March 11, 2019
Care and Feeding of Your Active Threats
By: Dan Moor

If you want your active threats (ATs) to live long and flourish, you need to start with a network that allows freedom and supports rapid growth.

An AT needs freedom to roam and access to all sorts of interesting places to make itself at home. The most fundamental way that you can encourage an AT to thrive and prosper is to remove all obstacles to new hosts and limit opportunities for detection, analysis, and response. Easy ways to do this are by keeping your network flat and unobstructed by any sort of control and making sure that any high-risk endpoints can clearly see a lateral movement target, such as a legacy application server, or maybe warm resting places, such as forgotten servers with an unmanaged interface directly exposed to the internet. Sometimes, all your AT needs is access to a large number of other end-user workstations where it can grow its credential knowledge and plant more tools for persistence, observation, and discovery.

Many times, you may feel that implementing network segmentation practices will improve your performance and data isolation, but in reality, you’ll only be limiting or delaying the potential spread of an AT. These segmentation efforts also present an opportunity for experienced application developers, solutions architects, or nosey and capable security teams to catch your AT before it has a chance to really set down roots.

Aggressive detection platforms and authentication requirements at the segmentation boundaries are sure to trip up weaker ATs before they have a chance to truly thrive. Improved visibility and detection controls will only allow an active security program ample opportunity to model its normal data usage and better make the newness of your AT stand out. Even worse, such visibility allows rapid response and scoping of any AT growth, leading to a high probability of a quick demise.

Finally, don’t bother confirming that your controls are effective through proactive investigations or analysis such as threat hunting. The time and money that you allow for analysts to roam through your data or build an intelligence-driven hunt program will certainly lead to earlier threat detections. This is especially true for threats that may have evaded signature-based and general threat correlation rules.

Keep these lessons learned in mind and you will have a well-established AT in no time! In fact, you may already have!

  • Lesson 1: Give your AT the most opportunities to land and expand as possible.
  • Lesson 2: The fewer barriers to network movement, the better.
  • Lesson 3: Forget about network security controls and points of visibility. The fewer, the better.
  • Lesson 4: Don’t be proactive.

All kidding aside, these "lessons learned" are still being learned the hard way by too many organizations. In this ongoing blog series, we will explore the continued proliferation and success of targeted attacks and network compromises. While some organizations have grown and improved, we have seen too many that are still years behind the current best practices in defense, controls, detection, and response. We are looking to promote a conversation about what works, what doesn’t, why these “known issues” are still a problem, and how one can prioritize improvements. We welcome your input and feedback.

To learn more about Accenture Security Cyber Defense Services, including Incident Response and Threat Hunting to minimize risk, exposure, and damage, please contact us at

Popular Tags

    More blogs on this topic