Hello everyone, this is Tom Uren and I'm here with another Risky Business News sponsor interview. Today I have with me Brian Dye, who is the CEO of Corelight. G'day Brian, how are you?

Tom, living the dream. How are you doing?

I'm great. So just a few weeks ago, I wrote a piece for my newsletter about a CISA red team exercise. And they have these very expansive red team exercises where they get sort of carte blanche to do anything red that they need to, and they get a long timeframe. And I really thought it was an excellent report. And I took a few things out of that, but I come from my position as kind of sitting on top of everything, looking at everything, very much a generalist. Whereas you're the CEO of Corelight, and Corelight makes or maintains Zeek, which is a network monitoring and ground truth type tool. So you're coming from a very different position from me and you took some different things out of that report and that led you down, in a way, a kind of good rabbit hole. So why don't you tell us about that?

Yeah, it did. And by the way, that report, that red teaming operation, that Silent Shield operation, if folks have not read that, that is absolutely worth 15 minutes of your day. It's a wonderful read. But kind of like you, I thought it was an incredibly well-written report. And by the way, for me, this is all triggered by a Risky Biz podcast that I think was your coverage of the report, actually. So I went and read it. Once I had read it, the next Chrome backlog for me was actually the next CISA advisory. And between those two having scared the daylights out of me, I went and read all the rest of the ones that CISA has done this year. Because I was like, look, wait a minute, there's something going on here. Because if you look at those 10 CISA advisories, the way that CISA is giving us guidance is they're being very clear, very factually correct, very deep, obviously, but also they're being very specific about that particular piece of guidance, whether that was a vulnerability or their ransomware reports or the Silent Shield report. And the aha for me was when you look across the 10 advisories they've written to date and you try to look at the whole picture, I think CISA is trying to send us a message. And that message gets a little bit lost on the per-advisory view of it. But if you step back, there's some broader themes we can actually take away here.

Yeah, yeah. I find that fascinating because it feels to me like a bureaucracy where you've got people with individual responsibilities and they write reports that fall in their lane. And there's someone on the top who's seeing all that and probably thinking exactly the same thing that you are, but it's not their job to write that report. So can you translate? What are they trying to say?

Yeah, look, this is a fun rabbit hole to jump into.
I think that what they're saying is a couple things. First, I think they're saying that, look, we have to assume that a determined attacker can and will get inside the network, right? The Silent Shield report was the most obvious one of those. But if you look at the ransomware reports, you look at some of the advanced threat actor reports, they're all giving us that same advice. And look, there's some clear reasons for that, right? All those vulnerabilities that you've been reporting on for the past year and a half, those vulnerabilities have consequences, right? There's more undetectable ways of getting inside networks than there have been in a long time. Second, phishing still works, right? We're still human. So that is absolutely still an initial exploit vector. Credential theft still works, right? We're still human. And third, detection isn't just about malware anymore, right? There's a real rise in living off the land, kind of leveraging native tools, and then evading detection. Especially if you go back to that Silent Shield report, you realize that was actually done two years ago. So, you know, we're not looking at current events, we're looking at a readout of something that happened two years ago. And so we can keep pulling this thread, but I think that's the highest level takeaway that CISA is trying to give us, right? Which is a determined attacker is going to be inside the network.
Yeah, I had thought that amongst defenders that was common knowledge. Are you saying that it's not, or are people sort of willfully blind to that?

Well, I think that folks have different perspectives of whether they think that they are enough of a juicy target to actually be under a determined attacker's gaze. So I think that's probably the aha. Everyone conceptually believes it's true. Whether you believe it's true for you personally...

Right. I used to work in the think tank space and think tanks are notoriously targets of state espionage. And it was just tremendously common that people would think to themselves, oh, like I'm not that important, right? And I won't be a target of state espionage. So Brian, it seems like, and I agree that CISA is trying to tell us all something. So what does that mean for organizations in terms of how they should behave? What do they need to do?

Yeah, and this is where the per-advisory format that CISA is using is really interesting because on one hand, if you really do look at all 10 of those and try to roll up, like what are they actually telling us?
Of the 10, five to seven summarize three things they want everybody to do. First is all around access, right? Maximizing use of MFA, ensuring strong passwords, kind of striving for least privilege, all makes sense. Second one, as you might imagine, was around controls, right? Minimizing risk, minimizing spread through fast patching and network segmentation. Those two in particular were ones that were highlighted quite a bit. And the third one is around logging, right? Ensuring that we have the right data to support incident response, threat hunting, controls verification. Now look, kind of like you were saying before, all those sound pretty obvious, pretty repeated guidance. I wouldn't call that kind of security breakthrough information, right? I mean, this is tried and true best practices that CISA has been giving us for years. I think the really interesting nugget is when you actually dive deeper into the logging piece in particular, because when you dive into logging, not just as a general area, but you look much more specifically, it's notable that there's a lot of network-specific logging recommendations they're actually giving. And the network logging recommendations are in kind of two big areas. One is threat detection. So there's a lot of commentary on command and control detection, lateral movement, specifics around monitoring RDP, finding living off the land activity. So there's a bunch of very specific things that kind of lead you to network-specific monitoring. And then on the control side, you'll see repeated mentions of asset discovery, network baselining, restricting port and protocol usage, right? So really using the network to give you the data and the evidence you need to go and verify those controls.
And I think the underlying message behind that, and this is the kind of piece you have to decode, is that there's this pendulum that has swung in our industry every eight to 10 years or so between where is the innovation happening, right? And the pendulum has been super EDR heavy for the last eight or 10 years for very good reasons, by the way. Wonderful tech, super effective. Everyone should have it. Everyone should deploy it, as we all know. I'm speaking to the choir here, not just for you, but for all the folks listening. I think what this is trying to tell us is that we maybe at this point are believing that we can overly rely on EDR and not actually have to worry about the network. And all these things, whether it's lateral movement, RDP, network baselining, living off the land, those are all things that actually the network is vastly better suited for. So the guidance that I'm seeing is we can't overly rely on EDR and we have to realize that that pendulum swings for a reason and that we actually need to take a much harder look at modernizing how we do network monitoring at this point.

