“We’ve had the advantage the whole time; we own the endpoint”
What is the one common denominator against any adversary? What is the most precious commodity of all in the struggle between attackers and defenders? What is the one advantage the adversary has, up till now, always had over us? The answer is time itself, writes Scott Scheferman, Principal Security Technologist at SentinelOne.
The reason why threats—from WannaCry and NotPetya to MegaCortex and RobinHood—succeed is not sophistication. They simply outpace our ability to stop them in their tracks. The threats move at machine-speed. Our defenses do not. The threats are hyper automated. Our defenses are not.
WannaCry was arguably one of the least sophisticated, most poorly written ransomware payloads ever. A large portion of it was corrupted, and it never even ran in many high-profile enterprises the worm component plowed through and wreaked havoc in. It was its sheer velocity that ultimately beat enterprise defenses and out-paced Incident Response teams in the trenches.
Indeed, the most important point of this post is that our defenses lack velocity. There is nothing terribly sophisticated about most threats: they are simply faster than we are! It is why we are still just as unprepared today against a pending BlueKeep worm as we were two years ago.
The Lies We Tell Ourselves
So how can we get time back on our side? We can start by dumping untruths such as these:
“It’s a matter of when, not if, we will be compromised” and “An attacker only needs to be right once to succeed, whereas defenders need to be right 100% of the time to prevent a breach.”
The truth is that it is only a matter of “when not if” if we as defenders are unable to control the “when”.
The fact is most of us have spent the last 3-4 years building up an immense stack of extremely noisy solutions, the vast majority of which can only (by definition) help us after the fact. We’ve then spent another 1-2 years trying to get all of them to talk to each other in order to understand what bad thing just happened to the organization. Too little, too late.
The adversary benefits as we inundate our best (and hyper rare) talent with noise. With tracking down root cause analysis (RCA). With vetting false positives. With improving our playbooks to accommodate the incidents we’re resigned to expect. We have completely lost the plot… and there is no one to blame but ourselves. Most security vendors only build what they imagine enterprises want, and their investors all want them to have a cloud story… they all want them to have subscription-based OPEX model, they all want them to sell volumes of alerts, bandwidth, data retention, events per second, pew-pew laser maps, and ephemerally-challenged intelligence.
We are standing here doing the same thing over and over again while expecting better results. We have negative unemployment and millions of unfilled positions, yet we throw more after-the-fact noise/alerts/false positives and rabbit hole pivot/hunt/RCA activity at the few remaining burnt-out analysts we are lucky enough to retain.
The Battlefield Is The Endpoint
The key to winning against an adversary is to know where they are going to be, what they will do when they get there, and then taking an action that anticipates the enemy’s move in order to stop them in their tracks. The battlefield is the endpoint…namely, your endpoint. It is where attacks originate, and it is where persistence is gained. It is where lateral movement goes to and fro. It is where processes are injected into, where network packets originate from, where the data lives and where the end user creates. It is where the bad guys exfiltrate from, and it is nearly always what your RCA efforts end up pointing back to, after the fact.
I’ve run incident response teams, and I’ve been lucky enough to have had access to literally thousands of compromise assessment reports. I can already tell you what your RCA is going to be; I know how they are getting in. You do, too: spearphishing, creds, RDP, vulnerable web services, insider threat, and (sadly) your MSSP or third party/supply chain.
Yet, most of us are probably not running MFA on every externally-facing application. Or we are still running unneeded RDP services and hoping that plopping them inside a VPN makes any difference. Likely we still haven’t fixed our SSDLC because we don’t have the authority or ability to influence the cultural shift required to do so. And yes, our end users are still clicking on things because that’s what end users do on devices made for clicking things! They are not the problem, and training them effectively is only ever going to be a partial solution, even when we get measurable improvements on their behavior.
If we want to win, we have to control our own endpoints. Controlling an endpoint is not the same thing as having passive visibility into what happened on it, nor is it the ability to restore it from a back-up. It is controlling it at a process level, period.
If we have all the visibility in the world; crystal clear, 20/20 vision and perfect hindsight but it doesn’t inform us fast enough to take the action that actually matters before the bad thing happens, then all we have gained with that visibility is friction, noise, opportunity cost of precious (human) resources, and a perpetuation of the problem.
Turning the Tables Against the Adversary
It’s time to turn the tables and restore time to the defender’s advantage, and to do so on the defender’s soil. Earlier above I quoted a common misguided edict we tell ourselves:
“An attacker only needs to be right once to succeed, whereas defenders need to be right 100% of the time to prevent a breach.”
Let’s rearrange that statement to our advantage. Let’s be better hackers than the Darwinian criminals laughing at our after-the-fact cloud security platforms:
“An attacker needs to be right at every step to succeed, and a defender only needs to be right once to prevent a breach.”
The truth is we’ve had the advantage the whole time. We own the endpoint. It is our domain. We control what happens on it and what does not. We just haven’t implemented enough active machine-speed defenses to keep up with the threat.
We can hook the kernel before the bad actor does. We can identify legitimate processes before a bad actor ever gets a foothold. We can know what the majority of bad actors do once on the endpoint before they get there. We can leverage NLP and machine learning (ML) to understand entire worlds of potential malicious activity well before a bad actor steps foot in our domain. We can uninstall any software we deem vulnerable or a threat. We can reverse-out changes that unauthorized software or users make to the operating system.
We can outpace the bad actor. If we see PowerShell spawned from a Word document fetching a remote file, we can kill that process before it even completes running in memory. We can do all this because it is our domain; it is our endpoint.
There is no such thing as an attack that is only one step, other than maybe the Ping of Death from 20 years ago. If the MITRE ATT&CK framework illustrates one thing, it should be this: we can and need to be able to interject an active kill chain as it unfolds in real time.
Most attacks are automated, yet their automation is not sophisticated and it is not highly adaptable. It is not a human behind a keyboard ready to improvise. We can stop these attacks on our soil.
So let’s make the attacker be right 100% of the time. Let’s make them get it right at every step if they want to succeed. More importantly, let’s get really good at stopping them before they take the steps we know they must!
The Time is Now!
Time is the battle and the endpoint is the battlefield. To win at the game of time on a machine-speed field, we must automate. In order to allow for automation, we must have confidence that it will not break the enterprise or the mission. To gain confidence quickly enough, we must leverage both high-confidence static rules, and NLP and/or other forms of ML where and when and if it makes sense to do so. We must be able to quickly assemble enough events on a host to provide sufficient context to discern malicious activity and interject it immediately.
But let’s do this on the endpoint where the action is! Your Tesla doesn’t consult cloud intelligence before it decides to put on the brakes for you to avoid an impact. A Space-X rocket booster’s thruster controls don’t require a tether to the Cloud to adjust for pitch and yaw before landing on a floating platform at sea. Our intelligence must be where the battle is and allow automation to happen at machine speed. If we actually put first things first, and win back the time advantage on the endpoint, then we may finally be able to lean forward and solve our identity, credentials, IOT, insider threat, SSDLC, and supply chain problems.