Darwin is Alive and Kicking: Evolving Beyond “Intrusion Prevention” towards “Attack Detection”

September 30th, 2015 by admin

Darwin chair drawingLet me start by declaring that I’m a big believer in evolution theory (shocker!), and that Charles Darwin is alive and kicking in IT security markets in 2015! Why, you ask? Because every major incumbent vendor is “evolving” their messaging from a prior mantra of “Blocking” and “Preventing” attacks towards a new mindset of breach “Detection” that recognizes the stark reality that not all attacks can be prevented.

With the massive growth in breaches that have occurred over the last 24 months, it’s hard for anyone other than the most obstinate of security professionals and vendors to deny the fact that 20 years of blocking and prevention technologies have failed – at least in part. While prevention technologies are a critical first step to stop the vast majority of known bad actors and malware from breaching your network, they are clearly not sufficient. Millions of user accounts have been breached…Ashley Madison, Office of Personnel Management, Internal Revenue Service…and that’s just in the last few months.

Unfortunately, all the hysteria and anxiety has driven some legacy, prevention-oriented vendors to quickly try to change their spots and adapt to this new reality. A number of recent IT security vendor marketing pivots to inappropriately capitalize on this anxiety causes me to clearly define the differences between existing threat “Prevention” technologies and the rapidly emerging demand for new “Attack Detection” technologies.

Let’s start with the basics. Twenty years of IT Security industry focus on threat “Prevention” results from a mentality that all threats could be stopped if only we could build sufficient “defense in depth,” or “layered security,” or “higher and wider walls.” The fundamental presumption being that with enough layers of security systems you could identify an attacker in real-time (or near real-time) and prevent the attackers’ initial intrusion attempt to compromise a host or user account on your network. This mentality is reflected in the widely referenced “Cyber Kill Chain” model developed by Lockheed Martin, which focuses almost entirely (71%, in fact!) on the initial “Intrusion Attempt Phase” of the attack.

Lockheed Martin Cyber Kill Chain chart-1

The reality, however, is that the Cyber Kill Chain—and the legacy vendor community that embraced this perspective for two decades—disproportionately focuses security resources on the “Intrusion Attempt Stage” that literally takes only a few seconds or minutes, while focusing inadequate attention on the “Attack Phase” that can extend for months on average. Mandiant (ironically, now owned by FireEye) published their Beyond the Breach report, which confirmed this by documenting the average 229-day dwell time for Attackers that had successfully bypassed the intrusion prevention layer. Once attackers can bypass Prevention systems, they can operate with unfettered access on the network. As shown in Graphic 2, a time-adjusted version of the attack life cycle shows a much longer and more realistic “Attack Phase” when the attacker must perform hundreds and thousands of reconnaissance and lateral movement activities to successfully perpetrate the objective. Legacy threat prevention systems are generally blind to (i.e., worthless for) detecting these phases of the attack.

Lockheed Martin Cyber Kill Chain chart-2

Now that the industry acknowledges that targeted attackers are successfully bypassing threat prevention infrastructure, it must look in the mirror and ask itself the obvious question: If we can’t rely on 100% comprehensive prevention, how do we detect these attack operations once they are on the network? And, are there any automated security tools available to help us do this?

The rapid emergence in the use of the Attack Detection term represents a fundamental change in mindset compared to the legacy presumption that comprehensive threat prevention is possible. The term “Attack” refers to the active stage that begins once the attacker has compromised a networked host or user account (i.e., it presumes that a successful “Intrusion” has occurred). An attack is a very long process (eight months according to Mandiant!), and is not a single event coincident with the completion of the attack. “Detection,” as opposed to “Prevention,” assumes that attacks will occur and refers to techniques that have been developed to monitor network events, user events, and endpoint state to find the signs of these attack activities after the initial intrusion is complete. The obvious distinction to make is that “Detection” techniques should not use the same malware-hunting techniques employed by “Prevention” vendors. If the attackers have successfully found a way to circumvent prevention systems that look for static technical artifacts, then they are likely going to be able to continue to defy detection once on the network.

If a technology does not identify the operational behaviors of active attackers on the network and the endpoint, then it’s not a “Detection” product. Be wary of any vendor that claims to have “Detection” technologies in their arsenal, but can only point to technologies that identify malware and command and control traffic based upon some statically-defined signature, blacklisted domain/threat intelligence, hash, or malicious file behaviors (all of which are now referred to by a fancy new name, Indicators of Compromise or IOCs).

I pity the user community who must wade through the sea of marketing distortions. I also pity the legacy threat prevention vendors who have no choice but to evolve their message beyond exclusive focus on threat prevention given the realities of the market today.

Just like a leopard can’t change their spots, a vendor can’t change their market positioning without product features to support it. Evolution takes millions of years. Even in our industry’s famed “Internet Years”…that’s a very long time.

Leave a Reply

Your email address will not be published. Required fields are marked *