As we begin a new year, we wanted to address one of the biggest issues we consistently see in our investigations: passive security.
Incident response engagements are an important part of our work and the intelligence-gathering process and their associated reports can be a treasure trove of tactics, techniques and procedures (TTPs) for adversaries, but also expose common gaps and mistakes organizations make.
When we're fighting state-sponsored groups and cartels with millions in revenue to support their attacks, trying to win with passive security isn't a good strategy. One of the most common findings from Cisco Talos Incident Response engagements involves some variation of the technology in place and it detected the activity, yet the actor(s) successfully compromised the organization. The reason almost without fail is that the product wasn't running in blocking mode, something easily prevented with an active approach.
This fight between enterprises and threat actors isn't new – we've been going back and forth for decades, if not longer. As long as we've had security technology that actively blocks, there have been employees and leaders arguing that it shouldn't. Maybe 10 or 15 years ago they could have had an argument, as emerging technology can produce a lot of false-positives, but in today's threat landscape, it's asking for trouble.
Passive detection has its place in specific circumstances where active blocking either isn't possible or feasible; the issue comes when organizations run the majority, if not all, of their security technologies in passive mode, most critically on the endpoint. These last bastions of detection are invaluable for identifying attacks that were successful in evading and actively blocking security technologies that may be deployed to prevent compromise.
Adversaries' sophistication continues to improve
Historically, the threats organizations had to deal with were rarely targeted and primarily the work of miscreants trying to install a bot or some other simple malicious payload. Today, if you are lucky, you are only fighting against scores of affiliates using every technique and vulnerability under the sun to try and compromise the organization with severe impacts, resulting in potentially millions of dollars in ransom or extortion payments as well as collateral brand and reputation damage. In even worse scenarios, enterprises are also facing off against state-sponsored groups with deep funding and associated sophistication and the potential links between them.
These adversaries are sophisticated but they aren't perfect. They still need to run commands and potentially execute tooling to complete their compromise. Commonly, these commands and tools are detected, but if they aren't blocked, it’s not likely to slow the adversary down. What is the point of spending, in some cases, millions of dollars on technology to protect your environment only to have an alert generated at 3 a.m., when no one was looking, as the adversary was gathering and exfiltrating your most valuable secrets? This is especially true for endpoint security, as this is the last bastion of protection an organization has and as the final line of defense it needs to be impactful.
Threat actors are getting more efficient at their goals of data gathering, exfiltration and ransoming. During our research into Truebot, we identified a tool called “teleport” designed to make data exfiltration faster and more covert. This allowed actors to quickly execute commands to gather and exfiltrate potentially interesting data for extortion purposes.
This is just the latest example in a long line of evidence pointing to sophistication and structure. Others include leaked playbooks for how to work through a network quickly and efficiently. These affiliates are good at what they do, and not actively blocking their activity is a mistake.
Skills shortage is real and getting worse
There might be an argument to be made that if you are running a 24/7/365 security operations team then running in passive mode should be sufficient since they can be actioned by analysts. In reality, the limited security team is at capacity just keeping the technology they have updated, running and reporting. While simultaneously having to manage the expectations and demands of leadership on the latest vulnerability or threat that is making headlines. Combine that with the need to meet all compliance requirements for the business and you're already over-extended. This leaves little time for analysts to triage alerts as they are generated. More often than not, an alert is sent to a console with no one looking, and as the saying goes, “If a tree falls in the woods and no one is there to hear it, does it make a sound?”
Likewise generating alerts without taking action doesn't protect the organization, it just sends up a flare that something could be wrong. In the end, you're left with an incident response report that shows the right technology was deployed in the right places and it did its job, but the adversaries were still successful.
Parallels to enterprise patching progress
There is another issue in security or more generally in IT that has some parallels to active security: patching. Looking back five to 10 years, patching was either not being done at all or was required to be "baked in" for three to six months on test systems to ensure it didn't cause any issues or crashes. Flash forward to today and patches have become so stable that organizations roll them out with regularity without issue and home users commonly have patches automatically applied. The same is true for active security today. False-positives can still happen, but the risk continues to diminish as the threats grow exponentially.
Do you want false positives or true breaches?
The other common argument that is brought to the table when discussing active security technology is the threat of false-positives. False-positives are just part of deploying security technology – nothing's perfect, and improper detection is going to happen. Organizations need to ask themselves, “Is it better to deal with occasional headaches of false-positives, or a really big headache when a breach happens?”
It's better to have this conversation with leadership now than after a major incident has occurred. Make sure to support your argument with hard data about the volume of alerts that are generated, the tasking associated with it, and the challenges of operating in today's landscape with one hand tied behind your back while fighting off skilled, determined adversaries. It's 2024 and running passive security is a recipe for disaster.