GUIDE TO DETECTION & RESPONSE - RETHINK YOUR CYBER RESILIENCE STRATEGY E-BOOK - Service Description
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
GUIDE TO DETECTION & RESPONSE RETHINK YOUR CYBER RESILIENCE STRATEGY E-BOOK
2 F-SECURE GUIDE TO DETECTION & RESPONSE 3
GUIDE TO “THAT'S NOT TO SAY THAT SKILLED ATTACKERS AREN'T ALSO OUT THERE. BUT, AS A COMPANY
THAT'S BEEN INVOLVED IN MORE EUROPEAN CYBER CRIME INVESTIGATIONS THAN ANY OTHER
DETECTION & RESPONSE COMPANY IN THE WORLD, WE CAN TELL YOU THAT THERE'S NO POINT IN WORRYING ABOUT
THE NSA OR APT28 UNTIL YOU KNOW YOU CAN AT LEAST STOP THESE GUYS.”
From the field upon joining the collective, have little to no Unix skills to Naturally, it’s the guys at the top of the pyramid who mised company networks allows them to cherry-pick
Over the last few years, you’ve probably heard phrases speak of. They probably know about five commands in really benefit from all of this. They’re the ones providing prime targets for cyber extortion and data exfiltration.
such as “the tactics, techniques, and procedures crafted total. Newcomers are taken under the wing of a mentor the tools, and by pushing all their manual work down- And any company is a potential target.
by highly resourced threat actors are falling into the who provides them with simple tools and training to stream, they get access to thousands of compromised
hands of less skilled adversaries”. That’s long speak for get them started on their new hobby. These mentors systems. Meanwhile, the newcomers are happy to The fact that these groups are able to compromise
“expect a lot more script kiddies to start pwning your are almost as unskilled as the newcomers - they prob- proudly identify themselves as “hackers” on their Face- PCI-DSS-compliant organizations is a testament to the
systems”. As Dr. Ian Levy from GCHQ recently pointed ably know about five more Unix commands than their book pages (alongside other unrelated hobbies such as fact that purely preventative cyber security solutions
out, a lot of the attacks we’re seeing nowadays aren’t apprentices. But they’ve been in the game for a few windsurfing or snowboarding). simply aren’t cutting it anymore. And the reason why
“Advanced Persistent Threats”, they’re simple hacks weeks already, and have a wealth of experience. so many companies are now being owned in this style is
performed by “Adequate Pernicious Toerags”. The toolkits being pushed down the pyramid are usually due to the fact that they simply don’t have an ounce of
As newcomers learn the ropes (which usually implies designed to exploit or brute force common services such visibility into post-breach activities on their networks.
Nothing illustrates this phenomenon better than the that they’ve learned to configure and use a couple of as SSH and webmail servers. What might surprise you (or
group we’ve dubbed “The Romanian Underground”. tools), they’re promoted to mentors, and take on their not) is that these toolkits, in the hands of completely That’s not to say that skilled attackers aren’t also out
This is a group that we have had first-hand experience own set of apprentices. This hierarchical model closely unskilled noobs, are being used to compromise even there. But, as a company that’s been involved in more
with on a number of occasions while performing inci- resembles popular pyramid selling schemes you might PCI-DSS-compliant organizations across the globe. European cyber crime investigations than any other
dent response and forensics work. have had the misfortune to encounter. Of course, the The Romanian Underground represent just one of many company in the world, we can tell you that there’s no
guys involved in The Romanian Underground aren’t groups that form part of a growing trend of low-skilled point in worrying about the NSA or APT28 until you
looking to become millionaires by selling soap - the hackers and cyber criminals. The motives of the master- know you can at least stop these guys.
The Romanian Underground are, simply put, a bunch pyramid scheme is a form of gamification, where the minds behind these groups are, you guessed it, financial
of IRC chat room buddies who decided it would be cool goal is to collect as many owned systems as possible and gain. Acquiring access to a large number of compro-
to take up the hobby of “hacking”. Most of these kids, move up the ranks.
Spear Phishing
Spyware
s
Reconnaissance
Hu
ck
Ransomware Lateral Movement
ta
ma
Banking Trojans Priviledge Elevation
onducted At
Self-replicating Botnets
n Co
Establishing Persistence
Remote Access Trojans Data Exfiltration
nducte
0,1%
Protection common 99,9% Usually no Protection
d
C
A
End-point protection Managed Detection & Response
e
hin
t
Email security Endpoint Detection & Response
ta
Firewall Incident Response Services
c
c
a
ks
M
... But targeted attacks have the potential to be a lot more damaging. And most orga-
Commodity threats, and the solutions that protect against them are commonplace...
nizations aren’t protected against those at all. Read on to learn more.4 F-SECURE GUIDE TO DETECTION & RESPONSE F-SECURE GUIDE TO DETECTION & RESPONSE 5
THE ANATOMY OF AN ATTACK “WHEN GDPR AND NIS REGULATIONS ARE
EFFECTIVE, IT WILL BE MANDATORY FOR
State
ORGANIZATIONS TO HAVE AN ANSWER TO DATA
BREACHES.”
