In the cybersecurity world, the concept of "shifting left" refers to focusing on preventing attacks in earlier stages, rather than relying solely on detection and response. Shifting left aims to reduce the overall impact of cyber threats and minimize the resources required to address them. By implementing a balanced approach that combines both detection and prevention measures, organizations can improve their security posture and better protect themselves from the evolving threat landscape.
This past March, InQuest presented a webinar on the topic Think Before You Click: How Your Files Are Exposing You to Malware Every Day. We chronicled the pervasive trajectory of file-borne attacks in the threat landscape, sharing our perspective on how files represent what is perhaps the most important focal point for monitoring and preventing threats that adversaries deliver into our environments:
Whether sent as an email attachment, sitting in your cloud or traversing the Web, file-borne threats have become a proven favorite for delivering malware and phishing campaigns. Constantly shifting from one format to another, the attack surface varies as threat actors develop new ways to infiltrate the end-user gap.
At InQuest, we spend a great deal of time developing effective countermeasures against file-borne threats. Some of our approaches include designing appliances and platforms that provide capabilities for disrupting adversary evasion techniques and advanced file based attacks, a focus on extracting and deconstructing files to atomic components, identifying patterns of vulnerability exploitation in widely used software, and monitoring adversary groups as they leverage malicious software in continually evolving attack campaigns.
Much of our industry's work, and the work of countless defenders in the field, is directed toward detecting threat indicators to identify intrusions in target environments. In this post, we discuss the importance of taking time to focus on preventive controls as part of the organization's security defense program, implementing countermeasures that are capable of disrupting attacks amid the constant detection efforts. We use the term shift left to describe the effect this has. We believe that using a combination of the right technology and practices supporting a strong defensive posture capable of both preventing and detecting attacks early in the threat sequence can help organizations keep pace with an actively evolving threat landscape.
Shifting left by preventing adversary capability use
The term shift left refers to the ability to harden the defensive posture of an attack surface to enable mitigation of threats earlier in the progression of an attack, with a goal to prevent future incidents. It is often used in relation to the cyber kill chain threat model, which shows phases that are often carried out during an intrusion into a system or network, and explains how a strong posture may disrupt an attacker earlier in the operation.
The Cyber Kill Chain
In the kill chain model, defensive controls prove beneficial advantages the further left they take effect, impacting an adversary's attack in earlier phases and helping achieve the shift left effect in an organization's security posture. In this model, attack phases to the left must typically occur (and succeed) prior to phases further to the right. The great thing about models is that the good ones hold pretty true across the board; if you prefer referring to MITRE ATT&CK® instead, a similar progression of tactics also applies.
Over the years of collecting intelligence and responding to security threats, we've made some key observations that relate to the effective use of detection and prevention controls:
- Detecting a given threat is possible in most cases, given the correct visibility, data collection capability, and sufficient understanding of how a threat manifests in an environment.
- Most of the time, threat detection is passive, and implementing detections for a threat usually carries a low risk of undesirable effects or impact. Detections can also typically be implemented quickly, and even non-optimal detections may have little risk of impact. Together, this makes detections attractive to implement as the chosen countermeasure when mitigating threats.
- One possible negative effect that can occur with a heavily detection oriented approach is that of mounting alert counts, resulting in increasing rates of false positives and analysis fatigue. An undesirable reality may be that a detected threat can still be part of a successful attack, ultimately resulting in impact and requiring incident response and efforts to recover from an attack.
- For a significant portion of threats to an information system, mitigating or preventative controls exist that may degrade or deny the use of that threat. While it's certainly true that not every security threat can be prevented, many can.
- While most mitigations are active in nature, meaning they are intended to prohibit a certain action or behavior of a system and may impose restrictions on use of that system, many of these mitigations are controls that can be enacted in a way that doesn't impede operation if implemented in a careful, informed and coordinated manner.
- A successfully prevented attack early in the threat sequence can offset the need for later phase detection controls, in turn preventing potentially thousands or millions of overall alerts and triage efforts and the cost and overhead of resulting response and recovery efforts.
