Threat modeling is a continuous process that starts during the early phases of the design of layered defense and continues throughout the security lifecycle. Persistent Threat Modeling allows the organization to rapidly get answers, intelligence and recommendations for advanced threats, and scale response and investigation efforts to reduce time, resources and impact.
- Who is targeting you? 90% of the incidents investigated by SecureState use valid credentials to gain and maintain access
- What are they after? In 70% of the incidents the attackers are after Intellectual Property; in 25% they are using your systems to attack and steal from others
- Where are they right now? If you own more than 3000 endpoints, attackers are already on your network and systems
- How long have you been compromised? SecureState, on average, responds to incidents that unfortunately have already been active for months
- How are you identifying compromises? SecureState validates that only 10% of organizations correctly identify, or fully identify, compromises; most notifications come from third-party companies or law enforcement
- What can you do to counter the loss and attacks? Threat Modeling allows the organization to implement a structured approach to incident identification, validation, containment, and limiting business impact
It’s a Solution, not a Product. Combating advanced threats against the architecture and its assets and data requires a sustained, efficient, repeatable and effective strategy. It is therefore paramount that an organization can verify and validate compromises, collect evidence, contain and eradicate threats, and rapidly recover from impacts. The organization must understand that incident detection, validation and response are a continuous business process, not a piece of purchased software or an audit checkbox. Through system and network baselining, network and host-based monitoring, and signature detection and creation, a thorough Threat Modeling program succeeds in identifying malicious activity and communication that suddenly becomes active or hides within legitimate traffic. Generally, SecureState defines a Threat Modeling program to consist of four primary methodologies:
1. Preparation Controls
   - Active endpoint and corporate penetration testing
   - Active testing of IR procedures and data collection
   - Ensure logging, monitoring and alerting are in place
   - Baseline systems and network activity
   - Data Discovery and Classification Controls
2. Real-time Monitoring and Intelligence Gathering Controls
   - Network and system communication traces
   - Incorporate emerging threats and prior IR intelligence
   - Data aggregation, correlation and alerting
   - Baseline threshold monitoring
   - System and network baseline health-checks
3. Real-Time Investigation Controls
   - Validation of threat events
   - Rapid containment and blocking strategies
   - Virtual IRT Deployment
4. Real-Time Host Interrogation Controls
   - Rapid investigation response
   - Correlation of system artifacts, trends and anomalous patterns
   - Evidence collection
Threat intelligence is the heart of Persistent Threat Modeling; without it, there would be no value. Threat Intelligence can be gathered through partnerships with law enforcement, government agencies, and security professionals. Primarily, however, Threat Intelligence should consist of the collected data and analysis of IR investigations and penetration assessments. SecureState employs this primary method to enhance and build our attack trends and evolving and emerging threat indicators. SecureState has a powerful differentiator with intelligence gathering and analysis: SecureState knows how organizations are compromised and impacted because we do hacking and IR exercises daily, and incorporate our results and analysis. SecureState has the ability to use cutting-edge attack techniques, monitor the attack methods and responses, develop custom threat indicators, and then correlate and combine them with external threat sources and analysis, providing a dynamic and powerful monitoring solution. The ideal Threat Intelligence will combine integrated forensic, hacker and risk perspectives:
- Incident Response Team members should actually sit down with IT and security staff to help monitor and identify attacks while performing an active attack (i.e., a penetration test) concurrently. This provides a vehicle to monitor, collect and develop attack and compromise indicators.
- Incident response should be augmented from a hacker’s point of view.
- Attack patterns, compromise responses, and C2 communications should be actively captured and incorporated into an evolving Threat Database.
- Intelligence gathering should identify and validate incidents’ impact and an organization’s risk controls concurrently.
- Intelligence should provide an integrated response to determine how, when, why, and where a compromise or incident occurred.
- Proactively engage with other testing and evaluation professionals, and state and local responders, who are actively engaged in and manage incidents, to share information, methodologies and intelligence.
To determine the full impact of a compromise, the organization must inspect all supporting evidence regarding the incident, from log correlation and baseline monitoring to system and network artifacts. Traditional investigative techniques, such as relying on antivirus suites and rootkit detection tools or relying on perimeter alerts, can adversely affect the speed of identification and containment and the integrity and availability of evidence, or lead to unidentified indicators of compromise. Most notably, traditional incident response will most likely miss attackers that use valid credentials to access systems and sensitive data.
Effective and efficient incident response teams combine intelligence, resources and technology to overcome the issues of traditional tools and techniques, such as scope, correlation, speed and detection limitations. To counter advanced threats, an organization requires a solution that can reach out to endpoints and network nodes and collect all indicators of compromise, reliably acquire and process evidence, understand the environment, and rapidly determine containment actions.