research and Consulting expects sales of on-site and cloud-based EDR solutions to balloon to more than $7.27 million by 2026, an annual growth rate of 26 percent and up from $916 million in 2017.
Nowhere is this more apparent than the SolarWinds hack, which sidestepped EDR protections like a boxer dodging a wild punch. The hackers behind the SolarWinds attack (believed to be Russia-affiliated) were able to access the software update mechanism for the SolarWinds product Orion and hide a backdoor that they had the key to. Orion continued to function normally in its intended purpose, as network management software.
The SolarWinds breach essentially turned this widely-used software with global reach into a Trojan horse already in use by more than 17,000 enterprises, governments, and other organizations around the world. That’s just one part of the wide-ranging breach that we know about; the full extent of this attack is still being investigated. Since EDR systems are unable, by definition, to see into software that is otherwise functioning in a safe and approved manner, organizations must take additional steps in order to protect data, networks, endpoints, and assets.
Failure to Respond to Blind Spots
Many organizations understand this, and so have layered their security posture with dozens of software tools to make them more resilient. More than 40 percent of 412 IT and security professionals surveyed in 2017 said that they use between 10 and 25 cybersecurity tools in their Security Operations Centers, and another 30 percent admit to using up to 50 tools, according to an Enterprise Strategy Group survey. Nine percent said at the time that they were running more than 100 tools.
A year later, respondents to a SANS Institute survey said that the third biggest challenge they faced, after improving staff skills and enhancing automation, was running too many tools that were not integrated. If organizations persist in pursuing the same defensive tactics that have been proven to have significant blind spots, they will continue to find themselves in the headlines as breach victims.
Security investments have primarily been focused on perimeter controls that are defensive in nature. Our mission has been to do whatever we can to keep the attackers out, yet we continue to be compromised. Once the attacker establishes a beachhead, attackers are having their way because it’s way too easy for them to move laterally and live off the land to escalate privileges and achieve their objectives. The sophisticated attackers ‘living off the land’ easily exploit credentials left behind by standard IT operational activities and behave as a user so as not to trigger anomaly-based detection. The attacker has learned how not to be an anomaly,
Organizations need a more diversified detection strategy, evolving threat identification methodologies to operate as if we’re already compromised. A diversified detection strategy extends security controls to attacker movement not easily detected by our perimeter defenses. This focuses on the interior, shifting from a defensive to an offensive posture that trips up the attacker, creating a more hostile environment for them. By making it more difficult for the attacker to live off the land and forcing detection through deception, the attacker is put on the defensive, resulting detections are more deterministic and fill the gaps in the detection fabric for today’s operating security methodology.
Their focus must shift to stopping attackers while protecting critical assets from attackers, but that can’t happen while current defensive security focuses on protecting the perimeter with probabilistic threat detection based on signatures and anomalies.
The SolarWinds breach is hardly the only example of supply chain vulnerabilities wreaking industry-wide havoc. Security strategy needs to change. A better, more resilient strategy should presume that the attacker is already in the network or in the supply chain.
Assume a Breach—But Not Loss
By presuming that there already is malicious behavior inside the walled garden, it simplifies the challenge of trying to keep predators out, and changes the defensive mindset to focus redirecting threats from critical assets. When organizations start from the presumption that they have already been compromised, and become focused on the state of their interior security, they can actively seek out interior threats and make security decisions deterministically.
Most organizations expect that they are about to be breached—if they haven’t been already. The Covid-19 pandemic has worsened security professionals’ fears about breaches. Of the 273 professionals surveyed in the Black Hat USA Attendee Survey from 2020, 94 percent say they think that threats to enterprise systems and data have increased during the pandemic, 24 percent of whom say that the threat is “critical” and “imminent.” U.S. critical infrastructure will suffer a successful cyberattack in the next two years, say 87 percent of respondents, up from 69 percent in 2018. Meanwhile, they say preparedness for such attacks is at an all-time low, with only 16 percent stating that organizations are ready to respond, down from 21 percent in 2019.
Take modern ransomware attacks, which now in many cases exfiltrate data as well as encrypt and threaten to delete it. A Gartner report on how organizations can prepare to defend against them published in November 2020 makes three top recommendations: Creating a pre-incident preparation strategy including data backups, asset management, and user privilege restrictions; implement detection measures by deploying behavioral-anomaly-based detection technologies to identify ransomware attacks; and build post-incident response procedures.
Active defense is more than a cybersecurity fad. The 62-year-old nonprofit dedicated to creating engineering and technical guidance for the U.S. government, MITRE, has created a resource known as Shield to help organizations build active defense-focused strategies and best practices. Shield’s goal is twofold: to help organizations defend against current attacks; and to help organizations learn more about their adversaries to better prepare for future attacks.
When presuming that an organization has been breached but not yet suffered a loss of data, intellectual property, or other harm to its assets, security professionals can take steps to create an environment that is hostile to the attacker. The longer it takes for the attacker to reach their goal, whether that’s harvesting credentials, living off the land, moving laterally to further map the network and find desirable assets, or bypassing authentication and other security controls, the better the defender’s chances of detecting them.
Deploying an Active Defense is a must-have technology when adopting this aggressive-defensive strategy. An active defense determines when an attacker is in, and then stops an attacker from moving laterally across the network. Diversification of threat detection tools is critical and organizations should rely on three kinds of threat detection approaches: signature-based detection to identify prior threats; anomaly detection for uncovering odd behavior; and deterministic detection that identifies malicious attacker activity.
