This blog was written by an independent guest blogger.
I live in Toronto, so I always try my best to get to SecTor, Canada’s most important cybersecurity event, every October. Most years, SecTor has taken place in the Metro Toronto Convention Centre. But because of the unusual circumstances affecting the world in 2020, this year the event took place online exclusively. SecTor organizers hope that conditions improve by October 2021 so they can resume hosting the event in-person. I admit I do miss the parties with delicious catering, and seeing people in our industry offline.
But the talks this year have lived up to the excellent standards set by talks in previous years. This year, the main event took place on Wednesday, October 21st, and Thursday, October 22nd. There was so much to cover, even though it was impossible for me to attend all of the talks. First, I’ll start with the talks I attended on day one. Interestingly enough, they all have to do with threat detection and analysis. Enjoy!
Threat Hunting Intelligently
The first talk I attended was titled “Threat Hunting Intelligently.” It was presented by Ryan Cobb, Senior Information Security Researcher at Secureworks.
Here’s the description of the talk, from SecTor’s web app:
“Although times are unprecedented, for threat actors, it is business as usual. Even as times change, good threat intelligence will always be a bedrock of cybersecurity. Join Senior Security Research Consultant and Secureworks’ Threat Hunting lead Ryan Cobb, as he shares what’s on the threat horizon and how the Secureworks team is there to keep customers safe through the intersection of technology, tools, and passionate professionals who provide the ultimate advantage over the adversary. Ryan will present how to combine the insights from threat modeling and intelligence to hunt purposefully and effectively without being limited by what third-party intelligence and strategies can provide for your organization.”
Proper threat hunting procedures can identify indications of compromise (IOCs) efficiently and produce intelligence that can help organizations mitigate a threat before it becomes a huge problem. Improper threat hunting wastes time, money, and effort, and misses data that could be leveraged to improve your organization’s defenses. So I paid close attention to what Cobb had to say. Here is an excerpt from his talk:
“(Threat) modelling is going in and out of vogue over the years has a rich history, especially in Academia. It's a collaborative process where we enumerate threats and prioritize mitigations for them. It's basically a way of looking at your business the technologies that you've chosen and what we know about the threat after from a certain perspective, so we can look at a threat model from the perspective of the after what are the steps. They need to complete to accomplish their goals.
What are the systems we are trying to protect and think about ways those assets to be to be attacked. The outcomes are many threat modeling exercise really should be a prioritized list of hypothetical scenarios and we want to organize them by which are the most plausible to actually occur.
And the steps or other mediations? Hunting is the natural complement to threat modelling, hunting is determining whether some modeled threat actually occurred and went undetected, and hunting is largely focused on collecting and analyzing evidence that supports this hypothesis. So there's a significant overlap between what we do a threat hunting.
The ultimate goal of for hunting is not simply finding the threat in the process of investigating the modeled threat. We are gauging the overall effect of existing data collection schemes and security controls, and our automated detection logic. How effective those would be to detect the threat we’re interested?
I want to preface this by saying that we are huge fans of ATT&CK (a threat modeling framework). We use it extensively. It’s a massive positive contribution to the security industry, the common language for us to map an adversary’s actions against defensive assessments and intelligence.
I’m glad Cobb mentioned ATT&CK! Because that segues nicely into the next talk I attended.
A Savvy Approach To Leveraging MITRE ATT&CK
MITRE ATT&CK is a new methodology for understanding cyber threats. People in our industry are very excited about it. That’s what “A Savvy Approach To Leveraging MITRE ATT&CK” was all about. The talk was presented by Travis Smith, a director of malware research.
