
Detecting, Discovering, and Eliminating Threats

By Tyler Young
January 01, 2019

Defending your corporation from advanced cyber threats is a difficult and never-ending challenge. An organization's attack surface constantly changes to meet the needs of the business, and new attack vectors appear nearly every few hours. Every new computer system and technology generates more data on your network, which complicates log analysis and adds noise.


Detecting

At Relativity, we have established a cutting-edge Investigation and Analysis team to monitor our corporate and RelativityOne environments. This is done through the collection of advanced endpoint and network telemetry, correlated in our first-class security information and event management (SIEM) architecture. This allows our team to leverage threat intelligence, gaining context and insight during investigations, and develop detection signatures that address key threats facing Relativity and our customers.


Discovering

Any advanced cybersecurity program is expected to detect “suspicious” network traffic and malware infections. However, this only scratches the surface of the techniques employed by advanced threat actors to compromise your network and exfiltrate your data. A recent study on cyber data breaches revealed that U.S. companies took an average of 206 days to detect a data breach. According to Mandiant's M-Trends 2017 report, more than half (53%) of data breach detections came from an external source: government agencies. With a staggering average of 201 days to detect a data breach, you might ask, “how can I cut that number down?” or “what can I do to better protect my company and my company's data?” There isn't a single solution to either of those questions; however, there are steps you can take to get your organization's cyber program on the right track and stay ahead of adversaries.

Be Aware of the Threat Landscape

What and who are targeting your competitors and the industry you are in?

First, to be successful, you need to have a cutting-edge threat intelligence program. If you do not fully understand what threats exist, and how they pose a risk to you, then you cannot defend against them.

Second, understand the motivation and capability of the adversary — how are they likely to operate?

Third, recognize that “There are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns — the ones we don't know we don't know” (Donald Rumsfeld, 2002).

Not All Threats Are External, Think About Internal Threats

According to the Breach Level Index 2017 report, there was a 117.3% increase in data breaches caused by insider threats from 2016 to 2017.

An insider threat is a rogue employee, contractor, etc., who exploits their access to a company in order to steal proprietary or confidential information. The potential motivations for an insider to abuse this trust are countless. They include (but are not limited to) financial gain, advancing a personal agenda, or simply being disgruntled. Some internal threats are the result of inadvertent or careless behavior. Make sure your security policy covers employee behavior and best practices.

At Relativity, we use advanced analytics generated in our security information and event management (SIEM) system to examine employee and consultant activity. Once we define a baseline, we are able to monitor for anomalies and detect unusual and malicious activity. From there we are able to begin incident response investigations using our Endpoint Detection and Response (EDR) tool kit to determine whether the observed anomaly is a legitimate threat.
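The baseline-then-anomaly approach described above, as an added example that is not part of the original article and is not Relativity's own analytics. It assumes a simplified event shape (user, timestamp, number of files accessed on a file server in that session), builds a per-user baseline of typical volume and working hours, and flags later events that exceed the volume baseline by three standard deviations or fall outside the hours the user has been seen before. All events are constructed.

```python
"""Per-user activity baseline and anomaly scoring (hypothetical example;
all telemetry below is constructed)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed baseline telemetry: (user, ISO timestamp, files accessed)
BASELINE_EVENTS = [
    ("alice", "2018-11-05T09:12:00", 40), ("alice", "2018-11-06T10:03:00", 35),
    ("alice", "2018-11-07T14:45:00", 42), ("alice", "2018-11-08T11:20:00", 38),
    ("alice", "2018-11-09T16:10:00", 41),
    ("bob", "2018-11-05T08:55:00", 12), ("bob", "2018-11-06T09:40:00", 15),
    ("bob", "2018-11-07T13:05:00", 10), ("bob", "2018-11-08T09:30:00", 14),
    ("bob", "2018-11-09T10:15:00", 11),
]

# Constructed events to evaluate against that baseline
NEW_EVENTS = [
    ("alice", "2018-11-12T10:30:00", 44),   # normal volume, normal hours
    ("bob", "2018-11-12T02:10:00", 13),     # normal volume, but 02:10 is outside bob's hours
    ("bob", "2018-11-13T09:50:00", 900),    # business hours, but far above bob's usual volume
]


def build_baseline(events):
    """Per user: mean and standard deviation of access volume, and the
    earliest/latest hour of day at which activity has been seen."""
    counts, hours = defaultdict(list), defaultdict(list)
    for user, ts, n in events:
        counts[user].append(n)
        hours[user].append(datetime.fromisoformat(ts).hour)
    return {
        u: {"mean": mean(counts[u]), "stdev": pstdev(counts[u]),
            "hours": (min(hours[u]), max(hours[u]))}
        for u in counts
    }


def score_event(baseline, event, sigma=3.0, min_margin=5):
    """Return the reasons an event deviates from its user's baseline
    (an empty list means the event looks normal)."""
    user, ts, n = event
    if user not in baseline:
        # Unknown identity is itself worth a look during an investigation
        return ["no baseline for user"]
    b = baseline[user]
    reasons = []
    # Volume check: mean + sigma*stdev, with a floor so a very flat
    # baseline (stdev near zero) does not flag every small fluctuation
    if n > b["mean"] + max(sigma * b["stdev"], min_margin):
        reasons.append(f"volume {n} exceeds baseline {b['mean']:.1f}")
    hour = datetime.fromisoformat(ts).hour
    lo, hi = b["hours"]
    if not lo <= hour <= hi:
        reasons.append(f"off-hours activity at {hour:02d}:00 (baseline {lo:02d}-{hi:02d})")
    return reasons


def find_anomalies(baseline, events):
    """Events with at least one deviation, as (user, timestamp, reasons)."""
    results = []
    for user, ts, n in events:
        reasons = score_event(baseline, (user, ts, n))
        if reasons:
            results.append((user, ts, reasons))
    return results


if __name__ == "__main__":
    base = build_baseline(BASELINE_EVENTS)
    for user, ts, reasons in find_anomalies(base, NEW_EVENTS):
        print(f"{ts} {user}: {'; '.join(reasons)}")
```

In practice the baseline window would be weeks rather than days and would be recomputed on a schedule, and the anomaly output would feed an investigation queue rather than block anything on its own; the point is that the threshold is derived from each user's own history, not from a single global number.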

Invest In World-Class Tools and Fully Utilize Them — Identify Gaps That Exist

The first thing you need to do is identify your gaps. This can be done in many different ways. We apply a “Defense in Depth” approach at Relativity. Essentially, this means that we employ a layered approach with detection, monitoring and blocking capabilities. You start at the perimeter and work your way to the endpoint, making sure that all of your tools are able to contribute their data into your SIEM.

An example of this is having a firewall at the perimeter, an Intrusion Detection System (IDS) inline, a proxy for web traffic, and, on the endpoint, Anti-Virus (AV) as well as Data Loss Prevention (DLP) technology.

This approach protects a large surface area that an attacker may exploit to get into your network, remain persistent, and exfiltrate your data. Fundamentally, you are taking the approach that if the attacker gets through one countermeasure, another should catch it.

Another consideration is to buy the tools that make sense for your organization, and to fully implement them. Often, companies simply start buying everything that sounds cool, either because they don't know better (they were sold on it) or because they think they need it. Both situations cause a spending frenzy.

The appropriate way to decide whether you have the right tools is to assess your company's business model, employee headcount and financial transactions. Generally, these tools have additional integration points and capabilities. Do your research, understand how to get the most out of your tools, and understand your environment.

In addition, remember that all security must be “top-down.” Executive leadership must have security as a business objective, understand that risk reduction is a business strategy and decision, and then provide policy that enables security initiatives.

Know Where Your Valuables Are Stored

Understanding your network is probably the most difficult task organizations face. Bad configurations can generate a ton of suspicious looking traffic, which can take cybersecurity analysts copious amounts of time to get to the root cause of a suspicious event. This oversight takes them away from detecting and discovering actual threats. Have your IT teams work closely with your cybersecurity team on best practices for configurations. This will eliminate headaches down the road.

You should also know where your company's critical data resides. One of the problems businesses cite most often is asset management. Worse still, once you have a handle on what is on your network, you need to know where the information attackers want is kept. Law firms can have terabytes of confidential information stored on file servers, so increasing your visibility into those servers is essential. Judiciously enable relevant logging capabilities, deploy a DLP solution, and acquire a robust, next-generation AV solution. Make sure that your event severity levels incorporate the value of critical systems.

Lastly, at Relativity, we protect our critical systems and data by creating high severity detection signatures and event correlation searches in our SIEM for critical assets. This allows us to be proactive and react accordingly, even to less severe security issues that trigger for critical systems.
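The two ideas in the sections above, feeding every layer's events into one place so that a second countermeasure catches what the first missed, and raising event severity for critical assets, as one added example that is not part of the original article and is not Relativity's SIEM content. It assumes events have already been normalised into a common record with a host, a source layer and a severity, uses a constructed asset inventory, and applies two simple rules: a burst of events from two or more layers on one host within a five-minute window is escalated one level, and any event on a critical asset is raised to at least high.

```python
"""Multi-layer event correlation with asset-criticality weighting
(hypothetical example; events and inventory are constructed)."""
from collections import defaultdict
from datetime import datetime, timedelta

SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}
LEVEL_NAME = {v: k for k, v in SEVERITY.items()}

# Constructed asset inventory: knowing where the valuables are stored
ASSETS = {"fs-legal-01": "critical", "wkstn-117": "standard"}

# Constructed, already-normalised events from several defensive layers
EVENTS = [
    {"ts": "2018-12-03T10:00:05", "layer": "firewall", "host": "wkstn-117",
     "severity": "low", "msg": "outbound connection blocked"},
    {"ts": "2018-12-03T10:00:40", "layer": "proxy", "host": "wkstn-117",
     "severity": "low", "msg": "download from uncategorised domain"},
    {"ts": "2018-12-03T10:01:10", "layer": "av", "host": "wkstn-117",
     "severity": "medium", "msg": "file quarantined"},
    {"ts": "2018-12-03T11:30:00", "layer": "dlp", "host": "fs-legal-01",
     "severity": "low", "msg": "policy match: client matter numbers in outbound mail"},
    {"ts": "2018-12-03T15:00:00", "layer": "firewall", "host": "wkstn-042",
     "severity": "low", "msg": "outbound connection blocked"},
]


def _ts(s):
    return datetime.fromisoformat(s)


def cluster_by_host(events, window):
    """Group each host's events into bursts in which consecutive events
    are no more than `window` apart."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: (e["host"], e["ts"])):
        by_host[e["host"]].append(e)
    clusters = []
    for evs in by_host.values():
        current = [evs[0]]
        for e in evs[1:]:
            if _ts(e["ts"]) - _ts(current[-1]["ts"]) <= window:
                current.append(e)
            else:
                clusters.append(current)
                current = [e]
        clusters.append(current)
    return clusters


def correlate(events, assets, window_seconds=300):
    """Apply the two correlation rules and return the resulting alerts."""
    alerts = []
    for burst in cluster_by_host(events, timedelta(seconds=window_seconds)):
        host = burst[0]["host"]
        layers = sorted({e["layer"] for e in burst})
        level = max(SEVERITY[e["severity"]] for e in burst)
        rules = []
        # Rule 1: independent layers agreeing on the same host is stronger
        # evidence than any single tool's verdict
        if len(layers) >= 2:
            rules.append("multi-layer")
            level = min(level + 1, SEVERITY["critical"])
        # Rule 2: a low-severity event on a critical asset still deserves
        # a human look, so it is never filed below "high"
        if assets.get(host) == "critical":
            rules.append("critical-asset")
            level = max(level, SEVERITY["high"])
        if rules:
            alerts.append({"host": host, "rules": rules, "layers": layers,
                           "severity": LEVEL_NAME[level], "events": len(burst)})
    return alerts


if __name__ == "__main__":
    for a in correlate(EVENTS, ASSETS):
        print(a)
```

Note what the inventory does here: the DLP hit on the file server is a single low-severity event that a per-tool view would bury, and the lone firewall block on an unknown workstation produces nothing, which is the intended trade-off for keeping analysts focused on what matters.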


Eliminating

Eliminating threats means something different to everyone in cybersecurity. To us, it means staying ahead of the adversary, promptly discovering and remediating vulnerabilities in our network and software, and performing root cause analysis. We are able to use threat intelligence to predict attack trends, develop detection signatures, and mitigate attacks before they happen.

We feed this same threat intelligence data into our vulnerability management process. If we discover new vulnerabilities before they are publicly available or before proof of concept code is released, we can remediate the vulnerability before an attacker has the ability to exploit it.

Root cause analysis is the act of performing digital forensic analysis on an infected or compromised system. If we determine a system has malware or is exhibiting suspicious activity, the Investigations & Analysis team is able to forensically analyze the system. We look for indications of how the system was compromised, what changes have been made, and what any malicious software is doing.

Often, cybersecurity teams will rely solely on their tools to detect and remove malware. While this may discover some of the threats, there is a large amount of information you will miss. Malware is designed to exploit flaws in software to manipulate a computer system. If you can determine how malware manipulates a computer system, such as which processes it injects itself into and which network connections it attempts to make, then you can apply the correct patches for the exploit, develop detection signatures that are targeted to that specific piece of malware, and update existing tools and configurations.
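How findings from root cause analysis become a targeted detection signature, as an added example that is not part of the original article. It assumes an EDR feed of process-creation, injection and network-connection records in a simple "timestamp host type key=value" line format, and a signature that lists the behaviours observed during analysis (injection target, destination pattern and port, parent/child process pair) with weights, so that no single indicator fires an alert on its own. The signature, the telemetry and the 198.51.100.0/24 addresses are all constructed and describe no real malware family.

```python
"""Behavioural detection signature derived from forensic findings, matched
against endpoint telemetry (hypothetical example; everything constructed)."""
import re
from collections import defaultdict

# Constructed signature: each indicator is one behaviour seen during analysis
SIGNATURE = {
    "name": "constructed-sample-A",
    "indicators": [
        {"type": "injection", "target": "explorer.exe", "weight": 3},
        {"type": "netconn", "dest_port": 8443,
         "dest_pattern": r"^198\.51\.100\.\d+$", "weight": 2},
        {"type": "process", "image": "wscript.exe", "parent": "winword.exe", "weight": 2},
    ],
    # Require more than one behaviour to agree before alerting
    "threshold": 4,
}

# Constructed EDR telemetry; wkstn-22 shows the full chain, the others only one piece
TELEMETRY = """\
2018-12-10T09:01:02 wkstn-22 process image=winword.exe parent=explorer.exe
2018-12-10T09:01:09 wkstn-22 process image=wscript.exe parent=winword.exe
2018-12-10T09:01:15 wkstn-22 injection source=wscript.exe target=explorer.exe
2018-12-10T09:01:20 wkstn-22 netconn dest=198.51.100.7 dest_port=8443
2018-12-10T09:30:00 wkstn-31 netconn dest=198.51.100.9 dest_port=8443
2018-12-10T10:00:00 wkstn-40 process image=wscript.exe parent=explorer.exe
"""


def parse(line):
    """Turn one telemetry line into a dict of its fields."""
    ts, host, kind, *kv = line.split()
    rec = {"ts": ts, "host": host, "type": kind}
    rec.update(p.split("=", 1) for p in kv)
    return rec


def matches(ind, rec):
    """Does this telemetry record exhibit the indicator's behaviour?"""
    if ind["type"] != rec["type"]:
        return False
    if ind["type"] == "injection":
        return rec.get("target", "").lower() == ind["target"]
    if ind["type"] == "netconn":
        return (rec.get("dest_port") == str(ind["dest_port"])
                and re.match(ind["dest_pattern"], rec.get("dest", "")) is not None)
    if ind["type"] == "process":
        return (rec.get("image", "").lower() == ind["image"]
                and rec.get("parent", "").lower() == ind["parent"])
    return False


def scan(telemetry, signature):
    """Score each host by the distinct indicators it matched; return the
    hosts whose score reaches the signature's threshold."""
    scores, hits = defaultdict(int), defaultdict(set)
    for line in telemetry.splitlines():
        rec = parse(line)
        for i, ind in enumerate(signature["indicators"]):
            # Count each indicator once per host so repeats cannot inflate the score
            if i not in hits[rec["host"]] and matches(ind, rec):
                hits[rec["host"]].add(i)
                scores[rec["host"]] += ind["weight"]
    return {h: s for h, s in scores.items() if s >= signature["threshold"]}


if __name__ == "__main__":
    for host, score in scan(TELEMETRY, SIGNATURE).items():
        print(f"{SIGNATURE['name']}: {host} matched with score {score}")
```

The weighting is the part worth dwelling on: a single connection to the observed address range (wkstn-31) or a lone script-host launch (wkstn-40) is not enough, whereas the combination of parent/child process, injection target and beaconing seen on wkstn-22 is exactly the chain the forensic work established, which is what makes the signature specific to this sample rather than to scripting in general.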

Organizations need to get away from the habit of just putting a Band-Aid on infections. We need to understand how the infection occurred, what it did, and why, in order to completely eliminate the attack vector.

With the sophistication of many threats, eliminating them completely may not be possible. However, if you can reduce your attack surface and implement threat intelligence into the core of your cybersecurity program, you are one step closer to achieving your security goals.


Conclusion

With cyber threats facing organizations growing exponentially and no end in sight, it is important to be able to critically assess your organization. Remember that it may not be possible to stop all cyber threats; however, if you follow this list of discovering, detecting and eliminating, you will have an advantage that most companies do not.

*****

Tyler Young is Senior Manager, Head of Investigations and Analysis at Relativity.
