All Seeing All Knowing Border Control

Necessity is the mother of invention, and with new breaches reported on a near-daily basis, the evolutionary arms race between hackers and cyber-defenders has led to the rapid disruption of the traditional managed security service provider (MSSP) market. As vendors scramble to stay relevant, this has led to a sea of sales messages and acronyms – including the advent of ‘EDR and proactive threat hunting’.

Breaking this down, we have EDR (Endpoint Detection and Response), the word proactive (the mainstay of copyright teams globally), and threat hunting (why wouldn’t you want that) … but marketing aside, what does this actually mean?

The easiest way to explain EDR and proactive threat hunting is to use an analogy. Let’s liken the corporate IT network to a country, and use the UK as illustration.

ID Check Point

The UK goes to great lengths to stop known foreign criminals entering the country.

There is the expectation that, individuals who are known to have performed illegal activities in the past, maybe a potential risk to society if allowed into the country. To mitigate this risk, the UK Border Agency check everyone’s passport arriving at international airports, and if there’s a match against the database, entry to the country is denied.

This is much like your traditional MSSP vendor monitoring an organisation’s internet ingress points for known or suspected ‘bad’ IP traffic. The danger is that, if the criminal has a new passport with a new name, they may be able to get through the border in the same way that a moderately capable attacker would spin up a new IP address or flip some bits in their malware to target an organisation.  Indeed, in the 2015 Verizon breach report, over 80% of malware samples associated with breaches were unique to that organisation.

Is that it then? Is any criminal with a new passport guaranteed to get through?

Behaviour Analysed

The answer is no. Thankfully, the UK Border Agency staff receive extensive training to help them spot suspicious behaviour which may indicate that someone is not who they say they are.

In the same way, IT security vendors have evolved to address the problem with the widespread deployment of heuristics and behavioural analytics run against inbound files. For example – ‘This file says it does ‘x’, but actually hidden inside it does ‘y’ so it must be blocked’

The problem with this approach is that each vendor will plug just one or perhaps a handful of attack paths with its specific technology, and even then, being driven by automation, they cannot be accurate 100% of the time.

Breaches occur almost daily, week in week out from relatively unsophisticated attackers, proving this approach fails.

Alternative Entry Point

Going back to the original analogy, and taking the example of an advanced criminal who is well resourced and persistent. The criminal wants to get into the UK, and to guarantee their success at doing so, they plan to land deep inside the country, parachuting in, and thereby bypassing all border controls entirely. If anyone did spot them on landing, they would have a new passport anyway. This is how modern cyber threat actors operate; they go straight for the users’ endpoints with custom malware in phishing campaigns, USB sticks or watering hole attacks, bypassing the security controls to establish a foothold on the network.

Eyes and Ears Everywhere

EDR and proactive threat hunting is different.  It assumes that the above scenarios will play out, that the perimeter will be breached, that compromise is inevitable.

In terms of border control in the UK, an EDR tool is the equivalent to the Border Agency going door-to-door to every single house in the country, every single minute, to check whether there is anyone new or different on the premises (anomaly based analysis).

This intelligence is then utilised by the Serious Organised Crime Agency (SOCA) to guide their agents through counties, into towns, narrowing down to streets, and ending up at the specific house where a new or different person is deemed to be – this is the equivalent to proactive threat hunting.

Once at the house, the SOCA agents need to determine where the person has come from (network traffic analysis) and what they have done since arriving (log analysis and further EDR).

Rather than just relying on a passport check at the airport.

While it unrealistic to implement these draconian controls in countries – after all, the analogy can only go so far, thankfully corporate networks are a different story. Managed EDR threat hunting services are readily deployable, and affordable, so the electronic ‘foreign criminals’ looking to infiltrate the enterprise has nowhere safe to hide.

Countercept is exhibiting at Infosecurity Europe – 7 to 9 June at London Olympia, Stand B260