So one of the things that I picked up on in that particular red team report that CISA released is that the organization they were operating in, targeting or conducting the exercise against, they'd become good at detecting their own red teams and so they had a very narrow view of what it is we're looking for. And part of the point of the report was, you know, other attackers are going to use other different tools and tactics. And we need to be able to respond to those rather than just keying in on something we know is bad or...
So do you think there's that kind of, in a way, you've put together your own view on all these advisories, but we're still missing the bigger piece that needs to put it all together, that kind of holistic view?

Yeah, I think you're right on the holistic view. And look, going back to that particular kind of red team report, and again, this particular one was the Silent Shield report, your comment kind of brings up a couple of other punchlines that I think they're trying to communicate to us, right? As you said, if you step back from this thing, if you over-rely on just what your own red team does, there's a couple of implications. One is that you've got to realize that different attackers use different techniques. And so you have to have network baselining and a behavioral baseline to look for deviations, not just of your red team, right? So that was number one. The second one was, you can't overly rely on any individual tool because the smart attackers will find out what you have deployed and they will find ways around your active controls, right? This is something we conceptually understand. And I think that the guidance they're giving us is that EDR, for all the fantastic things about it, can also be evaded in certain situations.
And the third one, which your point on the red teamers really brought to mind as well, is that they're trying to give us guidance about how we think about time, right? There's a specific comment in that report that one of the things the organization really struggled with was they would sometimes only have days or weeks of logging. And CISA's comment was even 90 days may not be enough. And look, you think about some of the bigger, certainly supply chain breaches or the vulnerabilities, you don't have to just look back in time two, three, four weeks to do proper retrospective threat hunting, retrospective threat detection, but also full-scale incident response, you often need months, maybe you even need quarters. So I think that's one of the keys that CISA is telling us to think about differently, is just treating time and the time coverage of your logging as a first-class question. How much data do I have? And this is not a network-specific statement, but regardless of the source's data, how much data do I have and how much time coverage do I have? Because the moment you have a control that you don't have the data for anymore, you're now effectively blind. Now you're really in trouble.

Yeah, yeah. My understanding is that the standard sort of commercial red team type exercises might take place over a couple of weeks. And so if you're keying in too much on those, like, you know, a couple of weeks of logs is fine because that's all we need to catch our red teams or the people we hire to be red teams. Whereas this particular exercise, I think it went for something like five months. And then they told the organization. So if you've got three months of logs that have aged off by that point or four months or whatever, you're in a totally different situation about knowing what's going on.

Yes. And I mean, take that back to the network side specifically, right? One of the things that we're in a unique position on is that we do work with some really elite defensive organizations, incredibly well-staffed, incredibly savvy, folks that generally have no illusions of whether they're under very targeted attacks. They know they are under very targeted attacks. And one of the interesting things we find when we work with slightly smaller orgs is that you talk about network modernization and they're like, look, why is this a problem? I've got an IDS, I've got some NetFlow, I've got some PCAP. I'm already doing what CISA is saying we should do. And I think that's one of the really big disconnects here, is that implicitly CISA is telling us that if you think those couple of hours or days of firewall logs or those, like, four days of PCAP storage that you have, if you think that's actually sufficient to deal with this type of attacker, you're kidding yourself.
So I think that's part of the misconception that folks have that CISA is, in their very polite and very factual way, trying to educate us on, is that if you're thinking, hey, NetFlow, PCAP, and my IDS have the network covered, then what I think CISA is trying to tell us in blunt terms is, that was the right answer 10 years ago. And it is absolutely not the right answer today because it doesn't give you time. It doesn't give you the range of detection. It doesn't give you the fidelity to kind of find these types of living off the land attacks, just as one easy example.

Right, right. Okay. So in each of those cases, PCAP, because it's, you know, essentially full take, it's very, very rich, but it's just too large to keep for very long, and NetFlow is much smaller but nowhere near as rich, so you can keep it for a long time but it just tells you a lot less. And so they're all kind of imperfectly covering different time frames. Is that what the sort of message is there?

Yeah, that's 100% right, Tom. And this is, again, this is the aha that we've seen from these really, really high-end organizations, is that they recognized this several years ago, right? They were starting with these two as the baseline and realized, wait a minute, I need the Goldilocks, right? I need something that a data set and not a data set. I need the ability to do a much broader range of threat detection, right? Signatures alone aren't enough, right? You need rules, you need behavioral, you need signatures, you need machine learning, supervised and unsupervised, right? You need that whole spread. So this is what the high-end organizations have been doing for the last five to six years already. So they're not the ones that are taking the CISA guidance at this point. It's this translation function that I think CISA is trying to help us with, to say, hey, look, this is what the big kids have already been doing. This is why they've been doing it. And it's trying to get the broader market to realize that the attack profile that the really high end has been wrestling with for the last five to six years is now super broadly applicable to a pretty wide range of organizations. Again, this is not new in our industry, right? Attacks start at the high end and they kind of work their way down. And as a result, we need to take the defensive approaches of those high-end organizations. And we need to kind of adopt those much more broadly throughout the enterprise as well.

Well, Brian, I'm really glad that you also enjoyed that red team report. I thought it was really excellent. And it was really great to get a different perspective from a practitioner about what that report and also associated reports meant. So Brian Dye, CEO of Corelight, thanks a lot.

Tom, thank you as always. Really enjoyed it.