Today’s security defenders are tasked with the challenge of detecting – and mitigating – cybersecurity threats, no matter the origin (cloud, Internet, insider, email…etc). However, depending on the nature and sophistication of the threat, there is no single point in an organization’s security infrastructure that can see all aspects of the threat – whether coming into an organization, or those that are already there.
Cybersecurity teams must understand how to detect aspects of the various threat campaigns their organization faces and then apply appropriate controls for detection and mitigation mapped to the kill-chain and their specific environment. As shown by the Unified Kill Chain, there are multiple steps where controls must handle unique requirements in different locations.
Figure 1: Unified Kill Chain
Just as detection can be ineffective in a single location, similar challenges face effective threat mitigation when organizations do not consider applying mitigation comprehensively across their cybersecurity infrastructure. This is where standardization plays an important role.
A common strategy many organizations apply is to focus on silos across applications (e.g. databases, cloud services); client (e.g. endpoint, server, phone), and network (e.g. router, switch, firewall, IPS). In many cases, there are separate teams focused on each of these silos.
The challenge with a siloed approach is that attackers and their playbooks do not respect or confine themselves to these silos.
Organization’s looking to combat the threats of tomorrow need an integrated and coordinated approach to cybersecurity detection and mitigation that enhances their security resilience across the entire ecosystem. The question remains, how do organizations accomplish this goal?
Step 1: Integrated Detection
Identifying system, application, and user activities reaching known C2
One of the key requirements for any organization’s cybersecurity detection infrastructure is the ability to identify threats (e.g. infected systems) as quickly and robustly as possible. Typically, they employ both network and client controls so that they provide coverage in both silos. The challenge is that these silos do not necessarily natively provide the integrated viewpoint that cybersecurity professionals require to appropriate identify the nature and scope of the threat holistically.
The following examples highlight two simple networks and an organization’s employee computer that was previously infected by malware and is now reaching out to a C2 server for further instructions.
Figure 2: Infected Organization Computer at Work Reaching out to C2
Figure 3: Infected Organization Computer at Home Reaching Out to C2
In both examples, global threat intelligence determined that the Internet-based server is a known C2. This information could include the C2’s domain address, URL information, and any other technical indicators or tactics, techniques, and procedures (TTPs) that may be used to detect the communication between infected systems and the C2.
In Figure 2, the organization can leverage the C2 communication TTPs and indicators in two separate locations.
- Organization’s network & security infrastructure (A)
- Organization’s computer (B)
In Figure 3, the organization can only leverage the indicators on the computer (B) directly.
With network-based detection, the artifacts available may include:
- DNS Request and Responses
- IP Address
- Protocol
- Ports
With client-based detection, the artifacts available may include:
- Active users
- Active application and processes
- Installed Files, Timestamps, Hashes
- Memory state
The challenge is that the combination of these two siloed views on the operations taking place in the environment are typically combined in a separate security system that may be operating offline from the network forwarding plane. This results potentially in gaps or ineffective detection if the systems are not tracking all events, and all required detail information.
For security operations teams, they might ask:
“Which user, which application ran the specific user process that just reached out to this known C2 at domain X, IP Address Y, on protocol Z, at time T”?
Imagine if the organization could rely on the combination of all of these silos in a single fabric that acts on the combined view of all security information available AND coordinates threat response across the fabric rather than separately across each component.
Figure 4: Security Fabric
Combining the network and client-based views into a single security fabric (as shown above) that is inherently built into threat intelligence, the client and network systems provide a more effective capability for real-time threat detection and mitigation.
This has advantages that can support:
- Micro-segmentation
- With integrated network+client perspective, micro-segmentation of the payloads in the network based on applications or specific functions can be monitored both on the network and client silos aiding more complete micro-segment policies that would be enforced by a combined security fabric.
- Zero-Trust
- With Zero-Trust network environments, one of the key requirements is to ensure that systems or applications being accessed by users and their computers are fully authenticated and authorized.
- Identifying which users are authenticated on a client, which processes they are running, and in turn, what those processes are accessing on both the Internet and internal network is required.
- Horizontal-Lateral Movement
- More generally, with traditional firewalls and IPS systems that are applied on the perimeters of networks, organizations are struggling to apply the detection of threats as they pivot or spread in their environment.
Step 2: Integrated Mitigation
Mitigation across client & network
As discussed in Step 1, a security fabric that provides an integrated view on security silos can assist in more effective detection. The same is also true for mitigation.
The following examples highlight the same network+client examples for detection but show where mitigation of threats can occur and the impact of that mitigation action at the location.
Figure 5: Network Only Mitigation
Figure 6: Client + Network Mitigation
In Figure 5, the mitigation of the threat reaching out to the C2 occurs in the network cybersecurity silo where it can block based on the destination IP, destination DNS/Domain of the C2, the specific protocol, and port if sufficiently unique.
In Figure 6, the mitigation of the threat occurs on the organization’s computer based on either user process or application identification that is known to be infected.
Utilizing a security fabric enables mitigation capabilities to be coordinated across network and client, as shown in the following high-level process.
Figure 7: Coordinated Network + Client Mitigation Instructions
Example Mitigation Instructions:
- Block all communications to C2 at { Domain, IP, Protocol, Port } across all network infrastructure across fabric not just where infected computer connects
- Inspect all agent clients to determine for any process and user reaching C2 or user/process on other systems that match criteria
- Terminate infected active processes on all systems and block authenticated allowed for user
- Isolate systems into quarantined network and remediate back to known baseline for system
- After verification of successful remediation, re-establish system connectivity to organization network access
- Verify system has network connectivity and no longer communicates with C2
By introducing a security fabric that integrates the security silos, organizations can enhance their detection and mitigation capabilities across those silos. At LookingGlass, we are embracing this approach for cyber defense to enterprise security monitoring and threat response.
If you would like to discuss more, please contact LookingGlass Cyber Solutions.
