ARGUS: Continued Baselining and Intelligence Gathering
Part One of Persistent Threat Modeling described SecureState’s methodologies and program development for intelligence gathering and threat detection. Part Two detailed the primary methods used to feed the latest attacks, C2 analysis, artifacts and persistent techniques into a Threat Modeling and intelligence gathering database. Part Three describes how to bring everything together to provide continued baselining and intelligence gathering.
ARGUS: All-Seeing Solution
The ability to counter and contain advanced threats requires a solution that can rapidly reach out to endpoints, and within the network, to collect evidence and determine incident scope and business impact. ARGUS is a deployable solution that integrates within an organization’s environment and provides forward-reaching capabilities for continued baselining, testing and intelligence gathering, and specifically follows the Persistent Threat Modeling Methodologies discussed in Part One:
- Preparation Controls
- Real-time Monitoring and Intelligence Gathering Controls
- Real-Time Investigation Controls
- Real-Time Host Interrogation Controls
Threat Intelligence Makes Up ARGUS
ARGUS collects threat intelligence from two sources. First, ARGUS accompanies every penetration assessment and records our testers' attacks and the environment's responses to them (Attack and Compromise Intelligence). Second, ARGUS incorporates intelligence gathered from prior IR engagements, outside sources and previous penetration assessments (Trend and Shared Intelligence).
Attack and Compromise Intelligence
ARGUS captures and records the full course of an assessment, live attack engagement or in-house exercise, from reconnaissance to compromise. Traditional pentests lack the IR perspective while the environment is being assessed, and do not track the whole test, including every attempt and the environment's response to it, whether or not it succeeded. SecureState differentiates itself from traditional testing by coordinating across its practices and subject matter experts to develop a behavioral and threat model that includes current attacks, proprietary signatures and attack patterns, the responses of compromised systems, and attack vector trends.
Trend Intelligence From IR Engagements and Shared Information
ARGUS incorporates the results of Incident Response engagements: real-world analysis and tracking from actually compromised systems and networks. Organizations benefit because SecureState brings this intelligence along in ARGUS during every penetration and IR assessment, applying knowledge from prior incident and pentest results to the environment and adding to the modeling database while onsite. SecureState additionally feeds ARGUS intelligence from the security community, partnerships, government agencies and law enforcement about recent attacks, malware reverse engineering and threat models.
How ARGUS is Used
ARGUS can be used within an organization's environment to provide continued monitoring and threat model building, or as a forward-deployed tactical solution.
Leave Behind Service
The Leave Behind Service combines active IR assessments, security community intelligence, and law enforcement and government intelligence for continued threat monitoring, while also collecting live traffic and interpreting threats and trends against the organization. As SecureState continues with pentest assessments, IR engagements, investigations and exploit development, we keep updating ARGUS so that its view of current threats stays up to the minute. The ARGUS Leave Behind Service follows this process flow:
- SecureState feeds intelligence from tests, external sources and IR assessments into ARGUS
- ARGUS supplies this intelligence within the organization
- ARGUS monitors the organization to gather more intelligence
- ARGUS reports new intelligence
- SecureState pushes new intelligence to all ARGUS deployments and the security community
- SecureState repeats the process continually
Additionally, ARGUS can be retained by organizations for remediation, remote IR and continued monitoring after incidents. Organizations get smarter over time by understanding the intelligence both delivered and gathered from ARGUS, and are armed with the ability to refine and model their own intel. Ultimately, the Leave Behind Service integrates enterprise-wide threat intelligence based upon trends, tests, Incident Response, and shared intelligence. This service provides the organization with threat modeling tailored to their business and processes, continued monitoring, and threat and trending reports. The most beneficial byproduct of this service is the ability and capability to provide intelligence to the security community over time.
Forward Deployed Solution
ARGUS gives the enterprise the ability to centrally manage, deploy, monitor, collect and investigate response efforts, and provides strategic and tactical capabilities that align with the organization's overall security objectives and plans. ARGUS incorporates the following integrated services and platforms, which together provide threat modeling:
- EGRESS Platform: Discover rogue gateways, baseline network activity, monitor for reverse client-server communications (hosts inside the network calling back out to an attacker-controlled server)
- MONITORING Platform: Provide real-time alerts and active blocking on targeted attacks and compromises
- THREAT INTELLIGENCE Platform: Provide persistent threat intelligence and trends gathered through pentests, IR engagements and outside resources
- DATA CLASSIFICATION Platform: Perform data discovery and mapping, and develop impact-based response plans that address required controls around specified data types
- ATTACK Platform: Perform remote penetration and IR testing concurrently
- VIRTUAL IRT Platform: Validation of threat events, rapid containment and blocking strategies, IRT notification and deployment
- LOGGING Platform: Log aggregation, artifact analysis and correlation analysis
- FORWARD INVESTIGATION Platform: Provide live analysis of suspect system and network activity
- EVIDENCE COLLECTION Platform: Provide evidence repository for data collection and correlation, case evidence management, evidence tracking and correlation
- VULNERABILITY MANAGEMENT Platform: Monthly system health-checks against baseline thresholds (system and network)
- ANALYSIS Platform: Provides sinkhole capabilities, reverse-engineering frameworks, debugging environments, and provides detailed results for identification and containment measures
- CONTAINMENT Platform: Incorporate custom methodologies to follow whenever a suspect system is identified such as: adding suspect systems to specialized groups and segments for auditing and monitoring, log collection, system inventories, and correlation
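The EGRESS and LOGGING platform capabilities listed above (baselining network activity and watching for reverse client-server callbacks) can be illustrated with a small egress baseline and beacon detector. This is an added example and not ARGUS code: the connection log format, host names and addresses are constructed for the example, and the minimum event count and jitter threshold are assumed values a practitioner would tune.

```python
"""Egress baselining and beacon detection over connection logs.

Added example, not ARGUS code. Learns which (source host, destination,
port) tuples are normal from a baseline window, then flags live
connections outside that baseline and hosts that call the same
destination at a near-fixed interval, the signature of a reverse
client-server callback (reverse shell or C2 beacon).
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample logs: "epoch_seconds src_host dst_ip dst_port".
BASELINE_LOG = """
1000 ws01 10.0.0.5 445
1010 ws01 203.0.113.10 443
1100 ws02 10.0.0.5 445
1200 ws02 203.0.113.10 443
"""

LIVE_LOG = """
2000 ws01 10.0.0.5 445
2000 ws03 198.51.100.7 4444
2060 ws03 198.51.100.7 4444
2100 ws02 203.0.113.10 443
2120 ws03 198.51.100.7 4444
2180 ws03 198.51.100.7 4444
2240 ws03 198.51.100.7 4444
2300 ws02 203.0.113.10 443
"""


def parse_log(text):
    """Parse log lines into (timestamp, src, dst, port) tuples."""
    rows = []
    for line in text.strip().splitlines():
        ts, src, dst, port = line.split()
        rows.append((int(ts), src, dst, int(port)))
    return rows


def build_baseline(rows):
    """The set of (src, dst, port) tuples seen during the learning window."""
    return {(src, dst, port) for _, src, dst, port in rows}


def new_egress(rows, baseline):
    """Connections whose (src, dst, port) never appeared in the baseline."""
    seen = {(src, dst, port) for _, src, dst, port in rows}
    return sorted(seen - baseline)


def detect_beacons(rows, min_events=4, max_jitter=0.1):
    """Flows contacted at a regular interval.

    Groups timestamps per (src, dst, port), computes the gaps between
    consecutive connections and flags the flow when the gaps' relative
    standard deviation is at most max_jitter (assumed threshold).
    Returns (src, dst, port, mean_interval_seconds) tuples.
    """
    times = defaultdict(list)
    for ts, src, dst, port in rows:
        times[(src, dst, port)].append(ts)
    beacons = []
    for key, ts_list in times.items():
        if len(ts_list) < min_events:
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons.append((*key, avg))
    return beacons


if __name__ == "__main__":
    baseline = build_baseline(parse_log(BASELINE_LOG))
    live = parse_log(LIVE_LOG)
    for src, dst, port in new_egress(live, baseline):
        print(f"NEW EGRESS  {src} -> {dst}:{port}")
    for src, dst, port, interval in detect_beacons(live):
        print(f"BEACON      {src} -> {dst}:{port} every {interval:.0f}s")
```

On the constructed live log, ws03 is reported both as a destination never seen in the baseline and as a beacon calling 198.51.100.7:4444 every 60 seconds, while ws02's two irregular connections to an already-baselined destination raise nothing. Real C2 often adds random jitter, so the max_jitter threshold and the length of the learning window are the two knobs that decide how much of this is signal.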
Did You Know?
ARGUS validates and remediates some of the most common challenges and security shortfalls SecureState identifies during assessments:
- Companies do not know where sensitive data resides, how it is transmitted and stored, or what controls exist to protect it
- A thorough and tested IR Plan and Team do not exist
- Unauthorized installation and execution of applications is possible
- Lack of egress filtering or segmentation exists
- System inventories and network baselines have not been performed
- The principle of least privilege is not implemented
- Policies for acceptable use, standard system configurations and allowed communications differ between company sites
- File access auditing and egress auditing are not implemented
- Application, database, and event logging are not robust enough to audit, track, and record access to specific data entries
- Perimeter and egress monitoring and logging are not robust enough to audit, track and record communications
- The existing SIM (SIEM) collects and stores logs, but does not provide robust correlation of events
- Misconfigurations exist between network and perimeter devices
- Multiple attack-vector entry points
- User awareness and security training do not regularly happen
The Ultimate Approach
All of ARGUS's capabilities and intelligence gathering serve one primary purpose: discovering and protecting the data. The best approach for organizations is to stop trying to secure and harden every end-point and device, and instead to assume every end-point and device is already compromised and the data is at risk. The premise, therefore, should be to find your data and secure it, or validate that it is even needed, and to tailor resources and monitoring toward ensuring sensitive and valuable data is safe, rather than running around trying to secure and contain systems and networks that should not hold valuable data in the first place. The solution is to remove data where it is not needed and so reduce the scope of data that must be protected. SecureState will publish upcoming blogs that tie together discovering and securing data as an initial step toward a mature threat model and an integrated enterprise-wide response plan:
- Data Discovery Blog: Inspect and audit systems, devices, and applications for indications of storage, transmission, or access to sensitive and regulatory data. The readiness focus, after identifying sensitive data locations and access points, would be directed at collecting and identifying the primary ways private or sensitive data can be obtained. Additionally, this reviews data transmission, storage, ingress and egress points, and device configuration, as they relate to the storage and delivery of data.
- Data Classification Blog: A company should adopt a common set of terms and relationships between those terms in order to clearly communicate and begin to classify data types. By classifying data, the company can prepare generally to identify what the risk and impact of an incident would be based upon what type of data is involved, and what controls should be implemented to prevent access.
- Data Security Controls Blog: Identify and develop the proper security controls and protective measures to guard the confidentiality and integrity of the data. Information sharing controls, storage and transmission controls, and destruction controls provide the framework for tactically addressing data security.
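A minimal data discovery scanner of the kind the Data Discovery blog describes, as an added example and not SecureState's tooling: it looks for payment card numbers (validated with the Luhn check so that arbitrary digit runs such as order numbers are discarded) and U.S. SSN-formatted strings, and reports the location and type of each hit with all but the last four digits masked, so the report does not itself become a new copy of the sensitive data. The sample text, regular expressions, masking rule and file-size limit are constructed for the example.

```python
"""Data discovery: scan text for indications of regulated data.

Added example, not SecureState's tooling. Finds payment card numbers
(13-19 digits with optional space or dash separators, kept only when
they pass the Luhn check) and U.S. SSN-formatted strings, and reports
each hit by line and type with all but the last four digits masked.
"""
import os
import re

# Constructed patterns: separators allowed inside card numbers; SSN in 3-2-4 form.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Constructed sample content standing in for a file under review.
SAMPLE_TEXT = """customer: Jane Doe, card 4111 1111 1111 1111 exp 12/29
order ref 1234 5678 9012 3456 placed
ssn 123-45-6789 on file
"""


def luhn_ok(digits):
    """Luhn checksum: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value):
    """Keep only the last four digits of a value (assumed masking rule)."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text):
    """Return (line_number, data_type, masked_value) for each hit."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            # Digit runs that fail Luhn (order numbers, IDs) are dropped.
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                hits.append((lineno, "PAN", mask(digits)))
        for m in SSN_RE.finditer(line):
            hits.append((lineno, "SSN", mask(m.group())))
    return hits


def scan_tree(root, max_bytes=1_000_000):
    """Scan every regular file under root; skip unreadable or oversized files."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    hits = scan_text(fh.read())
            except OSError:
                continue
            if hits:
                findings[path] = hits
    return findings


if __name__ == "__main__":
    for lineno, kind, masked in scan_text(SAMPLE_TEXT):
        print(f"line {lineno}: {kind} {masked}")
```

Run against the sample, the card on line 1 is reported and the 16-digit order reference on line 2 is not, because it fails the Luhn check; the SSN on line 3 is reported by format alone. Point scan_tree at a file share or home directory to get a per-file map of where regulated data sits, which is the first input the classification and controls steps need.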