Security used to be all about building walls around our organizations and trying to immediately stop all attacks. But today’s adversaries are sophisticated, persistent, and not going to back down. They will get in. Once you accept this truth, it should be clear that we need to learn as much as we can about attackers in order to defeat them.
After tracking attackers for many years in my days working for the U.S. government lab at The MITRE Corporation, my team and I recognized something important — an advantage that we weren’t acknowledging. For an attack to happen, the bad guys have to use our systems — and when they do, we have an opportunity to tear them apart. But first, we have to get beyond our kneejerk reaction to malware: blocking.
The problem with blocking
The natural, human reaction to malware is to block it — and the faster, the better!
There are two major, and interrelated, problems with this strategy:
- Blocking malware often doesn’t actually stop an attack, because you may only be blocking one small part of the campaign against you
- In effect, you have turned off the only source of information you have about the attacker.
In other words, by blocking an attacker, you’ve just burnt one of the only advantages you have against them. With adversary dwell times ranging from months to years, finding another intrusion will take time and significant resources.
So if we’ve all seen the “block-and-drop” approach fail time and again, why is it still the norm?
The psychology of “block and drop”
The security community has been talking about why the “block-and-drop” strategy is insufficient for years. But the psychology that drives many organizations to rely on it is deep-seated and hard to conquer.
I believe it comes down to our natural desire to defeat threats and return to a sense of safety. People hear the word “block,” and it makes them feel better. Of course you want to block malware.
To combat this psychology, it may help to think about a piece of malware as just one soldier in an army that is fighting against you. If you’re able to capture that one soldier and get information about what the army is planning, you’re more likely to win the battle. On the other hand, if you eliminate them, you won’t know which direction their battalion is coming from, what weapons they’re using, or what their goals are. Similarly, blocking and dropping a piece of malware is unlikely to stop the overall attack and leaves you endlessly fighting the enemy, one by one.
If we aren’t going to block and drop malware the second we catch it, what’s the alternative?
Be very quiet: We’re hunting moles
Attackers target organizations either because they want to gain information (e.g. intellectual property, financial details, or customer information) or they want to hold your system hostage for a ransom. Getting the information they want or holding your system hostage requires persistent access to the target organization’s systems by the attacker. So it’s not just about getting in. It’s about staying in as long as possible.
The good news for defenders is that, in order to stay in as long as possible, the attackers have to leave artifacts behind in the form of malware and its command and control (C2) traffic.
In light of this reality, my teams at MITRE came up with a new approach. Instead of just blocking the bad guys, we started to:
1. Share information about attacks with one another.
2. Build processes and tools to effectively find the artifacts attackers leave behind.
From there, our effectiveness at defeating malware rapidly improved. This approach is now known in the security world as “hunting.”
Unlike traditional “block-and-drop” strategies, the hunting approach focuses on the need to gather and correlate intelligence about the entire attack from within your system to formulate an effective response. Part of the approach revolves around finding patient zero (the original place where the attack happened) and then identifying where the attack spread to.
Okay, but wait a minute. If you’re going to leave the malware in your system while you learn from it about the larger attack, doesn’t that leave you vulnerable? Luckily, the infosecurity community has come up with a special tool called a DNS blackhole that can keep the malware active without allowing it to communicate back to its hosts (this is what ultimately causes damage to your system.) So, even without blocking the malware, you can still neutralize it and keep your systems safe.
Later, once the attack has been successfully investigated, you can kill the malware and move on.
United we stand, divided we fall
I’ve seen some commercial security defenses start to pivot towards this “hunting” approach in the past few years, but more organizations need to get on board. The bottom line is that, when it comes to malware, it’s time to start being calm and deliberate in our responses.
Beyond starting to think like hunters, we as an industry need to become much more open about discussing attacks with the broader community. For example, we need to start openly sharing indicators from patient zero, such as subject lines from phishing emails or command and control domains. Using this information, defenders can better predict what types of attacks will follow and avoid being the next patient zero (or one, two, or three).
If you’re looking for a way to get started with sharing security information, consider joining communities like InfraGard and ISACs, which share key indicators of patient zero for use against our adversaries.
Once we begin to pivot our approach to focus more on hunting our adversaries by means of the indicators they leave behind, we’ll see a lot more success against attackers. By chasing down these indicators and sharing them with the broader community, we’ll be able to better protect ourselves and the wider world of “good guys” from the ill-intentioned attackers who have, until now, been having a field day.