In our experience, most companies only banks and critical infrastructure providers
discuss cyber security as it relates to the (such as energy companies). The same TTPs
broader topic of risk management. While then get used against heavy industry and
performing risk analyses, companies identify finally, everyone else (manufacturing, retail, Commodity threats
threats or risks relevant to their organization SMEs, etc.). Commodity threats are highly prevalent, and have been for
and then prioritize them based on likeli- decades. A company’s chance of encountering commodity
hood, impact, and cost to mitigate. When Threats to an organization aren’t limited to threats is, therefore, extremely high. However, due to
Defense
addressing cyber threats, we’ve noticed a attacks from the outside. Accidental and their prevalence and long history, there are plenty of good
potential disconnect between the risk that intentional leaks can and do originate from software solutions available designed to protect against
companies perceive and the reality of the company insiders with enough access to these threats. And these solutions work as intended. If a
situation. We’d like to help clear that up. critical or confidential assets. Upstream business is hit by a commodity threat (such as crypto-ran-
attacks, where a partner, supplier, or somware), the impact is usually fairly low. Most of the time
Sophisticated cyber attacks tend to start contractor are compromised by an attacker it’ll be blocked by endpoint protection software. If it does
at the top and work their way down. It’s looking to establish a beachhead in an adja- get through, there are two options – pay the ransom or
fix the problem. Don’t pay the ransom and a handful of
Infrastructure
the opposite of “low-hanging fruit”. When cent organization are also very common. In
new types of attacks are discovered, they’re several incident response cases we’ve been staff will lose some productive work time. Pay and, most
usually attributable to highly resourced involved with, even physical intrusion of a of the time, you’ll get the data back. Ransom amounts are
threat actors (i.e. nation states). These adver- company’s premises was used as part of the low by company standards. So, the likelihood of seeing
saries, by default, go after the highest-value attack vector. a commodity threat is high, the impact tends to be low,
targets first. As the tactics, techniques, and and the mitigation cost is basically free (we assume you’re
procedures (TTPs) used in such attacks smart enough to be running an endpoint protection solu-
Cyber attacks come in many forms, ranging tion already).
become public knowledge, they trickle from commodity malware (such as ransom-
down into the hands of less organized cyber
criminals. New TTPs first see use against
ware) to highly skilled attacks performed Cyber crime
by nation-state actors. We’ve broken these Cyber crime represents the next category on our risk
governments, military targets, and defense threats down into separate categories.
contractors. Next on the ladder are usually assessment scale. This category moves beyond the realm
of commodity malware threats, and onto targeted attacks.
Banks
Companies are selected as targets for various reasons. In
some cases, a victim is chosen because they are “broad-
High
casting” themselves via weak or vulnerable infrastructure.
Other targets are selected simply because the attacker has
John NotPetya Regin taken interest in a particular organization, for one reason
Podesta’s
Gmail Havex
Trojan
Stuxnet/Duqu or another.
Triton/
Manufacturing
Trisis The
Shadow- Dukes Slingshot
US brokers
Office of
Personnel
Cyber criminal attacks are often opportunistic - the
Yahoo! Sofacy
Breach Hacking-
Team
attacker has an easy way in, sees an opportunity to make
Sony
Pictures
breach
money, and takes it. Cyber crime is by-and-large financially
Shamoon
motivated. Once the adversary has breached the target’s
Focus
SF Panama
Muni Papers
Protection offered
Hack
Tesco
Bangladesh
Bank network, systems or data will be held for ransom. We refer
Dridex
by typical corporate
level of investment
Bank to this phenomenon as “cyber extortion”. These types of
WannaCry
attacks are very much on the rise, and can target organiza-
VTech Hack tions of any size, from SMEs to large enterprises.
Necrus Mirai
Botnet Botnet
We predict that the introduction of the NIS and GDPR regu-
Exploit
Crypto
Ransomware Kits lations will further embolden cyber criminals and cyber
Retail
Crypto-
miners extortion schemes. Once these regulations are in effect,
companies may be more willing to fork over a ransom,
Low
in order to sweep the news of a breach under the rug
Low Skills High rather than face the expensive task of responding to and
reporting the incident.
