It’s time to turn the tables on network attackers

In today’s complex network security landscape, it is – unfortunately - necessary to consider the possibility that a network attacker could break into your network and steal or damage data, intellectual property and other assets. But could it really happen to you, if you have the latest perimeter protection already installed?

The reality is that if there is enough motivation, a cybercriminal will target your network. Once a cybercriminal wants to get in, there is only the smallest fraction of a chance that they won’t. No network is 100 per cent protected. Perimeter security might be able to hold off 95 per cent or higher of attempted intrusion attacks, but complete protection is an impossibility, if only through a compromise to a user account or computer using well-researched spear phishing or social engineering.

Penetration (“pen”) testers are commonly used by organisations to test their security. The best pen testers guarantee that they can break into a network within two days. There are far too many ways to find a route to the inside of a network. Even going to a highly reputable website - let’s say a major newspaper or news network - it’s likely that malvertising may lurk there, through a legitimate advertising group, which could be the first step of getting a wedge into computer with access to your network.

Sometimes the installation of malicious software may not even require a user to click on anything, as drive-by installers are becoming commonplace. Malware may not even be involved at all, but there are thousands upon thousands of ways to gain credentialled access to a network. With an almost unlimited number of opportunities, the advantage is clearly in favour of the attacker. A defender has only to miss or fail at one thing, and they have lost the battle.

Once inside a network, an attacker can go to work and stay completely hidden. Less than 1 per cent of enterprises today have the ability to find an active attacker on their network. Some have tools that may pick out signs of an attacker, but these are generally buried under hundreds or thousands of other alerts dominated by false positives. Security systems tend to be notoriously inefficient and inaccurate. They warn about the never-ending presence of malware and each movement of a potentially suspicious activity. As a result, it would only be by sheer luck that one could detect a real network attacker.

Searching for malware will help reduce what is not caught by perimeter security, but it will rarely uncover the steps of an active attacker. The only way to find an attacker requires a fundamentally different approach to security. Instead of looking for the technical attributes of known malware and other exploits, the way to quickly and accurately detect an active attacker is by their operational activities - the things they must do on a network unfamiliar to them to accomplish their objective.

In particular, an attacker needs to explore the new network and expand their realm of control to eventually gain access to valuable assets. These attack activities are difficult to detect unless you have ongoing knowledge of what “good” looks like on a specific network. This comes from continuously profiling all users and devices, understanding their normal activities and habits. From this vantage, it’s possible to detect anomalous activities and determine those most likely to be malicious.

All of this is only practical using advanced machine learning, live, in each network. Using a model of known good makes it possible to find the bad. These techniques of using known good to detect the operational activities of an attacker are new and still not well known. A large number of security professionals are surprised that proven systems exist that work in this way. A bigger problem, though, is a tendency to be stuck in a mentality of preventative security. It’s been the complete focus for security teams for the past 20 years, and these habits are hard to break.

Most security people will acknowledge that preventative security cannot be completely effective and that attackers can get into networks. The FBI and Gartner both fully agree on this point. At the same time, these security pros will put all their effort into coming up with a “silver bullet” that will finally make them fully secure. This dissonance between admitting to one thing and acting a completely different way is bizarre, if not a definition of insanity played out. Over aggressive vendor marketing groups exacerbate the problem by blurring definitions of analytics, detection and behaviour.

So, if your company or organisation offers incentives to an attacker, they can and will get inside your network. The odds are extremely high that you won’t be able to detect the attack until theft or damage has occurred. The industry average for “dwell time,” or the amount of time network invaders can stay hidden, is five months. Some are far longer, where the attacker quietly attains their goals completely unnoticed. Such cases might include a slow, methodical theft of company secrets, customer information or intellectual property. Others might involve using credentialled access from your network to get into the network of a partner, customer or supplier. While others might include siphoning small amounts of money off of various transactions, including payroll and accounts payable.

The hype around data breaches may have become a bit too commonplace and caused some complacency or attenuation, but the seriousness is very real. Fortunately, there is no need to pretend that this problem does not exist and that a solution is out of grasp.

A new approach focusing on ‘known good’ allows organisations to gain a vantage point over network attackers for the first time.

Gonen Fink, Chief Executive Officer, LightCyber

Image source: Shutterstock/GiDesign