Tuesday, February 20, 2018

Meta changes in endpoint defense: Airframes vs Drones

As the video I stole this images says "The more autonomy and intelligence you put on these platforms the more useful they become!" You know what's a lot more autonomous than an F-35? A drone! :)

One clear shift in defense occurred when Crowdstrike and Mandiant and Endgame (and now Microsoft, etc.) built platforms for companies to do detailed introspection of their computing fabric. For the first time ever serious attackers were getting caught in the act. 

This technology, despite the buzzword hype, is quite simple: A kernel inspector, streaming metadata to an aggregation system, optionally a network sniffer doing same, and algorithms that run on the data to generate actionable results. The expensive part here is the kernel inspector, which is stupidly hard to make reliable, portable, and secure! 

This recent MITRE/CrowdStrike piece demonstrates clearly the effectiveness of this approach against a modeled nation-state adversary who has not themselves tested their implant against CrowdStrike Falcon. 

These mega-implants/"endpoint protection agents" are essentially as expensive to build as airframes. In addition, every vendor produces multiple airframes which escalate in complexity when they detect anything wrong on an endpoint. But what you don't see right now is a lot of ingestion of open-source-style telemetry for your pre-escalation defenses. 

For example, this blogpost details using ELK+OSQUERY+KOLIDE to build an off-the-shelf, scalable, and completely free suite that rivals the instrumentation abilities of some of the more complex market products for "threat hunting". This is essentially the drone-analogy to the endpoint protection market. In many cases, these sorts of toolchains completely avoid the need for a kernel-level inspector, which avoids every bluescreen being "your fault". In many cases, Operating System vendors have upgraded the built-in capabilities of their platforms so that it's not necessary and in other cases, you just go without the deeper levels of data.

Just as drones changed air war forever, I expect these sorts of widely deployed defensive toolkits to change cyberwar, if for no other reason than we can assume they will penetrate the mid and low-end markets, as opposed to just the high end that the major endpoint protection players cover. Also like drones, these sorts of things didn't even exist a couple years ago, and now they are fairly fully featured. 

Of course, DARPA has a role to play here, as it did with the stealth technology behind the F-35. Much as the best part of Cyber Grand Challenge is less the attack tools and more the corpus of targets, we really really really need a massive "corpus" of behavioral/network/etc data from a real company, sanitized such that different detection algorithms can be trained and tested. 

No comments:

Post a Comment