By Al Hartmann

Post-Compromise Detection

When Prevention Fails, Detection Is Crucial

The climactic scene in the classic Vietnam War film Platoon depicts a North Vietnamese Army regiment in a surprise nighttime attack breaching the concertina wire perimeter of an American Army battalion, overrunning it, and slaughtering the startled defenders. The desperate company commander, grasping their dire defensive dilemma, orders his air support to strike his own position: “For the record, it’s my call—Dump everything you’ve got left on my position!” Moments later the battlefield is immolated in a napalm hellscape.

Although physical conflict, this illustrates two aspects of cybersecurity—(1) You need to deal with inevitable perimeter breaches, and (2) It can be bloody hell if you don’t detect early and respond forcefully. MITRE Corporation has been leading the call for rebalancing cybersecurity priorities to place due emphasis on breach detection in the network interior rather than simply focus on penetration prevention at the network perimeter. Rather than defense in depth, the latter produces a flawed “tootsie pop” defense—hard, crunchy shell, soft chewy center. Writing in a MITRE blog, “We could see that it wouldn’t be a question of if your network would be breached but when it would be breached,” explains Gary Gagnon, MITRE’s senior vice president, director of cybersecurity, and chief security officer. “Today, organizations are asking ‘How long have the intruders been inside? How far have they gone?'”

Some call this the “presumed breach” approach to cybersecurity, or as posted to Twitter by F-Secure’s Chief Research Officer:

This is based upon the likelihood that any sufficiently complex cyber environment has an existing compromise, and that Fortune 500 enterprises are of magnificently complex scale.

Shift the Burden of Perfect Execution from the Defenders to the Attackers

The traditional cybersecurity viewpoint, derived from the legacy perimeter defense model, has been that the attacker only has to be right once, while the defender must be right every time. A sufficiently resourced and persistent attacker will eventually achieve penetration. And time to successful penetration decreases with increasing size and complexity of the target enterprise.

A perimeter or prevention-reliant cyber-defense model essentially demands perfect execution by the defender, while ceding success to any sufficiently sustained attack—a plan for certain cyber disaster. For example, a leading cybersecurity red team reports successful enterprise penetration in under three hours in more than 90% of their client engagements—and these white hats are limited to ethical means. Your enterprise’s black hat attackers are not so constrained.

To be viable, the cyber defense strategy must turn the tables on the attackers, shifting to them the unachievable burden of perfect execution. That is the rationale for a strong detection capability that continually monitors endpoint and network behavior for any unusual signs or observed attacker footprints inside the perimeter. The more sensitive the detection capability, the more caution and stealth the attackers must exercise in perpetrating their kill chain sequence, and the more time and labor and talent they must invest. The defenders need but observe a single attacker footfall to uncover their foot tracks and unwind the attack kill chain. Now the defenders become the hunter, the attackers the hunted.


MITRE provides a detailed taxonomy of attacker footprints, covering the post-compromise segment of the kill chain, known by the acronym ATT&CK, for Adversarial Tactics, Techniques, and Common Knowledge. ATT&CK project team leader Blake Strom says, “We decided to focus on the post-attack period [portion of kill chain lined in orange below], not only because of the strong likelihood of a breach and the dearth of actionable information, but also because of the many opportunities and intervention points available for effective defensive action that do not necessarily rely on prior knowledge of adversary tools.”

As shown in the MITRE figure above, the ATT&CK model provides additional granularity on the attack kill chain post-compromise stages, breaking these out into ten tactic categories as shown. Each tactic category is further detailed into a list of techniques an attacker may employ in performing that tactic. The January 2017 model update of the ATT&CK matrix lists 127 techniques across its ten tactic categories. For example, Registry Run Keys / Start Folder is a technique in the Persistence category, Brute Force is a technique in the Credentials category, and Command-Line Interface is a technique in the Execution category.

Leveraging Endpoint Detection and Response (EDR) in the ATT&CK Model

Endpoint Detection and Response (EDR) products, such as Ziften provides, offer critical visibility into attacker usage of techniques listed in the ATT&CK model. For example, Registry Run Keys / Start Folder technique usage is reported, as is Command-Line Interface usage, since these both involve readily observable endpoint behavior. Brute Force usage in the Credentials category should be blocked by design in each authentication architecture and be observable from the resulting account lockout. But even here the EDR product can report events such as failed login attempts, where an attacker may have a few guesses to try, while remaining under the account lockout attempt threshold.

For attentive defenders, any technique usage may be the attack giveaway that unravels the entire kill chain. EDR products compete based on their technique observation, reporting, and alerting capabilities, as well as their analytics potential to perform more of the attack pattern detection and kill chain reconstruction, in support of defending security analysts staffing the enterprise SOC. Here at Ziften we will outline more of EDR product capabilities in support of the ATT&CK post-compromise detection model in future blogs in this series.

Get the Blog Here