Attack Detection vs Disruption

Attack Detection vs Disruption

created time
Dec 12, 2023 07:56 AM
last update
Jan 10, 2024 08:09 AM
notion image
Rather than using CCTV, which often requires manual monitoring and response, the use of an acrylic mirror provides deterrence without the associated costs and complexity. Psychological studies suggest that mirrors can subtly influence human behaviour, often positively. Data indicates that a simple mirror is effective in the case of bicycle theft.
Many commercial off-the-shelf (COTS) security products, whether Security Incident & Event Management (SIEM) systems or Managed Security Service Providers (MSSP) are similar to the CCTV operations. Both rely on some forms of logic to determine whether certain events are harmful or not, then another human-layer to further assess & react.
Regardless of whether a traditional approach, where experts maintain detection rules, or machine learning approaches that predict based on known or prior datasets, issues related to alert fatigue and talent shortages persist.
So what is the equivalent of that mirror in Cyber Security, such that we disrupt attacks without the high cost, complexity & SLOW human reaction?

Desirable Attributes of Attack Disruption

No or less of: “Is it bad?”

From the perspective of attackers, the cost and know-how needed to bypass host and network controls are becoming freely available and commonplace. Remember that "good" programs, web services, and so on, can also be abused for offensive campaigns. From the defenders' perspective, significant investments aren't deterring attackers. These attackers are either using free tools and techniques, or simply paying for stolen VPN/user accounts.
notion image
Reduce or completely eliminate the need to assess whether an event, action, or activity is malicious.

No need to maintain “bad” lists

Given the widespread knowledge of evasion and anti-analysis techniques in both public and dark web domains, the effectiveness and efficiency of such a "subscription" model for maintaining “bad” lists becomes questionable.
By eliminating the need to classify as good or bad, we can reduce or avoid the constant maintenance of "bad" lists.

Based on Zero-Trust Principles

Since the set of "malicious" techniques is essentially infinite and we face both known and unknown threats, it's impossible to keep up with offensive actors simply by tracking their "bad" techniques retrospectively. Examples include malware based on Portable Executable formats, which can be continuously altered using free payload generators. Reputable domains and sites with web APIs can also serve as payload delivery and command & control channels. Additionally, an infinite number of domain names can be purchased and misused to create fraudulent sign-in interfaces.
Relies on ZeroTrust approaches to granularly permit endpoints and network activities, rather than solely depending on known-bad lists. The design of permitted features should not be easily abused by threat actors.

Examples of Attack Disruption

There are fundamentally three aspects of a typical client-server architecture that attackers may target:
notion image
  1. Directly attack vulnerable exposed services & non-interactive endpoints (think IP cameras, IoTs…). For example, SQL injection into vulnerable applications, exploiting service like Log4J vulnerabilities. Denial-of-Service is also another form of direct attack that impacts availability.
  1. Interception (aka Adversary-in-the-Middle) of accounts (for take-overs), session tokens/secrets… For example, creating a fake banking sign-on page (aka Phishing) that even captures second-step One-Time-Pins.
    1. notion image
  1. Infiltrations into client zones often start from user touch-points and then moving into internal services. For example, ransomware campaigns may start off with client zones, eventually capture administrators or gain privileged access (e.g. network or backup storages) for organisation-wide encryption & extortion.

Disrupting Direct Attacks

Software Defined Perimeter disrupts direct attacks. Unlike traditional Virtual Private Networks, which provide broad control similar to a moat around an entire castle (network), SDP offers fine-grained control, allowing specific access to individual rooms (services) of which a user can enter (use) after authentication. While VPNs listen for inbound connections and are thus vulnerable to attacks, SDPs do not receive any. This keeps the network and application infrastructure invisible or cloaked from the internet, making them harder to attack.
Adoption Challenges Almost all cloud SaaS platforms are publicly accessible. Some may not permit configuration of a dedicated SDP gateway which limits access to enrolled identities & endpoints to target SaaS.

