Blind Spots in Your Threat Landscape

Your teams are utilizing a combination of cloud and on-premise infrastructure. Couple that with staff working remotely, and the challenges of having visibility into where devices reside and what staff is able to access those devices can be daunting!

Mike Cotton of Digital Defense sees a key shift in the threat landscape as attackers focus more on attacking key endpoints and infrastructure. As a result, many organizations are developing security blind spots. Cotton explains how to regain visibility.

In an interview with Tom Field of Information Security Media Group, Cotton discusses:

  •  Shifts in threat activity
  • Blind spots in cyber defenses
  • Myths and realities about dwell time

The Latest Threats

TOM FIELD: Mike, when we talk about the threat landscape, what are some of the latest trends and the shifts that you’re particularly paying attention to?

MIKE COTTON: One of the interesting things about my job is that I get to work with a lot of talented penetration testers. Testers, who use tactics that are ahead of the curve and ahead of what malware is doing. Recently we’ve been seeing some new malware variants, which mimic these advanced attacker tactics and use things that we’ve been waiting to surface but haven’t surfaced yet.

For example, there was a lot of press coverage over the Astaroth attacks that Microsoft highlighted and the way that they used fileless malware and malware that did not necessarily target a specific CVE-able vulnerability, but really was almost a rebuild of what we used to see way back in the day where people were sending shell scripts and executables over email. So we thought that was a shift and particularly interesting.

It does seem like there’s more of a shift to attackers using configuration or tactical issues to attack key endpoints or infrastructure as opposed to relying on the latest Flash vulnerability where there’s a new version released and then an exploit comes out, then everyone rushes to patch it. So it seems like they’re shifting to things that current security postures maybe aren’t well designed to combat as much.

Security Postures

FIELD: How do you see these shifts impacting security postures?

COTTON: The challenge that security postures have had in the last several years is that as attackers have gotten more advanced and gotten better at routing around them, there’s been a tendency to want to double down on the same sorts of tactics, but just smarter. There was this idea of we’re going to bring machine learning in and maybe that will solve it but keep the same endpoint paradigms and same firewall paradigms. While those things are helpful, they don’t necessarily solve the problem of attackers gaining a foothold and then gaining more intelligence on a network and then starting to pivot through.

“The defenders need to be more tactical, and they also need to be better at combating not just vulnerabilities but configuration issues, which present a weakness even beyond the normal patch cycle.”

So one of the fallacies that we sometimes call out is a lot of times we’ll see companies focus on one part of their network and say, “This is the really important part. So this is where I’m going to put all the super anti-virus defenses or other sorts of network-based protections.” And what they really fail to understand is that by the time the attacker makes its way to that key critical point in your network, they’re not slinging lateral movement exploits so much as they’ve already picked up administrator credentials four or five hops ago, and they’re just coming in as a valid administrator and they’re moving into that part of your network. And that’s going to be very, very hard to stop.

So the defenders need to be more tactical, and they also need to be better at combating not just vulnerabilities but configuration issues, which present a weakness even beyond the normal patch cycle.

Blind Spots

FIELD: Mike, it sounds like what you’re saying is that these shifts are actually creating new blind spots for defenses.

COTTON: Yes, they are. It’s a challenge because traditional audit paradigms or security audit paradigms often rely on looking at vulnerabilities rather than the configuration issues. It seemed like very simple configuration issues like default passwords were baked in a long time ago, and people understood how to deal with them. What they’re having a harder time with are things like fileless campaigns, where there’s not necessarily anything that ever hits the hard drive to develop a signature on or maybe even be able to effectively simulate it in a sandbox environment.

There’s more and more need to take advantage of cloud services and things that can speed up deployment. But because of that, the traditional, continuous network block perimeter is just totally gone. People have things up in all sorts of different clouds and some stuff on site and people working remotely. And so even though there are elements of traditional security posture that still work in those environments, it’s just a much, much more complex paradigm to defend than your old castle-based firewalls on the outside, endpoints on the inside paradigm. And so that’s been a challenge for a lot of people.

Dwell Time

FIELD: Mike, we’ve talked over the past few years about the concept of dwell time. What can you tell us about some of the myths and realities around that concept?

COTTON: Dwell time is a concept that started getting traction and being talked about mostly in the context of threat hunting. The idea with threat hunting is that once something makes its way past your initial line of defenses, you need to have a mechanism to go ahead and detect that and see if there’s a way that you can backstop your existing security defenses such that even if there’s an initial failed detection from your firewall or email gateway or endpoint protection systems, you still have some way to backstop and detect a threat that’s made its way into your network.

