Responding to incidents quickly and shielding organizations from harm are basic objectives that make networks more secure and resilient. This blog post explores how HP Wolf Security’s threat containment technology helps achieve these security objectives, compared to a detection and response strategy.
Security Objective: Quick Response
In security operations, speed is critical. Time metrics are a common way to measure the effectiveness of security controls and processes by seeing how quickly teams detect and respond to threats. Many teams use metrics like mean-time-to-detect (MTTD) and mean-time-to-respond (MTTR) to track their performance over time. The reasoning is that the quicker the detection and response, the lower the impact and recovery cost of an incident on an organization. Today, human-operated ransomware can move from initial access to a full network compromise in hours, so reacting quickly is crucial to limit the impact.
During an investigation, network defenders search for suspicious activity across multiple data sources – such as email, network and host – and then correlate the data they’ve gathered into a coherent story that explains what happened and what needs to be done. Unimpeded, a capable analyst can complete an investigation in minutes. But common choke points in the investigation workflow could cost the organization valuable time.
Consider this scenario:
- An analyst spots an endpoint detection and response (EDR) alert for malicious processes spawning from a document opened on a laptop. It’s unclear from the alert whether all the processes were stopped. To decide what to do next, the analyst must confirm if the laptop, and perhaps others, have been compromised.
- To do this, they need to understand what the threat would have done and then look for those signs in their environment. In other words, they need to gather indicators of compromise (IOCs). The analyst issues a command to the EDR agent running on the laptop to retrieve the document that triggered the alert. Fortunately, the laptop is online and the file is pulled over the network after a couple of minutes.
- Next, the analyst must examine the file to understand what it does. They run the file in a sandbox and observe its behaviors. A few minutes later, they obtain a trace containing suspicious URLs that the malware communicates with post-installation and the hash of a file that is dropped to disk.
- The analyst logs into the organization’s web proxy and checks if the laptop has communicated with any of the suspicious URLs. Fortunately, it appears not. To be confident of their assessment, they also check the laptop’s event logs and confirm that no malicious processes are running, nor are there signs of the suspicious file being dropped to disk. The analyst breathes a sigh of relief – but other devices in the organization may be infected.
- They note the file originated as an email attachment. They log into the email gateway, search for the file’s hash and discover emails sent to other employees containing the malware. They identify other sender addresses, subject lines and attachments related to the same malicious spam campaign and write up their findings.
You likely noticed several choke points:
- EDR works by stopping malicious activity as quickly as possible at the expense of capturing a complete trace of how the threat works. The analyst is left with incomplete IOCs and unanswered questions about the threat’s tactics, techniques and procedures (TTPs).
- EDR file retrieval takes time and relies on the host being online. The analyst won’t have access to the file if the laptop is turned off, which is likely if the investigation occurs outside working hours, or if the user is travelling or in a very different time zone.
- Running the sample in a sandbox takes time and may not fully simulate the laptop’s environment. Therefore, the malware might produce incomplete IOCs because it does not behave in the same way in the sandbox.
- The analyst must log into multiple appliances and manually search for and correlate the data they are looking for.
- EDR provides limited assurance that all the malicious processes were stopped because they ran on the host and were stopped after the fact.
HP Wolf Security helps speed up this workflow by automating many steps, freeing up analysts’ time. This time, when the user opens the document, it runs inside HP Sure Click Enterprise, HP Wolf Security’s threat containment product. The user interacts with the document in all the ways they expect. However, in the background, the document is running inside a virtualized environment isolated from the host using micro-virtualization technology. The guest environment mimics the laptop, except it does not contain the user’s files and credentials (so any malware has nothing to steal) and has locked-down network access to prevent lateral movement.
The guest environment is monitored, so when the user opens the document, Sure Click starts recording a report of any suspicious activity. Since the threat is already isolated in a virtual machine and poses no risk to the host, stopping the threat as quickly as possible is unnecessary. Instead, the malware is allowed to play out like in a traditional sandbox, recording IOCs for the analyst to review. The sample and any files it tries to write to disk are also made available to the analyst in the alert, meaning they don’t need to retrieve the document from the laptop. Lastly, HP Wolf Security automatically correlates email, host and network data into a timeline for the analyst.
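To make the correlation step concrete, here is an added illustration (not HP Wolf Security code) of the manual work in the scenario above: sandbox IOCs for the sample are matched against proxy, host and email gateway data and merged into a single timeline, then hosts that merely received the lure are separated from hosts showing post-execution signs. All hashes, hostnames, URLs and log records are constructed for the example.

```python
from dataclasses import dataclass
# IOCs a sandbox run of the sample would yield (constructed values, not real indicators).
IOCS = {
    "sample_sha256": "a1" * 32,           # the document that triggered the alert
    "dropped_sha256": {"b2" * 32},        # file the malware writes to disk
    "urls": {"http://c2.example.invalid/gate.php"},
}
# Constructed web proxy log entries: (timestamp, host, url)
PROXY_LOG = [
    ("2023-06-01T09:02:10Z", "laptop-01", "https://intranet.example.invalid/"),
    ("2023-06-01T09:05:44Z", "laptop-07", "http://c2.example.invalid/gate.php"),
]
# Constructed host event log entries: (timestamp, host, event, sha256)
HOST_EVENTS = [
    ("2023-06-01T09:01:55Z", "laptop-01", "process_blocked", "a1" * 32),
    ("2023-06-01T09:05:30Z", "laptop-07", "file_written", "b2" * 32),
]
# Constructed email gateway records: (timestamp, recipient host, sender, subject, attachment sha256)
EMAIL_LOG = [
    ("2023-06-01T08:58:00Z", "laptop-01", "hr@lure.example.invalid", "Invoice", "a1" * 32),
    ("2023-06-01T08:58:02Z", "laptop-07", "hr@lure.example.invalid", "Invoice", "a1" * 32),
    ("2023-06-01T08:59:10Z", "laptop-03", "news@ok.example.invalid", "Newsletter", "c3" * 32),
]

@dataclass(order=True, frozen=True)
class Event:
    ts: str       # ISO-8601 timestamps sort correctly as plain strings
    source: str
    host: str
    detail: str

def correlate(iocs, proxy, host_events, emails):
    """Match every data source against the IOCs and merge the hits into one timeline."""
    hits = []
    for ts, host, url in proxy:
        if url in iocs["urls"]:
            hits.append(Event(ts, "proxy", host, f"contacted {url}"))
    for ts, host, event, sha in host_events:
        if sha == iocs["sample_sha256"] or sha in iocs["dropped_sha256"]:
            hits.append(Event(ts, "host", host, f"{event} {sha[:12]}"))
    for ts, host, sender, subject, sha in emails:
        if sha == iocs["sample_sha256"]:
            hits.append(Event(ts, "email", host, f"received '{subject}' from {sender}"))
    return sorted(hits)

def exposure(timeline):
    """Hosts that received the lure vs. hosts showing post-execution signs (C2 traffic or dropped file)."""
    received = {e.host for e in timeline if e.source == "email"}
    active = {e.host for e in timeline if e.source == "proxy" or e.detail.startswith("file_written")}
    return received, active, received - active
```

In the constructed data, laptop-01 received the lure but the process was blocked with no further signs, while laptop-07 shows both the dropped file and C2 traffic, so it is the host needing containment and deeper investigation.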
Figure 1 – HP Wolf Security threat overview
Figure 2 – Process interaction graph of threat
Figure 3 – Email information connected to threat
Security Objective: Minimizing Exposure to Harm
Besides reacting quickly, another fundamental security objective is minimizing exposure to harmful behaviors likely to hamper an organization’s ability to operate normally. Examples of such behaviors include an attacker exploiting a vulnerability in a software component and an employee doing something risky on a corporate device.
One of the most common undesirable behaviors is users opening malicious links and files – as seen in the scenario above. In the 2023 Data Breach Investigations Report, researchers at Verizon comment that malware is still mostly distributed by email in malicious file attachments, a trend we’ve also tracked for years.
While organizations can’t easily control the threats outside their environments, they can control the conditions under which threats occur in their environments and their response to them.
HP Wolf Security minimizes exposure to harmful behaviors using micro-virtualization to isolate risky user tasks like clicking on links, opening email attachments and downloading files from the web. Robust security means having the right mix of preventative and detective controls based on the behaviors you want to minimize.
To illustrate this, imagine you are a zookeeper tasked with keeping your animals from escaping. What security measures would you use? One strategy that relies on detection would be installing CCTV cameras around the zoo’s perimeter to spot if the animals run loose. Alternatively, a prevention strategy would have you install a fence around the animals to stop them from escaping. Of the two approaches, the more effective strategy relies on prevention because it minimizes exposure to harmful behavior.
If you’re a network defender, you may find it helpful to think about the security controls in your organization in terms of whether they are detective or preventative. Another useful question to ask is, “How are we minimizing the exposure of our endpoints/servers to harmful behaviors initiated intentionally and unintentionally by attackers and our employees?”
The post Accelerating Security Response and Minimizing Network Exposure with HP Wolf Security appeared first on HP Wolf Security.