Identity is foundational to threat detection on modern platforms

alt

On traditional platforms—such as Windows, macOS, or Linux—knowing who is performing a given activity is useful. However, we can identify an overwhelming percentage of suspicious or malicious activity in the absence of this context.

For example, some software, behaviors, command lines, and changes should be investigated irrespective of identity. We can find a lot of bad things with no identity context at all.

On modern platforms—such as SaaS, IaaS, and PaaS—identity plays a critical role in threat detection and response, thus we describe it as identity threat detection and response, or ITDR. Nothing happens outside of the context of an identity. We can find some bad things without identity context, but virtually all behaviors or changes must be contextualized, baselined, and ultimately investigated in the context of an identity.

To make a weak analogy: On traditional platforms, the process is the data source upon which most detections can be built. On modern platforms, the construct of a process does not exist. On modern platforms, a given identity’s session is the process.

And if you believe that identity is indeed foundational to threat detection on all modern platforms, there are a handful of things that are probably also true:

  • Trust is pinned increasingly to identity first, then to devices.
  • The browser will become the most important device of all.
  • Compromise of an Identity Provider (IdP) and/or browser is an end run around most/all controls.
  • Detecting IdP and/or browser compromise is a job that 99% of orgs can’t do, yet.

The top initial access vectors in 2023, mapped to ATT&CK

In reviewing security firms’ 2023 threat data, a subset of these include insight into the initial access vectors leveraged most frequently in successful intrusions. This is a summarization of findings based on their reporting.

alt

Rank MITRE ATT&CK Technique ID Vector Percentage
1 T1566 Phishing 31.4%
2 T1078 Valid Accounts 24.3%
3 T1190 Exploit Public-Facing Application 22.9%
4 T1133 External Remote Services 12.9%
5 T1189 Drive-By Compromise 5.7%
6 T1091 Replication Through Removable Media 2.9%

Key takeaways

  • The top 5 of the 6 most prevalent initial access techniques were unchanged from 2022, despite some new reporting sources being introduced in 2023 and some 2022 sources being excluded. The underscores the fact that, like the most prevalent techniques across tactics, there continues to be relatively little year-over-year drift.
  • Despite the ascendency of Valid Accounts and External Remote Services, and Exploit Public-Facing Application holding ground, it’s not always Phishing, but Phishing still dominates as the most likely initial access technique and email remains the vector of choice for adversaries.
  • Valid Accounts surged from 9.5% and a three-way tie for 3rd in 2022 to a solid #2 in 2023.
  • External Remote Services, which may be attributable to widespread remote access and/or RMM abuse, more than doubled year-over-year.

Methodology

To determine the most prevalent initial access techniques leveraged by adversaries in 2023, I relied on data from the following reports:

Because most, but not all of these reports use a standard taxonomy, reported vectors were mapped to the corresponding MITRE ATT&CK Initial Access parent technique.

As with all threat reports, the findings and prevalence are subject to each firms’ visibility and methodology.

Notes on 2023 data on reporting

Vendors in general are shifting away from annual reporting in favor of periodic reporting, with quarterly reports becoming the most common. This complicates data aggregation a bit (e.g., see the link required to find and aggregate Secureworks reports), but may be more useful to practitioners, as trends at a quarterly level are probably based on enough data to be meaningful, while also being timely.

Fewer vendors are reporting initial access observations. Fortunately, there are some industry mainstays that continue to report high quality data in this area based on large samples year-over-year.

I was disappointed to see that NCC Group, which generally provides excellent public domain research and reporting, not only stopped reporting initial access data this year, but also didn’t make mention of a single MITRE ATT&CK technique or provide standardized data anywhere in their annual report.

How to use this information

From my earlier thoughts on this matter:

A good use case for these types of lists–and a way to make them actionable–is to look at tactics starting with initial access and progressing through the intrusion lifecycle. For each tactic, look for common vectors and MITRE ATT&CK techniques (some of this is readily available in the source reports below). The goal is to see whether we can glean good enough insights and do it quickly, assess risks, and take preventative measures.

Open source roundup of cybersecurity models

This is a collection of cybersecurity, risk management, and related models that I’ve collected and/or used over time.

You can find the source on GitHub at https://github.com/keithmccammon/cybersecurity-models. Please fork and submit a pull request if I missed anything!

