GUIDE TO DETECTION & RESPONSE - RETHINK YOUR CYBER RESILIENCE STRATEGY E-BOOK - Service Description

Page created by Kathryn Riley
 
GUIDE TO DETECTION & RESPONSE
RETHINK YOUR CYBER RESILIENCE STRATEGY
E-BOOK
2                                                                                                                                                                                                  F-SECURE GUIDE TO DETECTION & RESPONSE                 3

GUIDE TO DETECTION & RESPONSE

From the field

Over the last few years, you’ve probably heard phrases such as “the tactics, techniques, and procedures crafted by highly resourced threat actors are falling into the hands of less skilled adversaries”. That’s long speak for “expect a lot more script kiddies to start pwning your systems”. As Dr. Ian Levy from GCHQ recently pointed out, a lot of the attacks we’re seeing nowadays aren’t “Advanced Persistent Threats”, they’re simple hacks performed by “Adequate Pernicious Toerags”.

Nothing illustrates this phenomenon better than the group we’ve dubbed “The Romanian Underground”. This is a group that we have had first-hand experience with on a number of occasions while performing incident response and forensics work.

The Romanian Underground are, simply put, a bunch of IRC chat room buddies who decided it would be cool to take up the hobby of “hacking”. Most of these kids, upon joining the collective, have little to no Unix skills to speak of. They probably know about five commands in total. Newcomers are taken under the wing of a mentor who provides them with simple tools and training to get them started on their new hobby. These mentors are almost as unskilled as the newcomers - they probably know about five more Unix commands than their apprentices. But they’ve been in the game for a few weeks already, and have a wealth of experience.

As newcomers learn the ropes (which usually implies that they’ve learned to configure and use a couple of tools), they’re promoted to mentors, and take on their own set of apprentices. This hierarchical model closely resembles popular pyramid selling schemes you might have had the misfortune to encounter. Of course, the guys involved in The Romanian Underground aren’t looking to become millionaires by selling soap - the pyramid scheme is a form of gamification, where the goal is to collect as many owned systems as possible and move up the ranks.

Naturally, it’s the guys at the top of the pyramid who really benefit from all of this. They’re the ones providing the tools, and by pushing all their manual work downstream, they get access to thousands of compromised systems. Meanwhile, the newcomers are happy to proudly identify themselves as “hackers” on their Facebook pages (alongside other unrelated hobbies such as windsurfing or snowboarding).

The toolkits being pushed down the pyramid are usually designed to exploit or brute force common services such as SSH and webmail servers. What might surprise you (or not) is that these toolkits, in the hands of completely unskilled noobs, are being used to compromise even PCI-DSS-compliant organizations across the globe. The Romanian Underground represent just one of many groups that form part of a growing trend of low-skilled hackers and cyber criminals. The motives of the masterminds behind these groups are, you guessed it, financial gain. Acquiring access to a large number of compromised company networks allows them to cherry-pick prime targets for cyber extortion and data exfiltration. And any company is a potential target.

The fact that these groups are able to compromise PCI-DSS-compliant organizations is a testament to the fact that purely preventative cyber security solutions simply aren’t cutting it anymore. And the reason why so many companies are now being owned in this style is due to the fact that they simply don’t have an ounce of visibility into post-breach activities on their networks.

That’s not to say that skilled attackers aren’t also out there. But, as a company that’s been involved in more European cyber crime investigations than any other company in the world, we can tell you that there’s no point in worrying about the NSA or APT28 until you know you can at least stop these guys.
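The SSH brute-force toolkits and the missing post-breach visibility described above are exactly what a detection pipeline should surface. The following is an added example, not code from the F-Secure guide: it parses OpenSSH authentication log lines and alerts when a successful login follows a burst of failures from the same source, which is the moment the "machine" part of the attack hands over to a human. The sshd message format is the real OpenSSH one; the host names, user names and addresses in the sample log are constructed.

```python
"""Flag SSH brute-force bursts that end in a successful login.

Added example, not from the F-Secure guide. The sshd message format is
the real OpenSSH one; host names, users and addresses are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Matches OpenSSH "Failed ..." and "Accepted ..." authentication messages
# as written to a syslog-style auth log (no year in the timestamp).
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample: ten password failures from one source in ten seconds,
# then a success from the same source, a session line the parser ignores,
# and an unrelated key-based login from a different source.
SAMPLE_LOG = """\
Mar 12 02:14:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 12 02:14:02 web01 sshd[2213]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar 12 02:14:03 web01 sshd[2215]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar 12 02:14:04 web01 sshd[2217]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar 12 02:14:05 web01 sshd[2219]: Failed password for invalid user test from 203.0.113.7 port 51026 ssh2
Mar 12 02:14:06 web01 sshd[2221]: Failed password for invalid user oracle from 203.0.113.7 port 51027 ssh2
Mar 12 02:14:07 web01 sshd[2223]: Failed password for deploy from 203.0.113.7 port 51028 ssh2
Mar 12 02:14:08 web01 sshd[2225]: Failed password for deploy from 203.0.113.7 port 51029 ssh2
Mar 12 02:14:09 web01 sshd[2227]: Failed password for deploy from 203.0.113.7 port 51030 ssh2
Mar 12 02:14:10 web01 sshd[2229]: Failed password for deploy from 203.0.113.7 port 51031 ssh2
Mar 12 02:14:15 web01 sshd[2231]: Accepted password for deploy from 203.0.113.7 port 51040 ssh2
Mar 12 02:14:16 web01 sshd[2231]: pam_unix(sshd:session): session opened for user deploy by (uid=0)
Mar 12 02:20:00 web01 sshd[2300]: Accepted publickey for alice from 198.51.100.9 port 40000 ssh2
"""


def parse_auth_line(line, year=2018):
    """Return (timestamp, result, user, ip) for an auth message, else None.
    Syslog timestamps carry no year, so the caller supplies one."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def find_brute_force_logins(lines, threshold=10, window_s=300):
    """Alert on every Accepted login preceded by at least `threshold` failures
    from the same source within `window_s` seconds (sliding window per IP).
    Returns a list of alert dicts in log order."""
    failures = defaultdict(list)  # source ip -> timestamps of recent failures
    alerts = []
    for line in lines:
        rec = parse_auth_line(line)
        if rec is None:
            continue
        ts, result, user, ip = rec
        # Age out failures that fell outside the window before this event.
        recent = [t for t in failures[ip] if (ts - t).total_seconds() <= window_s]
        failures[ip] = recent
        if result == "Failed":
            recent.append(ts)
        elif len(recent) >= threshold:
            alerts.append({"ip": ip, "user": user, "when": ts, "failures": len(recent)})
            failures[ip] = []  # one alert per burst
    return alerts


if __name__ == "__main__":
    for a in find_brute_force_logins(SAMPLE_LOG.splitlines()):
        print(f"{a['when']} brute-force success: {a['user']}@{a['ip']} "
              f"after {a['failures']} failures")
```

A real deployment would read the auth log continuously and tune the threshold and window to the environment; the point is that a successful login after a failure burst is a post-breach event worth a human's attention, not just a prevention statistic.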

[Figure: two groups of threats side by side. Machine Conducted Attacks (99,9% of attacks; protection common): Spyware, Ransomware, Banking Trojans, Self-replicating Botnets, Remote Access Trojans; typical controls are End-point protection, Email security and Firewall. Human Conducted Attacks (0,1% of attacks; usually no protection): Spear Phishing, Reconnaissance, Lateral Movement, Privilege Elevation, Establishing Persistence, Data Exfiltration; relevant services are Managed Detection & Response, Endpoint Detection & Response and Incident Response Services.]

Commodity threats, and the solutions that protect against them are commonplace... But targeted attacks have the potential to be a lot more damaging. And most organizations aren’t protected against those at all. Read on to learn more.

THE ANATOMY OF AN ATTACK

In our experience, most companies only discuss cyber security as it relates to the broader topic of risk management. While performing risk analyses, companies identify threats or risks relevant to their organization and then prioritize them based on likelihood, impact, and cost to mitigate. When addressing cyber threats, we’ve noticed a potential disconnect between the risk that companies perceive and the reality of the situation. We’d like to help clear that up.

Sophisticated cyber attacks tend to start at the top and work their way down. It’s the opposite of “low-hanging fruit”. When new types of attacks are discovered, they’re usually attributable to highly resourced threat actors (i.e. nation states). These adversaries, by default, go after the highest-value targets first. As the tactics, techniques, and procedures (TTPs) used in such attacks become public knowledge, they trickle down into the hands of less organized cyber criminals. New TTPs first see use against governments, military targets, and defense contractors. Next on the ladder are usually banks and critical infrastructure providers (such as energy companies). The same TTPs then get used against heavy industry and finally, everyone else (manufacturing, retail, SMEs, etc.).

[Figure: TTPs trickle down the ladder of targets: State, Defense, Infrastructure, Banks, Manufacturing, Retail.]

Threats to an organization aren’t limited to attacks from the outside. Accidental and intentional leaks can and do originate from company insiders with enough access to critical or confidential assets. Upstream attacks, where a partner, supplier, or contractor is compromised by an attacker looking to establish a beachhead in an adjacent organization, are also very common. In several incident response cases we’ve been involved with, even physical intrusion of a company’s premises was used as part of the attack vector.

Cyber attacks come in many forms, ranging from commodity malware (such as ransomware) to highly skilled attacks performed by nation-state actors. We’ve broken these threats down into separate categories.

[Figure: threat landscape chart with Skills (Low to High) on the horizontal axis and Focus (Low to High) on the vertical axis. Actor categories from left to right: Cyber Crime, Organized Cyber Crime, Hacktivists/Researchers, Nation State Actors. A shaded region in the low-skills, low-focus corner is labelled “Protection offered by typical corporate level of investment”. Plotted examples include Crypto Ransomware, Crypto-miners, Exploit Kits, Necurs Botnet, Mirai Botnet, Dridex, WannaCry, VTech Hack, Tesco Bank, Bangladesh Bank, SF Muni Hack, Panama Papers, Shamoon, Sony Pictures breach, Yahoo! Breach, Hacking Team, US Office of Personnel, Shadowbrokers, John Podesta’s Gmail, Havex Trojan, Triton/Trisis, The Dukes, Sofacy, NotPetya, Slingshot, Regin and Stuxnet/Duqu.]

“WHEN GDPR AND NIS REGULATIONS ARE EFFECTIVE, IT WILL BE MANDATORY FOR ORGANIZATIONS TO HAVE AN ANSWER TO DATA BREACHES.”

Commodity threats

Commodity threats are highly prevalent, and have been for decades. A company’s chance of encountering commodity threats is, therefore, extremely high. However, due to their prevalence and long history, there are plenty of good software solutions available designed to protect against these threats. And these solutions work as intended. If a business is hit by a commodity threat (such as crypto-ransomware), the impact is usually fairly low. Most of the time it’ll be blocked by endpoint protection software. If it does get through, there are two options – pay the ransom or fix the problem. Don’t pay the ransom and a handful of staff will lose some productive work time. Pay and, most of the time, you’ll get the data back. Ransom amounts are low by company standards. So, the likelihood of seeing a commodity threat is high, the impact tends to be low, and the mitigation cost is basically free (we assume you’re smart enough to be running an endpoint protection solution already).

Cyber crime

Cyber crime represents the next category on our risk assessment scale. This category moves beyond the realm of commodity malware threats, and onto targeted attacks. Companies are selected as targets for various reasons. In some cases, a victim is chosen because they are “broadcasting” themselves via weak or vulnerable infrastructure. Other targets are selected simply because the attacker has taken interest in a particular organization, for one reason or another.

Cyber criminal attacks are often opportunistic - the attacker has an easy way in, sees an opportunity to make money, and takes it. Cyber crime is by-and-large financially motivated. Once the adversary has breached the target’s network, systems or data will be held for ransom. We refer to this phenomenon as “cyber extortion”. These types of attacks are very much on the rise, and can target organizations of any size, from SMEs to large enterprises.

We predict that the introduction of the NIS and GDPR regulations will further embolden cyber criminals and cyber extortion schemes. Once these regulations are in effect, companies may be more willing to fork over a ransom, in order to sweep the news of a breach under the rug rather than face the expensive task of responding to and reporting the incident.

Cyber crime can be broken down into roughly two categories – organized and non-organized. Organized cyber criminal groups are very close, in terms of sophistication, to nation-state actors. The Bangladesh bank attacks of 2016 are a good example of organized cyber crime. Non-organized cyber criminals often run as lone wolves. They have fewer resources, and their skill can vary. The Romanian Underground falls into this category.

Two years ago, we’d have rated the likelihood of falling prey to cyber criminals as low. Today, the likelihood is medium, and on the rise. The financial and business impact of a targeted cyber crime attack can vary. In many of the cases we’ve responded to, ransoms demanded by non-organized cyber extortionists only ran into the tens of thousands of Euros - not a hefty sum for most organizations. But we don’t imagine that any organization would simply pay the ransom and go about their business. The knowledge that an intruder is in their network is going to be enough to call in an incident response team to sort out the situation.

If an adversary manages to exfiltrate important data, the costs of a cyber crime incident can really start to skyrocket. This is especially true if customer data was involved. No matter what, a breach is most likely going to incur reputational, legal, PR, business, and internal productivity costs. And the considerations are no longer limited to protecting your business and its sensitive data: regulatory bodies like the European Union have made new requirements. For example, the EU’s General Data Protection Regulation (GDPR) requires organizations to be adequately prepared to detect, respond and report personal data breaches within 72 hours.

Nation state

Companies that worry about being targeted by nation-state attacks typically know who they are. They also know that defending against a nation-state attack is almost impossible. Regardless, they’re forced to try (since they can’t afford not to). The impact of nation-state attacks can vary from having top secret intellectual property stolen by overseas competitors or governments, to having your nuclear enrichment halted when centrifuges

DON’T BELIEVE THE HYPE

Getting to the point of why we presented this risk analysis, we’ve noticed that there’s still a very strong marketing push towards endpoint protection solutions. We’ve seen “next gen” vendors claim that their solutions can prevent targeted attacks. Some even foolishly claim that breach detection is irrelevant, since it’s already “game over” if a threat gets through perimeter defenses.

It’s all very misleading.

Targeted attacks don’t care about your “next gen” product, no matter how shiny the vendor claims it to be. To be blunt, the solutions they’re selling are fixing the wrong problems.

Given this huge marketing push from “next gen”, we’re not really surprised to see that very few companies we’ve spoken to are aware of the need for breach detection and response capabilities. And therein lies the problem. Organizations are way too distracted to realize that they should start investing in breach detection and response, instead of another layer of protection against commodity threats (although the adversaries would love you to do this). Let’s put it this way - would you rather have your next incident involve cleaning malware off a laptop in your sales department or dealing with a full-blown data breach?

But don’t just take our word for it. Gartner predicts that “by 2020, 60 percent of enterprise information security budgets will be allocated for rapid detection and response approaches, which is an increase from less than 30% in 2016.” So, ask yourself this: how much of your budget have you allocated to breach detection and response right now? We’re guessing it isn’t close to 60 percent. In our experience, only 10% of companies we’ve talked to were even thinking about it.
                                             are destroyed, like in Iran.

                                                                                                                                                              Gartner 'Special Report
                                                                                                                                                              Cybersecurity at the Speed of Digital Business’
                                                                                                                                                              Paul E. Proctor, Ray Wagner, 30 August 2016,
                                                                                                                                                              refreshed December 2017

FROM A DEFENDER’S DILEMMA TO AN INTRUDER’S IMPASSE

Cyber threats are asymmetric in nature. An attacker only needs to succeed once to gain access to a network. Defenders must succeed one hundred percent of the time if they want to keep them out. You can't rely on being successful all the time.

And yet this is what most companies are doing. Traditional perimeter defense technologies, such as firewalls and endpoint protection software, do a good job at what they're meant to do - namely detecting and blocking real-world and commodity threats. But you can't expect these solutions to stop advanced adversaries. Any adversary worth their salt will craft an attack designed to bypass those defenses. And they won't even need to use malware to gain a foothold in the organization (contrary to what you might have been told, skilled attackers rarely, if ever, use malware).

Cyber attacks commonly follow the same pattern. Attackers start by breaching the perimeter of an organization with spear-phishing, watering hole, or man-in-the-middle attacks. Sometimes attackers may gain entry by exploiting a vulnerability in a public-facing system, or even by purchasing access to an already compromised system. Once inside the perimeter, adversaries perform reconnaissance, elevate privileges (by exploiting misconfigured or vulnerable systems), hunt for domain admin passwords (using memory-scraping tools such as Mimikatz), and move laterally onto interesting systems. They'll often establish persistence using off-the-shelf RATs such as Orcus, LiteManager, or LuminosityLink. They'll then exfiltrate data using subtle methods designed to mimic regular user behavior.

Most of the tools an attacker needs are built into the operating system itself. And attackers are adept at evading network-based IDS systems by disguising their command and control traffic as ordinary traffic. It's almost impossible to detect modern attack techniques simply by analyzing network traffic. In fact, there are too many ways for an attacker to hide. All of these techniques fly under the radar of traditional perimeter defenses such as firewalls, endpoint protection, and spam filtering.

In most cases, once a company has been breached, adversaries are able to act with impunity for as long as they wish. It's not uncommon for a company to find out they've been compromised from a third party (such as a CERT organization). In our experience in the field, on average the time between a breach happening and being discovered is 200 days. Think about that - it takes the majority of organizations months or even years to figure out they have been hacked.

Any organization not running a breach detection solution (or not having performed a recent investigation) must, in this day and age, assume they're in a post-breach state.

Breaches are becoming more and more commonplace. And this is because adversaries know that their targets have no idea they're being hacked. For many attackers, compromising systems is just as easy as a burglar walking into a house with the front door left wide open.

But here's something interesting - adversaries actually hate the idea of getting caught. And they hate operating in an environment where there's a chance they're being monitored. That's why most good attackers will exercise caution. Once inside a victim's network, a professional intruder will tread lightly, while constantly being on the lookout for signs that they've been detected.

Attackers know that a good defender won't react to signs of an intrusion in a panic – they'll watch the intruder, gather intel, and then act on the situation when they're good and ready. As a defender, successful detection and effective response will, in the eyes of the adversary, constitute a breach of their mission.

While it would seem that attackers have the advantage, there's actually a lot that defenders can do to turn the tables on them. Everything the attacker does is bound to leave a trail of evidence behind them. And while a compromised system may not be able to tell you when it's "owned", there's a chance that it logs some evidence. That evidence can be used to spot the intruder, or even to travel back in time and reconstruct the adversary's movements.

Just imagine the frustration when an attacker realizes that every move they've made has been monitored, that they've exposed their entire toolchain, and that they've effectively been sent back to square one. Not a great feeling for the attacker. And a huge win for the defender.

This is, in our opinion, the best approach to cyber defense. Let's delve into how we achieve that goal.

WHICH STRATEGY IS RIGHT FOR YOU?

Of all the challenges that organizations face while building breach detection and response capabilities, nothing really compares to the difficulty they face when trying to hire and retain good cyber security expertise. It is estimated that, right now, there are at least two cyber security jobs for every one person working in the field. This problem is expected to become even more acute in the future. The only way you're going to get valid data from an in-house intrusion detection system (IDS) is by having experts on staff. The same goes for keeping up on threat intelligence, configuring systems, red-teaming, and responding to incidents correctly. So, you're probably going to need more than one or two experts on your payroll.

And while you could eventually develop your own in-house team, systems and expertise, in most cases it means taking on a lengthy and expensive project. Finally, operating your own 24/7 Security Operations Center (SOC) with adequately skilled resources may push the total cost of ownership to a level only the largest enterprises are prepared to invest.

With a lack of skilled defenders on their side, and with the difficulties and cost associated with building their own breach detection and response capabilities, companies are battling cyber attacks and losing. This is why F-Secure has spent the last few years developing and perfecting managed detection and response services for the varying needs of companies – to bring our world class cyber security expertise within reach of every organization.

Our services don't just provide human expertise, though. They are built on top of threat intelligence, sample analysis, and decision-making technologies that have been developed in-house for over a decade. And while an organization could eventually develop their own in-house systems and expertise to the levels we've reached, it would take them a very long time.

Our managed detection and response services are available with different service levels and models to fit an organization's needs, whether enterprise or midsize. We invite you to consider the following three alternatives.

OPTION 1:
Do it yourself (with option to augment your team)

Many organizations have the resources to invest heavily in their own security teams and infrastructure. But even well-invested enterprises with their own SOC may find value in augmenting their own team with a vendor that exclusively provides cyber security services. An extended team working alongside your IT team can help you overcome the issue of hiring and retaining a big enough IT security team.

Not every company that handles detection and response in-house necessarily has staff working 24/7 to protect their operations. Such organizations may find it useful to invest in an endpoint detection and response solution that helps their IT team identify attacks during business hours, and also provides coverage outside business hours with automated response to isolate attackers. Such an approach can be enough to quickly determine the scope of an attack, identify whether or not any personal data was affected, and be able to meet the regulatory requirement to report data breaches within 72 hours as required by the GDPR.

OPTION 2:
Managed Detection and Response with F-Secure for 24/7

To overcome the difficulty of trying to hire and retain qualified cyber security expertise, F-Secure offers fully managed detection and response (MDR) services. What we mean by "managed" is that there's a minimal installation process on your side to get things up and running, and after that, everything from breach detection to response is handled by us. Our teams of threat hunters, incident responders and forensics experts are available around the clock for a fully managed breach detection and response service we call Rapid Detection & Response Service (RDS).

With Rapid Detection & Response Service you will have the benefit of F-Secure's world-class cyber security experts monitoring your network 24/7. They will review all detections within minutes and determine severity before alerting your team. False positive detections are flagged immediately to ensure your team only spends time on real threats. Working with our cyber security experts means all detections come with guidance and, if needed, further clarification. The availability of human expertise means your team will spend significantly less time on detections.

Rapid Detection & Response Service doesn't just provide human expertise, though. It's a service that's built on top of threat intelligence, sample analysis, and decision-making systems with machine learning and artificial intelligence capabilities that have been developed in-house for over a decade. And while an organization could eventually develop their own in-house systems and expertise to the levels we've reached, it would take them a very long time.

Augmenting your own team's availability and skills with F-Secure's Rapid Detection & Response Service helps you reach 24/7 availability with a 30-minute service level, and gives you expert guidance on how to respond whenever you are under attack.

OPTION 3:
Managed Endpoint Detection and Response with a Local Service Provider

An alternative approach to managed detection and response is an Endpoint Detection & Response (EDR) solution like F-Secure Rapid Detection & Response, which is delivered by certified and trained service provider partners.

F-Secure trains our local managed service providers to support you in everything from monitoring your IT environment's health and security status, to detecting and guiding you in response actions in the case of a breach. The local service provider is backed by automation that can be used to extend their availability beyond business hours, and is also supported by F-Secure's experts to handle even the most complex cases.

Many companies find a local managed service provider is the most suitable option to help keep their operating costs low. Based on our experience, these tend to be small and midsize organizations.

Even if your enterprise is well-invested, with your own SOC, you may still consider augmenting your own team with a managed detection and response service to reach 24/7 availability and a below-30-minute detection-to-response time.

BUILDING IN-HOUSE BREACH DETECTION AND RESPONSE CAPABILITIES IS DIFFICULT

We've noticed that, for most organizations, setting up in-house breach detection and response capabilities tends to be a complicated, time-consuming, and expensive endeavor. There are multiple components that need deploying and configuring. All of them are expensive, so purchasing decisions take time and research. Different components may or may not interoperate well, so you have to figure that out, too. Then you need to select threat intelligence feeds, and there are dozens if not hundreds of those available. Deploying and configuring these systems is a complicated job. And at the end of all this, you'll be left wondering if you've got everything covered and whether or not all the pieces are talking to each other properly. And that's just the initial install. After that, systems, rules, and feeds need to be constantly improved and modified as the world changes.

Responding to a breach is usually also a lengthy and expensive process that requires expert data forensics and incident response work. A typical response scenario includes removing the adversary from the network, cleaning up or restoring affected systems, resetting compromised accounts, determining where the intruder has been, and determining what the intruder has done. Most companies don't have the in-house expertise or capabilities to perform these types of activities, and so must call on a third party to help.

FROM DIY TO ROI

Because expertise, monitoring, threat hunting, and response capabilities are covered by F-Secure or our service providers, once you've decided to implement the service in your organization, all you need to do is install simple sensors on your organization's endpoints.

The time from initial deployment and configuration to actual breach detection and response capabilities is less than a week. In fact, we've been told by several customers that we have the easiest system they've ever worked with.

The alternative to deploying a managed breach detection and response service is a lengthy (in most cases 3-5 years) and expensive (multi-million Euro) project of purchasing, deploying, and configuring dedicated systems, and hiring and training a sizeable staff.

But a managed approach to detection and response isn't just about a fast return on investment. We've seen many companies go to the trouble of building a SOC and setting up an IDS and SIEM, only to still not catch threats. This is because, in our experience, finding actual threats is like looking for a needle in a haystack.

To illustrate with a recent real-world example, in a 1000-node customer installation, our sensors collected around 2,000,000,000 events over a period of one month. Raw data analysis in our back end systems filtered that number down to 900,000. Our machine learning systems and Broad Context Detection™ mechanisms then narrowed that number down to 25. Finally, those 25 events were analyzed, and 15 real threats were discovered (and verified by the customer).

The thing is, if you go with your own IDS/SIEM solution, it's your organization that will need to process those 900,000 events. And that's why we've gone to countless customer sites and found threats on their network, despite those customers already running very well-known IDS solutions. Combing through the noise and false positives is difficult, and can cause fatigue in even the most diligent of analysts.

In order to process this volume of events, you also need reliable, up-to-date threat intelligence. At F-Secure, we have our own in-house sources. And after over 30 years in the business, we also have a massive historical sample collection that even gives us the ability to find relevant threats left undiscovered from currently active threat actors. Our researchers do both threat intelligence investigations and reverse engineering. This gives us both high-level knowledge of the global threat landscape and in-depth technical knowledge of the threats themselves. Instead of studying each threat independently, we identify relationships between threats, allowing us to understand the capabilities and motives of an adversary. We focus on the puzzle and not just on the individual pieces.

[Figure: detection funnel from the customer example. 2 billion data events / month, collected by ~1300 end-point sensors -> 900 000 suspicious events after RDS engine analysis of the raw data -> 25 detections, where RDC threat hunters confirmed anomalies and contacted the customer -> 15 real threats confirmed by the customer.]

[Figure: cumulative cost of building detection and response in-house, plotted from 0 to 3-5 years. Stages labelled Preventive (endpoint protection & firewalls), Situational awareness (1+ M€), Internal network Detection & Response (1+ M€), and Threat Intelligence (1+ M€); component labels IDS, EDR, IR, SOC, SIEM.]

RAPID DETECTION & RESPONSE CENTER

At the core of F-Secure’s approach to advanced threat protection is our Rapid Detection & Response Center (RDC), which is the base of operations for all of our detection and response services. At RDC, cyber security experts work on a 24/7 basis, where they hunt for threats, monitor data and alerts directly from our Rapid Detection & Response Service customer environments, flag anomalies and signs of a breach, and then work with our customers to respond to real incidents as they take place. They also support our certified F-Secure Rapid Detection & Response service providers when their expertise is needed to resolve the most demanding cases.

RDC staff have access to our own in-house, world-class analytical and threat hunting tools, all of our threat intelligence data, and a wealth of information and knowledge from both our Cyber Security Services and F-Secure Labs organizations. In fact, all of these teams work closely in cooperation with each other.

Staff at our Rapid Detection & Response Center are trained to handle a variety of tasks. We also train our managed service providers in many of these tasks. The main tasks fall into roughly three different roles: threat hunters, incident responders, and forensics experts.

Threat hunters
Threat hunters are our first responders. They monitor the service and hunt for threats. When a threat hunter discovers something suspicious, evidence is collected to verify the incident. If a real incident is discovered, it is given a priority. High-priority alerts are generated when there’s a strong indication of an ongoing breach, and in these cases, the customer is immediately contacted by phone. For non-critical cases, guidance is sent to the customer by email. Threat hunters also keep the customer up to date on any ongoing investigations.

Incident responders
Incident responders are assigned complex cases that customers are unable to handle on their own, and may assist the customer either remotely or on-site. Incident response personnel can assist with a range of technical and non-technical response activities, depending on customer needs. We are also familiar with collecting evidence for law enforcement purposes, should it be required.

Forensics experts
Forensics experts are specialists tasked with the most difficult of cases. F-Secure is one of the few organizations globally that can handle a very wide range of forensic tasks, ranging from internal network triage to deep reverse engineering of unique malware samples. This allows us to handle even the most complicated nation-state originated attacks.

RED-TEAMING

F-Secure’s detection and response service capabilities are primarily developed using an iterative, red-teaming approach. In short, we have our guys attack systems, figure out what the service didn’t catch, and make improvements. Some improvements are made by hand. Others are learned by our backend systems during the red-teaming exercises. As part of this process, we document and visualize the various attack chains used, which allows the red-teamers to come up with new, more devious attack methods.

Our first recommendation to customers who have just purchased F-Secure’s detection and response service is to bring in a third party and run a red-team exercise against our service. Not only does it help you verify that everything has been correctly set up, it allows you to see the process in action, which is a nice way to practice for a real incident.

On the subject of red-teaming, we’ve challenged third parties to bypass F-Secure’s detection and response services, but none have managed to do so yet. But there’s more. There are at least seventy companies out there that claim they can detect and remediate any targeted attack. In our experience, there are very few that actually can. How do we know? Well, so far, we have a flawless success rate on corporate exposure assignments (where a customer ordered a targeted attack from us). In every single case, we successfully breached organizations running our competitors’ products. And none of those products detected our attacks. We’re not going to name any names.

MAN & MACHINE

At F-Secure we recognized that protecting our customers from advanced threats requires more than world-class technologies built around artificial intelligence. The best way to provide an unequalled breach detection and response capability is not to build just an advanced threat hunting tool; it’s to combine both man and machine with machine learning systems and cyber security expertise.

We recognized early on the difficulties other companies had in building their own breach detection and response capabilities with a DIY approach, and decided to take the managed service route. We also recognize the different needs various organizations have, so we designed our managed services to be available with different service levels and models to deliver the service. F-Secure’s team is available 24/7 and can provide world-class services with a 30-minute response time after detecting a real threat. Our certified managed service providers also have different service levels, like availability only during local business hours supported by round-the-clock automation.

We recommend organizations calculate their return on investment (ROI) with alternative approaches before simply jumping into purchasing a piece of technology, or hiring a sizeable team required to operate the technology. It can be difficult to reach a positive ROI for building your own capabilities, especially after the necessary human expertise has also been considered.

DETECTING BROADER CONTEXT

When a targeted attack occurs, you will need a bigger picture than a detection from one impacted host can provide. In order to fully understand the true severity of each attack, you will need to discern the broader context, and to do it quickly.

To overcome the issue of having too many raw data events for a human to process, F-Secure has developed behavioral data analysis to narrow down the data, along with Broad Context Detection™ mechanisms to build context around all relevant events across impacted hosts. Broad Context Detection™ helps people easily understand the targeted attack by visualizing the set of circumstances around an attack, and even provides recommended actions for how to respond. Broad Context Detection™ is a prime example of F-Secure’s “man and machine” approach that empowers people to stop the attack swiftly, or even define automated response actions when the team is off work.

F-Secure’s detection and response services are also designed to look for the existence of newly discovered threats in historical data. Retrospective threat hunting is achieved when new detection algorithms are run against historical data collected from each of our customers. This mechanism is especially useful when dealing with attacks from more advanced adversaries (that may have stayed hidden for some time).

F-Secure’s solution can be deployed during ongoing incident response work, and is used as a threat hunting service that can quickly gain visibility into a network that has already been breached.

Finally, the services continue to work outside of the corporate network. In a world where the classical security perimeter is crumbling, traditional IDS approaches have become ineffective (since they typically only work on the edge of the network). These traditional approaches cannot track threats when devices are outside of the corporate network, or when people utilize cloud-based services. Our endpoint sensor approach solves this problem rather effectively. What’s more, we’ve been working on extending the service capabilities into cloud services, such as Salesforce.

INCIDENT MANAGEMENT AND INVESTIGATIONS

[Figure: cycle diagram of four phases: Predict, Prevent, Detect, Respond.]

When a breach is discovered, having access to historical data is the key to building a detailed post-breach event timeline. Since adversaries almost invariably wipe data to cover their tracks during an attack, having access to data that is stored off-premises means having a pretty much guaranteed tamper-proof source of evidence for incident response and forensic investigators. In the event of an incident, we help the customer preserve any evidence that is essential in subsequent incident response actions.
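The two ideas above, running a new detection over stored telemetry (retrospective hunting) and then widening a single-host hit into a cross-host timeline (the broader context an investigator needs), can be shown in a small script. This is an added example, not F-Secure’s code or a description of its backend; the hosts, process names, timestamps and the detection rule are constructed for illustration, and the 15-minute context window and the “follow network connections to peers” heuristic are assumptions of this example.

```python
"""Added example (not F-Secure's code): retrospective hunting over stored
endpoint telemetry, then assembling cross-host context around the hits.
Hosts, process names and the rule are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str                      # "process" or "netconn"
    data: Dict[str, str] = field(default_factory=dict)


# Constructed telemetry: what sensors stored over two days, before the
# detection rule below had been written.
T0 = datetime(2018, 3, 1, 9, 0)
HISTORY: List[Event] = [
    Event(T0, "ws-01", "process", {"image": "winword.exe", "parent": "explorer.exe"}),
    Event(T0 + timedelta(minutes=2), "ws-01", "process", {"image": "powershell.exe", "parent": "winword.exe"}),
    Event(T0 + timedelta(minutes=3), "ws-01", "netconn", {"dst_host": "srv-02", "dst_port": "445"}),
    Event(T0 + timedelta(minutes=5), "srv-02", "process", {"image": "services.exe", "parent": "wininit.exe"}),
    Event(T0 + timedelta(minutes=6), "srv-02", "process", {"image": "cmd.exe", "parent": "services.exe"}),
    Event(T0 + timedelta(hours=5), "ws-03", "process", {"image": "excel.exe", "parent": "explorer.exe"}),
    Event(T0 + timedelta(days=1), "ws-03", "process", {"image": "powershell.exe", "parent": "explorer.exe"}),
]

Detection = Callable[[Event], Optional[str]]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def office_spawns_script_host(ev: Event) -> Optional[str]:
    """A newly written detection: a scripting host launched by an Office app."""
    if ev.kind == "process" and ev.data.get("parent") in OFFICE \
            and ev.data.get("image") in SCRIPT_HOSTS:
        return "office-spawned-script-host"
    return None


def retrospective_hunt(history: List[Event], rule: Detection) -> List[Tuple[Event, str]]:
    """Run a detection over *stored* events so that activity predating the
    rule is still found, instead of only matching new events as they arrive."""
    hits = []
    for ev in sorted(history, key=lambda e: e.ts):
        label = rule(ev)
        if label is not None:
            hits.append((ev, label))
    return hits


def build_context(history: List[Event], hits: List[Tuple[Event, str]],
                  window: timedelta = timedelta(minutes=15)) -> Tuple[Set[str], List[Event]]:
    """Widen a single-host hit into a cross-host timeline: keep events on the
    impacted host inside the window, and follow its network connections to
    pull in the peers it touched during that period (assumed heuristic)."""
    if not hits:
        return set(), []
    ordered = sorted(history, key=lambda e: e.ts)
    start = min(ev.ts for ev, _ in hits) - window
    end = max(ev.ts for ev, _ in hits) + window
    impacted: Set[str] = {ev.host for ev, _ in hits}
    for ev in ordered:                       # follow lateral edges in time order
        if ev.kind == "netconn" and ev.host in impacted and start <= ev.ts <= end:
            impacted.add(ev.data["dst_host"])
    timeline = [ev for ev in ordered if ev.host in impacted and start <= ev.ts <= end]
    return impacted, timeline


def describe(timeline: List[Event]) -> List[str]:
    """One line per event, the form an analyst reads a timeline in."""
    lines = []
    for ev in timeline:
        detail = ", ".join(f"{k}={v}" for k, v in ev.data.items())
        lines.append(f"{ev.ts:%Y-%m-%d %H:%M} {ev.host:<6} {ev.kind:<8} {detail}")
    return lines


if __name__ == "__main__":
    found = retrospective_hunt(HISTORY, office_spawns_script_host)
    hosts, tl = build_context(HISTORY, found)
    print("impacted hosts:", sorted(hosts))
    print("\n".join(describe(tl)))
```

The rule matches only the day-old event on ws-01, but the context step follows the SMB connection made minutes later and pulls srv-02 into the timeline, while ws-03, whose PowerShell was launched by explorer.exe a day later, stays out of scope. That is the difference between a single-host detection and the broader picture the section describes; the same routine works unchanged when the stored events are weeks old, which is the point of keeping telemetry off the endpoint.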

SUMMARY

We hope this document gave you a glimpse into how we see the threat landscape today. As we see it, these bullet points pretty much summarize the situation:

• Most organizations simply don’t know if they’ve been breached or not.
• Static defenses aren’t even close to being 100% successful against attackers.
• Attackers are overly cautious about being caught.
• Building good breach detection and response capabilities is difficult.
• Red-teaming is the only way to properly test your defenses.

What we’ve seen happening over the last few years reflects a new reality. And right now, building detection and response capabilities is a complex task involving many separate components and moving parts. And a lot of manual work.

We expect that down the road, components and technologies will be pieced together to create self-adapting automated systems that are able to learn from any new stimuli they encounter. Such systems will automatically run network discovery, vulnerability assessment and patching, and perform post-breach response and remediation activities. When intrusion or post-breach TTPs are discovered, these systems will be automatically reconfigured to prevent that mechanism from being used in the future. In the event of a breach, affected systems, accounts, and access controls will be automatically remediated.

For now, though, if you are concerned about whether you’re being hacked (and we think you probably should be), we highly recommend talking to us or one of our certified service providers about F-Secure’s detection and response services. Because we think a managed solution is the way to go. And here’s why:

• You’ll have full detection and response capabilities up and running within days of initiating deployment.
• You won’t need to hire your own cyber security experts, build your own systems, or run your own response operations – we’ve got that covered.
• We promise to contact you swiftly after spotting any real incident on your network.

If you’re interested in reading more, we’ve got a three-part e-book series that goes into the consequences of a breach in more detail, how companies are building their own breach detection and response capabilities, and our tips on doing this stuff yourselves. We also have numerous blog posts on subjects including cyber crime, detection and response, and details behind the technologies and processes that F-Secure uses. All of these can be found via F-Secure’s website.

THREAT HUNTING AND DATA SCIENCE

Unlike the traditional approach of creating and applying a set of detections based on known “bad” behavior, we run actual attacks against our systems and train them on what “good” behavior looks like. We then flag everything else for further analysis and false-positive filtering. This, we believe, is the approach that most other breach detection vendors will also settle on in the future.

Threat-hunting systems need to be able to adapt to changes quickly. Everything in a monitored environment is in flux. People and devices come and go. Operating systems and software get patched. New threats and TTPs emerge. Due to the nature of this flux, traditional IDS solutions tend to be “noisy” and prone to false alarms. These same traditional solutions are also always one step behind the threat landscape.

In order to tackle this problem, our data scientists, working alongside the experts at RDC, have designed and built a series of backend statistical analysis, machine learning, and expert systems to support our analysts. The core of F-Secure’s backend is very simple, and all of the complexity is embedded in surrounding algorithms. This approach enables very fast deployment times for new detection algorithms (in minutes) and allows us to adapt to changes quickly. With F-Secure’s detection and response service in place, there’s never a need to wait for the systems deployed on your own premises to receive updates — all the logic is in our backend systems.

Our analytics systems perform a number of tasks, from analyzing and learning behaviors in monitored environments to reducing false positives. Different analysis techniques are better suited for different tasks. For instance, an expert system is best suited to find the sort of behavior caused by common attack tools and by the TTPs employed by cyber criminals. These include PowerShell commands and malicious URLs and IP addresses. Machine-learning systems are designed to spot previously unknown bad behavior, such as DHCP hijacks, spoofing, and other stealthy evasion tactics. We also utilize different multi-level combinations of expert systems, statistical analytics, and machine learning.

We’ve found that simple statistical analytics are best suited for eliminating false positives, and by applying these methods, we currently eliminate approximately 80% of all irrelevant alerts. The way we’ve built these systems and the way they interact with each other is quite unique, and something we’ve not seen elsewhere in the industry.

This combination of artificial intelligence and cyber security specialists is about the most efficient and accurate configuration we could come up with for working with the event data we receive. And it allows us to spot attacks before they have a chance to do damage or access business-critical data.
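The “learn what good looks like, flag the rest, then filter false positives statistically” pipeline described in this section can be shown end to end on a toy fleet. This is an added example, not F-Secure’s code, and it makes no claim about the real backend: the process-launch records, the four-host fleet, the choice of (image, parent) pairs as the behavior feature, and the prevalence threshold of 50% are all constructed assumptions. The page’s 80% figure is not reproduced here; the example only demonstrates the mechanism.

```python
"""Added example (not F-Secure's code): learn a fleet-wide baseline of
"good" process launches, flag everything outside it, then use a simple
prevalence statistic to drop the rollout noise such a detector produces.
All records and the threshold are constructed for illustration."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Launch = Tuple[str, str, str]          # (host, image, parent)
Pair = Tuple[str, str]                 # (image, parent)

FLEET = ["ws-01", "ws-02", "ws-03", "ws-04"]

# Constructed learning period: ordinary desktop activity on every host.
TRAINING: List[Launch] = [
    (h, img, "explorer.exe") for h in FLEET for img in ("outlook.exe", "chrome.exe")
] + [("ws-01", "winword.exe", "explorer.exe")]

# Constructed live telemetry: a software updater rolled out to all hosts,
# one workstation where Word launched PowerShell, and routine activity.
LIVE: List[Launch] = [(h, "updater.exe", "svchost.exe") for h in FLEET] + [
    ("ws-02", "powershell.exe", "winword.exe"),
    ("ws-03", "chrome.exe", "explorer.exe"),
]


def learn_baseline(training: List[Launch]) -> Dict[Pair, int]:
    """Map each (image, parent) pair seen while learning to the number of
    distinct hosts it appeared on. Membership here is the model of 'good'."""
    hosts_per_pair: Dict[Pair, Set[str]] = defaultdict(set)
    for host, image, parent in training:
        hosts_per_pair[(image, parent)].add(host)
    return {pair: len(hosts) for pair, hosts in hosts_per_pair.items()}


def flag_novel(live: List[Launch], baseline: Dict[Pair, int]) -> List[Launch]:
    """Anything not in the baseline becomes a candidate alert; there is no
    list of known-bad patterns at this stage."""
    return [rec for rec in live if (rec[1], rec[2]) not in baseline]


def suppress_by_prevalence(candidates: List[Launch], fleet_size: int,
                           max_share: float = 0.5) -> Tuple[List[Launch], List[Launch]]:
    """Statistical false-positive filter: a novel pair that shows up on more
    than max_share of the fleet in the same batch looks like a deployment,
    whereas an intrusion is rare by nature. Returns (kept, suppressed)."""
    hosts_per_pair: Dict[Pair, Set[str]] = defaultdict(set)
    for host, image, parent in candidates:
        hosts_per_pair[(image, parent)].add(host)
    kept: List[Launch] = []
    suppressed: List[Launch] = []
    for rec in candidates:
        share = len(hosts_per_pair[(rec[1], rec[2])]) / fleet_size
        (suppressed if share > max_share else kept).append(rec)
    return kept, suppressed


def triage(training: List[Launch], live: List[Launch], fleet_size: int,
           max_share: float = 0.5) -> List[Launch]:
    """Full pipeline: learn, flag, filter. Returns what reaches an analyst."""
    baseline = learn_baseline(training)
    kept, _ = suppress_by_prevalence(flag_novel(live, baseline), fleet_size, max_share)
    return kept


if __name__ == "__main__":
    for rec in triage(TRAINING, LIVE, len(FLEET)):
        print("alert:", rec)
```

Of the six live records, five are outside the baseline; the four updater launches are identical across the whole fleet and are dropped as rollout noise, so the analyst sees only the single Word-to-PowerShell launch on ws-02. The filter is deliberately cheap and explainable, which is what makes it safe to re-run as the baseline is relearned while hosts, software and patch levels change; a model that needs retraining on every such change would be as “noisy” as the IDS approach the section criticizes.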
We see things others don’t

ABOUT F-SECURE

Nobody knows cyber security like F-Secure. For three decades, F-Secure has driven innovations in cyber security, defending tens of thousands of companies and millions of people. With unsurpassed experience in endpoint protection as well as detection and response, F-Secure shields enterprises and consumers against everything from advanced cyber attacks and data breaches to widespread ransomware infections. F-Secure’s sophisticated technology combines the power of machine learning with the human expertise of its world-renowned security labs for a singular approach called Live Security. F-Secure’s security experts have participated in more European cyber crime scene investigations than any other company in the market, and its products are sold all over the world by over 200 broadband and mobile operators and thousands of resellers.

Founded in 1988, F-Secure is listed on the NASDAQ OMX Helsinki Ltd.