Turning the Tables on Network Attackers Requires Re-thinking Security
David ThompsonOne of the most pressing issues facing security today is the problem that network attackers can circumvent preventative security and go to work on a network completely undetected as they explore, establish a greater sphere of control and steal or damage assets. The industry average for dwell time—the amount of time required to detect a network attacker—hovers around five months. Even then, the victimized organization only makes the discovery 15% of the time; it is usually found by a law enforcement agency after the crime has been realized. The number is probably an underestimate, as many attacks are not reported, and some last for years.
Why Attackers Go Undetected
Today less that 1% of enterprises have the ability to find an active network attacker. The dark truth is that unless an attacker is detected during the initial intrusion, most companies are not equipped to find an invader. This represents a major failure of the security industry.
Ask your CISO, or yourself, do you currently have the means to tell if there is an active attacker on your network? If so, how and with what kind of certainty? 99% of security leaders will have to admit that they don’t have this ability.
Can it happen to you? Maybe you have an attacker already inside your network? The best pen testers will guarantee that they can break into any given network within two days. A properly motivated attacker will find a way in. They have a nearly unlimited number of possibilities, and a good number of them will involve a compromise to a user account or machine, if only through spear phishing or social engineering. A defender only has to make one mistake or have one single deficiency to assure the success of an attack.
So it’s likely that you will get a network intruder. It’s also likely that you won’t know about it until it’s far too late. What’s at stake if you aren’t particularly worried about a leak of personally identifiable information (PII) because you don’t deal with consumers?
The Stakes Are Big and Getting Bigger
To a large degree, the world is only seeing the tip of the iceberg of what’s possible with a network attacker. There have been a few hints of what could happen, and it’s worth reviewing these.
Loss of intellectual property (IP) is an important concern. Although there is little news coverage of such activity, it is frighteningly common. There is no standard or expectation to divulge such crime to the public, unless it is a material event for a public company, and even then the notification practices are murky. Most companies would prefer to keep it under wraps. Corporate espionage is widespread, and companies are victimized every day. The cost of IP loss from American companies has been hundreds of billions of dollars and the loss of more than two million jobs according to a recent 60 Minutes segment.
Another threat is looming. Instead of the outright theft of trade secrets, cybercriminals can potentially access and manipulate data or alter a software-based product to create a backdoor or ticking time bomb that they can use for extortion or theft. Back in 2004, Microsoft Windows 2000 source code was obtained from a Microsoft partner and leaked out broadly. The scenario could have turned out differently where a cybercriminal could have secretly gained direct access to Microsoft, found the source code and modified it. In 2011, perpetrators accessed technology for RSA’s SecurID two-factor authentication product. Again, an unthinkable disaster was averted, but it doesn’t take much imagination to consider what could have been.
Requires a Fundamentally Different Approach
So what can a company do? Clearly the traditional security approach is not good enough. Being able to detect an active attacker on the network takes a fundamentally different approach that requires re-thinking of three major security tenants or practices: a new model of what and how to identify dangers; using the network as the starting point; and creating a system that will only issue a small number of alerts that are very focused on attacker activity.
A New Model for Security
The first “re-thinking,” and most significant, involves a new model for security. Today most solutions are based on a model of “known bad.” This means that a security solution needs to be aware of an exploit or threat and know how to identify it using a signature, hash, Indicator of Compromise (IOC), URL or domain or defined behavior for a software routine or application.
The known bad model is essentially reactive and requires an exploit to first be tried on potential victims. Once the exploit is discovered, security researchers find a technical artifact to identify it and then add that static definition to their software tool to block such threats in the future. The first number of victims end up getting compromised, but, ideally, this process occurs quickly and definitional updates can be rapidly created, distributed and applied among the customer base for that product. This means that the majority should benefit and have protection sometime after the initial discovery.
The known bad model is only really suited to malware and does very little to detect and stop a targeted attack being run by a real threat actor. When organizations put all of their focus on tools based on a known bad model the result is what largely exists today: network attackers going unnoticed for an average of five months with successful data breaches that put their victims on the front page of newspapers and cost them millions of dollars.
The only effective way to find an active attacker on the network is by their operational activities—especially the “east-west” steps of reconnaissance and lateral movement that are essential in understanding a network new to them and positioning themselves to get at valuable assets. Such activities can be detected using a model of “known good” or “normal,” such as Behavioral Attack Detection.
This known good model assumes nothing other than an attacker will eventually find their way to your network. Besides that, there are no preconceived or defined signs or conditions to check against. Good or normal are not defined in advance. They have to be learned based on the real users and devices and their usual activities within a particular network. Every company and every network will be different. The learnings produces continuously updated profiles of users and devices. From these profiles, one can detect anomalies, and with advanced machine learning it’s possible to refine the anomalies into just those with a high likelihood of being malicious. Machine learning can also be used to understand that multiple events may be associated and provide greater confidence in quickly and accurately detecting an attack.
Start with the Network
The second major shift in “re-thinking” to find an active network attacker is using the network as a starting point to find their activities. Basely on the likely assumption that an attacker is already in the network, the most effect approach is to see what they are doing on the network to explore, expand control and access assets. It’s difficult to see these things from an endpoint because there is a limited view of the network and no context outside of the endpoint.
Starting with a network view is critical. That is why we partner with Gigamon to optimize the intelligent delivery of select traffic to our platform. The GigaSECURE Security Delivery Platform simply and efficiently directs network traffic to our LightCyber appliance for passive network monitoring.
Stop the Flood
The third required shift involves changing the model for security alerts. Today’s systems alert on any sign of malware or individual events flagged in logs. The result is a brain-numbing number of hundreds or thousands of daily alerts that is dominated by false positives. Finding a useful indication of an active attack would require pure dumb luck.
Instead, a system designed to detect attackers should create a small handful of alerts that are both focused and accurate, pointing directly to an attack. Generally, there are numerous signals that can be indicative of attack activity and, when presented in together as a single alert, the result is accurate and actionable. A security operator can immediately respond, most likely catching the intruder early in their process.
Additive Ability
This new approach appends existing security rather than replaces it. Organizations still need preventative security, since it will stop some 95% of threats. Of course, 95% or even 99% is not good enough since that gives plenty of room for an attacker to find a way into your network. Most of these opportunities will likely come from compromising a user account or machine. Humans are often the weakest link, especially with well-researched social engineering or spear phishing. Gaining valid credentials makes it easy for an attacker to establish a foothold and begin a stealthy operation culminating with theft or damage to your assets.
Once an attacker is inside, they are fundamentally at a disadvantage since the won’t know anything about the network. When companies lack the ability to find an attacker letting them go undiscovered for months, that disadvantage quickly gives way to an impressive advantage. Without Behavioral Attack Detection, attackers have a high probability of accomplishing their goals. Many may never be discovered, and some could stay active for years without being seen. With the LightCyber Magna platform for Behavioral Attack Detection, the tables can be turned, however, so the organization can regain the inherent advantage. With this shift, companies need no longer be powerless victims of attack activity.