Cyber Organized Nation
Cyber Hacktivists/ State
Crime Crime Researchers Actors6 F-SECURE GUIDE TO DETECTION & RESPONSE F-SECURE GUIDE TO DETECTION & RESPONSE 7
Cyber crime can be broken down into roughly two cate- “TARGETED ATTACKS DON'T CARE ABOUT YOUR ‘NEXT
gories – organized and non-organized. Organized cyber GEN’ PRODUCT, NO MATTER HOW SHINY THE VENDOR
criminal groups are very close, in terms of sophistica- CLAIMS IT TO BE. TO BE BLUNT, THE SOLUTIONS THEY’RE
tion, to nation-state actors. The Bangladesh bank attacks SELLING ARE FIXING THE WRONG PROBLEMS.”
of 2016 are a good example of organized cyber crime.
Non-organized cyber criminals often run as lone wolves.
They have less resources, and their skill can vary. The
Romanian Underground falls into this category.
DON’T BELIEVE THE HYPE
Two years ago, we’d have rated the likelihood of falling
prey to cyber criminals as low. Today, the likelihood is
medium, and on the rise. The financial and business Getting to the point of why we presented and response capabilities. And therein lies
impact of a targeted cyber crime attack can vary. In many this risk analysis, we’ve noticed that there’s the problem. Organizations are way too
of the cases we’ve responded to, ransoms demanded by still a very strong marketing push towards distracted to realize that they should start
non-organized cyber extortionists only ran into the tens endpoint protection solutions. We’ve seen investing in breach detection and response,
of thousands of Euros - not a hefty sum for most organi- “next gen” vendors claim that their solu- instead of another layer of protection
zations. But we don’t imagine that any organization would tions can prevent targeted attacks. Some against commodity threats (although the
simply pay the ransom and go about their business. The even foolishly claim that breach detection adversaries would love you to do this). Let’s
knowledge that an intruder is in their network is going to is irrelevant, since it’s already “game over” put it this way - would you rather have your
be enough to call in an incident response team to sort out if a threat gets through perimeter defenses. next incident involve cleaning malware off a
the situation. laptop in your sales department or dealing
It’s all very misleading.
with a full-blown data breach?
If an adversary manages to exfiltrate important data,
the costs of a cyber crime incident can really start to But don’t just take our word for it. Gartner
skyrocket. This is especially true if customer data was Targeted attacks don’t care about your
“next gen” product, no matter how shiny predicts that “by 2020, 60 percent of enter-
involved. No matter what, a breach is most likely going prise information security budgets will be
to incur reputational, legal, PR, business, and internal the vendor claims it to be. To be blunt,
the solutions they’re selling are fixing the allocated for rapid detection and response
productivity costs. And the considerations are no longer approaches, which is an increase from less
limited to protecting your business and its sensitive data, wrong problems.
than 30% in 2016.” So, ask yourself this: how
but regulatory bodies like the European Union have made much of your budget have you allocated to
new requirements. For example, the EU’s General Data Given this huge marketing push from “next breach detection and response right now?
Protection Regulation (GDPR) requires organizations to gen”, we’re not really surprised to see that We’re guessing it isn’t close to 60 percent.
be adequately prepared to detect, respond and report very few companies we’ve spoken to are In our experience, only 10% of companies
personal data breaches within 72 hours. aware of the need for breach detection we’ve talked to were even thinking about it.
Nation state
Companies that worry about being targeted by nation-
state attacks typically know who they are. They also know
that defending against a nation-state attack is almost By 2020, 60 percent of enterprise
impossible. Regardless, they’re forced to try (since they information security budgets will be
can’t afford not to). The impact of nation-state attacks
can vary from having top secret intellectual property
allocated for rapid detection and
stolen by overseas competitors or governments, to response approaches, which is an
having your nuclear enrichment halted when centrifuges increase from less than 30% in 2016.
are destroyed, like in Iran.
Gartner 'Special Report
Cybersecurity at the Speed of Digital Business’
Paul E. Proctor, Ray Wagner, 30 August 2016,
refreshed December 20178 F-SECURE GUIDE TO DETECTION & RESPONSE F-SECURE GUIDE TO DETECTION & RESPONSE 9
“ANY ORGANIZATION NOT RUNNING A BREACH DETEC- they’re being hacked. For many attackers, compro- While it would seem that attackers have the advan-
TION SOLUTION (OR NOT HAVING PERFORMED A mising systems is just as easy as a burglar walking into a tage, there’s actually a lot that defenders can do to
RECENT INVESTIGATION) MUST, IN THIS DAY AND AGE, house with the front door left wide open. turn the tables on them. Everything the attacker does
ASSUME THEY'RE IN A POST-BREACH STATE.” is bound to leave a trail of evidence behind them. And
But here’s something interesting - adversaries actually while a compromised system may not be able to tell
hate the idea of getting caught. And they hate operating you when it’s “owned”, there’s a chance that it logs
in an environment where there’s a chance they’re being some evidence. That evidence can be used to spot the
monitored. That’s why most good attackers will exercise intruder, or even travel back in time to reconstruct the
adversary’s movements.
