Knowing Your Battle Space - Part 1

Over an 5 part series we will detail our approach on how we became better defenders at our organization by adopting a common knowledge framework. We fully leveraged this framework across our entire security organization to accomplish very specific goals that to this day continue to add in our capabilities as defenders. I would like to introduce to all of you what we call Dark Falcon.

Problem Statement

As defenders, there are many times our priorities are being determined by forces outside of our control. We are being guided by urgent projects, never ending vulnerabilities, sensational headlines, and over promised technologies. Meanwhile, real attackers continue to try to exploit our IT infrastructure and our End Users. The sophistication level of an average attack on the enterprise environment is increasing by the day and the average burnout of a defender is increasing by the minute. At some point, you start asking yourself are we always just suppose to lose?

To begin, instead of asking ourselves if we are supposed to lose, we started by asking ourselves the following, what does success look like to us as defenders?

We came up with the following:

  • Understand our entire attack surface in a moment's notice

  • Gain the ability to predict the likelihood of future attack

  • Understand how well our defensive controls are actually working post implementation

  • Profile known attacks being utilized by threat actors and know instantly how well you are protected against those exact attacks

  • Very easily measure the success and fail rate for Proof of Concept security products in a competitive bakeoff

  • Easily be able to assist our C level executives in making very clear business decisions on how money and resources should be used to improve the overall security posture of the company

  • Not ending up in the news for a breach that could have easily been prevented!

Forget the Past

To start to work towards an ideal world for a defender we knew we had to start somewhere. We realized very quickly that our goals for success were so big that the existing problems we had paled in comparison. This was actually quite refreshing. Our current "always loose" mindset was thrown out the window and we only looked forward at that point. It was very clear to us that it was our duty, obligation and responsibility to not only succeed for ourselves but for the entire security community.

The talk that changed everything was BruCON 0x08 - Building A Successful Internal Adversarial Simulation Team, by Chris Gates & Chris Nickerson. That was our introduction to a new approach to measuring our security and to the MITRE ATT&CK framework. We want to take a moment to acknolwedge the work they had done and shared with the community, without that we would not have been able to create and adopt what we have done.

Let's Begin

We started by taking an inventory of what we had to work with and fully documented the capabilities of our entire security stack. This included things like documenting all our security tools, analyzing our network infrastructure and hypothesizing solutions to easily solvable security gaps. Once this was complete, we knew we had to formalize our approach and we did this by adopting the MITRE ATT&CK framework.

MITRE ATT&CK

For those of you who are unaware, MITRE are the folks that are responsible for the handling and reporting of all common vulnerabilities and exposures (CVE’s). In a new effort, MITRE coined the term ATT&CK which stands for Adversarial Tactics, Techniques, and Common Knowledge. They describe this framework as "a threat modeling methodology and suite of models for the various phases of an adversary's lifecycle and platforms that are known to be targeted by cyber threats.”

There is a lot that goes into the MITRE ATT&CK that is beyond the scope of this post. But for the purpose of knowing how we utilized ATT&CK to improve our security it is important to know the following.

MITRE at the time of this post has defined 169 attacker techniques across the Windows, Mac, and Linux operating systems.The theory is that the better you can defend against all these techniques, the more likely your overall security posture will be resilient in defending against adversaries. Upon further analysis, our team fully agreed with this approach and invested all the extra time we had in learning everything we could about MITRE ATT&CK and how we could best utilize the methodology. Attackers have used frameworks very successfully for years, why not defenders?

I Think We Need A Name In Case We Ever Tell Anybody About This

The last piece of the puzzle was figuring out what to call this effort. We decided on Dark Falcon. Not just because it sounds cool but because of the following:

  • Humans have used falcons for many years for hunting

  • Falcons mate for life so they are in it for the long haul

  • They can see better than you

  • Falcons are not picky eaters they hunt thousands of different species for food

  • Falcons are durable they migrate as much as 15,500 miles a year

If a Falcon does not describe the essence of what a true defender is, I am not sure what does.

Part 2

In part 2 of the series we explain how we utilize the MITRE ATT&CK and our logging solution to create a maturity model and help visualize the various tactics in our environment.

Threat Hunting, Situational AwarenessEric Groce1 Comment