Functional models

Cybersecurity Framework (CSF) by the National Institute of Standards and Technology (NIST), U.S. Department of Commerce

Cyber Defense Matrix by Sounil Yu

Intrusion and/or adversary analysis models

AI Risk Repository by MIT

ATLAS by the MITRE Corporation

ATT&CK by the MITRE Corporation

Cyber Kill Chain by Lockheed Martin

D3FEND by the MITRE Corporation

Diamond Model by the United States Department of Defense (DoD)

SaaS Attacks by Push Security

Maturity models

Consumer Authentication Strength Maturity Model (CASMM) by Daniel Meissler

CSIRT Maturity Framework by the European Union Agency for Cybersecurity (ENISA)

Cyber Threat Intelligence Capability Maturity Model (CTI-CMM) by the CTI-CMM team / working group

Cybersecurity Capability Maturity Model (C2M2) by the United States Department of Energy (DoE)

Cybersecurity Maturity Matrix by Keith McCammon

Cybersecurity Maturity Model Certification, by the United States Department of Defense (DoD)

Detection Engineering Maturity Model by Kyle Bailey

Essential Eight Maturity Model by the Australian Signals Directorate (ASD)

Red Team Maturity Model (RTCMM) by Brent Harrell and Garet Stroup

Security Incident Management Maturity Model, by the Open CSIRT Foundation

Zero Trust Maturity Model by the Cybersecurity & Infrastructure Security Agency (CISA)

Shared responsibility models

Artificial intelligence (AI) shared responsibility model by Microsoft

AI Security Shared Responsibility Model by Mike Privette

Shared responsibilities and shared fate on Google Cloud by Google

Shared responsibility in the cloud by Microsoft

Shared Responsibility Model by Amazon Web Services

Threat, risk, resilience and other management models

AI Risk Management Framework by the National Institute of Standards and Technology (NIST), U.S. Department of Commerce

CERT Resilience Management Model by Carnegie Mellon University

FAIR Risk Management by the FAIR Institute

OCTAVE by Carnegie Mellon University

Risk Management Framework by the National Institute of Standards and Technology (NIST), U.S. Department of Commerce

Threat Assessment and Remediation Analysis (TARA) by the MITRE Corporation

A technology adoption model for cybersecurity teams

This article is adapted from a presentation (charts + talk track) I’ve maintained over the years as a tool to help myself and others understand how technology adoption drives the work we do in cybersecurity, and where we are in the technology adoption cycle at any given time. Charts revised late 2023.

Cybersecurity isn’t an isolated problem space. Cybersecurity as a discipline exists to safeguard data, typically by securing the underlying technologies used to access it. And because adoption of new technologies will always outpace our ability to secure them to the degree we’d like, cybersecurity is an inherently unsolvable and cyclical problem space.

This is one reason I enjoy studying cybersecurity and risk management maturity models. “Better at security today than we were yesterday” is an admirable mantra for any cybersecurity team. However, one thing I’ve learned about this type of modeling is that it helps us understand and improve upon the work, but typically doesn’t help us understand the inputs—technologies adopted by the business and users—that ultimately drive it.

Technology adoption cycle overview

This model focuses instead on where a given technology is on its journey from initial availability through to the low-level understanding required to effectively secure it. The primary use case is planning and alignment within a given organization, based on the technology stack and security controls at a point in time. By plotting key technologies relative to one another and along a continuum, it can be easier to track progress, maturity, depth of understanding, and more.

alt

Availability

First, technology becomes available to users. The major mobile app stores alone publish somewhere north of 1,000 new applications daily, and this is to say nothing of websites, SaaS applications, and other services beyond the mobile ecosystem. The proliferation of new software in particular is staggering, and generative artificial intelligence (GenAI) is driving the cost and time required to launch new applications and services down by the day.

Here it’s also worth noting that most cybersecurity practitioners are employed to protect businesses, but there’s no meaningful or predictable delineation between “business” and “consumer” technology. The prevalence of “bring your own device” (BYOD) is a clear indicator of this phenomenon, as are the countless businesses that leverage social media platforms, individuals who keep personal appointments on their work calendar, and more.

Adoption

Naturally, users start to adopt these new technologies. And not always because they should, but because they can.

