If you want your active threats (ATs) to live long and flourish, you need to start with a network that allows freedom and supports rapid growth.
An AT needs freedom to roam and access to all sorts of interesting places to make itself at home. The most fundamental way that you can encourage an AT to thrive and prosper is to remove all obstacles to new hosts and limit opportunities for detection, analysis, and response. Easy ways to do this are by keeping your network flat and unobstructed by any sort of control and making sure that any high-risk endpoints can clearly see a lateral movement target, such as a legacy application server, or maybe warm resting places, such as forgotten servers with an unmanaged interface directly exposed to the internet. Sometimes, all your AT needs is access to a large number of other end-user workstations where it can grow its credential knowledge and plant more tools for persistence, observation, and discovery.
Many times, you may feel that implementing network segmentation practices will improve your performance and data isolation, but in reality, you’ll only be limiting or delaying the potential spread of an AT. These segmentation efforts also present an opportunity for experienced application developers, solutions architects, or nosey and capable security teams to catch your AT before it has a chance to really set down roots.
Aggressive detection platforms and authentication requirements at the segmentation boundaries are sure to trip up weaker ATs before they have a chance to truly thrive. Improved visibility and detection controls will only allow an active security program ample opportunity to model its normal data usage and better make the newness of your AT stand out. Even worse, such visibility allows rapid response and scoping of any AT growth, leading to a high probability of a quick demise.
Finally, don’t bother confirming that your controls are effective through proactive investigations or analysis such as threat hunting. The time and money that you allow for analysts to roam through your data or build an intelligence-driven hunt program will certainly lead to earlier threat detections. This is especially true for threats that may have evaded signature-based and general threat correlation rules.
Keep these lessons learned in mind and you will have a well-established AT in no time! In fact, you may already have!
- Lesson 1: Give your AT the most opportunities to land and expand as possible.
- Lesson 2: The fewer barriers to network movement, the better.
- Lesson 3: Forget about network security controls and points of visibility. The fewer, the better.
- Lesson 4: Don’t be proactive.
All kidding aside, these "lessons learned" are still being learned the hard way by too many organizations. In this ongoing blog series, we will explore the continued proliferation and success of targeted attacks and network compromises. While some organizations have grown and improved, we have seen too many that are still years behind the current best practices in defense, controls, detection, and response. We are looking to promote a conversation about what works, what doesn’t, why these “known issues” are still a problem, and how one can prioritize improvements. We welcome your input and feedback.
To learn more about Accenture Security Cyber Defense Services, including Incident Response and Threat Hunting to minimize risk, exposure, and damage, please contact us at CIFR.firstname.lastname@example.org.
Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.
Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this report is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report.
Copyright © 2020 Accenture. All rights reserved. Accenture, its logo, and High Performance Delivered are trademarks