Left and Right of Boom (by Tim MalcomVetter) Permalink

Prevention is just detection with an action at the end.

-Casey Smith (subTee)

In security operations, or any harm prevention discipline, speed is really important. The faster you can find the bad thing, the better your chances of rolling over a proverbial speed bump vs. hitting a brick wall.

But speed can work against you: Move too fast, and you run a very real risk of responding decisively to the wrong things. False positives are never ideal, but can be made far worse when you take disruptive action on them.

A couple of the concepts I’d take away from this article:

Time to Detect, noting the important relationship between prevention detection: Prevention only exists where there is highly accurate and fast detection.
Time to Verdict, which is a great way to think about triage: The goal isn’t to triage faster, it’s to triage as fast as you can make good decisions.

Cyber Defense Matrix slide template Permalink

I’ve made 100 variations of Sounil Yu’s venerable Cyber Defense Matrix for workshops, presentations, and planning over the years. Here’s the Google Slides template that I use to save time. May it save you time as well.

Identity is foundational to threat detection on modern platforms

alt

On traditional platforms—such as Windows, macOS, or Linux—knowing who is performing a given activity is useful. However, we can identify an overwhelming percentage of suspicious or malicious activity in the absence of this context.

For example, some software, behaviors, command lines, and changes should be investigated irrespective of identity. We can find a lot of bad things with no identity context at all.

On modern platforms—such as SaaS, IaaS, and PaaS—identity plays a critical role in threat detection and response, thus we describe it as identity threat detection and response, or ITDR. Nothing happens outside of the context of an identity. We can find some bad things without identity context, but virtually all behaviors or changes must be contextualized, baselined, and ultimately investigated in the context of an identity.

To make a weak analogy: On traditional platforms, the process is the data source upon which most detections can be built. On modern platforms, the construct of a process does not exist. On modern platforms, a given identity’s session is the process.

And if you believe that identity is indeed foundational to threat detection on all modern platforms, there are a handful of things that are probably also true:

Trust is pinned increasingly to identity first, then to devices.
The browser will become the most important device of all.
Compromise of an Identity Provider (IdP) and/or browser is an end run around most/all controls.
Detecting IdP and/or browser compromise is a job that 99% of orgs can’t do, yet.

The top initial access vectors in 2023, mapped to ATT&CK

In reviewing security firms’ 2023 threat data, a subset of these include insight into the initial access vectors leveraged most frequently in successful intrusions. This is a summarization of findings based on their reporting.

alt

Rank	MITRE ATT&CK Technique ID	Vector	Percentage
1	T1566	Phishing	31.4%
2	T1078	Valid Accounts	24.3%
3	T1190	Exploit Public-Facing Application	22.9%
4	T1133	External Remote Services	12.9%
5	T1189	Drive-By Compromise	5.7%
6	T1091	Replication Through Removable Media	2.9%

Key takeaways

The top 5 of the 6 most prevalent initial access techniques were unchanged from 2022, despite some new reporting sources being introduced in 2023 and some 2022 sources being excluded. The underscores the fact that, like the most prevalent techniques across tactics, there continues to be relatively little year-over-year drift.
Despite the ascendency of Valid Accounts and External Remote Services, and Exploit Public-Facing Application holding ground, it’s not always Phishing, but Phishing still dominates as the most likely initial access technique and email remains the vector of choice for adversaries.
Valid Accounts surged from 9.5% and a three-way tie for 3rd in 2022 to a solid #2 in 2023.
External Remote Services, which may be attributable to widespread remote access and/or RMM abuse, more than doubled year-over-year.

Methodology

To determine the most prevalent initial access techniques leveraged by adversaries in 2023, I relied on data from the following reports:

Deloitte Cybersecurity Threat Trends Report 2024
IBM Security X-Force Threat Intelligence Index 2024
Kaspersky IR Analyst Report 2023
Kroll Q4 2023 Threat Landscape
Mandiant M-Trends 2024
ReliaQuest Annual Cyber-Threat Report: 2024
Secureworks (multiple reports, best found via search-fu)

Because most, but not all of these reports use a standard taxonomy, reported vectors were mapped to the corresponding MITRE ATT&CK Initial Access parent technique.

As with all threat reports, the findings and prevalence are subject to each firms’ visibility and methodology.

Notes on 2023 data on reporting

Vendors in general are shifting away from annual reporting in favor of periodic reporting, with quarterly reports becoming the most common. This complicates data aggregation a bit (e.g., see the link required to find and aggregate Secureworks reports), but may be more useful to practitioners, as trends at a quarterly level are probably based on enough data to be meaningful, while also being timely.

Fewer vendors are reporting initial access observations. Fortunately, there are some industry mainstays that continue to report high quality data in this area based on large samples year-over-year.

I was disappointed to see that NCC Group, which generally provides excellent public domain research and reporting, not only stopped reporting initial access data this year, but also didn’t make mention of a single MITRE ATT&CK technique or provide standardized data anywhere in their annual report.

How to use this information

From my earlier thoughts on this matter:

A good use case for these types of lists–and a way to make them actionable–is to look at tactics starting with initial access and progressing through the intrusion lifecycle. For each tactic, look for common vectors and MITRE ATT&CK techniques (some of this is readily available in the source reports below). The goal is to see whether we can glean good enough insights and do it quickly, assess risks, and take preventative measures.

Open source roundup of cybersecurity models

This is a collection of cybersecurity, risk management, and related models that I’ve collected and/or used over time.

You can find the source on GitHub at https://github.com/keithmccammon/cybersecurity-models. Please fork and submit a pull request if I missed anything!