Ghost Busting

First, read Jack's post, Don't wait for an intrusion to find you.

Next, read this post (The Blue Team Myth).

Notice any similarities...not in content, but in the basic thought behind them?

Yeah, me, too.  Great minds, eh?  Okay, maybe not...but

So, you're probably wondering what this has to do with Ghostbusters...well, to many, an intruder within the infrastructure may seem like a ghost, moving between systems and through firewalls, apparently like an apparition.  One thing I've seen time and again during incident response is that an intruder is not encumbered by the artificial boundaries of an infrastructure: the policies and roles, or the local laws (European privacy laws, etc.), that say someone shouldn't be able to access certain systems.  Yeah, that doesn't stop an adversary.

Jack's right about a number of things.  First, the old adage about an intruder needing to be right once, and a network defender needing to be right all the time is...well...wrong.  Consider this...prevention, by itself, is ineffective.  In defending a network, you need to include prevention, detection, and response in your security plan.  Given that, what is the adversary's definition of success?  What is their goal?  Once you arrive at what you believe to be the adversary's goal, you'll realize that there are plenty of opportunities for defenders and responders to "win", to get inside the adversary's OODA loop and disrupt/hamper/impede their activities.


Jack is exactly right...an intruder needs to accomplish five stages in order to succeed, and all five of those stages require one thing in common...execution of commands.  Something has to run on the systems.  Doesn't it then make sense to have some sort of process creation monitoring in place, such as Bit9's Carbon Black, or MS's Sysmon?

Here's another way to look at it...in the beginning of my blog post, I mention two annual security/threat reports, and describe what some of the statistics mean.  In short, one metric that the investigators report on is dwell time...how long (as far as they can tell based on the artifacts) a targeted actor was embedded within the infrastructure before being detected.  What this means is that when investigators look at the available data, they're able to determine (at least up to a point) the earliest indicators of the adversary's activities, be it early indicators (use of web shells) or the actual initial infection vector (IIV), such as a strategic web compromise, an email with a link to a malicious site, or an email with a weaponized document attached.  The point is that the investigators are able to find indicators...Registry keys/values, Windows Event Log records, etc...of the adversary's activities.  And all of these are indicators that could have been used to detect the adversary's activities much sooner.
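To tie the process-creation monitoring point to the web shell indicator above, here is an added example (mine, not Jack's or anything from this blog) that runs a simple detection over constructed, Sysmon Event ID 1-style process-creation records: a web server worker spawning a command interpreter is flagged, and the oldest hit marks where the dwell-time clock would have started. The record layout and the sample events are assumptions made for the demo.

```python
import ntpath
from datetime import datetime

# Constructed sample process-creation records (Sysmon Event ID 1 style,
# flattened to one "Field: value|Field: value" line per event). Not real logs.
SAMPLE_EVENTS = """\
UtcTime: 2015-03-02 09:14:07.120|ParentImage: C:\\Windows\\System32\\inetsrv\\w3wp.exe|Image: C:\\Windows\\System32\\cmd.exe|CommandLine: cmd.exe /c whoami
UtcTime: 2015-03-02 09:15:22.004|ParentImage: C:\\Windows\\explorer.exe|Image: C:\\Windows\\System32\\cmd.exe|CommandLine: cmd.exe
UtcTime: 2015-03-05 17:42:10.771|ParentImage: C:\\Windows\\System32\\inetsrv\\w3wp.exe|Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|CommandLine: powershell.exe -NoProfile
UtcTime: 2015-03-05 17:43:01.000|ParentImage: C:\\Windows\\System32\\services.exe|Image: C:\\Windows\\System32\\svchost.exe|CommandLine: svchost.exe -k netsvcs
"""

# Web server worker processes that should essentially never spawn a shell.
WEB_SERVER_PARENTS = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat.exe"}
# Command interpreters whose appearance under a web worker is the indicator.
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


def parse_event(line):
    """Turn one flattened record into a dict of field -> value."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    fields["UtcTime"] = datetime.strptime(fields["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
    return fields


def is_web_shell_indicator(event):
    """True when a web server worker spawned a command interpreter."""
    parent = ntpath.basename(event["ParentImage"]).lower()
    child = ntpath.basename(event["Image"]).lower()
    return parent in WEB_SERVER_PARENTS and child in INTERPRETERS


def find_alerts(log_text):
    """Return the flagged events, oldest first."""
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    return sorted((e for e in events if is_web_shell_indicator(e)), key=lambda e: e["UtcTime"])


def earliest_indicator(log_text):
    """Timestamp of the first flagged event: where the dwell-time clock starts."""
    alerts = find_alerts(log_text)
    return alerts[0]["UtcTime"] if alerts else None


if __name__ == "__main__":
    for e in find_alerts(SAMPLE_EVENTS):
        print(e["UtcTime"], ntpath.basename(e["ParentImage"]), "->", e["CommandLine"])
```

The same parent/child check works on live Sysmon or Carbon Black data once the fields are mapped to the same names; the point is that the indicator is there from the first day, not just in the post-mortem.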

Finally, one other thought...Jack's steps 4 and 5 are cyclic.  Wait...what?  What I mean by that is that following credential theft and establishing persistence, the adversary needs to orient to where they are and begin taking steps to locate data.  What are they looking for, what are they interested in, and where is it located?  Is the data that the adversary is interested in on a server someplace (file server, database server), or are there bits of the data that they're interested in located on workstations, in emails, reports, spreadsheets, etc.?  So, what you may see (assuming you have the instrumentation to observe it) is the adversary collecting data for analysis in order to assist them in targeting the specific information they're interested in; this might be directory listings, emails, etc.  You may see this data exfiltrated so that the adversary can determine what it is they want.