
End Security Operations Confusion, Solve the Detection Paradigm with C.O.R.E.

  • Writer: Dennis Hackney
  • Dec 20, 2023
  • 12 min read

Cost-effective Operational Reliable Efficient, C.O.R.E. Technology Security Series



Cost-effective Operational Reliable Efficient (CORE) Technology Security involves only what is required to manage the technology risks specific to each organization, no more and no less. With CORE, an organization declares its objectives and builds to those objectives. For security, CORE enables organizations to keep 100% accurate asset inventories, proactively manage vulnerabilities, detect threats to each technology, respond to exploits (accidental or otherwise), and maintain business operations while recovery activities are underway. After remediation, CORE Technology Security detects potential technology exploits.


Word to the wise: Organizations should turn their attention to CORE Detection only once CORE Remediation is 100% complete. Where capital budgets are limited, spend the first rounds on inventories and remediation, and the third round on exploit detection solutions and functional detection.

 

Technology Detection

CORE Detection processes are designed to automate data capture for the CORE Technology Security program. Detection refers to identifying technology attributes that can make managing security more practical and are necessary for visibility to see potential cyberattacks.


All technologies experience performance and operational degradation over time, making it difficult for technical support teams to distinguish routine system degradation from non-routine degradation related to a cyberattack. This detection paradigm must be addressed first to learn how to build detection mechanisms that pinpoint cyberattacks.


The Detection Paradigm

Organizations must be able to see the forest for the trees, meaning look at the detection problem as a whole. The problem to be solved is detecting cyberattacks in technologies and networks that inherently communicate openly.


Cyber incident response teams (CIRT) have told technology users to watch for cyber events for decades. When asked how, users are advised to look for slow network connections, degraded system performance, hard drives filling up unexpectedly, memory errors, processor overutilization, etc. Users struggle with this advice because all physical or virtual technologies experience these issues while normally operating over time. Therefore, users cannot distinguish between typical technology issues and cyberattacks when the CIRT's indicators occur.


In reality, users are not likely to detect a cyberattack unless notified. Unfortunately, threat actors use tactics, techniques, and procedures to hide, attack, and thrive in these environments and appreciate poor detection processes and legacy technologies. CORE Detection focuses on crucial activities enabling organizations to find a potential cyberattack by interpreting events that should not occur, correlating with only the essential infrastructure data, and responding accordingly. Whether the technologies are new, mature, or old, technology-responsible personnel must be able to detect non-routine activities, indicating a potential cyberattack.


Align Detection Activities With Lifecycle Management

A standard view of technology lifecycles uses a system development lifecycle (SDLC) approach, including initiation, acquisition or development, implementation or integration, operations and maintenance, and sunsetting or disposal. Organizations and technical teams manage the system lifecycle with support agreements and maintenance plans that help them standardize, bring new technologies online, configure, optimize, maintain, and transition off of them. These teams know that sometimes, hardware fails while software performs flawlessly for a while. In other examples, the opposite occurs.


Organizations should be prepared for hardware or software support and maintenance in case of failure. While some teams might not be tooled to detect cyberattacks, support personnel ensure systems' functionality and availability, above all else. Therefore, it makes logical sense to align CORE Detection with best practices for support and maintenance activities and align to the system lifecycle. Enter the CORE Technology Lifecycle.


All CORE security practices should be observed throughout the CORE Technology Lifecycle, and CORE Detection provides the necessary feedback loop. Therefore, the CORE Principles of Detection must include the following:

  1. optimize security operations, first,

  2. detect all events leading to cyberattacks,

  3. occur at each stage in a technology's lifecycle,

  4. be adequately designed for each use case per each lifecycle stage,

  5. only align use cases with CORE Inventory and Remediation practices,

  6. be automated and

  7. only include solutions and practices that adhere to these principles.


These CORE Detection principles have been engineered to ensure adequate security functions in organizations while providing the most appropriate mechanisms and no others. Technology-responsible personnel should use these principles and the guidance in this document to evaluate mechanisms used in the detection and make better security development and procurement decisions.


CORE Technology Lifecycle

CORE enables organizations to manage all necessary cybersecurity activities by categorizing CORE Inventory [see endnote i], securing CORE Remediation, and identifying cyberattacks in CORE Detection. When new technologies are brought online, they are added to the inventories with all the attributes required to prioritize and manage security activities for their lifetimes. Similarly, technologies are configured securely, vulnerabilities are remediated, and continual security improvements are made to cope with the ever-changing threat landscape. Organizations must also identify legacy technologies nearing or at the end of life.


In keeping with the simplicity theme, the CORE Technology Lifecycle has three distinct states: New, Mature, and Old. CORE makes this distinction explicitly for technology professionals who are familiar with existing system development lifecycle models and may be concerned about oversimplification. It is not an oversimplification, because those models serve a purpose other than security alone.


Three concepts must be explained to comprehend how to use the CORE Technology Lifecycle for detection.

  1. New technologies do not yet exist in the CORE Inventory.

  2. Mature technologies are functioning in the CORE Technology Security program.

  3. Old technologies should be removed from operations.

  

Here is an example of CORE Technology Lifecycle phases aligned to a System Development Lifecycle (SDLC).


Notice that multiple SDLC phases are aligned with each CORE Technology Lifecycle stage. Don't get pulled into the trap by attempting to identify which cyber activity should align with the activities of each SDLC phase. The SDLC was not developed for cybersecurity and always complicates the cybersecurity process.


CORE focuses only on managing cybersecurity by excluding the traditional SDLC, enabling security to stand independently. The alignment between CORE Detection and the Technology Lifecycle is as easy as viewing the CORE Inventory and Remediation activities for New, Mature, and Old technologies, as shown in the table below.


Six CORE Detection activities can now be aligned with the CORE Technology Lifecycle by detecting technologies that are:

  1. New and not in the inventory,

  2. New and not remediated,

  3. Mature and threatened,

  4. Mature and outdated,

  5. Old and unsupported, and

  6. Old and not removed.


Ultimately, all organizations should aspire to be able to detect all cyberattacks and all activities that could lead to a potential attack. This essential 6-activity chain of events allows for the determination of data points during the CORE processes that can be monitored automatically and are supported by many technologies today. The rest of this document will explain these six detection activities, their data points, and how to perform them, followed by the system specifications for a CORE Detection system.


CORE Detection for New, Mature, and Old Technologies

The importance of CORE Detection is that it leads to actions that must be taken to correct critical technology security conditions that could lead to a cyberattack. For example, technology-responsible personnel should add and remediate new technologies, protect and update mature technologies, and retire and remove old ones. Organizations must build the capabilities to detect cyberattack criteria by distinguishing the technology conditions for these actions. This distinction is made using the data points in the six CORE Detection activities described in this section.


Add and Remediate

New technologies shall be added to the CORE program and remediated before being put into operation. CORE Inventory states that all technologies shall be categorized to assign a value to them that is meaningful to the organization.


Before bringing any new technology online, this categorization ensures its composition is also known for remediation activities. CORE Remediation states that all technologies shall be configured securely and have their vulnerabilities and CVEs remediated quickly to protect against exploitation. CVE stands for Common Vulnerabilities and Exposures, the catalog of publicly disclosed vulnerabilities (each with a CVE ID) that scanners and online databases use to identify them. CORE Detection must be able to identify New technologies and distinguish them from Mature technologies already existing in the program.


Detecting New Technologies

According to the CORE Inventory, there are three types of technology characteristics: Organization, Technology, and Process. Organizations should have added New technologies to their inventories before installing them in production environments.


While categorization involves humans correlating organization and process-related characteristics, technology characteristics and tagging of assets can be automated in a staging area. Staging areas can allow new technologies to be installed in non-production networks, added to inventories, and remediated without weakening the organization's overall security posture. Additionally, organizations shall be immediately notified if New technologies are added to production networks before being characterized; otherwise, these are known as rogue devices.


CORE Detection tools should be designed to notify technology-responsible personnel using the following data points.

  • Data Point 1.1: Core Tag, Yes/No

Organizations may tag their technologies by adding CORE Inventory information to a configuration, binary, registry, or text-based file on each technology. One of the simplest ways to determine if a New technology exists is to detect the CORE Tag. The device does not belong on the network without a CORE Tag. Here is an example with the architecture asset depicted next to the CORE Tag.


CORE advises adding a software-based CORE Tag to all technologies for automated inventorying processes. Technology-responsible personnel can automate inventories fully by adding a CORE Tag; it can include the organization and process-based characteristics, further automating the entire CORE Inventory process through CORE Detection.


Detection observation 1: Technologies without a CORE Tag may be installed and controlled by threat actors to enact a cyberattack, unbeknownst to organizations that own them.


Detecting Vulnerable Technologies

According to the CORE Remediation, vulnerabilities and insecure configurations arise from predisposed hardware and software conditions in all technologies.

Organizations should have remediated all technologies before installing them into production networks. This initial remediation may be performed in the same staging environment used for the inventory tagging. In this sense, organizations shall be immediately notified if New technologies are moved into production environments before being remediated.


Therefore, CORE Detection tools should be designed to capture the following data points related to remediating New technologies.

  • Data Point 2.1: Architecture Maps

  • Data Point 2.2: Architecture Security Gaps

  • Data Point 2.3: Security Benchmarks Applied

  • Data Point 2.4: Passive Scan Vulnerabilities

  • Data Point 2.5: Authenticated Scan Vulnerabilities


This data can be captured with modern security scanning technologies that support network packet capturing, vulnerability discovery, and benchmark assessments. New technologies will not meet all of the criteria defined in the CORE Remediation process in the following ways.

  • Architecture maps will not exist in the existing dashboards or records.

  • Architectures will not be secured per the CORE program.

  • Security Benchmarks will not be applied partially or wholly.

  • Ports, protocols, or services vulnerabilities will not be remediated.

  • Software patches, operating systems, or firmware versions will not be current.


CORE Detection shall be designed to automate the total capture of this data.


Detection observation 2: Look for technologies without remediation, as these may be more easily exploited by threat actors and used to enact a cyberattack.


Protect and Update

Mature technologies should already be enrolled in organizations' CORE programs. This means that these technologies have already been added to the CORE Inventory, categorized for prioritization, remediated, and periodically updated as new software vulnerabilities are released by Original Equipment Manufacturers (OEM). CORE Detection must be able to identify intrusions and unauthorized activities and distinguish them from routine and authorized technology activities.


Detecting Exposed Technologies

According to the CORE Inventory, organizations must detect threats to all technologies to be successful, considering Organization, Technology, and Process characteristics.  Technologies may be exposed to threats anytime and must be monitored for intrusions 100% of the time, making this a difficult task.


To perform full-time monitoring, specialized automated solutions should be used for intrusion detection, event monitoring, system logging, security information and event management (SIEM), and security orchestration, automation, and response (SOAR). A Security Operations Center or SOC monitors these technologies in an organization to detect potential cyberattacks and to prevent them whenever possible.


The SOC should be able to correlate threats to the Organization and Processes with the discovered Technology threats. To do this, technology-responsible personnel must be able to quickly link threat intelligence sourced from outside of the organization with anomalous activities that are occurring on the network. MITRE's Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework is the leading, globally recognized reference for this type of correlation because it is based on data from real-world observations.


CORE leverages MITRE ATT&CK® and data captured from technologies to automate cyberattack detection with the following data points pulled directly from the CORE Tag.

  • Data Point 3.1: Critical Infrastructure sector

  • Data Point 3.2: Geographical region

  • Data Point 3.3: Location

  • Data Point 3.4: Group

  • Data Point 3.5: Hardware Type

  • Data Point 3.6: Service

  • Data Point 3.7: Identification

  • Data Point 3.8: Operating System

  • Data Point 3.9: Cloud Provider

  • Data Point 3.10: Cyberattack Monitoring


CORE Detection proposes to increase the efficiency of security operations by identifying data points that help identify threats proactively, based on intelligence, and prioritize recovery steps in the event of a cyber breach, intrusion, or outage. A threat intelligence platform should be able to correlate the data points listed above according to the model below.



CORE Detection shall be designed to automate this data's total capture and correlation, using the CORE Tag data pulled into the SOC's tooling together with MITRE ATT&CK®. This is the most heavily automated utility within the CORE program. The Critical Infrastructure Cyberspace Analysis Tool (CICAT) figure below is a real-world example of how this correlation is done.

REFERENCE, FIGURE 7 “TTP FILTERING,” CICAT CAPABILITY DESCRIPTION JANUARY 2020, MITRE

In the MITRE CICAT example above, a threat actor filter is applied, then tactics, then platforms, and the focus is on the Linux operating system. This is a simple depiction to narrow down the left side of the CORE Threat Intelligence Engine, yet further correlation is required to tie the threat actors with regions, sectors, and industries, which is done using the CORE Tag and actual threat intelligence.


Detection observation 3: Look for threat activity in the sector, region, and location from external threat intelligence, targeting processes based on hardware types and services, and correlate that to technology data in the SIEM using the MITRE ATT&CK® framework.
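The filtering chain described above (threat actor, then tactic, then platform) can be driven directly from CORE Tag data points 3.1, 3.2 and 3.8. The following is an added example, not code from the article or from MITRE's CICAT. The technique IDs and names are real ATT&CK entries, but the groups, their targeting data and their technique usage are constructed for the example, the platform lists are abbreviated, and the "detect" hints are one data component each in my own shorthand. A real deployment would load the ATT&CK STIX bundle and a threat intelligence feed instead of these dictionaries.

```python
"""Added example: ATT&CK technique prioritization driven by a CORE Tag.

GROUPS is constructed threat intelligence (fictional actors); TECHNIQUES uses
real ATT&CK IDs/names with abbreviated platform lists. Not from the article.
"""

# Constructed intel: which sectors/regions each fictional group targets and
# which ATT&CK techniques it has been observed using.
GROUPS = {
    "GROUP-A": {"sectors": {"Energy", "Water"}, "regions": {"North America"},
                "techniques": {"T1190", "T1059.004", "T1021.004"}},
    "GROUP-B": {"sectors": {"Finance"}, "regions": {"Europe", "North America"},
                "techniques": {"T1059.001", "T1078"}},
    "GROUP-C": {"sectors": {"Energy"}, "regions": {"Asia"},
                "techniques": {"T1047", "T1078"}},
}

# ATT&CK technique metadata (IDs and names real; platforms abbreviated;
# "detect" is a shorthand hint for the SIEM data source to collect).
TECHNIQUES = {
    "T1190": {"name": "Exploit Public-Facing Application",
              "tactics": {"Initial Access"},
              "platforms": {"Windows", "Linux", "Network"},
              "detect": "application log content"},
    "T1059.004": {"name": "Unix Shell", "tactics": {"Execution"},
                  "platforms": {"Linux", "macOS"},
                  "detect": "process creation"},
    "T1059.001": {"name": "PowerShell", "tactics": {"Execution"},
                  "platforms": {"Windows"},
                  "detect": "script execution"},
    "T1021.004": {"name": "SSH", "tactics": {"Lateral Movement"},
                  "platforms": {"Linux", "macOS"},
                  "detect": "logon session creation"},
    "T1078": {"name": "Valid Accounts",
              "tactics": {"Initial Access", "Persistence",
                          "Privilege Escalation", "Defense Evasion"},
              "platforms": {"Windows", "Linux", "macOS"},
              "detect": "user account authentication"},
    "T1047": {"name": "Windows Management Instrumentation",
              "tactics": {"Execution"}, "platforms": {"Windows"},
              "detect": "process creation"},
}


def platform_for(os_name):
    """Map the CORE Tag 'Operating System' value to an ATT&CK platform.
    The mapping is an assumption; extend it for the OS strings your tags use."""
    os_lower = os_name.lower()
    if "windows" in os_lower:
        return "Windows"
    if any(k in os_lower for k in ("linux", "ubuntu", "rhel", "debian")):
        return "Linux"
    if "macos" in os_lower or "darwin" in os_lower:
        return "macOS"
    return "Network"  # appliances / embedded devices (assumed default)


def relevant_groups(core_tag):
    """Threat actor filter: groups whose known targeting covers the tag's
    sector (Data Point 3.1) and region (Data Point 3.2)."""
    return sorted(name for name, intel in GROUPS.items()
                  if core_tag["Critical Infrastructure sector"] in intel["sectors"]
                  and core_tag["Geographical region"] in intel["regions"])


def prioritized_techniques(core_tag, tactic=None):
    """Tactic and platform filters: techniques used by the relevant groups that
    apply to the tag's OS (Data Point 3.8), ranked by how many groups use them."""
    platform = platform_for(core_tag["Operating System"])
    usage = {}
    for group in relevant_groups(core_tag):
        for tid in GROUPS[group]["techniques"]:
            tech = TECHNIQUES[tid]
            if platform not in tech["platforms"]:
                continue
            if tactic and tactic not in tech["tactics"]:
                continue
            usage.setdefault(tid, []).append(group)
    ranked = sorted(usage, key=lambda tid: (-len(usage[tid]), tid))
    return [{"id": tid, "name": TECHNIQUES[tid]["name"], "groups": usage[tid],
             "detect": TECHNIQUES[tid]["detect"]} for tid in ranked]


# Constructed CORE Tags for two hosts (only the data points this example uses).
LINUX_ENERGY_TAG = {"Critical Infrastructure sector": "Energy",
                    "Geographical region": "North America",
                    "Operating System": "Ubuntu 22.04"}
WINDOWS_ENERGY_TAG = {"Critical Infrastructure sector": "Energy",
                      "Geographical region": "North America",
                      "Operating System": "Windows Server 2019"}

if __name__ == "__main__":
    for label, tag in (("linux host", LINUX_ENERGY_TAG), ("windows host", WINDOWS_ENERGY_TAG)):
        print(label, "-> groups", relevant_groups(tag))
        for tech in prioritized_techniques(tag):
            print(f"  {tech['id']:10} {tech['name']:40} collect: {tech['detect']}")
```

The output for the two constructed tags shows the effect of the platform step: the same sector and region give three techniques to monitor on the Linux host but only one on the Windows host, which is the narrowing the CICAT figure illustrates.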


Detecting Outdated Technologies

According to CORE Remediation, organizations shall employ a vulnerability management process to apply the software updates necessary to close vulnerability gaps as quickly as possible. A technology is outdated as soon as its OEM releases a security or performance update that it has not yet received. It is imperative to automatically identify which technologies require updates, prioritize them, and apply those patches.


Technology-responsible personnel have struggled for years with the prioritization of software updates because it is difficult to tie the vulnerability scores with the criticality of technologies and align with operational schedules.


CORE mandates that this correlation be done automatically by capturing the Common Vulnerability Scoring System (CVSS) metrics published for each CVE (for example, in its NVD record) and aligning them with the CORE Inventory attributes of the affected technology.


Collect the following data points from the vulnerability (CVE) scores and the CORE Tag to understand exploitability.

  • Data Point 4.1: Attack Vector

  • Data Point 4.2: Confidentiality Impact

  • Data Point 4.3: Integrity Impact

  • Data Point 4.4: Availability Impact

  • Data Point 4.5: Connectivity

  • Data Point 4.6: Criticality

  • Data Point 4.7: Confidentiality

  • Data Point 4.8: Capability


CORE Inventory requires organizations to categorize technologies, including attributes that correlate with the CVE's CVSS metrics, to better understand exploitability and patching prioritization. For detection, it's crucial to capture this data to prioritize patching and prepare for future risk-based decisions. The list below explains the correlations.

  • CVSS Attack Vector aligns with the CORE Technology: Connectivity

  • CVSS Confidentiality Impact aligns with CORE Process: Confidentiality

  • CVSS Integrity and Availability Impacts align with CORE Process: Criticality


An example of the data provided by a common vulnerability scanner is as follows.

CVSS v3 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C…
AV = Attack Vector: N = Network
C = Confidentiality: H = High
I = Integrity: H = High
A = Availability: H = High

The other CVSS metrics listed (AC, PR, UI, S, and the temporal metrics E, RL, RC) are not required for CORE. A complete vector string is prefixed with its version, e.g., CVSS:3.1/AV:N/..., and scanners often print it without the prefix, as above. More information can be found at https://www.first.org/cvss/.


CORE Detection shall be designed to automate this data's total capture and correlation. This correlation can be automated using a combined vulnerability scanner and CORE Tag data sources.
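The following is an added example of that automation, not code from the article: it parses the CVSS v3 vector string a scanner prints, keeps only the four metrics CORE needs (AV, C, I, A), and joins them with the CORE Tag attributes using the three correlations listed above to rank which technology gets patched first. The CORE Tag value vocabularies (Internet/Corporate/Isolated and so on), the rank weights and the three sample findings are assumptions constructed for the example.

```python
"""Added example: CVSS v3 vector parsing joined with CORE Tag attributes.

Not code from the article. The CORE Tag vocabularies, weights and sample
findings are constructed for illustration.
"""
import re

ATTACK_VECTOR = {"N": "Network", "A": "Adjacent", "L": "Local", "P": "Physical"}
IMPACT = {"H": "High", "L": "Low", "N": "None"}
IMPACT_RANK = {"High": 3, "Low": 1, "None": 0}

# Assumed CORE Tag vocabularies (the article names the attributes, not the values).
CONNECTIVITY_RANK = {"Internet": 3, "Corporate": 2, "Isolated": 1}
CONFIDENTIALITY_RANK = {"Restricted": 3, "Internal": 2, "Public": 1}
CRITICALITY_RANK = {"Essential": 3, "Important": 2, "Routine": 1}


def parse_cvss_v3(vector):
    """Return the CORE-relevant metrics (Data Points 4.1-4.4) from a CVSS v3.x vector.

    The 'CVSS:3.x/' prefix is optional, and metrics CORE does not use
    (AC, PR, UI, S, E, RL, RC, ...) are tolerated and ignored, so the
    abbreviated strings scanners print can be fed in unchanged.
    Raises ValueError when AV, C, I or A is missing or has an unknown value.
    """
    metrics = {}
    for part in vector.strip().split("/"):
        if not part or part.startswith("CVSS:"):
            continue
        key, sep, value = part.partition(":")
        if not sep or not re.fullmatch(r"[A-Z]+", key):
            raise ValueError(f"malformed CVSS metric {part!r}")
        metrics[key] = value
    try:
        return {
            "attack_vector": ATTACK_VECTOR[metrics["AV"]],
            "confidentiality_impact": IMPACT[metrics["C"]],
            "integrity_impact": IMPACT[metrics["I"]],
            "availability_impact": IMPACT[metrics["A"]],
        }
    except KeyError as exc:
        raise ValueError(f"missing or unknown CVSS metric {exc}") from None


def exploitability_score(cvss, core_tag):
    """Weight the CVSS impacts by the CORE Tag attributes the article correlates:
    Attack Vector <-> Connectivity, Confidentiality Impact <-> Confidentiality,
    Integrity/Availability Impact <-> Criticality (Data Points 4.5-4.7).

    Only network- or adjacent-reachable flaws inherit the asset's connectivity
    weight; a local or physical vector is not amplified by how connected the
    asset is. Weights are assumptions, chosen so the ordering is obvious."""
    remote = cvss["attack_vector"] in ("Network", "Adjacent")
    exposure = CONNECTIVITY_RANK[core_tag["Connectivity"]] if remote else 1
    confidentiality = (IMPACT_RANK[cvss["confidentiality_impact"]]
                       * CONFIDENTIALITY_RANK[core_tag["Confidentiality"]])
    criticality = (max(IMPACT_RANK[cvss["integrity_impact"]],
                       IMPACT_RANK[cvss["availability_impact"]])
                   * CRITICALITY_RANK[core_tag["Criticality"]])
    return exposure * (confidentiality + criticality)


def prioritize(findings):
    """findings: iterable of (host, cvss_vector, core_tag) -> [(host, score)], highest first."""
    scored = [(host, exploitability_score(parse_cvss_v3(vector), tag))
              for host, vector, tag in findings]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed sample: one scanner finding per host plus that host's CORE Tag.
SAMPLE_FINDINGS = [
    ("web-01", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
     {"Connectivity": "Internet", "Confidentiality": "Restricted", "Criticality": "Essential"}),
    ("hmi-07", "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H",
     {"Connectivity": "Isolated", "Confidentiality": "Internal", "Criticality": "Essential"}),
    ("kiosk-02", "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
     {"Connectivity": "Corporate", "Confidentiality": "Public", "Criticality": "Routine"}),
]

if __name__ == "__main__":
    for host, score in prioritize(SAMPLE_FINDINGS):
        print(f"{host:10} patch priority {score}")
```

The point of the join is visible in the sample: hmi-07 has a network-reachable, high-integrity-impact flaw on an Essential process, but because its CORE Tag says it is Isolated it ranks well below the Internet-facing web-01 with the same base impacts, which is the operational-schedule trade-off the scanner score alone cannot express.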


Detection observation 4: Vulnerabilities without an official patch, including zero-days, could indicate targets for threat actors; patching of these technologies should be scheduled in advance so the fix can be applied as soon as the OEM releases it.


Retire and Remove

Old technologies shall be removed from operation. CORE Inventory and Remediation processes depend on CORE Detection to identify Old technologies and distinguish them from Mature technologies to slate for retirement and removal. Identifying Old technologies is not as complicated as the other steps and requires minimal data points. It falls on technology-responsible personnel to use CORE Detection to identify Old technologies and prioritize retirement and removal.


Detecting Unsupported Technologies

According to the CORE Inventory, each computerized technology comprises physical or virtual hardware with software components, i.e., operating systems, firmware, and drivers supported by OEMs for a limited time. CORE also states that organizations should buy off-the-shelf technologies versus no-name, customized ones to ease management and support. OEMs provide support agreements and easy mapping between models and the hardware and software components.


Technology-responsible personnel shall be able to identify technologies nearing the end of life and mark them for retirement and removal using these data points.

  • Data Point 5.1: Manufacturer

  • Data Point 5.2: Model

  • Data Point 5.3: Operating System

  • Data Point 5.4: Virtualized

  • Data Point 5.5: Wi-Fi

  • Data Point 5.6: Wired


Unfortunately, technologies do not typically flag themselves for retirement; this requires input from OEMs and third-party tools. Technology-responsible teams can find lifecycle information on OEMs' websites and automatically track these lifecycles to highlight technologies in their CORE Inventory. This flag can be a "Retire: YYYYMMDD" [see endnote ii] attribute on the CORE Tag, indicating that the technology is slated for removal, as in the example below.


Replace the "YYYYMMDD" text automatically with a date when removal is slated. Removal dates can be determined using CORE Prioritization, and the tag update should be pushed out through the security configuration technology defined in CORE Remediation.


Detection observation 5: Technologies no longer supported are prime targets for threat actors as they are easier to exploit, escalate privileges, and pivot.


Detecting Unremoved Technologies

According to CORE Remediation, security gaps exist throughout a system lifecycle and, if not remediated, may be exploited at any time. In this sense, technologies that contain off-the-shelf software no longer supported by OEMs, like old versions of Microsoft Windows, should be replaced. This is especially true for industrial control systems with 20-year-plus lifecycles whose operating systems, firmware, and drivers lose OEM support after an average of 5-10 years. CORE recognizes that removing all technologies at or near the end of life is impossible for operational reasons. CORE also acknowledges that technology-responsible teams can't review all OEM publications, correlate support lifecycles with technologies, and identify all unsupported technologies at all times. Fortunately, the CVE Program's End of Life Vulnerability Assignment Process provides CVE IDs for Old software, which scanners can then report.


Organizations can identify data points for Old technologies on their networks using vulnerability scanning tools and CORE Tags.

  • Data Point 6.1: Retire

  • Data Point 6.2: EOL CVE ID


CORE Detection uses these data points to provide checks and balances if the vulnerability scanners miss the EOL CVE IDs or technology-responsible personnel don't update the CORE Tags. This should make finding Old technologies much more straightforward and effective. Organizations must still develop plans to remove these technologies from their operational environment through lifecycle management, which must be prioritized through processes outside CORE's scope, like management of change or commissioning and decommissioning processes. These external processes should take in the results of CORE Detection to identify the necessary changes and plan accordingly.
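The three CORE Tag checks described in this document (no tag at all for Data Point 1.1, a "Retire: YYYYMMDD" attribute for Data Point 6.1, and the scanner's EOL CVE ID for Data Point 6.2) can be run as one sweep over a network segment, with the two Old signals cross-checking each other as the paragraph above requires. The following is an added example, not code from the article. The article does not define the CORE Tag file format, so the "Key: Value" text layout, the required field names, the host list and the scanner output are all assumptions constructed for the example; the sample hosts use the 192.0.2.0/24 documentation range.

```python
"""Added example: CORE Tag sweep that classifies hosts as New, Mature or Old.

Not code from the article. Tag format, field names, sample hosts and scanner
findings are constructed; 'EOL-CVE-placeholder' stands in for the CVE ID a
scanner's end-of-life check would report.
"""
from datetime import date, datetime

REQUIRED_FIELDS = ("Identification", "Group", "Service", "OperatingSystem")


def parse_core_tag(text):
    """Parse a 'Key: Value' per-line CORE Tag; return None when the host has no tag.
    Raises ValueError for a malformed line or a tag missing required fields."""
    if not text or not text.strip():
        return None
    tag = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed CORE Tag line {line!r}")
        tag[key.strip()] = value.strip()
    missing = [field for field in REQUIRED_FIELDS if field not in tag]
    if missing:
        raise ValueError(f"CORE Tag missing fields: {missing}")
    return tag


def retire_date(tag):
    """Return the Retire attribute as a date, or None when the host is not
    flagged. The literal placeholder 'YYYYMMDD' counts as 'not yet scheduled'."""
    raw = tag.get("Retire", "")
    if not raw or raw == "YYYYMMDD":
        return None
    return datetime.strptime(raw, "%Y%m%d").date()


def classify(tag_text, eol_cve_ids, today):
    """Return (state, reason) for one host from its tag and scanner output.

    Either Old signal on its own is enough: a reached Retire date catches hosts
    the scanner missed, and an EOL CVE ID catches hosts whose tag was never
    updated (the checks and balances the article asks for)."""
    tag = parse_core_tag(tag_text)
    if tag is None:
        return "New", "no CORE Tag: rogue device, not in inventory"
    when = retire_date(tag)
    if eol_cve_ids and when is None:
        ids = ", ".join(eol_cve_ids)
        return "Old", f"scanner reports EOL {ids} but tag has no Retire date"
    if when is not None and when <= today:
        return "Old", f"Retire date {when:%Y%m%d} reached; remove from operations"
    if when is not None:
        return "Mature", f"retirement scheduled for {when:%Y%m%d}"
    return "Mature", "tagged, supported"


def sweep(hosts, today):
    """hosts: {name: (tag_text_or_None, [eol_cve_ids])} -> {name: (state, reason)}"""
    return {name: classify(tag_text, eol_ids, today)
            for name, (tag_text, eol_ids) in hosts.items()}


def tag_text(ident, group, service, os_name, retire=None):
    """Build the CORE Tag body a host would carry (constructed sample data)."""
    lines = [f"Identification: {ident}", f"Group: {group}",
             f"Service: {service}", f"OperatingSystem: {os_name}"]
    if retire:
        lines.append(f"Retire: {retire}")
    return "\n".join(lines) + "\n"


TODAY = date(2024, 1, 15)  # fixed "now" so the sample output is reproducible

# Constructed segment sweep: tag file contents (None = no tag found) and the
# EOL CVE IDs the vulnerability scanner reported for that host.
SAMPLE_HOSTS = {
    "web-01": (tag_text("web-01", "DMZ", "HTTPS", "Ubuntu 22.04"), []),
    "kiosk-02": (tag_text("kiosk-02", "Lobby", "Kiosk", "Windows 10", "YYYYMMDD"), []),
    "badge-printer": (tag_text("badge-printer", "Facilities", "Print", "Embedded", "20240630"), []),
    "hmi-07": (tag_text("hmi-07", "Plant-A", "HMI", "Windows 7", "20231201"), ["EOL-CVE-placeholder"]),
    "plc-gw-03": (tag_text("plc-gw-03", "Plant-A", "Gateway", "Windows XP"), ["EOL-CVE-placeholder"]),
    "192.0.2.45": (None, []),
}

if __name__ == "__main__":
    for name, (state, reason) in sweep(SAMPLE_HOSTS, TODAY).items():
        print(f"{name:14} {state:7} {reason}")
```

In the sample, plc-gw-03 is the case the cross-check exists for: nobody wrote a Retire date on its tag, so the scanner's EOL finding is the only reason it surfaces as Old, and the reason string tells the technology-responsible team exactly which tag to update.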


Detection observation 6: Technologies installed in operations with the EOL CVE ID indicate to threat actors that complacency exists, making organizations targets for exploitation.


Full CORE Detection Automation

CORE Detection includes the prescription for data collection using automated tools like network assessment scanners, event and system log collectors, and vulnerability scanners. The decision of which tools to purchase and use might still be difficult. CORE provides these data points and sources to simplify determining tool requirements.


When functioning adequately, the detection cycle should appear as depicted below.


Summary

This write-up included the third step to managing technology risks in an organization. With the CORE Detection practices learned here, organizations can focus on efficient, effective, and manageable monitoring actions while simultaneously building automation into the overall CORE Technology Security program. The output of CORE Detection is only the fundamental data collection points necessary to detect cyberattacks and to get the security job done.


Endnotes

[i] CORE Categorization is now called CORE Inventory to meet the simplification intent of the CORE Technology Security vision.

[ii] The CORE Inventory is being revised to include the "Retire" attribute in the CORE Technology Inventory.

 
 
 


    © 2025 by CyberSecureOT
