Problem
Today’s cybersecurity landscape is fraught with numerous issues. Hackers often persist on a company’s systems for extended periods before executing their attacks. How can companies quickly identify if an intruder is present in their system?
Solution
There is no silver bullet that detects every internal threat, but you can take a more proactive stance than compliance checks alone. Below is a quick listing of areas and tools to review. You do need proper governance and a defence workforce to work through the following.
Extended Visibility over every Asset and Data
- You need an asset management capability that tracks all IT/OT/IoT systems. With the systems identified, whether hosted in the cloud, on premises or hybrid, you need a good sense of their security compliance status, meaning baseline hardening, change and patch status, and availability status. Potential tool: Cyber Asset and Attack Surface Management
- You need a data management capability that forms a regime in which you have sight of all the critical data that are the “crown jewels” of the company (and to the adversary or insider). With the systems storing those data identified, run through the confidentiality and integrity status of the key management and privileged access controls in place. Potential tool: Key Vault and Privileged Access Management tool
Deepened Observability of every Service
- You need to collect telemetry such as logs, metrics and traces for the applications running. Only when anomalous activities are detected can you activate a timely response. This requires a regime of setting up a proper logging fabric that lets the log creators (services) send through the fabric to the log consumers (event tracking and management). Potential tool: Log pipeline and distribution platform, SIEM, and continuous security monitoring
- You need security agents and their log events as well. Hence there is a need to identify the core security guardians protecting your services. They form the security tech stack, which includes the code development pipeline and the security review conducted regularly for every release. Potential tool: CI/CD pipeline, container runtime protection, Endpoint Detection and Response (EDR)
Enhanced Detection and Response on every security event/activity
- You need a central Security Operations Centre that serves as the consumer of the telemetry sent over by the creators. The detection rules are managed 24/7 by tiers of responders and analysts. They form the blue team that monitors all activities (security and availability related events) and investigates the risk events detected (insider, APT, data leaks, tampering). External cyber threat feeds augment the SOC analysts in investigations and in proactively crafting correlation rules to detect known (or even unknown) threats. Potential tool: SIEM/SOAR and security playbooks, Cyber Threat Intelligence Platform
- You need active validation of the blue team’s vigilance and competency in sieving the attack signals out of the noise. Red teams and threat hunters are the experts who simulate attacker penetration and hunt for the hidden threat traces that have evaded detection in the huge log trove. Potential tool: Breach and Attack Simulation (BAS), Continuous Threat Exposure Management
A proper strategy for securing assets and sieving out internal threats must go hand in hand. Expecting detection to cover everything is not viable; hence prioritisation matters, and the internet-facing and higher-risk systems (those with sensitive data) should be the focus of concern.
Security Operations Center (SOC)
I recommend implementing a Security Operations Center (SOC). A SOC is a strategic approach to bolstering an organization’s defense against cyber threats.
An effective SOC acts as the command center for cybersecurity, continuously monitoring, analyzing, and responding to cybersecurity incidents. With threat intelligence integration, the SOC team can stay ahead of potential threats by being informed about cyber adversaries’ latest tactics, techniques, and procedures. This allows for the timely identification of anomalies that could indicate a breach, enabling faster response times and mitigation strategies.
Moreover, incorporating threat intelligence into the SOC ensures that the organization’s security measures are not only reactive but also predictive. It helps in understanding the threat landscape, including identifying potential threat actors and their motivations, which leads to a more robust security posture.
Logging and monitoring the health of the information environment is essential to identifying inefficient or improperly performing systems, detecting compromises, and providing a record of how systems are used. 24×7 Monitoring and Incident Response is a must. The logs should be detailed enough for real-time monitoring and quick incident response. The logs should be in a format that can be easily integrated with SOAR for automated incident response.
Log reviews are an essential function not only for security assessment and testing but also for identifying security incidents, policy violations, fraudulent activities, and operational problems near the time of occurrence. Log reviews support audits, forensic analysis related to internal and external investigations, and organizational security baselines.
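As an added illustration (not code from the original post), the following Python normalises constructed syslog-style authentication lines into structured JSON events of the kind a SIEM or SOAR ingests, then applies one simple correlation rule: repeated failed logins followed by a success from the same source. The hostnames, usernames and IP addresses are constructed.

```python
import json
import re
from collections import defaultdict

# Constructed sample lines in a syslog-like authentication format (not real logs).
RAW_LOGS = """\
2024-05-01T02:11:03Z fileserver01 sshd: Failed password for admin from 203.0.113.7
2024-05-01T02:11:09Z fileserver01 sshd: Failed password for admin from 203.0.113.7
2024-05-01T02:11:15Z fileserver01 sshd: Failed password for admin from 203.0.113.7
2024-05-01T02:11:21Z fileserver01 sshd: Accepted password for admin from 203.0.113.7
2024-05-01T09:30:00Z fileserver01 sshd: Accepted password for alice from 198.51.100.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\w+): (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src_ip>\S+)$"
)

def normalize(raw):
    """Turn raw text lines into structured events a SIEM/SOAR can consume."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a real pipeline would route unparsed lines to a dead-letter queue
        ev = m.groupdict()
        ev["outcome"] = "failure" if ev["outcome"] == "Failed" else "success"
        events.append(ev)
    return events

def correlate_bruteforce_then_success(events, threshold=3):
    """Alert when >= threshold failures for (host, user, src_ip) precede a success."""
    failures = defaultdict(int)
    alerts = []
    for ev in events:  # events are assumed time-ordered, as a log pipeline delivers them
        key = (ev["host"], ev["user"], ev["src_ip"])
        if ev["outcome"] == "failure":
            failures[key] += 1
        elif failures[key] >= threshold:
            alerts.append({
                "rule": "bruteforce_then_success", "severity": "high",
                "host": ev["host"], "user": ev["user"], "src_ip": ev["src_ip"],
                "failed_attempts": failures[key], "success_at": ev["ts"],
            })
            failures[key] = 0  # reset so the same run is not alerted twice
    return alerts

if __name__ == "__main__":  # JSON output is what a SOAR playbook would ingest
    print(json.dumps(correlate_bruteforce_then_success(normalize(RAW_LOGS)), indent=2))
```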
Cyber Kill Chain
Understand the concept behind the Cyber Kill Chain. Lockheed Martin developed the Cyber Kill Chain to reposition the advantage toward defense. Typically, the defender has the disadvantage because they must plug every security hole, whereas the attacker only needs to find one hole in the security framework to be successful. The Cyber Kill Chain tries to turn this around by helping defenders stop an attacker at any point in the chain, disrupting the attack entirely.
The seven phases of the Cyber Kill Chain are as follows. Keep in mind that some threats may not necessarily need all seven stages:
- Reconnaissance
- Weaponization
- Delivery
- Exploitation
- Installation
- Command and Control
- Actions on Objectives
https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
Defense in Depth
Apply Defense in Depth. Defense in Depth is a security strategy that positions the layers of network security as network traffic roadblocks; each layer is intended to slow an attack’s progress rather than eliminate it outright.
The idea behind the defense is that people get only the access they need to complete their jobs, no more and no less. This often rubs executives the wrong way, especially at smaller companies. This is because executives at smaller companies, especially company owners, feel they should have access to everything. While this is an understandable feeling, it doesn’t follow the best IT security practices, as it gives one person access to more systems than they need.
Defense in Depth is a solid technique for ensuring that when an account is compromised, that account can’t compromise an entire company. While having to request access to files or system data at a company where you are an executive is annoying, security isn’t about making access to files and systems easier.
https://www.cisecurity.org/insights/spotlight/cybersecurity-spotlight-defense-in-depth-did
https://www.studynotesandtheory.com/single-post/defense-in-depth
https://thorteaches.com/cissp-defense-in-depth/
https://wentzwu.com/wp-content/uploads/2020/07/CISSP_PROCESS_GUIDE_v2.1.pdf
https://www.imperva.com/learn/application-security/defense-in-depth/
Micro-segmentation
Micro-segmentation (multiple security zones, granular access controls) allows security architects to divide data centers into unique security segments (as far down as the individual workload level), but it requires integration with, and an understanding of, where your applications are located in order to improve and manage them. For example, in network segmentation, identify East-West and North-South traffic.
NIST has published Special Publication (SP) 800-215, Guide to a Secure Enterprise Network Landscape.
Sample benefits of network segmentation:
- Improved Security. Network traffic can be isolated and/or filtered to limit and/or prevent access between network segments.
- Better Access Control. Allow users only to access specific network resources.
- Improved Monitoring. It provides an opportunity to log events, monitor allowed and denied internal connections, and detect suspicious behavior.
- Improved Performance. Broadcast traffic can be isolated to the local subnet. With fewer hosts per subnet, local traffic is minimized.
- Better Containment. When a network issue occurs, its effect is limited to the local subnet.
https://www.illumio.com/cybersecurity-101/microsegmentation
https://csf.tools/reference/critical-security-controls/version-7-1/csc-14/
https://apexassembly.com/wp-content/uploads/2019/03/Tufin-network-segmentation-white-paper.pdf
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-215.pdf
Latest Trends
Keep yourself updated on the latest trends in software vulnerabilities and cybersecurity issues. Examples include:
- Fortinet Blog: http://blog.fortinet.com
- Naked Security: http://nakedsecurity.sophos.com
- Securosis Blog: https://securosis.com/blog
- Uncommon Sense Security: http://blog.uncommonsensesecurity.com
- Paul’s Security Weekly: http://securityweekly.com
- TaoSecurity: http://taosecurity.blogspot.com
- Schneier on Security: https://www.schneier.com/
- Kaspersky OpenTIP: https://opentip.kaspersky.com/
Mailing List
Keep yourself updated about security. You can subscribe to mailing lists to receive instant or digest updates on vulnerabilities and trends. Some lists are geared more toward attackers than security specialists, but the information from these lists can tip you off to potential problems. Examples include:
- CERT-UK cybersecurity alerts: https://www.cert.gov.uk/resources/alerts/
- The information security breaches survey, carried out annually to assess breaches in UK-based organizations: https://www.gov.uk/government/
- Internet Storm Center Handlers Diary: https://isc.sans.edu
Because security intelligence originates from many different sources and it can be difficult for analysts and tools to consume it, various initiatives are underway to provide that information in standard formats that computers as well as humans can read. Many of these standards are associated with various registries that provide security information. Examples include:
- Malware Attribute Enumeration and Characterization (MAEC)
- Cyber Observable Expression (CybOX)
- Structured Threat Information Expression (STIX)
- Trusted Automated Exchange of Indicator Information (TAXII)
- Common Weakness Scoring System (CWSS)
- Common Weakness Risk Analysis Framework (CWRAF)
- Open Indicators of Compromise Framework (OpenIOC)
- Common Attack Pattern Enumeration and Classification (CAPEC)
- The Adversarial Tactics, Techniques, and Common Knowledge (MITRE ATT&CK)
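An added example (not part of the original page) of what the machine-readable formats above look like in practice: producing and consuming STIX 2.1 indicators with only the Python standard library, then matching the feed against structured events such as a SIEM holds, which is how the threat feeds mentioned in the SOC section augment correlation rules. The indicator values, hostnames and usernames are constructed documentation-range data, not real intelligence.

```python
import json
import re
import uuid
from datetime import datetime, timezone

PATTERN_RE = re.compile(r"^\[ipv4-addr:value = '(?P<ip>[0-9.]+)'\]$")

def make_indicator(ip, name, created=None):
    """Build a STIX 2.1 Indicator object whose pattern matches one IPv4 address."""
    ts = (created or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {
        "type": "indicator", "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts, "modified": ts, "valid_from": ts,
        "name": name, "indicator_types": ["malicious-activity"],
        "pattern_type": "stix", "pattern": f"[ipv4-addr:value = '{ip}']",
    }

def make_bundle_json(objects):
    """Wrap STIX objects in a Bundle, serialised as a TAXII server would deliver it."""
    return json.dumps({"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects})

def extract_ipv4_iocs(bundle_json):
    """Consume a bundle and map each simple IPv4 indicator pattern to its indicator id."""
    iocs = {}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        m = PATTERN_RE.match(obj.get("pattern", ""))
        if m:  # compound patterns (AND/OR, other observables) would need a full pattern parser
            iocs[m.group("ip")] = obj["id"]
    return iocs

def match_events(events, iocs):
    """Tag structured SIEM events whose source IP appears in the intel feed."""
    return [dict(ev, indicator_id=iocs[ev["src_ip"]]) for ev in events if ev["src_ip"] in iocs]

# Constructed feed and events (documentation-range IPs, not real indicators).
FEED = make_bundle_json([make_indicator("203.0.113.7", "constructed C2 node"),
                         make_indicator("203.0.113.8", "constructed scanner")])
EVENTS = [
    {"ts": "2024-05-01T02:11:21Z", "host": "fileserver01", "user": "admin", "src_ip": "203.0.113.7"},
    {"ts": "2024-05-01T09:30:00Z", "host": "fileserver01", "user": "alice", "src_ip": "198.51.100.20"},
]

if __name__ == "__main__":
    print(json.dumps(match_events(EVENTS, extract_ipv4_iocs(FEED)), indent=2))
```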