Context in Risk-Based Threat Patterns

Aug 22, 2016 | by Demetrio Milea

computer-code-878x388

Risks come from various sources that are not always possible to identify and subsequently prevent and mitigate in advance. With the growth in cloud, social, mobile and "bring your own device" computing, the size of the attack surface is greater than ever. Many attack scenarios are possible mainly due the complexity of the network's topology and the variety of applications and technologies that coexist in an organization and need to be defended.

The deployment of Threat Patterns in security platforms (TPs - defined as a set of characteristics that represent suspicious behaviors to detect) whether driven by specific corporate policies, compliance mandates or, more in general TP provided out-of-the-box in security solutions, are a great starting point for the security operations team. However they are subject to false-negative results unless they are customized to provide greater context for the environment they propose to protect. Security products also need to be continually updated with new attack vectors a threat actor (TA) can launch as they evolve their techniques, tactics, and procedures.

In one of my previous posts, The Genesis of an Asset, I gave particular emphasis to a threat modeling approach to enable the security team to develop a realistic, deep and meaningful understanding of the platforms in an organization and explaining the importance of breaking down each asset in finer detail to gain more comprehensive insights and only then develop risk-based threat patterns to address specific misuse and use cases.

However, a one-off effort to develop risk-based threat patterns is usually not sufficient and tends to make the pattern itself only useful for a limited period of time. Attack vectors are not static and advanced attacks are hard to detect. Behind a TA there is always a human adversary with specific objectives and motives and, to successfully achieve that, the TA continuously evolves the rules of the game.

As such, the shift to a hunting mindset begins with a proactive approach and the security operations teams need to continuously improve their capabilities managing the design of risk-based threat patterns following an iterative process that cycle through several stages.

A simple and well-defined process is borrowed from the Software Development Life Cycle (SDLC):

  • Analysis
  • Design
  • Implementation
  • Testing
  • Evolution

Where each of these stages has their own inputs, outputs, sub-processes and the overall approach is measured and monitored. Moreover, it is always a good habit to store all the threat patterns in a centralized and collaborative revision control system, keeping track of the purpose, functionality, version and code changes (whether they are fixes or improvements), requirements and so on.

Once the model "comes to life and begins to deliver value," ongoing evaluation, maintenance and enhancement of the threat patterns needs to be done by the team to improve the detection ratio and keeping it aligned with the risks of the asset, the current threat landscape and the overall security strategy of the organization. The above approach also optimizes the capabilities of the deployed security solution where the risk-based threat patterns are configured and, at the same time, enhance the capabilities of the security operations team going beyond common alerts, events and incidents.

As this approach might be considered "time-consuming" to apply for a large set of systems; having aligned the IT department with the security department also allows the identification of the critical assets which require more attention at the outset. Furthermore, a current critical asset inventory is a fundamental building block of a sustainable security program.

Threat detection requires extensive knowledge of the platforms as well as the network of the organization the security team is trying to protect. The absence of indicators of compromise does not necessarily mean the overall security posture of the organization is "good enough" rather it could lead to a false sense of security amongst management.

Tags: Demetrio Milea, RSA Fundamentals, RSA Point of View, Correlation Rules, Risk-Based Threat Patterns, Security Monitoring Strategies, Threat Indicators, Threat Modeling