Corelight Bright Ideas Blog: NDR & Threat Hunting Blog

Decoding CISA’s 2024 Advisories: Key Themes & Next Steps

Written by Brian Dye | Aug 8, 2024 3:19:53 PM

My weekly dose of Risky.biz led me to CISA’s advisory on SILENTSHIELD, which described their months-long red team exercise and resulting remediation at a federal agency. My browser backlog happened to have their APT40 advisory from just a few days earlier, which was my next read.

Since those were so … sobering … I went back and read all of CISA’s 2024 advisories to date. A broader message—intentional or otherwise—began to sink in: The game has changed and CISA is trying to shake all of us up and into action.

However, the combination of politely factual/tech-neutral wording and per-issue advisories obscures some of their bigger themes (and maybe a bit of their urgency). So let me try to connect some dots across CISA’s 2024 advisories and season them with some direct language which, anger aside, is absolutely necessary.

On the attacker side, there are three themes that all add up to one big reminder: “We have to assume a determined attacker can and will get inside the network.” What’s new is that this is not just “someone else’s” network: with the success rate of so many access vectors, we all now have to defend against what used to be very advanced attacks. Namely:

  • Vulnerabilities have consequences. Applications and network devices are providing attackers with plenty of undetectable access points that are being exploited faster than ever.
  • We are (still) human. So phishing still works, and credential theft still works.
  • Detection isn’t just about malware anymore. Once they are in, attackers are living off the land and using native tools to blend into the environment and evade detection. Bear in mind that the SILENTSHIELD operations were two years ago, which only underscores the punchline here!

When we look across 2024’s ten advisories to date, the three biggest mitigation themes don’t look new or surprising at first glance:

  • Access. Maximize use of MFA, ensure strong passwords, strive for least privilege, etc.
  • Controls. Minimize risk/spread through fast patching and network segmentation in particular.
  • Logging. Ensure you have the data to support IR, threat hunting, and controls verification.

However, when you read more deeply there is a lot in the “logging” area that is network-centric in threat detection (C2 or LM detection, monitoring RDP, finding living-off-the-land activity) and in verifying controls (asset discovery, network baselining, monitoring RDP, restricting port/protocol usage). The underlying message is: “Our defensive priority has to evolve—and the network matters again” because:

  • “EDR is all we need” just isn’t true. Don’t get me wrong, EDR is great. Not just great, but mandatory. We all need it not just deployed, but well operationalized and utilized. But in an “assume breach” scenario we see EDR evaded or disabled (and of course, we can’t have agents everywhere!). So it’s not enough.
  • We’re looking at TIME in the wrong way. A fundamental question on data retention was interspersed in the list of attacker TTPs used: “How long do we need to be able to look back in time?” The answer from CISA is: “90 days isn’t enough.” The reality is most organizations have much less than that today.
  • Network baselining and logging need attention … and modernization. Given how often these concerns get mentioned, why aren’t folks doing it? Because often the response is: “We’re fine because we have netflow, some PCAP, and my firewall’s IDS subscription.” Implicitly, CISA is telling us that this response is wrong.

Some additional context from the network front lines

To be clear, I don’t speak for CISA. But at Corelight, we do work with many enterprise defenders who have fully embraced an “assume breach” mindset. As part of that strategy, those security teams have taken a fresh look at both data retention time and network monitoring, resulting in three common “ahas”:

  1. NetFlow and PCAP have had their day. These two complemented firewall logs well 10 years ago, but the world has moved on. Then, an hour of firewall logs or a few days of PCAP were enough to support investigations. Today, those lookbacks mean you are blind in a matter of days—and in the current environment you often need months.
  2. Take the defender’s advantage. Points where we can observe repeated attacker activity are our best chance to find the attacks that evade perimeter defenses, and that is most clear with command and control (C2) and lateral movement. But our perimeter IDS/IPS doesn’t address those problems; we need more advanced detection tools and broader network coverage to find them.
  3. It’s about “every day”, not just “APTs”. What do I have, what is talking to what, and what is “odd” on my network are hunting trailheads that will help on almost every tier 2+ investigation, not just when we’re on alert for super-secret-squirrel nation state attackers. That context helps connect the dots across the kill chain and helps analysts define what “normal” is while streamlining their investigations.

These three ‘ahas’ are bringing security leaders to NDR. It’s the logical next step that can accelerate their SOC’s investigations and disrupt advanced attacks. NDR brings a range of advanced detection methods and metadata-based analysis (with rich context only where needed) that defines the “goldilocks” zone of depth and breadth—and delivers rocket fuel for the modern SOC.

Talk to us, or talk to our competitors, but no matter what, let’s acknowledge what CISA is telling us in 2024. The internal network (across both on-prem and cloud) is critical to defending against this next generation of attacks. And last decade’s approach just isn’t good enough.