From these observations, we see rationale for a defensive program that balances detection-based as well as prevention-based approaches. Threat detection, like threat hunting, seeks to ensure that an adversary does not achieve sustained impact in an environment or carry out their objectives if an attack is successful. Threat prevention seeks to reduce the capabilities an adversary can successfully employ in an attack, by denying the ability to carry out necessary stages. Taking available opportunities to shift left can harden an organization's posture, helping prevent a number of attacks as the threat landscape continues to develop while reducing impact that can accompany a purely detection-based approach.
Prevention and its enabling effect on detection and response
A common adage in computer and network defense is that prevention fails, meaning that a purely prevention-based approach cannot cover all possible cases. This discussion typically leads to the point that an effective approach prioritizes detection over prevention, since you can typically detect many things, but only prevent some of them. This is generally true; we see the situation as a pendulum that can swing between these approaches. But it is equally true that prevention does not always fail, and also that detection does not always succeed. A defensive strategy that favors either one of these approaches exclusively is seldom the most robust. We believe that the most effective cybersecurity programs accommodate both of these focus areas, ensuring that resources are applied to both.
Other organizations have also documented this approach in recommendations. MITRE discusses this in their publication on recommended strategies for security operations centers. Note the definition of the role of the SOC in businesses and the balance of value they provide (emphasis added):
A SOC is a team, primarily composed of cybersecurity specialists, organized to prevent, detect, analyze, respond to, and report on cybersecurity incidents.
The authors go on to elaborate on elements of an effective operation, including fundamental design level and tactical mitigations:
A typical midsize SOC’s mission statement commonly includes the following elements:
- Preventing cybersecurity incidents through proactive measures, including:
- Continuous analysis of threats
- Scanning for vulnerabilities
- Deploying coordinated countermeasures
- Consulting on security policy and architecture
Countermeasures may refer to any control that contributes to the total defense against a given threat. Effective countermeasures can consist of mitigating controls that can prevent carrying out an action, or it can also be a detective control such as a signature or analytic to identify suspicious activity. By focusing the three elements of people, process and technology toward both sides of this equation, a security operations center can make impactful progress in proactively protecting an organization as well as in detecting and responding to incidents.
It should be mentioned that the term shift left has met with some criticism in the industry. Within the context of engineering design and application security, shift left has been described as a panacea for software development lifecycles that hasn't lived up to its hype. This isn't the sense we're discussing here, though. Rather than seeking a silver bullet for an isolated area of software design, the ability to find ways to prevent attacks by closing down adversary opportunities early in the attack sequence is a matter of risk management, and one that can work across any surface in an organization, and is part of a holistic defensive strategy.
Another compelling point here comes from John Lambert at Microsoft in discussion of the value of prevention outcomes from threat intelligence:
Prevention work is essential. One of the things I like to say is that prevention and detection are not peers. Prevention is detection’s guardian because it quiets the network and gives you the whitespace to find the most important things.
This is as true today as it was in 2015 when John previously shared it; perhaps even more so, given that the last 7+ years of progress in our field has seen considerable improvements in the areas of documentation and capabilities toward the detection of threats. Technologies that scale our data collection and analytics have become robust, the amount of security data that organizations are able to collect and process has grown, and platforms, frameworks and tools for producing detections from that data have evolved considerably both fundamentally and commercially within the industry. Based on the increased amount of reporting of detected threat activity and the proliferation of public detection-oriented resources in software, documentation, and guides, it certainly appears that we have advanced as an industry in our ability to detect threat activity on our networks. Intuitively, if ever there was a time that was critical for defenders to divert resources to appropriate prevention of threats and create whitespace for high value detections, we see it today.
In this first part of our series on shifting left in cybersecurity, we've discussed the importance of balancing detection and prevention measures to achieve a more robust security posture. Check back for the second post in this series where we'll cover practical ways to shift left in your organization.
Free On-Demand Webinar: Think Before You Click
Whether sent as an email attachment, sitting in your cloud or traversing the Web, file-borne threats have become a proven favorite for delivering malware and phishing campaigns. View our webinar on-demand and get firsthand tips about how to safeguard your cybersecurity stack with File Detection and Response (FDR) and stop file-borne threats in their tracks.