The launch of the first iPhone is the canonical example of this phenomenon: Overnight, seemingly everyone had an iPhone. And while enterprises could ignore some noisy software engineers clamoring for access to corporate email and productivity apps on their new iPhones, they couldn’t ignore the CEO.

Adoption happens, and because it’s largely a function of availabilty coupled with consumer or user demand, if often occurs without the broader technology and/or security team’s awareness.

Management

Largely in response to adoption, enterprises make some attempt to manage technology. That is, to get a handle on who’s using it, how, and for what. Early “management” may be little more than a crude accounting of who’s using the tech, and an attempt to control the blast radius should something go wrong.

Early attempts to manage a new piece of technology will usually focus on the “bookends”: How the software is accessed (e.g., via identity and access management), and how the software is managed (e.g., whether it can be installed, or by removing it if unauthorized). For a piece of technology with sufficient access to sensitive data, these are imperfect but important first steps towards management.

Understanding

Once we dedicate resources to managing a given technology, our understanding of the technology improves, out of some mix of necessity and curiosity. This is where a lot of wildly valuable automation, control, and security tools (often free and/or open source) begin to materialize.

Many of the leading solutions in the device management, monitoring, and myriad other spaces were born during this evolution from basic management of an emerging technology to a better, deeper, and more meaningful understanding of how it’s being used, what it’s accessing and how, and ultimately how it can be better monitored and/or controlled.

Security

We can’t secure what we don’t understand.

Only once a technology becomes well understood will enterprises and controls mature to effectively secure it. This is where hackers and the cybersecurity community shine. Taking a technology from “we can keep a lid on it” to “we know more about this than the people who made it” is a hallmark of hacker culture and the cybersecurity industry that often pays its bills.

We’re still not “done”, but technology that reaches this phase is generally well studied and a robust set of controls are available. It also stands to reason that these technologies also have a well developed threat model and may be frequently targeted by adversaries, who are naturally interested in widely adopted, entrenched technologies.

alt

An illustrative look

Plotting the modern tech stack

Here’s a illustration of what this looks like in practice, using a common set of technologies:

alt

In general, technologies farthest to the “left” will be characterized by one or more of the following:

  • The inner workings of these technologies aren’t well understood and/or documented
  • Threat models are not widely understood or accepted
  • Observability may be lacking (i.e., APIs or other means of accessing access, usage, and security event data aren’t robust, and sometimes do not exist at all)
  • Lack of robust built-in or third-party security controls

Grouping technologies by family or type

This same phenomenon also applies to types of technology. In fact, determining whether we’re dealing with an evolutionary (e.g., our 1,001st project management tool) or revolutionary (e.g., ChatGPT) technology is how we spot a leading indicator that we’ll have a lot of net new work to do.

alt

As you reflect on the above illustrations, note a few things:

  • It took us decades to do a passable job of securing the “traditional” technologies on this chart (Windows, macOS, and Linux).
  • In less than one decade, most everything else on this chart was introduced, and each time the cycle began anew.
  • In a single year (2023), the widespread adoption of GenAI put that technology on the fast track through this cycle, but also had the rare side-effect of causing us to reevaluate most existing technologies, as GenAI was adopted by end users and much of our existing technology stack simultaneously

Takeaway: Technology adoption will always outpace security

The takeaway here is not how we adopt technology, but that technology adoption will always outpace security, and this is best thought of as a primitive and not a failure.

For every technology that progresses through this cycle, expect countless new inputs. And expect that a problem that we’ve solved for in the context of a particular technology or domain will need to be revisited and implemented in new ways, either because technology or assumptions change, but also because we work in an adversarial industry, and the enemy never rests.

Using this model

Hopefully this model is useful, irrespective of where you are in your cybersecurity journey.

For those looking to enter the field, it may help you understand what to expect.

For those actively involved in cybersecurity, either as dedicated professionals or as one of the millions of technologies for whom cybersecurity is “other duties as assigned”, it can be a useful framework for visualizing and/or forecasting technologies that impact your work.

And in general, it highlights the single biggest externality affecting our profession. Understanding that this is how it works may help you avoid some of the burnout and nihilism that plagues our industry, as many practitioners strive for “perfect” or “done”, rather than striving for balance given that the cycle is supposed to continue.