FROM A DEFENDER’S DILEMMA TO caution. Once inside a victim’s network, a professional
intruder will tread lightly, while constantly being on the
AN INTRUDER’S IMPASSE lookout for signs that they’ve been detected. Just imagine the frustration when an attacker realizes
that every move they’ve made has been monitored, that
Attackers know that a good defender won’t react they’ve exposed their entire toolchain, and that they’ve
to signs of an intrusion in a panic – they’ll watch the effectively been sent back to square one. Not a great
Cyber threats are asymmetric in nature. They’ll then exfiltrate data using subtle feeling for the attacker. And a huge win for the defender.
An attacker only needs to succeed once to methods designed to mimic regular user intruder, gather intel, and then act on the situation
gain access to a network. Defenders must behavior. when they’re good and ready. As a defender, successful
succeed one hundred percent of the time if detection and effective response will, in the eyes of the This is, in our opinion, the best approach to cyber
they want to keep them out. You can’t rely adversary, constitute a breach of their mission. defense. Let’s delve into how we achieve that goal.
on being successful all the time. Most of the tools an attacker needs are
built into the operating system itself. And
attackers are adept at hiding from network-
And yet this is what most companies are based IDS systems by hiding in command
doing. Traditional perimeter defense tech- and control traffic. It’s almost impossible
nologies, such as firewalls and endpoint to detect modern attack techniques simply
protection software do a good job at what by analyzing network traffic. In fact, there
they’re meant to do - namely detecting
and blocking real-world and commodity
are too many ways for an attacker to hide.
All of these techniques fly under the radar
WHICH STRATEGY IS RIGHT FOR YOU?
threats. But you can’t expect these solutions of traditional perimeter defenses such
to stop advanced adversaries. Any adversary as firewalls, endpoint protection, and
worth their salt will craft an attack designed Of all the challenges that organizations face while With a lack of skilled defenders on their side, and
spam filtering. building breach detection and response capabilities, with the difficulties and cost associated with building
to bypass those defenses. And they won’t
even need to use malware to gain a foot- nothing really compares to the difficulty they face when their own breach detection and response capabilities,
hold in the organization (contrary to what In most cases, once a company has been trying to hire and retain good cyber security expertise. companies are battling cyber attacks and losing. This
you might have been told, skilled attackers breached, adversaries are able to act with It is estimated that, right now, there are at least two is why F-Secure has spent the last few years devel-
rarely, if ever, use malware). impunity for as long as they wish. It’s not cyber security jobs for every one person working in the oping and perfecting managed detection and response
uncommon for a company to find out field. This problem is expected to become even more services for the varying needs of companies – to bring
they’ve been compromised from a third acute in the future. The only way you’re going to get our world class cyber security expertise within reach
Cyber attacks commonly follow the same party (such as a cert organization). In our valid data from an in-house intrusion detection system of every organization.
pattern. Attackers start by breaching the experience in the field, on average the time (IDS) is by having experts on staff. The same goes for
perimeter of an organization with spear- between a breach happening and being keeping up on threat intelligence, configuring systems,
phishing, watering hole, or man-in-the- Our services don’t just provide human expertise,
discovered is 200 days. Think about that - it red-teaming, and responding to incidents correctly. So, though. They are built on top of threat intelligence,
middle attacks. Sometimes attackers may takes the majority of organizations months you’re probably going to need more than one or two
gain entry by exploiting a vulnerability in a sample analysis, and decision-making technologies that
or even years to figure out they have been experts on your payroll. have been developed in-house for over a decade. And
public-facing system, or even by purchasing hacked.
access to an already compromised system. while an organization could eventually develop their
Once inside the perimeter, adversaries And while you could eventually develop your own own in-house systems and expertise to the levels a very
perform reconnaissance, elevate privileges Any organization not running a breach in-house team, systems and expertise, in most cases we’ve reached, it would take them a very long time.
(by exploiting misconfigured or vulner- detection solution (or not having performed it means taking on a lengthy and expensive project.
able systems), hunt for domain admin a recent investigation) must, in this day and Finally, operating your own 24/7 Security Operations Our managed detection and response services are avail-
passwords (using memory-scraping tools age, assume they’re in a post-breach state. Center (SOC) with adequately skilled resources may able with different service levels and models to fit an
such as Mimikatz), and move laterally onto push the total cost of ownership to the level only the organization’s needs, whether enterprise or midsize. We
interesting systems. They’ll often establish largest enterprises are prepared to invest. invite you to consider the following three alternatives.
