Stop running security in passive mode

As we begin a new year, we wanted to address one of the biggest issues we consistently see in our investigations: passive security. 

Incident response engagements are an important part of our work and of the intelligence-gathering process, and their associated reports can be a treasure trove of tactics, techniques and procedures (TTPs) for adversaries, but also expose common gaps and mistakes organizations make. 

When we're fighting state-sponsored groups and cartels with millions in revenue to support their attacks, trying to win with passive security isn't a good strategy. One of the most common findings from Cisco Talos Incident Response engagements is some variation of the same story: the technology in place detected the activity, yet the actor(s) still successfully compromised the organization. The reason, almost without fail, is that the product wasn't running in blocking mode, something easily prevented with an active approach.

This fight between enterprises and threat actors isn't new – we've been going back and forth for decades, if not longer. As long as we've had security technology that actively blocks, there have been employees and leaders arguing that it shouldn't. Maybe 10 or 15 years ago they could have had an argument, as emerging technology can produce a lot of false positives, but in today's threat landscape, it's asking for trouble.

Passive detection has its place in specific circumstances where active blocking isn't possible or feasible; the issue comes when organizations run the majority, if not all, of their security technologies in passive mode, most critically on the endpoint. These last bastions of detection are invaluable for identifying attacks that successfully evaded any actively blocking security technologies deployed to prevent compromise.
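The finding described above, a control that saw the activity but was never allowed to stop it, usually comes down to a single configuration setting. The following added example (not from the Talos post, and not tied to any product named in it) shows what that check looks like for one common case: a ModSecurity-style web application firewall, where `SecRuleEngine DetectionOnly` logs matches without enforcing them and `SecRuleEngine On` blocks. The two configuration texts are constructed samples; the checker assumes Apache-style directive syntax in a single scope, where the last `SecRuleEngine` directive seen is the effective one.

```python
"""Audit WAF configuration text for detect-only (passive) mode.

Added example, not code from the original post. It assumes ModSecurity's
`SecRuleEngine` directive (values On, Off, DetectionOnly) and, as a
simplification, that the last occurrence in a file is the effective one.
"""
import re
from typing import Dict, List

# Constructed sample: a WAF that will log attacks but let them through.
PASSIVE_CONFIG = """
# modsecurity.conf (constructed sample, weak setting)
SecRuleEngine DetectionOnly
SecRequestBodyAccess On
SecAuditEngine RelevantOnly
"""

# Constructed sample: the same file with enforcement turned on.
BLOCKING_CONFIG = """
# modsecurity.conf (constructed sample, corrected setting)
SecRuleEngine On
SecRequestBodyAccess On
SecAuditEngine RelevantOnly
"""

_ENGINE_RE = re.compile(r"^SecRuleEngine\s+(\S+)", re.IGNORECASE)

# Map directive values to the operational posture they produce.
MODE_LABELS = {
    "on": "blocking",
    "detectiononly": "passive",
    "off": "disabled",
}


def engine_mode(config_text: str) -> str:
    """Return 'blocking', 'passive', 'disabled', 'unknown' or 'unset'.

    Comment and blank lines are skipped. If the directive appears more than
    once, the last occurrence wins (assumption: no nested scopes).
    """
    mode = "unset"
    for line in config_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = _ENGINE_RE.match(stripped)
        if match:
            mode = MODE_LABELS.get(match.group(1).lower(), "unknown")
    return mode


def audit(configs: Dict[str, str]) -> List[str]:
    """Return one finding per config that is not actually enforcing its rules.

    Anything other than 'blocking' (passive, disabled, unset, unknown) is
    reported, because in every one of those states a rule match is at best
    a log line, which is exactly the gap the post describes.
    """
    findings = []
    for name, text in configs.items():
        mode = engine_mode(text)
        if mode != "blocking":
            findings.append(
                f"{name}: SecRuleEngine is {mode}; rule matches will not be enforced"
            )
    return findings


if __name__ == "__main__":
    for finding in audit({"waf-a": PASSIVE_CONFIG, "waf-b": BLOCKING_CONFIG}):
        print(finding)
```

Run against a directory of exported configurations, a script like this turns "is anything still in detect-only mode?" from a question asked after an incident into a recurring check; the same idea applies to any control that exposes an audit-versus-block switch, only the directive name changes.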

Adversaries' sophistication continues to im ..
