Supply chain exploits with 1,000+ developers. Exploits of on-premises email servers involving four zero-days. What’s next? How are we to defend our networks in the face of such aggressive adversaries?
We have been concerned about APTs for many years (e.g., Russian groups), but recent activity has made this concern proximate and very real — a clear and present danger — to many more organizations and sectors, as well as to a much broader set of companies than in the past.
Detections are the table-stakes of cyber defense. After all, how can even the most astute analysts and vigilant hunters defend a network if threat activity is undetectable? Across all sectors, we’ve had a wake-up call that focusing on known indicators of compromise (IoCs) no longer is enough. Signature-based detection is inherently reactive, and, worse, is readily circumvented: how many Cobalt Strike beacon signatures fired for Teardrop, for example?
Behavioral detection, which can spot unknown anomalies on networks, gets us much closer to closing gaps in detection. It is true that network detection and response tools traditionally can alert on too many false positives when tuned to be sensitive to unknowns. In fact, any NDR company that claims its tools yield zero false positives, quite frankly, may be guilty of a bit of false marketing. But I digress. How can we stay ahead of the next unknowns? Statistically speaking, the real question is how can we increase the signal-to-noise ratio in our processing of detections spotted by behavioral analytics?
I have written previously about making use of alert correlation within a single enterprise as a principled method to reduce false positives while maintaining high recall. IronNet's IronDefense takes this approach. Truly novel attack vectors, however, require additional measures to create a fuller picture of the threat landscape at any given time. Enter: Collective Defense.
Collective Defense means that enterprises that may be related targets of the same attacker, such as electrical companies or banks, agree to share anonymized data about the threats they are seeing on their networks, on an ongoing basis. This flips the script on the attacker — a brilliant one-upmanship move against adversaries, given how hard it is for them to change their TTPs. Collective Defense uplevels the defensive capabilities of any one player; there is strength in numbers when analysts across sectors can share threat intelligence in real time.
Within a Collective Defense platform (that is, IronDome), IoCs that may get lost in the noise at an individual company can take on greater prominence and, hence, relevance and priority. A single DNS tunnel to an MSFT domain, for instance, may be unremarkable at one company; when other companies are seeing the same anomaly around the same time, it becomes a cluster of beacons. When companies have the opportunity to collaborate on this data, there is strength in numbers.
Maybe they could have noticed, for example, that each of these beacons is coming from, say, a Solarwinds update server?
Of course, few companies like to share evidence of an attack, or even lower-level eventing data, on an ongoing basis. But this data can be anonymized relative to enterprise entities. In fact, threats on networks can be detected without needing any corporate or personally identifiable information (PII); instead, we can focus on the attributes of the event, such as packet size and beacon timing, as well as external entities and the potential attacker infrastructure.
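The cross-enterprise correlation described in the two paragraphs above, as an added example that is not IronNet's or IronDome's code: each enterprise replaces its own name with a keyed hash before sharing, and the shared alerts are grouped by external destination and beacon period, escalating a group only when several distinct enterprises see it within the same time window. The enterprise names, domains and alert records are constructed sample data.

```python
import hashlib
import hmac
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts: low-priority behavioral detections (suspected DNS
# tunnelling/beaconing) at hypothetical enterprises. "dest" is the external
# entity; no internal hosts or PII are included in what gets shared.
SAMPLE_ALERTS = [
    {"enterprise": "bank-a", "dest": "updates.example-vendor.test", "ts": "2021-03-01T10:02:00", "avg_pkt": 512, "period_s": 3600},
    {"enterprise": "bank-b", "dest": "updates.example-vendor.test", "ts": "2021-03-01T10:41:00", "avg_pkt": 508, "period_s": 3600},
    {"enterprise": "utility-c", "dest": "updates.example-vendor.test", "ts": "2021-03-01T11:15:00", "avg_pkt": 515, "period_s": 3600},
    {"enterprise": "bank-a", "dest": "cdn.normal-site.test", "ts": "2021-03-01T10:05:00", "avg_pkt": 1400, "period_s": 60},
    {"enterprise": "bank-b", "dest": "cdn.normal-site.test", "ts": "2021-03-03T09:00:00", "avg_pkt": 1400, "period_s": 60},
]


def anonymize(enterprise: str, key: bytes) -> str:
    """Keyed hash of the enterprise name; the key stays with the contributor,
    so the shared platform only ever sees an opaque, stable token."""
    return hmac.new(key, enterprise.encode(), hashlib.sha256).hexdigest()[:16]


def correlate(alerts, key: bytes, window=timedelta(hours=2), min_enterprises=2):
    """Group anonymized alerts by (destination, beacon period) and report the
    largest number of distinct enterprises seen within any sliding window.
    A destination seen by only one enterprise, or by several far apart in
    time, is not escalated."""
    by_key = defaultdict(list)
    for a in alerts:
        ts = datetime.fromisoformat(a["ts"])
        by_key[(a["dest"], a["period_s"])].append((ts, anonymize(a["enterprise"], key)))
    clusters = {}
    for group, items in by_key.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            seen = {token for _, token in items[start:end + 1]}
            if len(seen) >= min_enterprises:
                clusters[group] = max(clusters.get(group, 0), len(seen))
    return clusters


if __name__ == "__main__":
    for (dest, period), n in correlate(SAMPLE_ALERTS, b"per-enterprise-secret").items():
        print(f"ESCALATE: {n} enterprises beaconing to {dest} every {period}s")
```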
This is Collective Defense, and this approach is the future of widespread cyber defense in a world of rapidly escalating unknowns. Collective Defense already is here with IronDome. All of us working together helps each of us identify attacker behavior and, at the same time, better protect our own networks. To me, that’s how you build herd immunity against the adversaries who are running rampant in an attempt to unravel our global digital economy by stealing intellectual property or spying on both private enterprises and public entities.