Breaches are becoming more and more
persistence using off-the-shelf RATs such commonplace. And this is because adver-
as Orcus, Litemanager, or luminocityLink. saries know that their targets have no idea10 F-SECURE GUIDE TO DETECTION & RESPONSE F-SECURE GUIDE TO DETECTION & RESPONSE 11
OPTION 1: OPTION 3:
Do it yourself (with option to augment your team) Managed Endpoint Detection and Response with a Local Service Provider
Many organizations have the resources to invest 24/7 protect their operations. Such organizations An alternative approach to managed detection and also supported by F-Secure’s experts to handle even
heavily in their own security teams and infrastruc- may find it useful to invest in an endpoint detection response is an Endpoint Detection & Response (EDR) the most complex cases.
ture. But even well-invested enterprises with their and response solution that helps their IT team iden- solution like F-Secure Rapid Detection & Response, Many companies find a local managed service
own SOC may find value in augmenting their own tify attacks during business hours, and also provides which is delivered by certified and trained service provider is the most suitable option to help keep
team with a vendor that exclusively provides cyber coverage outside business hours with automated provider partners. their operating costs low. Based on our experience,
security services. An extended team working along- response to isolate attackers. Such an approach can these tend to be small and midsize organizations.
side your IT team can help you overcome the issue of be enough to quickly determine the scope of an F-Secure trains our local managed service providers
hiring and retaining a big enough IT security team. attack, identify whether or not any personal data to support you in everything from monitoring your
was affected, and be able to meet the regulatory Even if your enterprise is a well-invested with
IT environment’s health and security status, to your own SOC, you may still consider augmenting
Not every company who handles detection and requirements to report data breaches within 72 detecting and guiding you in response actions in the
hours as required by the GDPR. your own team with a managed detection and
response in-house necessarily has staff working case of a breach. The local service provider is backed response service to reach 24/7 availability and below
by automation that can be used to extend their 30-minute detection to response time.
availability beyond covering business hours, and is
OPTION 2:
Managed Detection and Response with F-Secure for 24/7
To overcome the difficulty of trying to hire and with our cyber security experts means all detections BUILDING IN-HOUSE BREACH DETECTION
retain qualified cyber security expertise, F-Se-
cure offers fully managed detection and response
come with guidance and if needed, further clarifica-
tion. The availability of human expertise means your
AND RESPONSE CAPABILITIES IS DIFFICULT
(MDR) services. What we mean by “managed” is team will spend significantly less time on detections.
that there’s a minimal installation process on your We’ve noticed that, for most organizations, that, systems, rules, and feeds need to be
side to get things up and running, and after that, setting up in-house breach detection and constantly improved and modified as the
Rapid Detection & Response Service doesn’t just response capabilities tends to be a compli- world changes.
everything from breach detection to response is provide human expertise, though. It’s a service that’s
handled by us. Our teams of threat hunters, inci- cated, time-consuming, and expensive
built on top of threat intelligence, sample analysis, endeavor. There are multiple components
dent responders and forensics experts are available and decision-making systems with machine learning Responding to a breach is usually also a
around the clock for a fully managed breach detec- that need deploying and configuring. All of lengthy and expensive process that requires
and artificial intelligence capabilities that have been them are expensive, so purchasing decisions
tion and response service we call Rapid Detection & developed in-house for over a decade. And while expert data forensics and incident response
Response Service (RDS). take time and research. Different compo- work. A typical response scenario includes
an organization could eventually develop their own nents may or may not interoperate well, so
in-house systems and expertise to the levels we’ve removing the adversary from the network,
you have to figure that out, too. Then you cleaning up or restoring affected systems,
With Rapid Detection & Response Service you will reached, it would take them a very long time. need to select threat intelligence feeds, and
have the benefit of F-Secure’s world-class cyber resetting compromised accounts, deter-
there are dozens if not hundreds of those mining where the intruder has been, and
security experts monitoring your network 24/7. They Augmenting your own team’s availability and skills available. Deploying and configuring these
will review all detections within minutes and deter- determining what the intruder has done.
with F-Secure’s Rapid Detection & Response Service systems is a complicated job. And at the end Most companies don’t have the in-house
mine severity before alerting your team. False posi- help to easily reach 24/7 availability with 30-minute of all this, you’ll be left wondering if you’ve
tive detections are flagged immediately to ensure expertise or capabilities to perform these
service level and receive expert guidance to respond got everything covered and whether or not types of activities, and so must call on a third
your team only spends time on real threats. Working whenever under an attack. all the pieces are talking to each other prop- party to help.
erly. And that’s just the initial install. After12 F-SECURE GUIDE TO DETECTION & RESPONSE F-SECURE GUIDE TO DETECTION & RESPONSE 13
FROM DIY TO ROI
Because expertise, monitoring, threat hunting, and This is because, in our experience, finding actual threats In order to process this volume of events,
response capabilities are covered by F-Secure or our is like looking for a needle in a haystack. you also need reliable, up-to-date threat
service providers, once you’ve decided to implement intelligence. At F-Secure, we have our own
the service in your organization, all you need to do is
install simple sensors on your organization’s endpoints.