Disrupting Account Take-Overs

Passwordless Authentication (e.g. FIDO Passkey) mitigates account take-overs. For instance in Passkey implementation, there is NO typing of username or passwords. A "Sign in with Passkey" button allows registered users to pick a key to sign in. This means that even when a fake website appears that looks similar, there won't be an option to select the real website's sign-in key. This means NO credentials (id + password) to capture for attackers, legit users don’t know what to key (pun intended) too! Again, no need to decide if web-page is real or fake. No keeping up with malicious domain names & sites.
Adoption Challenges Password scheme is something familiar to both users & developers. Relatively cheaper than newer forms of authentication schemes in terms of adoption costs. We need more backend adoption such that Passwordless becomes the norm & preferred! "Single-key-of-failure" occurs when the account is linked to a single key. This key, stored either on a phone or a crypto-token, may fail or be misplaced.

Disrupting Client-Side Endpoint Infiltration

Remote Browsers disrupts malware delivery & Command-&-Control channel. Even if the malware were to deliver from non-browser vector to run (for example, from a USB stick), it would encounter issues establishing a connection back via the usual SSL/TLS channel. This would prevent remote attackers from using the compromised endpoint as a pivot into internal services. There’s no logic to decide whether if the contents are malicious or not, it simply starts with a clean state for each new web session. In this context, it fundamentally distrusts all web contents, embodying the principle of ZeroTrust.
Adoption Challenges Latency depending on the type of contents that users are surfing. If the Remote Browser service provider experiences downtime, end-users will not be able to use their browsers. Some Single-Sign-On authentication flows may be affected. Some SaaS may require direct HTTPS connectivity. Once added to Allow/Bypass-list, it opens a channel for potential abuse. Not useful for servers.

Disrupting Data Theft

ZeroTrust Data Protection (e.g. SecureCircle) mitigates both Insiders & Remote Threat Actors. SecureCircle enforces encryption on data in all three states: in transit, at rest and in use. The solution is granular down to both running processes and network destinations (which cloud service). As a result, any unauthorized program-process will only read encrypted gibberish. To mitigate abuse, authorized program processes can only communicate with approved cloud services. This prevents allow-listed programs from uploading to unauthorized cloud storage. It's based on granular allow-listing approach, so there's no need to worry about endless malware.
Adoption Challenges Users who are locked into their existing Data Loss Prevention products.

Deny Threat Accessibility but maintain Usability

The cost & effort for attackers is LOW to tweak slightly to defeat controls that are based on reacting to alerts of specific offensive techniques. All the mentioned controls prevent threat actors from accessing targets such as data, passwords, or endpoints, without impacting the end-users' experience. These controls incorporate aspects of ZeroTrust without the need to pursue offensive techniques or determine their malicious nature. Instead of trying to stop specific “bads”, ZeroTrust allows a smaller set of authenticated activities & denying the rest by default. Doing so significantly increases the cost of attacks for threat actors. From a Monitoring & Response operations perspective, the mantra becomes (albeit inverted from conventional approaches): Be BETTER at figuring out what is “Normal” in your environment & context!

Disrupting Code Execution…

Apart from Adversary-in-the-Middle interceptions, nearly all other attacks require some forms of Code-Execution. Most endpoint "protection" solutions are ineffective at stopping infiltration and endpoint take-overs, especially for publicly exposed servers that cannot operate within SDP cloak.
In the upcoming series (part of
Cyber Security in 7 weeks
) , I will discuss how to disrupt attacks on Windows endpoints for both client and server zones. I will share experiences accumulated from developing and enhancing FreeEDR. This journey started with the host Application Control within FreeEDR, and has evolved into Proactive Endpoint Defense & Response. It now includes enhanced features such as ZeroTrust network egress control and anti-ransomware capabilities, specifically designed to disrupt attacks without relying on "bad" signatures.