Here’s the description of the talk, from SecTor’s web app:
“MITRE ATT&CK has shifted the balance of power from attackers to defenders. For the past few years, defenders have been increasing their security tooling and are detecting more adversarial techniques than ever before. Detecting events in your environment is only the first step. Going forward the focus isn’t going to be on if you detect or how you detect, but rather what you do with the alerts coming in. What you do with alerts is what will set your organization up for success. How do you identify and reduce false positives or even false negatives? How are alerts triaged to differentiate between opportunistic versus more advanced malware? What procedures are in place for handling an outbreak? These questions and more are going to help dictate what happens after the breach. Digital forensics, incident response, and even threat hunting will all play important roles. In this session, Travis will go over key areas of importance and how to get started in identifying and implementing policies and procedures to set your security team up for success.”
So how can implementing MITRE ATT&CK methodology be useful to your organization’s blue team? Here’s an excerpt from Smith’s talk:
“You can quickly identify which alerts that you want to work on. That’s what you should be focusing on. Then the final components that you want to touch on, for detections to assess criticality, right? So you have your asset inventory. You should be able to be bring in your asset inventory in your decision-making process when looking at any or all of these alerts.
In some cases you’re going to be tasked with looking them, at maybe you'll take two events simultaneously, both could have the same severity. The only difference being is what assets you're finding them on. And having the context around the inventory of your assets is going to help scope the process of incident response on which one to investigate first, right? Maybe Java was found on a kiosk machine, not as critical. Then finding maybe some APT (advanced persistent threat) level piece of malware, targeted with a phishing campaign. I'm seeing a piece of malware that is reaching out to a malicious IP address on the CEO's laptop, right? Those are two different pieces of detections that you'd want to then bring in that asset inventory.”
The classification of data assets can be a useful way to determine which IOCs you should prioritize!
Security Metrics that Matter
The final talk I attended on day one was presented by my friend Tanya Janca. Last year when she presented, she was with her former employer. But this year she has her own company, We Hack Purple. We Hack Purple specializes in educating people about application security, from both a defensive and offensive perspective. Tanya also hosts a We Talk Purple podcast that I’ll be appearing on in November. And she has a book coming out soon which is useful for newbies to application security, titled Alice and Bob Learn Application Security.
So Janca’s talk this year was titled “Security Metrics that Matter.” Obviously not all metrics have equal value, and you will need to practice good judgment to determine how to prioritize security data. That’s what her talk was all about.
Here’s the description of the talk, from SecTor’s web app:
“We measure so that we can improve and report. Reporting is for our bosses and job security. Improvement is for us. As an outnumbered security professional, you will never, ever have enough time, money and resources to add every layer of defence you wish you could, which means we need to work smarter. Learn about which metrics truly matter, and which vanity metrics you can learn to safely ignore, so that you can work the most effectively at protecting your organization.”
Janca is a very enthusiastic and highly experienced speaker. Here’s an excerpt from her talk:
“We (my security team) had found a source (of threat data), you figured out what it was and then had I had a meeting note. The executives were like, ‘Tanya, come upstairs in an hour to talk with you about this,’ and I had solved it in that time. I got to report to them. Types of categories and incidents, that's super important. If you can start to spot threats, was your incident process followed, or was it not followed? Were tools available or were they not available? Are the types of incidents being repeated, or is it a new type of incident? what are you detecting? You're actually really awesome. Did other teams know what to do, and that other teams cooperating with you? Because I have had teams not cooperate.
So to clarify, reporting is for management. Metrics is for us (security professionals), and by that I mean ‘boots on the ground’ people who are actually making security happen. Basically, we are outnumbered as security professionals drastically, and we're never going to have enough time and money and resources to do every single security activity. We wish we could. And every added layer of defense is better, you would think, but they're not all created equal and that's why we need to work smarter. That's why metrics really matter. That's why they need to balance out which security metrics you can ignore, which are important to know, which ones are extremely valuable, which ones you should compare, and which ones you just can't really compare ‘cause they're apples and oranges.”
I learned so much on day one of SecTor 2020, and I didn’t even leave my apartment that day! Isn’t the internet amazing? Although as introverted as I am, I’m hoping next year’s event can be hosted in-person again.
But I’m not done yet! My event coverage concludes in my next post, where I cover day two of SecTor 2020.