The Discovery tactic is one which is difficult to defend against. It has a lot of similarities to the Reconnaissance stage of the Lockheed Martin Cyber Kill Chain. There are certain aspects of an organization which need to be exposed in order to operate a business.

In fact, at the time of writing, the techniques under this tactic offer little guidance on how to mitigate it. Application whitelisting is the mitigation quoted most often, and it is a catch-all for most malware rather than a control specific to Discovery.

Discovery: Sacrificing a Pawn in Order to Save the Queen

On a local endpoint, an attacker will be able to discover any locally installed software, any system- or application-level file, and the local system time. The only aspect you can control on a local system is limiting what users can see; however, to power users this level of information can still be leaked.

This tactic is less about how you mitigate or detect and more about how threat intelligence can be mapped into the matrix. Of all the tactics in the matrix, this is the least important to focus on. The important aspect to realize here is that sometimes you have to sacrifice a pawn in order to save the queen.

While not explicitly stated anywhere in the matrix, honey tokens, honey files, or honey users are ideal for the Discovery tactic. Placing false information for attackers to discover allows you to detect an adversary's activity. While there are some dedicated applications that manage honey tokens, there are also options for monitoring the file system and registry on endpoints.
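As an added example (not from the original post), the script below plants a decoy file on a Windows endpoint, attaches a SACL so that any read of it lands in the Security log as event 4663, and then queries that log to report who touched the file and from which process. The decoy path, its contents and the backdated timestamps are assumptions chosen for illustration; the audit subcategory name and the event fields are the standard Windows ones. It must run in an elevated session.

```powershell
# Added example, not the original post's code: plant a honey file and audit access to it.
# Assumption: run as Administrator; the decoy path below is a placeholder you should replace
# with a location and name an intruder enumerating the host would find tempting.
#Requires -RunAsAdministrator

$HoneyFile = 'C:\Share\Finance\Q3-Payroll-Backup.xlsx'   # placeholder decoy path (assumption)

# 1. Create a plausible-looking decoy. The content is constructed filler; the name does the work.
New-Item -ItemType Directory -Path (Split-Path $HoneyFile) -Force | Out-Null
Set-Content -Path $HoneyFile -Value ('DECOY ' + (Get-Random))
# Backdate the timestamps so the file does not stand out as freshly created.
(Get-Item $HoneyFile).CreationTime  = (Get-Date).AddMonths(-9)
(Get-Item $HoneyFile).LastWriteTime = (Get-Date).AddMonths(-7)

# 2. Attach a SACL: every successful read of data or attributes by anyone is audited.
$acl  = Get-Acl -Path $HoneyFile -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
            'Everyone', 'ReadData,ReadAttributes', 'Success')
$acl.AddAuditRule($rule)
Set-Acl -Path $HoneyFile -AclObject $acl

# 3. SACLs only generate events when the "File System" object-access subcategory is audited.
auditpol /set /subcategory:"File System" /success:enable | Out-Null

# 4. Detection: pull 4663 events that reference the decoy and summarise who accessed it.
function Get-HoneyFileAccess {
    param(
        [string]$Path  = $HoneyFile,
        [int]   $Hours = 24
    )
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$Path*" } |
        ForEach-Object {
            # Parse the event XML so fields come out as named properties rather than message text.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                Process = $data.ProcessName
                Access  = $data.AccessMask
                Object  = $data.ObjectName
            }
        }
}

# Usage: list every account and process that opened the decoy in the last day.
Get-HoneyFileAccess | Format-Table -AutoSize
```

Two caveats a practitioner will run into: antivirus scanners, backup agents and indexing services legitimately open files, so baseline the Process column for a few days and alert only on accesses from anything else; and the same approach works for a registry decoy by applying a RegistryAuditRule to a planted key and enabling the "Registry" audit subcategory, which then surfaces as event 4663 with the key path in ObjectName.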

In Windows, there are a few locations which are of interest when wanting to do some basic honey files. The first are Jump Lists, which are the most recently accessed files on the operating system. Located in (Read more...)