July 10, 2024
In this post we will focus on how we can align our cyber resilience goals to real-world threats and implement a strategy to adapt to multiple failure points if our endpoint defenses are impaired during an attack. We will start by reviewing some key principles of NIST Special Publication (SP) 800-160, Volume 2 that will help us to define our resilience goals. Next, we will leverage the MITRE ATT&CK Framework to understand the attack path an adversary would take and some techniques that could be used to disrupt or disable endpoint detection and prevention controls. Armed with this information, we can then develop a resilience strategy that incorporates the advanced capabilities of the Absolute Secure Endpoint platform, which will enable us to withstand and recover from these types of attacks.
Before we begin, we first need to understand that no matter how well prepared we are, there is always the potential that an adversary is going to out-maneuver our detections and defenses. This is true regardless of how well our security staff is trained, the thoroughness of our processes, and the capabilities of the technologies we have implemented.
Secondly, we need to accept that attackers can and will try to maintain persistence in our environments for an extended period of time before they are detected. A notable example of this behavior can be observed in the 2020 SolarWinds Orion incident where it took over 100 days to detect the intrusion after an adversary gained initial access to the victim’s environment. This is not an uncommon characteristic of software supply-chain attacks such as this one, which are known for their excessive dwell times. Even worse than an excessive dwell time is the fact that an intrusion may never be detected. We need to be cognizant of this since many of the cyber resiliency techniques and approaches that we may consider for implementation will make this same assumption.
Reference: New Findings From Our Investigation of SUNBURST
After accepting that an advanced adversary may have and most likely will have the capability to circumvent our detection and prevention controls, the next step is to develop a flexible strategy that meets the four high level goals of cyber resiliency. These goals, which define the “what” of a cyber resiliency solution, should align with the organization’s overall risk management strategy and are as follows:
Adversity in the context of these goals refers to any stealthy, persistent, sophisticated, and well-resourced adversary (i.e., the APT) who may have compromised system components and established a foothold within an organization’s systems. Once our goals are defined, the next step is to select and prioritize the “how” of our cyber resiliency solution, which are the techniques and implementation approaches that we use to achieve the four resilience goals. The next section will walk through some examples to see how this can be accomplished.
Per the MITRE web site, the “MITRE ATT&CK® is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.”
In this exercise we are going to use the MITRE ATT&CK framework to understand the TTPs (tactics, techniques, and procedures) that an adversary would use to evade our endpoint defenses and then map those to our four resilience goals. This starts with understanding the attack life cycle, which generally flows from left to right using various tactics to achieve a specific goal.
Looking at the Attack Life Cycle below, we can see that once reconnaissance has been completed, the attacker needs to find a way to gain a foothold in the target’s environment. Typically, this initial access will be gained from a successful phishing attack, exploitation of a vulnerability in an exposed system, or even by purchasing stolen credentials from an initial access broker (IAB). Once initial access has been achieved, an attack path that incorporates carefully selected TTPs will be followed to reach the final objective, which is typically the exfiltration of sensitive data and, in some cases, deploying post-exfiltration ransomware.
The specific tactic that we will be using for this focused area of our resilience strategy is Defense Evasion, which is roughly the halfway point in the attack path. There are a few reasons why an attacker may pause at this stage of the attack. One is concern over creating events and artifacts that might indicate their presence in the environment; another is the possibility that an EDR (endpoint detection and response) tool is prohibiting them from proceeding. A skilled adversary will assess detection and prevention mechanisms and determine the best approach forward that enables them to achieve their goals while maintaining stealth.
We have now arrived at our first goal of cyber resilience, which is anticipating that an adversary will attempt to impair our defenses. Using the MITRE ATT&CK Framework, we can drill down further to see some of the specific techniques and tactics that an adversary may leverage to accomplish this. Some of the techniques that have been used successfully in the past to bypass endpoint defenses such as AV and EDR are listed below.
After anticipating everything that an attacker may do to circumvent our endpoint security tools, let us move on to how we can withstand and recover from this attack, meeting two more critical goals of the cyber resilience engineering framework. The first question to ask here is: how are we going to detect this type of attack if the adversary has successfully impaired our defenses and we never received any alerts from our endpoint tool?
This is where Absolute comes to the rescue. Absolute technology is embedded in the firmware of over 600 million devices spanning most major manufacturers and will survive attempts to disable it, even if the device is re-imaged, the hard drive is replaced, or the firmware is updated. This means we have an advantage over the adversary when Absolute Persistence technology is activated, since they are generally limited to attacks targeting vulnerabilities and weaknesses in applications or the operating system.
We want to ensure that we are monitoring the health of our installed security applications across the entire fleet and configure alerting for when our endpoint detection and prevention controls are experiencing degradation. Next, using the Resilience features of Absolute Secure Endpoint, we want to ensure that our applications are configured for automatic repair and reinstall if an attacker has disabled, corrupted, or uninstalled our endpoint security tool.
What if repairing or reinstalling is not an option due to a vulnerability in the endpoint security tool for which no known mitigation exists? We might also be in a situation where we have lost supporting infrastructure for endpoints due to a ransomware attack or issues with a service provider. This presents a very precarious situation where we are not able to regain control of our endpoint devices, and the attacker continues to maintain persistence. We also lose the ability to perform remote investigation, containment and recovery actions. Our only remaining option is manual intervention with physical access to the device.
With our modern hybrid workforce distributed over many geographic locations, this becomes an almost impossible situation to recover from – unless, that is, we apply the remaining goal of cyber resilience, which is the ability to adapt! With Absolute’s always-on connectivity back to the Secure Endpoint console, we can detect, respond, and recover even if the device has been fully compromised. Absolute has the capability to remotely deploy alternative security tools and agents out of band, and if this is not an option, run powerful query and remediation scripts from the Secure Endpoint console.
Now that we understand how to align real-world threats with cyber resilience goals and implement a solution to adapt to multiple failure points, this information should be used to build out an incident response playbook of last resort. This playbook should walk through all the steps required for preparing for an incident where our primary security controls have been disabled and take into consideration that an attack has compromised or disrupted normal capabilities that are used to manage the endpoint fleet. Some key activities to consider include:
To ensure that endpoints supporting key business functions can be restored during and after adversity, leveraging Absolute’s resilience capabilities as an integrated component of incident response, business continuity, and disaster recovery processes is a must. With the ability to monitor and report on the health of the endpoint security stack, organizations can keep track of over 80 security-focused applications, which includes endpoint detection and response, unified endpoint management, and DLP. Interactive reports and widgets provide detailed insights into overall application health, the reasons for failures on individual devices, and the status of remediation attempts. In addition, automated remediation processes can swiftly repair and restart failed security applications, reinstall removed applications, and upgrade them to compliant versions. Even when traditional tools fail, resilient self-healing endpoints can ensure application updates are performed successfully.
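To make the monitoring and automated-remediation logic described in the two passages above concrete, here is an added example (written for this post; it is not Absolute's code and does not use the Secure Endpoint API). It assumes a hypothetical per-device heartbeat containing the state and version of each security application, checks it against a hypothetical compliance policy, picks the matching remediation (restart, upgrade, reinstall, or out-of-band query when the device has gone silent), and raises a fleet-level alert when the share of impaired devices passes a threshold. All heartbeat data is constructed sample input.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Hypothetical compliance policy: required security apps and minimum compliant version.
POLICY = {"edr-agent": (7, 2), "dlp-agent": (3, 0)}
STALE_AFTER = timedelta(hours=24)  # no heartbeat for this long is itself a failure

@dataclass
class AppHealth:
    name: str
    version: Optional[tuple]  # None when the application has been removed
    state: str                # "running" or "stopped"

@dataclass
class Heartbeat:
    device: str
    seen: datetime
    apps: list = field(default_factory=list)

def assess_device(hb: Heartbeat, now: datetime) -> list:
    """Return (app, reason, remediation) for each policy violation on one device."""
    if now - hb.seen > STALE_AFTER:
        # The device stopped reporting: in-band repair cannot be trusted, go out of band.
        return [("*", "no heartbeat", "out-of-band query")]
    installed = {a.name: a for a in hb.apps}
    findings = []
    for app, min_ver in POLICY.items():
        a = installed.get(app)
        if a is None or a.version is None:
            findings.append((app, "missing", "reinstall"))
        elif a.version < min_ver:
            findings.append((app, "outdated", "upgrade"))
        elif a.state != "running":
            findings.append((app, "stopped", "restart"))
    return findings

def fleet_report(heartbeats: list, now: datetime, alert_ratio: float = 0.05):
    """Per-device findings, impaired ratio, and a fleet alert when the ratio exceeds alert_ratio."""
    per_device = {hb.device: assess_device(hb, now) for hb in heartbeats}
    impaired = sum(1 for f in per_device.values() if f)
    ratio = impaired / len(heartbeats) if heartbeats else 0.0
    return per_device, ratio, ratio > alert_ratio

# Constructed sample heartbeats (not real telemetry).
NOW = datetime(2024, 7, 10, 12, 0)
SAMPLE = [
    Heartbeat("LAPTOP-01", NOW - timedelta(minutes=5), [AppHealth("edr-agent", (7, 2), "running"), AppHealth("dlp-agent", (3, 1), "running")]),
    Heartbeat("LAPTOP-02", NOW - timedelta(minutes=9), [AppHealth("edr-agent", (7, 2), "stopped"), AppHealth("dlp-agent", (3, 1), "running")]),
    Heartbeat("LAPTOP-03", NOW - timedelta(minutes=2), [AppHealth("dlp-agent", (2, 9), "running")]),  # EDR uninstalled, DLP old
    Heartbeat("LAPTOP-04", NOW - timedelta(days=3), []),  # silent for three days
]

if __name__ == "__main__":
    devices, ratio, alert = fleet_report(SAMPLE, NOW)
    for dev, findings in devices.items():
        print(dev, findings or "healthy")
    print(f"impaired ratio {ratio:.0%}, fleet alert: {alert}")
```

The "no heartbeat" finding is deliberately routed away from in-band repair, which is the case the post covers with out-of-band deployment and remote scripts.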