To illustrate with a recent real-world example, in a in-house sources. And after over 30 years in
the business, we also have a massive histor-
15
The time from initial deployment and configuration
1000-node customer installation, our sensors collected
ical sample collection that even gives us the
Real
around 2,000,000,000 events over a period of one Threats
to actual breach detection and response capabilities month. Raw data analysis in our back end systems ability to find relevant threats left undiscov-
is less than a week. In fact, we’ve been told by several filtered that number down to 900,000. Our machine ered from currently active threat actors. Confirmed by
customers that we have the easiest system they’ve ever learning systems and Broad Context Detection™ mech- Our researchers do both threat intelligence the customer
worked with. anisms then narrowed that number down to 25. Finally, investigations and reverse engineering.
those 25 events were analyzed, where 15 real threats This gives us both high-level knowledge of
The alternative to deploying a managed breach detec- were discovered (and verified by the customer). the global threat landscape and in-depth
tion and response service is a lengthy (in most cases technical knowledge of the threats them-
3-5 years) and expensive (multi-million Euro) project selves. Instead of studying each threat
The thing is, if you go with your own IDS/SIEM solution,
of purchasing, deploying, and configuring dedicated
systems, and hiring and training a sizeable staff.
it’s your organization that will need to process those
900,000 events. And that’s why we’ve gone to count-
independently, we identify relationships
between threats, allowing us to understand
the capabilities and motives of an adversary.
25
Detections
less customer sites and found threats on their network, We focus on the puzzle and not just on the
But a managed approach to detection and response despite those customers already running very well- individual pieces.
RDC threat hunters
isn’t just about a fast return on investment. We’ve seen known IDS solutions. Combing through the noise and confirmed anomalies
many companies go to the trouble of building a SOC and false positives is difficult, and can cause fatigue in even and contacted
setting up an IDS and SIEM, only to still not catch threats. the most diligent of analysts. customer
Threat Intelligence
900 000
Suspicious Events
1+ M€ After RDS engine analysis
of the raw data
Internal network IDS
EDR
1+ M€ Detection & Response IR
Situational Soc
awareness SIEM
1+ M€
2 billion
data events / month
Preventive
Endpoint
protection & Collected by ~1300
firewalls
end-point sensors
0 3-5
years14 F-SECURE GUIDE TO DETECTION & RESPONSE F-SECURE GUIDE TO DETECTION & RESPONSE 15
RAPID DETECTION & RESPONSE CENTER RED-TEAMING
At the core of F-Secure’s approach to Threat hunters F-Secure’s detection and response service action, which is a nice way to practice for
advanced threat protection is our Rapid Threat hunters are our first responders. They capabilities are primarily developed using a real incident.
Detection & Response Center (RDC), which monitor the service and hunt for threats. an iterative, red-teaming approach. In short,
is the base of operations for all of our detec- When a threat hunter discovers something we have our guys attack systems, figure out On the subject of red-teaming, we’ve chal-
tion and response services. At RDC, cyber suspicious, evidence is collected to verify what the service didn’t catch, and make lenged third parties to bypass F-Secure’s
security experts work on a 24/7 basis, where the incident. If a real incident is discovered, improvements. Some improvements are detection and response services, but none
they hunt for threats, monitor data and it is given a priority. High-priority alerts are made by hand. Others are learned by our have managed to do so yet. But there’s
alerts directly from our Rapid Detection & generated when there’s a strong indication backend systems during the red-teaming more. There are at least seventy companies
Response Service customer environments, of an ongoing breach, and in these cases, exercises. As part of this process, we docu- out there that claim they can detect and
flag anomalies and signs of a breach, and the customer is immediately contacted by ment and visualize the various attack chains remediate any targeted attack. In our expe-
then work with our customers to respond phone. For non-critical cases, guidance used, which allows the red-teamers to come rience, there are very few that actually can.
to real incidents as they take place. They is sent to the customer by email. Threat up with new, more devious attack methods. How do we know? Well, so far, we have a
also support our certified F-Secure Rapid hunters also keep the customer up to date flawless success rate on corporate exposure
Detection & Response service providers on any ongoing investigations. Our first recommendation to customers assignments (where a customer ordered
when their expertise is needed to resolve who have just purchased F-Secure’s detec- a targeted attack from us). In every single
the most demanding cases. Incident responders tion and response service is to bring in a case, we successfully breached organiza-
Incident responders are assigned complex third party and run a red-team exercise tions running our competitors’ products.
