“What’s your question?” – Next Generation Analysis in the Compromise Landscape

By Alex Cox, Sr. Researcher, RSA FirstWatch team

The FirstWatch team recently had its team planning meeting, where we discussed plans for the year, current events and experiences.   One of my teammates and fellow analysts, Pat Belcher, raised an interesting point in regards to security analysis, consulting and understanding your environment.

Threat analysts, as a general rule, are often concerned with the minutiae of the day-to-day threat landscape.  Who was hacked this week? Do we have malware involved for this incident? Do we have indicators for the incident?  What about exploits?  Do we need patches?  This is all key information related to properly defending a network, but often, taking a step back and looking at the environment holistically PRIOR to the incident helps to understand where the gaps may be.

This is what I call “The Question”.   As an analyst gets more experience, he’ll eventually understand that certain questions, even though they aren’t “directly” related to an incident, often give the analyst an insight into security posture as a whole and maybe in a counter-intuitive fashion.

Pat’s question was “Can I plug my computer into your network?” What he found was that if the answer is “No”, the environment he was working in was likely overly restrictive, and counter-intuitively, the defenders probably didn’t have a good idea of what was actually occurring on the network and may have problems.

Likewise, when I was consulting with customers, my question was “How is your malware problem?”  This was forged in my mind during a previous job, where an ineffectual SOC and threat management process glossed over the malware problem instead of confronting it.

My question was answered in one of two ways:

“We don’t have a malware problem.”   Or  “We’re not sure.”   What I found was the folks that said “We’re not sure” often had a better handle on their overall security posture than the folks that thought they didn’t have a problem at all.

Historically, the security landscape has evolved around this model, that “No” is the default answer and that this will keep the network safe.   Obviously based on the threats and intrusions that we’ve seen in recent history, the “head in the sand” approach is ineffective.

Today’s analysis approach should use a few key concepts that bear repeating:

1)      Assume you are already compromised

While this is a frightening concept to many organizations, it is the stark reality of the threat landscape.  The bad guys are better at getting in than we are at keeping them out.   Understanding this is a critical concept for the defender.

2)      Understand your allowed paths

All modern businesses require paths to the internet in order to conduct business.  Things like email, web browsing,  b2b connections, remote connectivity, etc. contribute to the success of the business.   These allowed paths also give attackers the ability to remotely control compromised machines while attempting to blend in with legitimate traffic.

3)      Technology solutions alone won’t address your problems

A combination of advanced analysis technologies, talented people and accurate intelligence give you the best chance of quickly identifying attacks.  This is contrary to the long-held industry marketing approach that “this magic technology box alone will fix your problem”.   The magic technology box is only part of the solution.

Apply these concepts and come up with your own “Question”, and the next time you have a security planning session, use your question to reevaluate.  You might be surprised what you discover.

Happy Hunting!


Alex Cox, MSIA, CISSP, GPEN, GSEC is a Senior Consultant and Security Researcher with RSA FirstWatch team responsible for advanced threat intelligence research. Alex has worked more than a decade in IT with a background in desktop architecture, emerging threat research, network forensics and behavioral malware analysis.

No Comments