Maturing the Security Stack from Indicators of Compromise (IOC) to Indicators of Attack (IOA)

Rahul Ratan
3 min read, Dec 27, 2020
[Figure: Post-compromise tactics. Credits: FireEye]

The year 2020 has pushed the world toward a proactive approach to identifying risks to the environment, society, critical national infrastructure, and the technology stack. Recent events, including Sunburst, COVID-19, and the wildfires caused by PG&E equipment, have forced the risk community to look at low-frequency events in terms of the speed of onset of risk materialization.

Ordinarily, low-likelihood events would not force leaders to ask:

  • ‘What if’ such a risk materializes? How catastrophic would the impact be?
  • Are we resilient enough to stand tall against situations we don’t know or have never faced before?
  • Can we demonstrate growth when there is no playbook and no past example?

What makes these questions so pertinent is not only the changing threat landscape but also the velocity of change in that landscape. Usually a threat takes two to three years to be recognised as a valid risk and to attract attention. This time a sophisticated threat actor compromised an industry-dominant service provider [SolarWinds] and exposed more than 18,000 organizations, and millions of end users, to the risk of grave loss. For risk professionals, this is a time to pause, reflect, and pivot.

Are we doing a good job of communicating the speed of onset, that is, the time it takes for a risk event to materialize?

Sunburst-like attacks are like someone peeping at us through a keyhole: we can see one eye on the other side, but we cannot tell whether one, a dozen, or hundreds of them are standing behind the door. With greater information sharing, the legacy security stack gave response teams a playbook built on what had already been experienced. But it does not let response teams contemplate what seems too innocuous to count as an anomaly. FireEye, a cyber security firm with some of the best people and industry-leading tools, described in their blog never-before-seen techniques used to trojanize the SolarWinds update and establish a persistent footprint in the target organization.

The current security stack enables response teams to contain what matches established signatures, rules and heuristics, and assumes the threat actor cannot evade detection, on the old notion that attackers lack resources or that attacks are costly. Now there are websites like malvuln that demonstrate how to exploit vulnerabilities in malware, and resources like this will improve malware code quality over time, so we will see more sophisticated attacks down the line [yes, unlike general developers, malware developers have a direct incentive to find and fix vulnerabilities in their code]. This presents an opportunity to broaden the corrective approach from detecting Indicators of Compromise (IOCs) to also detecting Indicators of Attack (IOAs): tight monitoring of north-south traffic and early detection of lateral movement (east-west traffic) within the organization.

The usual objection to configuring monitoring systems to detect IOAs is that they would generate a high rate of false positives. The system also needs to mature so that it can separate deliberate noise from signal and flag small privilege changes, such as admin rights granted to service accounts.
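To make the IOC-versus-IOA distinction concrete, the following is an added example, not code from the original post or from any vendor it mentions. It runs two detectors over a constructed set of Windows-style telemetry: an IOC matcher that checks file hashes against a blocklist, and a behavioural IOA detector that correlates a privileged-group grant to a service account (event 4732) with subsequent network logons (event 4624, logon type 3) to hosts that account never used before. The account names, hostnames, hashes, the `svc_` naming convention and the one-hour window are all assumptions made for the example; the event IDs are the documented Windows ones, but the field names are a simplified schema, not a real log format.

```python
"""IOC matching versus IOA-style behavioural detection over sample telemetry.

Added example; the events below are constructed for illustration and the
account, host and hash values are hypothetical. Event IDs follow Windows
Security log semantics: 4688 process creation, 4732 member added to a
local group, 4624 successful logon (logon_type 3 = network).
"""
from collections import defaultdict
from datetime import datetime, timedelta

SERVICE_ACCOUNT_PREFIX = "svc_"            # assumed naming convention
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins"}
WINDOW = timedelta(hours=1)                # how long after a grant we correlate
NEW_HOST_THRESHOLD = 2                     # distinct new hosts before alerting

# Constructed sample telemetry, in time order.
SAMPLE_EVENTS = [
    # Normal behaviour: the backup service account logs on to its usual host.
    {"ts": "2020-12-13T00:30:00", "event_id": 4624, "logon_type": 3,
     "user": "svc_backup", "host": "bkp01", "src_host": "build01"},
    # A new update binary starts; its hash is not on any blocklist yet.
    {"ts": "2020-12-13T01:00:00", "event_id": 4688, "user": "svc_backup",
     "host": "build01", "image": "updater.dll", "sha256": "c0ffee00constructed"},
    # The service account is added to the local Administrators group.
    {"ts": "2020-12-13T01:05:00", "event_id": 4732, "host": "build01",
     "target_user": "svc_backup", "group": "Administrators", "actor": "svc_backup"},
    # Network logons from build01 to hosts the account never used before.
    {"ts": "2020-12-13T01:10:00", "event_id": 4624, "logon_type": 3,
     "user": "svc_backup", "host": "fs01", "src_host": "build01"},
    # A logon to its baseline host; should not count as a new host.
    {"ts": "2020-12-13T01:11:00", "event_id": 4624, "logon_type": 3,
     "user": "svc_backup", "host": "bkp01", "src_host": "build01"},
    {"ts": "2020-12-13T01:12:00", "event_id": 4624, "logon_type": 3,
     "user": "svc_backup", "host": "db01", "src_host": "build01"},
    # Unrelated interactive logon by a human user; should not alert.
    {"ts": "2020-12-13T01:15:00", "event_id": 4624, "logon_type": 2,
     "user": "alice", "host": "ws07", "src_host": "ws07"},
]

# Constructed blocklist; the trojanized binary's hash is not on it yet.
KNOWN_BAD_HASHES = {"deadbeef00constructed"}


def ioc_match(events, known_bad_hashes):
    """IOC detection: flag only events whose file hash is already known bad."""
    return [e for e in events if e.get("sha256") in known_bad_hashes]


def ioa_detect(events, window=WINDOW, threshold=NEW_HOST_THRESHOLD):
    """IOA detection: correlate behaviours rather than match artefacts.

    Alerts on (1) a service account being added to a privileged group and
    (2) that account reaching `threshold` hosts it had never logged on to,
    within `window` of the grant. Returns a list of alert tuples.
    """
    alerts = []
    grants = {}                    # user -> time of privileged-group grant
    baseline = defaultdict(set)    # user -> hosts seen before any grant
    new_hosts = defaultdict(set)   # user -> new hosts reached after grant
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["event_id"] == 4732 and e.get("group") in PRIVILEGED_GROUPS:
            user = e["target_user"]
            grants[user] = ts
            if user.lower().startswith(SERVICE_ACCOUNT_PREFIX):
                alerts.append(("service_account_privilege_grant",
                               user, e["host"], e["ts"]))
        elif e["event_id"] == 4624 and e.get("logon_type") == 3:
            user, host = e["user"], e["host"]
            granted = grants.get(user)
            if granted is None or ts - granted > window:
                baseline[user].add(host)   # learn normal hosts, no alert
                continue
            if host in baseline[user]:
                continue                   # known host, not lateral movement
            new_hosts[user].add(host)
            if len(new_hosts[user]) == threshold:
                alerts.append(("lateral_movement_after_privilege_grant",
                               user, tuple(sorted(new_hosts[user])), e["ts"]))
    return alerts


if __name__ == "__main__":
    print("IOC hits:", ioc_match(SAMPLE_EVENTS, KNOWN_BAD_HASHES))
    for alert in ioa_detect(SAMPLE_EVENTS):
        print("IOA alert:", alert)
```

On this input the IOC matcher returns nothing, because the trojanized binary's hash has not reached any blocklist, while the IOA detector raises two alerts: the privilege grant to `svc_backup` and its movement to `fs01` and `db01`. The baseline set is what keeps the false-positive rate down: the account's return to `bkp01` is ignored because it logged on there before the grant, which is the kind of tuning the objection in the paragraph above is really about.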

Since the post-mortem analysis of the breach is still in progress, I believe many questions remain to be answered. We don’t yet know what the perpetrators wanted to achieve after breaching the Treasury, DoD, and others. Did they want to influence the list of sanctions, or to give an undue advantage to a specific country? Or to obtain data to win over the hearts and minds of a nation and its citizens? There are many whys that could have been answered with an IOA approach rather than the present IOC approach. The community is now aware of the techniques, but it needs to mature at identifying unknown threats to become resilient against future attacks.

The time is asking us to mature the traditional [if I can say so] Security Operations Center (SOC) and Threat Intelligence (TI) functions and consolidate their efforts to look at anomalies from a threat actor’s (TA) perspective. A TA has an incentive to minimize its forensic footprint in order to evade detection: a low footprint does not trigger an alert to the Incident Response (IR) team, which lets the actor persist in the network for longer.

Also, cyber risk managers need new tools in their arsenal to highlight potential low-likelihood threat events that may jeopardize the confidentiality, integrity and availability of the information infrastructure.