RDC staff have access to our own in-house, cases that customers are unable to handle against our service. Not only does it help you And none of those products detected our
world-class analytical and threat hunting on their own, and may assist the customer verify that everything has been correctly attacks. We’re not going to name any names.
tools, all of our threat intelligence data, and either remotely or on-site. Incident set up, it allows you to see the process in
a wealth of information and knowledge from response personnel can assist with a range
both our Cyber Security Services and F-Se- of technical and non-technical response
cure Labs organizations. In fact, all of these activities, depending on customer needs.
teams work closely in cooperation with We are also familiar with collecting evidence
each other. for law enforcement purposes, should it
be required. MAN & MACHINE
Staff at our Rapid Detection & Response
Center are trained to handle a variety of
tasks. We also train our managed service Forensics experts
At F-Secure we recognized that protecting and models to deliver the service. F-Secure’s
providers in many of these tasks. The main Forensics experts are specialists tasked
our customers from advanced threats team is available 24/7 and can provide world-
tasks fall into roughly three different roles with the most difficult of cases. F-Secure is
requires more than world-class technolo- class services with a 30-minute response
- threat hunters, incident responders, and one of the few organizations globally who
gies built around artificial intelligence. The time after detecting a real threat. Our certi-
forensics experts. can handle a very wide range of forensic
best way to provide an unequalled breach fied managed service providers also have
tasks, ranging from internal network triage
detection and response capability is not to different service levels, like availability only
to deep reverse engineering of unique
build just an advanced threat hunting tool, during local business hours supported by
malware samples. This allows us to handle
it’s to combine both man and machine with round-the-clock automation.
even the most complicated nation-state
machine learning systems and cyber secu-
originated attacks.
rity expertise. We recommend organizations calculate
their return on investment (ROI) with alter-
We recognized early on the difficulties other native approaches before simply jumping
companies had in building their own breach into purchasing a piece of technology, or
detection and response capabilities with hiring a sizeable team required to operate
a DIY approach, and decided to take the the technology. It can be difficult to reach a
managed service route. We also recognize positive ROI for building your own capabil-
the different needs various organizations ities, especially after the necessary human
have, so we designed our managed services expertise has been also considered.
to be available with different service levels16 F-SECURE GUIDE TO DETECTION & RESPONSE F-SECURE GUIDE TO DETECTION & RESPONSE 17
DETECTING BROADER CONTEXT
When a targeted attack occurs, you will context around all relevant events across F-Secure’s detection and response services
need a bigger picture than a detection from impacted hosts. Broad Context Detection™ are also designed to look for the existence of
one impacted host can provide. In order to helps people easily understand the targeted newly discovered threats in historical data.
fully understand the true severity of each attack by visualizing the set of circumstances Retrospective threat hunting is achieved
attack, you will need to discern the broader around an attack, and even provides recom- when new detection algorithms are run
context, and to do it quickly. mended actions for how to respond. Broad against historical data collected from each
Context Detection™ is a prime example of of our customers. This mechanism is espe-
To overcome the issue of having too many F-Secure’s “man and machine” approach cially useful when dealing with attacks from
raw data events for a human to process, F-Se- that empowers people to stop the attack more advanced adversaries (that may have
cure has developed behavioral data analysis swiftly, or even define automated response gone hidden for some time).
to narrow down the data, along with Broad actions when the team is off work.
Context Detection™ mechanisms to build F-Secure’s solution can be deployed during
ongoing incident response work, and is used
as a threat hunting service that can quickly
gain visibility into a network that has already
been breached.
INCIDENT MANAGEMENT AND Finally, the services continue to work outside
INVESTIGATIONS of the corporate network. In a world where
the classical security perimeter is crumbling,
traditional IDS approaches have become
ineffective (since they typically only work
on the edge of the network). These tradi-
tional approaches cannot track threats
ict Pre when devices are outside of the corporate
d network, or when people utilize cloud-based
services. Our endpoint sensor approach
Pre
ve
solves this problem rather effectively. What’s
more, we’ve been working on extending the
nt
service capabilities into cloud services, such
as Salesforce.
nd
De
po
te
Res ct
When a breach is discovered, having access anteed tamper-proof source of evidence
to historical data is the key to building a for incident response and forensic inves-
detailed post-breach event timeline. Since tigators. In the event of an incident, we
adversaries almost invariably wipe data to help the customer preserve any evidence
cover their tracks during an attack, having that is essential in subsequent incident
access to data that is stored off-prem- response actions.
ises means having a pretty much guar-18 F-SECURE GUIDE TO DETECTION & RESPONSE F-SECURE GUIDE TO DETECTION & RESPONSE 19
SUMMARY
We hope this document gave you a glimpse In the event of a breach, affected systems,
into how we see the threat landscape today. accounts, and access controls will be
As we see it, these bullet points pretty much automatically remediated.
summarize the situation:
For now, though, if you are concerned about
• Most organizations simply don’t whether you’re being hacked (and we think
know if they’ve been breached or you probably should be), we highly recom-
not. mend talking to us or one of our certified
• Static defenses aren’t even close service providers about F-Secure’s detec-
to being 100% successful against tion and response services. Because we
attackers. think a managed solution is the way to go.
