Threat Landscape Trends: Endpoint Security

Part 1: Critical severity threats and MITRE ATT&CK tactics

In the ongoing effort to protect your organization, deciding where to dedicate resources is essential. To act efficiently, you need a good understanding of your local network topology, cloud deployments, hardware and software assets, and the security policies in place. You also need to know what is traveling through and residing in your environment, and how to respond when something is present that shouldn't be there.

That is why threat intelligence is so vital. Not only can threat intelligence help defend what you have, it can tell you where you're potentially vulnerable, along with where you've been attacked in the past. Ultimately, it can help inform where to dedicate your security resources.

What threat intelligence can't tell you is exactly where you'll be attacked next. The truth is that there is no perfect way to predict an attacker's next move. The closest you can come is understanding what's happening out in the wider threat landscape: how attackers are targeting organizations across the board. From there it's possible to make those critical, informed decisions based on the data at hand.

This is the purpose of this new blog series, Threat Landscape Trends. In it, we'll look at activity in the threat landscape and share the latest trends we see. In doing so, we hope to highlight areas where you can quickly have a direct impact defending your assets, especially if you're working with limited security resources.

To do this, we'll dive into various Cisco Security technologies that monitor, alert on, and block suspected malicious activity. Each release will focus on a different product, given the unique view of activity each can offer, informing you on different facets of the threat landscape.

To kick off the series, we'll start with Cisco's Endpoint Security solution. Over the course of two blogs we'll examine the kind of activity we've seen on the endpoint in the first half of 2020. In the first, we'll look at critical severity threats and the MITRE ATT&CK framework. In part two, to be released in the coming days, we'll dive deeper into the data, providing more technical detail on threat types and the tools used by attackers.

To protect an endpoint, Cisco's Endpoint Security solution leverages a security lattice comprised of several technologies that work together. We'll drill into telemetry from one of those technologies here: the Cloud Indicator of Compromise (IoC) feature, which detects suspicious behaviors observed on endpoints and looks for patterns linked to malicious activity.

In terms of methodology for the analysis that follows, the data is comparable to the alerts you'll see in the dashboard of Cisco's Endpoint Security solution, only aggregated across organizations to get, as a baseline, the percentage of organizations that have encountered specific IoCs. The data set covers the first half of 2020, from January 1st through June 30th. We'll cover this in greater detail in the Methodology section at the end of the post, but for now, let's dive into the data.

When using Cisco's Endpoint Security solution, one of the first things you'll notice in the dashboards is that alerts are sorted into four threat severity categories: low, medium, high, and critical. Here is a breakdown of these severity groups in terms of how frequently organizations encountered IoC alerts:

Figure: Percentage of low, medium, high, and critical severity IoCs

As you might expect, the vast majority of alerts fall into the medium and low categories. There is a wide variety of IoCs within these severities. How serious a risk the activity behind these alerts poses depends on a number of factors, which we'll look at more broadly in part two of this blog series.

For now, let's focus on the most serious IoCs that Cisco's Endpoint Security solution will alert on: the critical severity IoCs. While these make up a small portion of the overall IoC alerts, they are arguably the most destructive, requiring immediate attention if seen.

Figure: Critical severity IoCs

Sorting the critical IoCs into similar groupings, the most common threat category seen was fileless malware. These IoCs point to the presence of fileless threats: malicious code that runs in memory after initial infection, rather than through files saved on the hard drive. Here, Cisco's Endpoint Security solution detects activity such as suspicious process injection and registry activity. Some threats often seen here include Kovter, Poweliks, Divergent, and LemonDuck.

Coming in second are dual-use tools leveraged for both exploitation and post-exploitation tasks. PowerShell Empire, CobaltStrike, Powersploit, and Metasploit are four such tools currently seen here. While these tools can very well be used for non-malicious activity, such as penetration testing, bad actors use them frequently. If you receive this alert, and do not have such sanctioned cybersecurity exercises in play, an immediate investigation is in order.

The third-most frequently seen IoC group is another category of dual-use tools. Credential dumping is the process used by malicious actors to scrape login credentials from a compromised computer. The most commonly seen of these tools in the first half of 2020 was Mimikatz, which Cisco's Endpoint Security solution caught dumping credentials from memory.

All told, these first three categories comprise 75 percent of the critical severity IoCs seen. The remaining 25 percent includes a mix of behaviors known to be carried out by well-known threat types:

    • Ransomware threats such as Ryuk, Maze, BitPaymer, and others
    • Worms such as Qakbot and Ramnit

Another way to look at the IoC data is to apply the tactic categories laid out in the MITRE ATT&CK framework. Within Cisco's Endpoint Security solution, each IoC includes information about the MITRE ATT&CK techniques employed. These techniques can provide context on the goals of various parts of an attack, such as moving laterally through a network or exfiltrating confidential information.

Multiple tactics can also apply to a single IoC. For instance, an IoC that covers a dual-use tool such as PowerShell Empire covers three tactics:

With this overlap in mind, let's look at each tactic as a share of all IoCs seen:

Figure: IoCs grouped by MITRE ATT&CK tactics

By far the most common tactic, Defense Evasion appears in 57 percent of IoC alerts seen. This isn't surprising, as actively trying to avoid detection is a key component of modern attacks.

Execution also appears frequently, at 41 percent, largely because bad actors often launch more malicious code during multi-phase attacks. For instance, an attacker who has established persistence using a dual-use tool may follow up by downloading and executing a credential dumping tool or ransomware on the compromised computer.

Two tactics commonly used to gain a foothold, Initial Access and Persistence, come in fourth and third, showing up 11 and 12 percent of the time, respectively. Communication through Command and Control rounds out the top 5 tactics, appearing in 10 percent of the IoCs seen.

Critical tactics

While this paints an interesting picture of the threat landscape, things get even more interesting when combining MITRE ATT&CK tactics with IoCs of critical severity.

Figure: Critical severity IoCs grouped by MITRE ATT&CK tactics

To begin with, two of the tactics were not seen in the critical severity IoCs at all, and two more registered less than one percent. This effectively removes a third of the tactics from consideration.

What's also interesting is how the frequencies have been shuffled around. The top three remain the same, but Execution is more common among critical severity IoCs than Defense Evasion. Other notable movements when filtering by critical severity include:

  • Persistence appears in 38 percent of critical IoCs, versus 12 percent of IoCs overall.
  • Lateral Movement jumps from 4 percent of IoCs seen to 22 percent.
  • Credential Access moves up three spots, climbing from 4 percent to 21 percent.
  • The Impact and Collection tactics both see modest increases.
  • Privilege Escalation plummets from 8 percent to 0.3 percent.
  • Initial Access drops off the list entirely, having previously appeared fourth.
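As an added illustration of the aggregation described above (this is example code, not Cisco's code or data), the following Python computes the two views used in this post from a constructed set of IoC alerts: the share of organizations that encountered each severity, and each tactic's share of IoCs overall versus among critical severity IoCs only. The alert records, organization names and percentages are constructed sample values.

```python
from collections import Counter

# Constructed sample of IoC alerts (not Cisco telemetry). Each alert names the
# organization it was seen in, its severity, and the ATT&CK tactics it maps to.
# One IoC can map to several tactics, exactly as the post describes.
ALERTS = [
    {"org": "A", "severity": "critical", "tactics": ["Execution", "Defense Evasion", "Persistence"]},
    {"org": "A", "severity": "low", "tactics": ["Defense Evasion"]},
    {"org": "B", "severity": "medium", "tactics": ["Execution", "Command and Control"]},
    {"org": "B", "severity": "critical", "tactics": ["Credential Access", "Lateral Movement"]},
    {"org": "C", "severity": "low", "tactics": ["Initial Access"]},
    {"org": "C", "severity": "high", "tactics": ["Persistence", "Privilege Escalation"]},
    {"org": "D", "severity": "medium", "tactics": ["Defense Evasion", "Execution"]},
]


def pct_orgs_by_severity(alerts):
    """Percentage of organizations that saw at least one IoC of each severity."""
    orgs = {a["org"] for a in alerts}
    seen = {}
    for a in alerts:
        seen.setdefault(a["severity"], set()).add(a["org"])
    return {sev: round(100 * len(o) / len(orgs), 1) for sev, o in seen.items()}


def tactic_share(alerts, severity=None):
    """Percent of IoCs in which each tactic appears, optionally filtered to one severity.

    An IoC with several tactics counts once per tactic, so the shares sum to
    more than 100, which is why the post's figures overlap."""
    subset = [a for a in alerts if severity is None or a["severity"] == severity]
    if not subset:
        return {}
    counts = Counter(t for a in subset for t in a["tactics"])
    return {t: round(100 * n / len(subset), 1) for t, n in counts.items()}


def tactic_shift(alerts):
    """(overall share, critical-only share) per tactic, to see which tactics rise
    or fall once only critical severity IoCs are considered."""
    overall, critical = tactic_share(alerts), tactic_share(alerts, "critical")
    return {t: (overall.get(t, 0.0), critical.get(t, 0.0)) for t in overall}


if __name__ == "__main__":
    for tactic, (all_pct, crit_pct) in sorted(tactic_shift(ALERTS).items()):
        print(f"{tactic:22s} overall {all_pct:5.1f}%  critical {crit_pct:5.1f}%")
```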

This wraps up our high-level rundown of the IoC data. So, armed with this information about the common threat categories and tactics, what can you do to protect your endpoints? Here are a few suggestions on what to look at:

Restrict execution of unknown files

If malicious files can't be executed, they can't carry out malicious activity. Use group policies and/or "allow lists" for applications that are permitted to run on endpoints in your environment. That's not to say that every control available should be leveraged in order to completely lock an endpoint down; limiting end-user permissions too severely can cause entirely different usability problems.

If your organization uses dual-use tools for activities like remote management, do severely limit the number of accounts that are permitted to run the tools, only granting temporary access when the tools are needed.

Monitor processes and the registry

Registry modification and process injection are two primary techniques used by fileless malware to hide its activity. Monitoring the registry for unusual changes and hunting for strange process injection attempts will go a long way towards preventing such threats from gaining a foothold.

Monitor connections between endpoints

Keep an eye on the connections between different endpoints, as well as connections to servers within the environment. Investigate if two machines are connecting that shouldn't be, or if an endpoint is talking to a server in a way that it doesn't normally. This could be an indicator that bad actors are trying to move laterally across a network.

In part two, we'll dive deeper into the data, looking at LOLBins, top OS attacks, and the top IoCs for threat types such as ransomware, adware, credential stealing, and cryptomining. This information can help further solidify an actionable plan for allocating cybersecurity resources to the areas being targeted by bad actors. Stay tuned for more soon!