Three Paths to Better Network Evidence
Analysts, threat hunters, and management teams need the right evidence for a variety of reasons. There isn't a workaround for "I don't have the data!"
August 3, 2022
Evidence has always been the bedrock of a sound investigation: the difference between "we know" and "we think," between "case closed" and "I'll get you the next update in an hour." On top of that foundation, we are faced with last year's breach of red team tooling, large-scale events like log4shell and Sunburst that bypass our detection coverage, and continually expanding attack surfaces. As a result, defenders are realizing that evidence isn't just an asset: it is a strategy. Specifically, they are treating evidence as a pillar of modern security strategy, alongside solid protection coverage, MITRE alerting coverage, and automation ratios. Measuring and improving evidence coverage and quality results in higher case closure rates, lower MTTR, and narrower breach disclosure. The challenge is, how do we get there? From working with savvy defenders, we see three main approaches, depending on who has assumed a strategic leadership role in the SOC:
Technology evolution
The most straightforward path, often led by the security engineering team, is a natural evolution of the toolset supporting the SOC. Engineering-led organizations have often spent the last few years modernizing their SIEM, deploying EDR, and (in varying degrees) implementing automation through a case management or SOAR platform. These investments have usually provided real gains in both detection coverage and staff efficacy, but when teams look at the attacks that bypass their current defenses, they often find that limited network telemetry is the root of the problem. This often leads them to deploy an NDR solution as the next step in their technology stack, because the network provides high-fidelity evidence coverage that complements what they already have. So they end up with a focus on evidence, but get there by evolving the technology stack.
Threat hunting
The most common path is not technical but organizational. Defenders with an established SOC and incident response program have been investing in threat hunting (as a team, a role, or a function) as the best next step to mature their cyber capabilities. While most think of threat hunting in terms of its primary goal (finding attacks that have bypassed current detection mechanisms), the discipline provides a range of benefits that extend well beyond that. The most common are (a) turning threat hunt results into new detection analytics, (b) finding operational anomalies that improve uptime or policy compliance, (c) understanding the environment better to accelerate daily incident response, and (d) providing a career path and improving retention for senior technical talent.
Regardless of the goal, threat hunters quickly find that most of the evidence an organization has isn't what they need. When the bulk of available evidence is alert based, they are left with only "pre-judged" evidence, the exact opposite of what they need. Threat hunters need behavioral evidence: the ground truth of what really happened. That focus often leads them to the network (and technology like Zeek), because network visibility often provides the linkages across existing data sets and also lets them pursue the investigations that alerts trigger. This path ends with a stronger view of an evidence-based security strategy, as threat hunting teams will often measure the coverage of their evidence.
Exposure analysis
The least common, but I would argue the most enlightened, path to this strategy is event-based and often driven by the management team. To quote an organization I met with recently, "Sunburst made us realize that we had no way to find out what our exposure was, so we knew we had to make an investment in visibility and coverage." When we are faced with the reality of large-scale events like Sunburst or log4shell, it is the management team that has to face the questions of "what do we know" and "are we sure?" That leads teams to treat their evidence like they are already treating their MITRE TTPs: a heat map that shows both coverage and efficacy. This path, because of its top-down support and strategic lens, leads to the most complete form of an evidence-based strategy as the team will track both coverage and efficacy of the evidence.
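Both the threat hunters who "measure the coverage of their evidence" and the management teams who want a MITRE-style heat map of coverage and efficacy need the same underlying calculation: for each technique they care about, which evidence sources it depends on, which of those are actually collected, and how good the collected data is. The following is an added example, not code from Corelight or the author, that computes such a heat map. The inventory of evidence sources, the efficacy scores, the tool names and the technique-to-data-component mapping are all constructed for the example; the technique IDs are real ATT&CK identifiers, but the component lists attached to them are simplified assumptions rather than the official ATT&CK mapping.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed evidence inventory for this example: each ATT&CK-style data
# component the SOC can collect, the tool assumed to produce it, and an
# efficacy score (0.0 = not collected, 1.0 = complete, parsed and retained
# long enough to hunt in). Scores and tools are assumptions, not measurements.
EVIDENCE_INVENTORY: Dict[str, Dict[str, object]] = {
    "Network Traffic: Network Connection Creation": {"tool": "Zeek conn.log", "efficacy": 1.0},
    "Network Traffic: Network Traffic Content": {"tool": "Zeek http/dns/ssl logs", "efficacy": 0.9},
    "Process: Process Creation": {"tool": "EDR", "efficacy": 0.8},
    "Command: Command Execution": {"tool": "EDR", "efficacy": 0.5},
    "Logon Session: Logon Session Creation": {"tool": "Windows event logs in SIEM", "efficacy": 0.6},
    "File: File Creation": {"tool": None, "efficacy": 0.0},
}

# Illustrative technique -> required data components. The IDs are real ATT&CK
# technique identifiers; the component lists are simplified for the example.
TECHNIQUE_REQUIREMENTS: Dict[str, List[str]] = {
    "T1071 Application Layer Protocol": [
        "Network Traffic: Network Connection Creation",
        "Network Traffic: Network Traffic Content",
    ],
    "T1048 Exfiltration Over Alternative Protocol": [
        "Network Traffic: Network Connection Creation",
        "Network Traffic: Network Traffic Content",
        "File: File Creation",
    ],
    "T1021 Remote Services": [
        "Network Traffic: Network Connection Creation",
        "Logon Session: Logon Session Creation",
    ],
    "T1059 Command and Scripting Interpreter": [
        "Process: Process Creation",
        "Command: Command Execution",
    ],
}


@dataclass
class TechniqueEvidence:
    technique: str
    coverage: float       # share of required components collected at all
    efficacy: float       # mean efficacy over required components (missing = 0)
    missing: List[str]    # components with no collection at all


def _efficacy(inventory: Dict[str, Dict[str, object]], component: str) -> float:
    """Efficacy of one component; an unknown component counts as not collected."""
    return float(inventory.get(component, {}).get("efficacy", 0.0))


def score_technique(technique: str, required: List[str],
                    inventory: Dict[str, Dict[str, object]]) -> TechniqueEvidence:
    """Coverage answers 'do we have the data'; efficacy answers 'is it good enough'."""
    missing = [c for c in required if _efficacy(inventory, c) == 0.0]
    coverage = (len(required) - len(missing)) / len(required)
    efficacy = sum(_efficacy(inventory, c) for c in required) / len(required)
    return TechniqueEvidence(technique, round(coverage, 2), round(efficacy, 2), missing)


def evidence_heatmap(requirements: Dict[str, List[str]],
                     inventory: Dict[str, Dict[str, object]]) -> Dict[str, TechniqueEvidence]:
    return {t: score_technique(t, req, inventory) for t, req in requirements.items()}


def heat_bucket(score: float) -> str:
    """Three-colour bucket, the same way a MITRE coverage heat map is usually shaded."""
    if score >= 0.8:
        return "strong"
    if score >= 0.4:
        return "partial"
    return "gap"


def evidence_gaps(heatmap: Dict[str, TechniqueEvidence]) -> List[Tuple[str, int]]:
    """Components most often missing across techniques: a prioritised investment list."""
    counts: Dict[str, int] = {}
    for entry in heatmap.values():
        for component in entry.missing:
            counts[component] = counts.get(component, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def render(heatmap: Dict[str, TechniqueEvidence]) -> str:
    rows = []
    for name, e in heatmap.items():
        rows.append(f"{name:<45} coverage={e.coverage:.2f} ({heat_bucket(e.coverage):<7}) "
                    f"efficacy={e.efficacy:.2f} ({heat_bucket(e.efficacy):<7}) "
                    f"missing={', '.join(e.missing) or '-'}")
    return "\n".join(rows)


if __name__ == "__main__":
    hm = evidence_heatmap(TECHNIQUE_REQUIREMENTS, EVIDENCE_INVENTORY)
    print(render(hm))
    print("Investment priorities:", evidence_gaps(hm))
```

Separating coverage from efficacy is the point: a technique can score "strong" on coverage because every required source exists in the SIEM and still score "partial" on efficacy because one of those sources is sampled, truncated, or retained for only a few days. The `evidence_gaps` output is the list a management team takes into a budget discussion, and the same structure can be re-scored after each investment to show the heat map moving.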
In the end, the path is less important than the result in this case. Analysts need the right evidence for both day-to-day questions as well as critical incident response events. Threat hunters need the right evidence to look for anomalies and test hypotheses. Management teams need the right evidence to answer the hard questions from both executives and legal counsel. No matter how you get there, I'd strongly suggest starting now because there isn't a workaround for "I don't have the data!"
Brian Dye is CEO of Corelight.