The cybersecurity world has been reeling from reports that APT29, Russia’s elite hacking intelligence arm, successfully infiltrated the software development lifecycle (SDLC) of SolarWinds, an IT management company, to distribute a malicious backdoor to over 18,000 of its customers. Impacted organizations include both the public and private sectors, as well as entities that support critical infrastructure of the United States. The attack went undetected for months, and highlights one of the worst nightmares facing CISOs around the world — the supply chain compromise.
In an earlier series (How to Become a Mature SOC — Part 1), we highlighted the relationship (the curve) between enterprise security spend and enterprise breaches — with the alarming statistic that a record amount of spending on security technology has occurred over the past 15 years while, at the same time, the number of confirmed breaches is also increasing at record highs. In addition, dwell time (the number of days a breach goes undetected or unremediated) is increasing significantly, and threat groups are improving the sophistication of their attacks. So, to reiterate that article’s question, why haven’t we flattened the curve? Why are we spending so much money with so little confidence that it will actually improve our ability to thwart an attack once it is detected, or prevent an attacker from reaching their ultimate actions on objectives?
In my opinion you need to build an effective framework and program around how you detect, analyze, track and mitigate threats, because only by harnessing the collective power of the individual tools will you be able to detect the next supply chain compromise or advanced persistent threat. It is hard enough in the SOC to keep up with the adversaries, and now technology and business models are evolving at a much faster pace as well. Constantly bringing in new security technologies that are disjoint and not aligned to your frameworks can cause more disruption in the SOC than good.
At Anvilogic, we are focused on helping you build a better security operations program as a whole. We want to help prepare your SOC for the next attack, building a framework around how to prioritize threats, hunt for warning signals, and make it easier to correlate your existing alert/signals from the abundance of technologies you have deployed — all while giving you continuous insight into your existing logging, detection, productivity, and security control posture by identifying your gaps and giving you recommendations for how to improve.
This is no easy task, and we know it — but what we also know is that the security industry has let down the triage analysts, the incident responders, the people who are hired to protect critical infrastructure and data, who have never had a fair shot at being successful in their craft. We want to be a product that they can be proud of, a product for them…
In this post I won’t make promises that I can’t keep and try to describe a quick solution to detect breaches like SolarWinds — because that would leave you with a false sense of security. Instead, I will describe how you can prepare your SOC for the next breach using the data, technology, and resources you already have by giving you the frameworks, code, recommendations, and risk analysis to help you better understand your detection capabilities.
In general, to protect yourself from the next generation of sophisticated attacks, I believe the below components play a major role in the SOC’s effectiveness, in the order of importance.
- Business Intelligence — know how your business works! If you are managing a SOC, and don’t understand how your business operates or who your customers are, how are you expected to be able to protect them? Allow for application owners to play a more active role in your security operations program from the beginning (think Biz-Sec-Ops). Also, understand your critical third party vendors as well, and how those vendors interact with your business.
- Threat Intelligence — the days of just purely building a program around IOC collection and detection are over (or need to be). You need to prioritize and research the threats and behaviors that are commonly used to attack your industry based on the platforms and technologies you use, and keep your SOC informed of new concepts so that they can actually understand how it works — they need to know what “bad” looks like.
- Alert Standardization & Gap Analysis — your SOC needs to build a layered detection program around properly collecting, normalizing, tagging, and enriching the mass amount of detection signals that come from their security controls/tools, custom detection logic, machine learning use cases, etc. It is likely that in most security breaches, some signal(s) generated somewhere at some point, but the SOC either missed it or couldn’t connect the dots.
- Critical System Monitoring — use your business intelligence to build a subsidiary detection program around protecting your critical systems. By this, I don’t mean prioritize alerts that occur on 1 system over another. What I mean is, build a separate alerting framework around the activity occurring on your critical systems or within your critical business processes to identify patterns of suspicious behavior. Your primary focus should be on the smaller subset of your environment that matters most — use this as the last resort for disrupting an attack that can be a major disruption to the enterprise.
- Threat Hunting & Alert Correlation — Be proactive! Most SOCs are very reactive, spending all their time responding to alerts. Teach SOC analysts, Threat Intel analysts, and even your business support team how to hunt! Along with potentially finding suspicious activity, hunting activities also help your team learn the datasets in your logging environment. They will become much more effective during incident response when they understand the data. In addition, use your newly developed alerting framework to focus on creating patterns of suspicious activity, so your SOC can focus on responding to a collection of activity instead of always responding to every point in time alert.
How does Anvilogic help?
Anvilogic’s Intelligent Detection platform helps SOCs build, use, and maintain all of the components listed above to improve their detection capabilities. Below I will highlight a few of those concepts and explain Anvilogic’s approach to solving them, using the SolarWinds campaign as the focal point.
The examples used below are to illustrate how with Anvilogic you can implement a mature detection framework and program to prepare to detect threats similar to the SolarWinds attack in the future.
Step #1 — Threat Intelligence — Prioritize APT29 Techniques
To build an effective detection program, you need to be able to prioritize the threats against your organization based on the technology and infrastructure you maintain, but also based on the threat groups that normally target your industry, region, or customers. Prioritizing what you should be focusing on allows you to fine tune your detection program based on what is most important. This scope makes it easier for analysts to understand where they should focus their energy (ex. threat hunting, detection engineering, etc.).
Step #2 — Alert Standardization & Gap Analysis — Understand Your Detection Gaps from Your Threat Technique Priorities
Data quality is extremely important in building an effective detection program. An earlier post, Becoming a Mature SOC: Part 2 — Data Hygiene, explains how Anvilogic uses machine learning to help tag and enrich your alerting data sets so that correlating warning signals across data domains, threat groups, software, etc. becomes possible. In addition, this allows you to begin building a framework around your detection capabilities, instead of just building many disjoint point-in-time detections, which lets you start using more of the noisy signals and alerts from your security products in conjunction with the custom rules your SOC has built.
Anvilogic offers out of the box detection rules and recommendations to fill your detection gaps, in addition to allowing you to easily import existing signals coming from your custom detection logic or from your security tools/controls.
As you can see below, you can easily identify whether your existing signals and detection systems are missing certain capabilities, such as techniques mapped to “Supply Chain Compromise.” Anvilogic will provide you with recommendations (ex. data feeds and security tools) that inform you of what information you may need to improve your detection coverage for the missing techniques.
The example below also shows how we apply our ML-driven tagging and enrichment to turn a generic “Web Shell Warning Signal” into a signal that is properly normalized, tagged, and enriched. This gives you a better understanding of your gaps, and also empowers your analysts to hunt and create advanced threat scenarios to improve your correlation across the hundreds of signals/warnings you may generate daily in your environment.
Step #3 — Threat Hunting
With normalized and enriched data, you now make it easier for your analysts to threat hunt. Threat hunting is important to a proactive security program because it allows you to research and identify possible abnormal behaviors and create alerting around those suspicious patterns. In addition, your analysts will have a much better understanding of your logging levels and data sets when they spend time researching the feeds for suspicious activities.
You can now visualize patterns of suspicious behavior occurring across the same entity across the different taggings and detection methodologies (ex. servers, externally facing web servers, etc.), or you can identify patterns of alerts across the different labeling (ex. Threat Groups, Critical System Tagging, etc.).
Example of Finding Patterns By Computer Entity:
Step #4 — Alert Correlation — Creating Pattern Based Detections for APT29
In addition to Threat Hunting, you now make it easier to build detection code that can identify patterns and correlate suspicious activity (we call them Threat Scenarios). Threat Scenarios help you organize your signals across the different frameworks and methodologies (ex. MITRE, Cyber Kill Chain, Incident Types, etc.) and allow you to influence the order in which you want those signals to occur. You can filter Threat Scenarios by specific data domains, by specific labels you have for critical infrastructure, or by the techniques most commonly used by the threat groups you have prioritized. This lets analysts visualize the pattern they want to detect, without having to write a line of code!
Let’s take APT29 for example, according to MITRE, they have >20 techniques that they commonly use. Since not much has been released about the specific techniques they leveraged during the SolarWinds campaign, let’s create a very simple APT29 Threat Scenario, using the SUPERNOVA webshell as the inspiration.
This scenario will look across all your rules tagged with “production_url” and “APT29.” The custom tagging for “production_url” can allow you to add certain infrastructure to specific alerting sets to help you with critical system monitoring. Anvilogic makes it easy for you to manage these tags per alert, and uses machine learning to aid in proper threat mappings based on the alert name, signature, or technology it comes from.
Codeless Builder for Attack Patterns:
Anvilogic’s codeless scenario builder allows you to easily determine the filters and sequences of the warning signals you want to include within your scenario without having to write a line of SIEM code.
Save Your Threat Scenario:
The below scenario could indicate that there is a potential web shell on your production servers, using warning signals that align to the MITRE techniques of “Server Software Component” and “Command and Control Application Layer Protocol” within a 1 day period. The entity of interest gives you additional grouping or aggregation capabilities to specify which systems/infrastructure it must occur on, or even which threat group mappings must be applied.
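As an added illustration of the correlation logic behind such a Threat Scenario (example code written for this article, not Anvilogic’s product code; the signal field names and the sample signals are constructed), the function below groups tagged signals by host entity, keeps only signals carrying both the “production_url” and “APT29” tags, and reports hosts where a Server Software Component signal is followed by an Application Layer Protocol signal within one day:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample signals, already normalized and tagged (field names assumed, not Anvilogic's schema)
SIGNALS = [
    {"host": "web01", "technique": "Server Software Component",
     "tags": {"production_url", "APT29"}, "time": "2020-12-14T02:10:00"},
    {"host": "web01", "technique": "Application Layer Protocol",
     "tags": {"production_url", "APT29"}, "time": "2020-12-14T09:45:00"},
    # same pair on web02, but three days apart: outside the 1-day window
    {"host": "web02", "technique": "Server Software Component",
     "tags": {"production_url", "APT29"}, "time": "2020-12-10T11:00:00"},
    {"host": "web02", "technique": "Application Layer Protocol",
     "tags": {"production_url", "APT29"}, "time": "2020-12-13T11:30:00"},
    # same pair on dev03, but the rules there carry no production_url tag
    {"host": "dev03", "technique": "Server Software Component",
     "tags": {"APT29"}, "time": "2020-12-14T03:00:00"},
    {"host": "dev03", "technique": "Application Layer Protocol",
     "tags": {"APT29"}, "time": "2020-12-14T04:00:00"},
]

# Scenario from the post: web shell signal, then C2 protocol signal, same entity, within one day
SEQUENCE = ("Server Software Component", "Application Layer Protocol")
REQUIRED_TAGS = {"production_url", "APT29"}
WINDOW = timedelta(days=1)

def find_threat_scenarios(signals, sequence=SEQUENCE, required_tags=REQUIRED_TAGS, window=WINDOW):
    """Return {host: (first_signal_time, last_signal_time)} for entities where the sequence occurs in order within the window."""
    by_host = defaultdict(list)
    for s in signals:
        if required_tags <= s["tags"]:  # drop signals missing any required tag
            by_host[s["host"]].append((datetime.fromisoformat(s["time"]), s["technique"]))
    hits = {}
    for host, events in by_host.items():
        events.sort()  # chronological order makes the sequence check a single pass
        for i, (start, technique) in enumerate(events):
            if technique != sequence[0]:
                continue
            idx = 1  # index of the next technique still needed
            for t, tech in events[i + 1:]:
                if t - start > window:
                    break
                if tech == sequence[idx]:
                    idx += 1
                    if idx == len(sequence):
                        hits[host] = (start, t)
                        break
            if host in hits:
                break  # report the earliest complete match per entity
    return hits
```

Widening the window or dropping the production_url requirement changes which hosts fire, which is the same trade-off the entity-of-interest and tag filters control in the builder.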
So, is it Possible to Detect Supply Chain Compromise?
Yes, it is possible, if you are prepared. A supply chain compromise is advanced and normally targets a specific business process or technology, so you will need to better understand those processes and points of entry, in addition to being able to identify whether you have any gaps in your existing detection capabilities that look for suspicious binaries being distributed through those trusted processes (ex. vendor software updates). Remember, there is no smoking gun technology that is going to detect this every time, but a better detection framework will help to harness the collective power of the individual tools and your custom detection signals to be more effective at closing the gap.
Anvilogic makes it easy for you to identify those control gaps, and helps you justify additional security spend on tools that may produce signals to help you detect that kind of activity. If you don’t have any existing alerts or signals today for the techniques that are a priority, we also have hundreds of detection rules available to help you fill in those detection gaps, with the idea of leveraging those in larger Threat Scenarios to detect patterns of suspicious behavior.
In the alert standardization section, you can see that we didn’t have any signals being generated that aligned to the “supply chain compromise” technique. That technique requires some file monitoring or network protocol analysis dataset to better understand the software that is being downloaded and distributed within your organization. Anvilogic will provide you with recommendations on what data and tools you may need to help you detect that technique, and once you have on-boarded those tools that allow you to create warnings or signals for that activity (ex. Static and dynamic file analysis/scanning tools, EDRs, etc.), you can then easily add those alerting components to your existing scenarios to improve your pattern based detection and your overall security posture.
To learn more about Anvilogic, you can visit our website at www.anvilogic.com and request a demo of our product.
To download this article please visit https://anvilogic.com/solarwindswhitepaper
About the Author
Mackenzie Kyle is currently the Director of Product Management at Anvilogic where he is responsible for product development and strategy. Prior to Anvilogic, Mackenzie spent 9 years at JPMorgan Chase (JPMC) working in their Cybersecurity Operations space where he spent time as an incident responder, senior technical lead, and manager of their Cybersecurity Operations Center. At JPMC his team was responsible for detecting, analyzing, and mitigating cybersecurity threats against JPMC’s information systems, infrastructure, and resources, which include over $2.3 trillion in assets, over 280,000 employees, and millions of customers worldwide. As the SOC manager, he was responsible for multiple functions including incident response, hunting, detection engineering, automation & orchestration, and an innovation team that focused on creating detection and response frameworks, while also aligning machine learning concepts to Cybersecurity Operations functions.
Mackenzie is from Syracuse, NY and currently resides in New York City. He holds a master’s degree from Syracuse University in Information Management, and multiple cybersecurity certifications.