It is an unfortunate reality that attackers are becoming far more successful at stealing data and personal customer information from businesses around the world. In October we saw one of the most high profile examples – an attack on TalkTalk, resulting in an estimated 4 million customers affected.
Successfully securing our organisations seems to be getting more difficult, despite the new technologies that promise to help us defeat the latest attacks. There are a number of reasons for this, but possibly the most important is that our adversaries are motivated, innovative people who in many cases have access to the same technologies we use to defend ourselves – allowing them to tune their tactics to evade those defences.
However, there are things we can do; for instance almost all attacks make use of one common resource – our networks – and therefore we should be able to detect and block them, if we are looking at the right things in the right way. The problem is that in many cases our security resources tend to be bogged down in processing events – some of which are false positives and most of which don’t represent key risks to our critical business assets and processes. In short, we aren’t using our best asset – our security people – to their best effect. We are trying to react to an ever-increasing number of events, rather than proactively looking for the threats that matter using the network as our viewpoint.
Don’t get me wrong, the reactive methodology does result in the identification and containment of many threats, but some still get through. These are often the ones that are orchestrated to evade our existing solutions and processes; multi-stage, stealthy attacks with component parts that are designed to look innocuous.
This is where hunting comes in; hunting allows us to augment our reactive processes with a more focused proactive approach and utilises the intelligence and skill of the people within our security teams. Along with data we already have on network and threat activity, to identify anomalous or suspicious communications that may warrant further investigation, it is simply a new entry point to our existing IR process.
So, how do we start hunting? Well the key is to know what ‘normal’ looks like for activity within a given environment. Humans are very good at pattern recognition, if we present data on network traffic and threat trends in a visual way then the people using the systems will become familiar with ‘normal’, and will, crucially, be able to identify changes when they happen. To do this effectively though we need to be focused on the likely targets that attackers will go after.
The first step in hunting is identifying the data or processes of value to the organisation using the network, for example, online customer transactions, and the pathways attackers may take to reach these targets. What is key here is that we have to think like the attacker. Some organisations will hold data that is not considered intrinsically valuable – but it may have a greater utility outside of the organisations, and may still therefore be a target. Once we have identified these key assets, and the pathways to them, we need to familiarise ourselves with normal levels of activity as mentioned above. This will involve exploring the data that we have on what is going on. Although we may not find anything, but the process of looking will help us to identify anything unusual the next time we look.
We can also use intelligence to help focus our activities. If we have intelligence on a particular attack vector, or have previous incidents as a reference, then we can explore the data that we have to ensure nothing related is on-going.
All of the above though relies on one thing – the ability to visualise network and threat activity. The traditional ‘rows and columns’ view presented by security solutions doesn’t help us, and neither do solutions that take a long time to respond to queries. The ability to investigate and explore data visually at the speed of thought is key if we are going to enable our security teams to become more proactive.
Organisations need to turn the tables and become the hunters instead of the hunted. To achieve this, organisations need to become less reliant on technology to defend them. They also need to make better use of their best security assets – their people. Using the network as a view-point – gathering traffic and threat activity information – and then visualising this data is key.
The process of exploring this information, if implemented correctly, is very engaging for security people and it can allow us to find threats that would otherwise slip through, reducing our business risk and enabling a more proactive security posture.
Darren Anstee, Chief Security Technologist, Arbor Networks