But I stayed at a Holiday Inn Express last night!

… said the current vendors to the industry.

What is your tech stack really doing?

Is it operating the way an attacker would?

Probably not.

It’s no surprise that the security industry is flooded with vendors developing the next generation of products that are supposed to automagically conduct security operations. Yet there’s still a huge problem in the increase and sophistication of network intrusions.

I’ve been doing security operations for a long time, and there are two main things I’ve learned from doing it.

  1. To quarterback your investigations and analytic processes, deliberately collect data from resources attackers must use.
  2. Conduct analysis on the aforementioned data set using analytics that directly mirror what an adversary would do.

And here we go…

  1. Collect out-of-band network traffic from network devices (because bad actors HAVE to use the network to maneuver, period.)
  2. Query for tradecraft (because tools are irrelevant, only actions matter)
  3. ???
  4. Fortune and glory

Let’s dive a little deeper.

Why should I be so focused on out-of-band network traffic collection?

Because it doesn’t lie. Ever. You should focus on collecting network traffic from out-of-band collectors in as many places as possible.

  • The choke points (ingress/egress points, etc) only tell a fraction of the story. You need to collect deeper in your network.
  • When your network gets compromised and actors start to move around, nothing will tell the story better than the network traffic itself. It’s like having CCTV in a huge commercial building: if someone gets in, you will want to see everywhere they have been.
  • When you collect out-of-band, you know the integrity of the data. THIS IS IMPORTANT. Know the integrity of your data!

But I’m already collecting so many things, can’t you just analyze that?

That’s the philosophy of the Big Data solutions. Its downfall is in how deliberate they are about what to collect. Most of them don’t collect anything organically. They’ll take what you have and tell you magic. Magic! Yes!

Let me ask you a question now, my virtually distant Medium friend:

If you aren’t deliberately collecting data from resources that you know bad actors a) must use and b) cannot manipulate … how do you trust the analytics? How do you know your existing data is not tainted?

You should be collecting data from the road bad actors travel on, not the location they end up. If you’re ingesting tons of logs and other telemetry from endpoint systems that could be compromised, you should not trust the data itself…but your existing security solutions do. Problem? I think so.

(Hacking Protip: If you don’t want there to be logs of what you’ve done, delete or disable the logs.)

Mind blown, right? But seriously. Don’t trust data that comes from potentially compromised systems as your primary investigative tool. Be deliberate in getting the right data you need to observe bad actors everywhere they go.

Should you collect the data you already do? Of course! But you should hinge your investigations on a SINGLE TRUSTED DATA SOURCE. Everything else you have is enrichment to add context to the analysis.

But I already have vendors that collect lots of traffic! So there!

That is great! So how about the follow-on analytics?

Machine learning? Signature matching?

One is telling you what movie to watch, what food to eat, and what “threats” you have. And the other is a totally antiquated method of detection that is nothing but a lagging indicator of how badly you’ve been owned. I’ll let you sort out which is which.

Machine learning is great technology that should be used to solve a small fraction of a big problem. We use it ourselves, in very small doses. It should not solve the entire security problem itself, yet multiple vendors are basing their entire analytic platform on ML. At best, they are finding anomalies, but inherently ML has absolutely no built-in knowledge of what an adversary does.

Your analytic platform should be founded in expert knowledge and proven techniques for discovering malicious activity. In other words:

  1. The analytic platform should be programmed with custom algorithms written by security professionals themselves, who have been the adversary before.
  2. The analytic platform should be targeting tradecraft, not tools: the actions malicious actors take, not the tools they use.

What is this tradecraft you speak of?

Well… I’m glad you asked. It means:

  • I don’t care what tools you write
  • I don’t care how fast you can write them
  • I don’t care how many random mutations of a signature you can force
  • I don’t care how deep in the OS you hide
  • I don’t care how many credentials you’ve harvested
  • I don’t care that you use native OS tools to execute your mission
  • I don’t care that you use blended attacks of native OS shells and malware to trick current solutions
  • I don’t care that you use encryption
  • I don’t care that you can cover your tracks

The bottom line…

  • I will deliberately collect out-of-band network traffic from multiple points in my network
  • I will see everywhere you go and everything you do
  • You will not be able to manipulate or compromise my data set
  • I will analyze for your actions and tradecraft, not your tools
  • Interactive sessions, lateral movement, internal reconnaissance, persistence, data staging, data exfil, brute force attempts, forward shells, reverse shells, internal pivoting, internal tunneling, any and all tradecraft … I will watch you.
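
As an added illustration (not code from the original post or from Efflux Systems), here is one way to query flow records for an action rather than a tool: an internal host reaching many distinct internal hosts on an administrative port within a short window. The record layout, port list and thresholds are assumptions, and the flows are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records: (epoch_seconds, src_ip, dst_ip, dst_port)
FLOWS = (
    # burst: one host touches six peers on SMB within a minute
    [(1000 + 10 * i, "10.1.4.23", f"10.1.9.{10 + i}", 445) for i in range(6)]
    # slow, spread-out SSH sessions, 30 minutes apart
    + [(1000 + 1800 * i, "10.1.7.7", f"10.1.8.{20 + i}", 22) for i in range(5)]
    # ordinary client: two file servers and one external web request
    + [(1005, "10.1.2.5", "10.1.9.10", 445),
       (1050, "10.1.2.5", "10.1.9.11", 445),
       (1020, "10.1.2.5", "93.184.216.34", 443)]
)

ADMIN_PORTS = {22, 445, 3389, 5985}  # assumed remote-admin / file-sharing ports
WINDOW = 300                         # seconds (assumed threshold)
MIN_PEERS = 5                        # distinct internal peers (assumed threshold)


def is_internal(ip):
    return ipaddress.ip_address(ip).is_private


def find_fanout(flows, window=WINDOW, min_peers=MIN_PEERS):
    """Return {(src, port): peers} for internal hosts that reach at least
    min_peers distinct internal hosts on one admin port within window seconds."""
    by_key = defaultdict(list)
    for ts, src, dst, port in flows:
        if port in ADMIN_PORTS and is_internal(src) and is_internal(dst):
            by_key[(src, port)].append((ts, dst))

    hits = {}
    for key, events in by_key.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window forward until it spans at most `window` seconds
            while events[end][0] - events[start][0] > window:
                start += 1
            peers = {dst for _, dst in events[start:end + 1]}
            if len(peers) >= min_peers:
                hits[key] = sorted(peers)
                break
    return hits


if __name__ == "__main__":
    for (src, port), peers in find_fanout(FLOWS).items():
        print(f"{src} reached {len(peers)} internal hosts on port {port}: {peers}")
```

The query never looks at payloads or tool names, only at who talked to whom and when, which is why it works on out-of-band flow data alone; the window and peer thresholds need tuning against the network's normal administrative traffic.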

Ask yourself…

Are your security operations platforms thinking like an attacker? If they aren’t, you should consider a different approach. Be proactive: target the transport mechanism attackers use and the actions they take.

These are the problems we’re solving at Efflux Systems.

See ya out there.

— John T. Myers, CTO