With dwell time, one of the myths is that all this can be done by one kind of single point of failure system. Everyone would love to say my single technology handles all these things. I handle the anti-virus. I handle the incident response. I handle the dwell time detection. The problem with that, I often point out to people, is you can have the greatest endpoint protection software in the world, but if it’s not installed, it’s not going to be very effective. Or even if it is installed, maybe it’s been disabled.

Something we see a lot when we do see instances of dwell time out there is actually a surprising amount of the time there is endpoint software installed, but there are advanced variants. Say for example, they get there ahead of an update or some sort of a mechanism to detect that new advanced variant, this will cause interference with the endpoint software talking to its primary server such that the node gets orphaned and isn’t able to go ahead and properly update and maybe is essentially left defenseless.

A lot of times, people think of dwell time in terms of something that can be handled just with an endpoint solution. But they don’t necessarily think about, “Well, what if a server gets reverted to the point where the protections aren’t active or aren’t installed or maybe are being interfered with?” How do you deal with that sort of a blind spot?

Changing Strategies

FIELD: Mike, if you were to take a step back, how would you suggest that security strategies need to change to counter the threats we’ve been talking about?

COTTON: It’s multiple levels of defense in depth. It’s a longstanding strategy we’ve always preached. But with more attacker tactics, it’s becoming more and more important. It’s not enough to say, “Hey, this one security technology I have will handle that.” You have to actually go into other scenarios and say, “What if it’s not installed? What if it is installed, but if fails the detection? What if it doesn’t handle this particular type of attack?”

So you have to go through the strategy process of saying, “If I do have a failure, if some component fails along the way, what then? Does it have backup? Are there other overlapping technologies?”

“The idea with threat hunting is that once something makes its way past your initial line of defenses, you need to have a mechanism to go ahead and detect that and see if there’s a way that you can backstop your existing security defenses.”

Ideally for some of these advanced campaigns, you could say, “OK, I will attempt to catch this, maybe on my email gateway, and then hopefully my endpoint software can catch it.” But even then, I have some sort of a threat hunting or alternate detection mechanism in place where even if I see a point of failure along the way or a couple points of failure, I’m still covered.

It’s difficult sometimes because security vendors understandably will try to say, “Hey, I’m the guy who saves the day and shows up and defeats all the malware, and that’s why you should write me a big, big check.” But unfortunately the technologies often have some weak spots, and you have to incorporate into your strategy; a mechanism where if something doesn’t do a detection, hopefully you have multiple things backing that up.

Digital Defenses’ Role

FIELD: Talk to me a bit about Digital Defense and tell me what you are doing to help customers to make these changes you’ve just outlined.

COTTON: One of the things I loved about coming to work for Digital Defense is it has an illustrious and deep background in penetration testing. During penetration tests, our consulting teams and our operations team will go out and they will often simulate attacker tactics while trying to go ahead and illustrate the true network security posture of a network, trying to actually penetrate systems and route around defenses.

We really learned a lot and continue to learn a lot from those tactics. One of the first things that I was surprised by is how incredibly easy it is for them to route around anti-virus and endpoint protections and other mechanisms that they use to maintain access to a network once they have routed around those mechanisms. That sort of mentality has really been informed from some of the automated systems that we deploy. We have a vulnerability scanning system, which looks at key vulnerabilities that attackers tend to exploit – not just what is the CVE number, but how likely is a penetration tester to actually exploit something like this. And it also looks at configuration issues that don’t necessarily have a CVE. Maybe it’s like a hidden mechanic password or just a known weak configuration, fundamental to the technology. But it helps turn on a black light and show you from an attacker’s viewpoint what your network looks like.

And then we also have a threat sweeping component that we use. So when we are sweeping through a network auditing endpoints, we can peer into the endpoint with an active threat mode and we will actually see, “Hey, is this an instance where the anti-virus software has not been installed, and let’s actually scan the entire persistence chain and running memory and see if there’s something there that looks suspicious.” So if, like most IT departments, you’re doing a pretty good job installing your AV, but maybe it’s only on 90 percent of the systems … It gives you a way to back up your endpoint protection software and just turn on the black light and see those key spots in your network where maybe something is wrong.

See Firsthand How VM Can Work For You

Request a customized demo and see which cybersecurity vulnerability management options your organization needs.

Share This