There are layers, and at some point, you start to cry
Turning 40 this year has really upped my Dad Joke game. My kids gave me a book of them for my birthday and I’ve committed more than a few to memory to use when the fancy strikes. Sadly, my kids are still too young to fully appreciate most of them, and my wife definitely rolls her eyes, but I like to tell them regardless. After all, there’s a fine line for a joke to become a dad joke. “When does a joke become a dad joke?” you ask. When the joke becomes a parent. (read it out loud again)
I tried several of these out in a recent talk on the topic of “Detecting & Defending Across your Threat Landscape” at the ISMG Southeast Summit in Atlanta. Unfortunately, the recording cut off several of my opening jokes (maybe the A/V team wasn’t fans of my humor), so I’ll work them into this blog along with an overview of my talk. My opener was about an email I got the other day claiming to teach me how to read maps backwards — turns out it was just spam.
Besides the dad jokes, I broached a serious topic about what a struggle it is to do accurate, effective TTP (Tactic, Technique, Procedure) based detection in Cybersecurity. MITRE ATT&CK has done a fabulous job of helping the industry better articulate adversary behaviors and has given us a common taxonomy to do so. In thinking about detection strategies, David Bianco’s Pyramid of Pain taught us that the highest value detections are TTP-based, but that is easier said than done. In today’s world of LOLBAS (Living Off the Land Binaries and Scripts), detections for specific adversary techniques in isolation can be just as likely to flag legitimate developer or administrator activity as true malicious activity. This presents a problem in trying to detect TTPs.
Speaking of malicious activity — what’s the best way to catch a runaway robot? Use a botnet.
Unfortunately, MITRE ATT&CK only goes so deep with specifics for techniques, so it leaves quite a bit of work for the rest of us to do in order to actually detect TTPs. We have to detect behaviors that could be benign or malicious, and we have to find a good way to distinguish the difference. If we want to get to the top of David Bianco’s Pyramid of Pain and detect those TTPs, we need to leave behind IOC (Indicator of Compromise) based detections, which are short-lived and much less valuable.
Speaking of pyramids, what do you call an excavated pyramid? Unencrypted.
In my talk, I laid out an idea that several of my Anvilogic colleagues have been developing: “flipping the pyramid” in such a way that actually enables true TTP detection. The diagram below describes the concept of an upside-down pyramid, which shows how we base all our detections on a two-stage framework consisting of “Threat Identifiers” and “Threat Scenarios.”
Which brings up a good point — why do triangles look down on circles? Because they’re pointless.
Breaking up detections into these two stages is critical for normalization, efficient searching, and realizing very complex searches that would be virtually impossible to attempt against raw data. By listening to my talk, you’ll see me walk through an example of what individual threat identifier detections and a full-blown threat scenario detection look like using some actual adversary behavior. I hope you take a few minutes to listen and even pick up a dad joke or two for your own use…because the only difference between a dad joke and a bad joke is that one starts with a “d” and one starts with a “b.”
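To make the two-stage idea concrete, here is an added example (not Anvilogic's code or the detection content from the talk) of the "flipped pyramid" pipeline in Python: stage one turns normalized events into individual threat identifier hits tagged with an ATT&CK tactic, and stage two raises a threat scenario alert only when one host shows several distinct tactics inside a time window, so a lone LOLBAS-style execution by an administrator never alerts on its own. The binary list, allow-list, hostnames and timestamps are all constructed placeholders.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Stage 1: threat identifiers. Each maps a normalized event to an ATT&CK
# tactic. Both sets below are constructed placeholders, not real lists.
LOLBAS_LIKE = {"placeholder_lolbas.exe"}
KNOWN_DESTS = {"updates.example.com"}

IDENTIFIERS = {
    "lolbas_execution": ("Execution",
        lambda e: e["type"] == "process" and e["image"] in LOLBAS_LIKE),
    "scheduled_task_created": ("Persistence",
        lambda e: e["type"] == "task_created"),
    "outbound_to_unknown_dest": ("Command and Control",
        lambda e: e["type"] == "network" and e["dest"] not in KNOWN_DESTS),
}

def stage1(events):
    """Normalize raw events into (host, time, identifier, tactic) hits."""
    hits = []
    for e in events:
        for name, (tactic, match) in IDENTIFIERS.items():
            if match(e):
                hits.append((e["host"], e["ts"], name, tactic))
    return hits

def stage2(hits, window=timedelta(minutes=30), min_tactics=2):
    """Threat scenario: alert when a single host shows >= min_tactics
    distinct tactics inside the window. One identifier alone never fires."""
    by_host = defaultdict(list)
    for host, ts, name, tactic in hits:
        by_host[host].append((ts, name, tactic))
    alerts = {}
    for host, hs in by_host.items():
        hs.sort()
        for i, (start, _, _) in enumerate(hs):
            in_win = [h for h in hs[i:] if h[0] - start <= window]
            if len({t for _, _, t in in_win}) >= min_tactics:
                alerts[host] = sorted({n for _, n, _ in in_win})
                break
    return alerts

def t(m): return datetime(2024, 1, 1, 9, m)  # constructed timestamps

EVENTS = [  # constructed sample telemetry
    {"host": "admin-ws", "ts": t(0), "type": "process", "image": "placeholder_lolbas.exe"},
    {"host": "admin-ws", "ts": t(5), "type": "network", "dest": "updates.example.com"},
    {"host": "hr-laptop", "ts": t(10), "type": "process", "image": "placeholder_lolbas.exe"},
    {"host": "hr-laptop", "ts": t(12), "type": "network", "dest": "unknown.example.net"},
    {"host": "hr-laptop", "ts": t(20), "type": "task_created"},
]

def run(events=EVENTS):
    return stage2(stage1(events))
```

Running `run()` alerts only on `hr-laptop`, where three identifiers from three tactics land within ten minutes; `admin-ws` produces a single Execution identifier and stays quiet.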