Seeing Everything, Understanding Nothing


To help you get a head start on making your environment safer and in keeping with the theme of January’s “New Year, New Priorities,” we thought it appropriate to discuss the second most common issue we see in organizations, prioritizing threats.

Before we dive into it, I want you to follow a thinking process with me:

First, I want you to think about your current environment and the tools deployed on your endpoints, network layers, and boundary layers. Regardless of how large or small your environment is, how many different sensors do you have deployed? 

Now, think about how all those sensors communicate to tell you when an alert has been triggered and where you can see those alerts. Most likely, you either go directly to each individual dashboard or, if you found yourself going insane by jumping around them, a SIEM.

Finally, here’s the real kicker...
I want you to think about how much noise is reported on those dashboards. That is where we will focus today, because that noise isn’t a tooling problem, it’s a comprehension problem. Confusing visibility with understanding is how security teams burn time instead of reducing risk.

So, what do we mean by this? From our perspective, based on ongoing monitoring and emulation of real criminal and nation-state threat actors, we consistently see patterns emerge. Depending on industry, organization size, and geographic footprint, threat actors tend to reuse a relatively narrow and predictable set of tactics, techniques, and procedures within a given vertical. You are best at what you are comfortable with, after all. We don’t just see this in the TTPs either. They also don’t commonly navigate outside their preferred industries. For example, it’s unlikely MageCart will attack an electronic health records system anytime soon, given that their TTPs are focused on marketplace credit card skimming with retail as their main industry. This isn’t a revolutionary revelation; many research groups and seasoned red teams have been calling this out for years. Despite this, defensive teams still default to preparing for all threats equally rather than prioritizing the ones most relevant to their environment. The result is predictable: time, attention, and detection capability get spread thin, and the threats that actually matter are buried. The problem is usually exacerbated when teams must monitor multiple dashboards rather than a single one, but the underlying issue is the same in both cases. Really, at a certain point, you are just investing in anxiety, regardless of whether or not you use a SIEM.

So, what's the solution? How do defensive teams make their alerting more relevant? Fewer dashboards? Less SIEM? AI? More people? Fewer people? Truth be told, none of those are the answer.

It’s much simpler. First, it's about understanding you: not you personally, but you as an organization:

Who are you? Industry, size, types of data stored.

Who are your customers/clients/users? Again, industry, size, types of data stored.

Most of us who have been in a position longer than a quarter will have a decent understanding of those questions, and if you don’t, this should be the first thing you focus on. Having a firm grip on this information helps answer the next question:

What groups like to target organizations like yours? 

This is where paranoia gets us all, and many will fall into the trap of, “Oh no, you're wrong, everyone and their grandmother wants to hack us!” The truth is, most groups probably don’t care about you. The most recently profiled new hacker group isn’t always relevant to your organization.

Let me give an example: APT42. First of all, APT42 is probably not operating right now due to the situation in Iran, so hopefully, they won’t be a problem much longer. Regardless, we get a lot of requests to emulate them because they and their other IRGC counterparts regularly show up in the news. For 90% of our clients, they are not a relevant threat. That’s not an opinion; it’s a function of what the group actually targets. The group’s main focus is government-based espionage. Their goal is geopolitical leverage, which, quite frankly, the retail industry really doesn’t provide. On the other hand, there’s a group like Scattered Spider. Yeah, they were relevant to everyone, mainly because they didn’t care who you were. They just knew they could make money off anyone and everyone. But Scattered Spider is an outlier, not the baseline, and even then, their TTPs aligned with others that show up as common across all industries.

Now, if this sounds a bit like threat intelligence, well, you are right on the money. But, wait, you don’t need to spend hundreds of thousands on a new threat intel platform just to start doing it yourself. Truth be told, there are plenty of resources you can use that you probably already pay for or are available for free. For example, even if you only pay for Falcon from CrowdStrike, you still get access to their Counter Adversary Operations. From there, you can filter crime and nation-state groups by motivation, target country, and target industry. Other orgs offer a free glimpse into their full Threat Intel platform as well, but I specifically call out CrowdStrike simply because it’s the platform I know best. Once you have a baseline of potential groups you may face, then it’s a quick Google search to look up their TTPs on MITRE or Google Threat Intelligence, both of which are free.

So, what's the tie-in here? How do we move from many dashboards to granular detail on why it's important to know yourself and the threats you face? Well, once you do the latter, the former, i.e., the configuration and tuning of the dashboard(s), becomes a lot, and I mean a lot, easier.

Let me give you a physical analogy. When driving, we all know that the biggest risk on the road is other vehicles. Also possible, but less common, is debris or wildlife. You prioritize the cars and trucks. Are you also looking for planes? No, you focus on the biggest risk. So why in cyber do we always look for the plane?! The same applies here. Most organizations do not face a “tooling” issue, i.e., the wrong tool for the environment, despite what every vendor will tell you when they try to switch you over to their product. More often, organizations face a configuration issue, i.e., not setting up the tool specifically for their environment. To do Monitoring and Response properly, you must understand your likely threats so you can tune your alerting to prioritize them. Knowing the likely TTPs that will be employed in your environment helps you focus your efforts. That’s not to say you should ignore the less common ones, but you don’t need to prioritize them all and flood the dashboard with false positives.
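To make the “know yourself, know your threats, then tune” loop concrete, here is a small worked example. It is added to this post and is not EC tooling or code from any vendor platform. The actor catalogue, actor names (ACTOR-ALPHA and friends), their targeting, and their technique lists are all constructed placeholders, not real intelligence; the ATT&CK-style IDs are used only as labels. The idea is the one described above: filter the catalogue down to the groups whose targeting overlaps your organization (and your customers), count which techniques those groups share, and let that count drive the alert tier you give each detection, with everything else kept at a low, non-paging tier rather than deleted.

```python
"""Added example: turn an org profile plus a threat-actor catalogue into
detection priorities. All actors and TTP mappings below are constructed
placeholders for illustration, not real intelligence."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Actor:
    name: str
    motivation: str        # "crime" or "espionage"
    industries: frozenset  # verticals the actor targets; empty = any
    countries: frozenset   # countries the actor targets; empty = any
    ttps: tuple            # technique IDs (labels only)


@dataclass(frozen=True)
class OrgProfile:
    industry: str
    country: str
    customer_industries: frozenset = frozenset()


# Constructed catalogue: placeholder actors, not real groups.
CATALOGUE = [
    Actor("ACTOR-ALPHA", "crime", frozenset({"retail"}), frozenset(),
          ("T1190", "T1059.007", "T1185")),
    Actor("ACTOR-BRAVO", "espionage", frozenset({"government", "defense"}),
          frozenset({"US"}), ("T1566.002", "T1078", "T1003.001")),
    Actor("ACTOR-CHARLIE", "crime", frozenset(), frozenset(),
          ("T1566.002", "T1078", "T1486", "T1021.001")),
    Actor("ACTOR-DELTA", "crime", frozenset({"healthcare", "retail"}),
          frozenset({"US"}), ("T1078", "T1486", "T1021.001")),
]


def relevant_actors(profile, catalogue):
    """Keep actors whose targeting overlaps the org or its customer base."""
    verticals = {profile.industry} | set(profile.customer_industries)
    keep = []
    for actor in catalogue:
        industry_ok = not actor.industries or bool(actor.industries & verticals)
        country_ok = not actor.countries or profile.country in actor.countries
        if industry_ok and country_ok:
            keep.append(actor)
    return keep


def prioritize_ttps(actors):
    """Rank techniques by how many relevant actors rely on them."""
    counts = Counter(t for a in actors for t in a.ttps)
    return counts.most_common()


def alert_tiers(ranked, n_relevant, catalogue):
    """Map technique frequency to an alert tier for rule tuning.

    P1: used by most relevant actors (page on it).
    P2: used by some relevant actors (triage queue).
    P3: in the catalogue but not tied to a relevant actor (log, don't page).
    """
    tiers = {}
    for ttp, n in ranked:
        share = n / n_relevant
        tiers[ttp] = "P1" if share >= 0.66 else "P2" if share >= 0.33 else "P3"
    for actor in catalogue:            # keep coverage of the rest, quietly
        for ttp in actor.ttps:
            tiers.setdefault(ttp, "P3")
    return tiers


def build_priorities(profile, catalogue=CATALOGUE):
    """End-to-end: profile -> relevant actors -> tiered technique list."""
    actors = relevant_actors(profile, catalogue)
    return actors, alert_tiers(prioritize_ttps(actors), len(actors), catalogue)


if __name__ == "__main__":
    for profile in (OrgProfile("retail", "US"), OrgProfile("government", "US")):
        actors, tiers = build_priorities(profile)
        print(f"{profile.industry}/{profile.country}: "
              f"{[a.name for a in actors]}")
        for ttp, tier in sorted(tiers.items(), key=lambda kv: kv[1]):
            print(f"  {tier}  {ttp}")
```

For a US retailer the espionage-focused ACTOR-BRAVO drops out, the credential and lateral-movement techniques shared by the three remaining groups land in P1, and BRAVO's credential-dumping technique stays on the board at P3 so it is still logged but never floods the dashboard. Swap the profile to government and the ranking flips, which is exactly the point: the same sensors, tuned to a different threat profile.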

Monitoring is a balance; one of the few things in cyber that truly requires it. Most dashboard problems come from too much yin and not enough yang. It’s on you to force that balance through understanding. Don’t invest in your own anxiety!

If you need help understanding your threat profile, we at EC would love to help, and it won’t cost you an arm and a leg. Whether as a one-off report or as part of our ongoing service through Emulated Crime-as-a-Service (ECaaS), we want to ensure teams are prepared for the realistic threats they may face. If you’re interested in learning more, reach out to us. As we like to say, “It doesn’t cost a dime to have a conversation.”