• Attackers are overly cautious about And here’s why:
being caught.
• Building good breach detection • You’ll have full detection and
and response capabilities is diffi- response capabilities up and
cult. running within days of initiating
• Red-teaming is the only way to deployment.
properly test your defenses. • You won’t need to hire your own
THREAT HUNTING AND DATA SCIENCE cyber security experts, build your
own systems, or run your own
What we’ve seen happening over the last few response operations – we’ve got
Unlike the traditional approach of creating and applying Our analytics systems perform a number of tasks, from years reflects a new reality. And right now, that covered.
a set of detections based on known “bad” behavior, we analyzing and learning behaviors in monitored envi- building detection and response capabilities
run actual attacks against our systems and train them ronments to reducing false positives. Different anal- is a complex task involving many separate • We promise to contact you swiftly
on what “good” behavior looks like. We then flag every- ysis techniques are better suited for different tasks. components and moving parts. And a lot of after spotting any real incident on
thing else for further analysis and false-positive filtering. For instance, an expert system is best suited to find manual work. your network.
This, we believe, is the approach that most other breach the sort of behavior caused by common attack tools
detection vendors will also settle on in the future. and by the TTPs employed by cyber criminals. These We expect that down the road, components If you’re interested in reading more, we’ve
include PowerShell commands and malicious URLs and and technologies will be pieced together got a three-part e-book series that goes
Threat-hunting systems need to be able to adapt to IP addresses. Machine-learning systems are designed to create self-adapting automated systems into the consequences of a breach in more
changes quickly. Everything in a monitored envi- to spot previously unknown bad behavior, such as that are able to learn from any new stimuli detail, how companies are building their
ronment is in flux. People and devices come and DHCP hijacks, spoofing, and other stealthy evasion they encounter. Such systems will automat- own breach detection and response capa-
go. Operating systems and software get patched. tactics. We also utilize different multi-level combi- ically run network discovery, vulnerability bilities, and our tips on doing this stuff
New threats and TTPs emerge. Due to the nature nations of expert systems, statistical analytics, and assessment and patching, and perform yourselves. We also have numerous blog
of this flux, traditional IDS solutions tend to be machine learning. post-breach response and remediation posts on subjects including cyber crime,
“noisy” and prone to false alarms. These same tradi- activities. When intrusion or post-breach detection and response, and details behind
tional solutions are also always one step behind the We’ve found that simple statistical analytics are best TTPs are discovered, these systems will be the technologies and processes that F-Se-
threat landscape. suited for eliminating false positives, and by applying automatically reconfigured to prevent that cure uses. All of these can be found via
these methods, we currently eliminate approximately mechanism from being used in the future. F-Secure’s website.
In order to tackle this problem, our data scientists, 80% of all irrelevant alerts. The way we’ve built these
working alongside the experts at RDC, have designed systems and the way they interact with each other is
and built a series of backend statistical analysis, machine quite unique, and something we’ve not seen elsewhere
learning, and expert systems to support our analysts. in the industry.
The core of F-Secure’s backend is very simple, and all of
the complexity is embedded in surrounding algorithms. This combination of artificial intelligence and cyber
This approach enables very fast deployment times for security specialists is about the most efficient and
new detection algorithms (in minutes) and allows us accurate configuration we could come up with for
to adapt to changes quickly. With F-Secure’s detection working with the event data we receive. And it allows
and response service in place, there’s never a need to us to spot attacks before they have a chance to do
wait for the systems deployed on your own premises damage or access business-critical data.
to receive updates — all the logic is in our backend
systems.We see things others don’t ABOUT F-SECURE Nobody knows cyber security like F-Secure. security labs for a singular approach called For three decades, F-Secure has driven Live Security. F-Secure’s security experts innovations in cyber security, defending have participated in more European cyber tens of thousands of companies and millions crime scene investigations than any other of people. With unsurpassed experience in company in the market, and its products are endpoint protection as well as detection sold all over the world by over 200 broad- and response, F-Secure shields enterprises band and mobile operators and thousands and consumers against everything from of resellers. advanced cyber attacks and data breaches to widespread ransomware infections. F-Se- cure’s sophisticated technology combines Founded in 1988, F-Secure is listed on the the power of machine learning with the NASDAQ OMX Helsinki Ltd. human expertise of its world-renowned
You can also read
