There are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns – the ones we don't know we don't know.
Who would have thought that former US Secretary of Defence Donald Rumsfeld’s infamous answer to the media would perfectly sum up the current state of malware and cyber security?
Our fundamental response to cyber threats is predicated on known knowns – previously identified malware and attack vectors that have been mapped to document their behaviour. This data is added to a growing database of threat signatures that is used to compare and analyse potentially malicious activity.
Detection usually occurs within key security applications installed at endpoints and gateways. There are also known unknowns – undocumented threats that are caught in sandboxes and mapped on-the-fly to create new signatures. It is a process that takes time, during which endpoints and networks remain vulnerable and malware can gain a foothold.
This tried and tested solution is the bedrock of everything from antivirus software to firewalls and intrusion detection systems (IDS). It is also fundamentally flawed, leading to a false sense of total security. Protection against known knowns does capture a large proportion of viruses, Trojans, rootkits and other malicious code.
However, the most dangerous threat to data, user and system security is not the known known, but rather the unknown unknowns – the threats that have yet to be captured in the wild and mapped. We don’t know if they exist, we don’t have visibility into what they do, and there’s no way signatures can catch them.
The same applies to insider threats. Signatures won’t help you identify and stop an insider challenging the system with legitimate access and legitimate tools. Attack behaviour and deviations from normal activity will not generate a signature match. Defending against the full range of unknown unknowns requires a different, more autonomous approach.
With any good intelligence-driven security strategy, you need a variety of information sources and approaches that involve defence as well as attack. This should involve endpoints using previously verified intelligence (signatures), combined with speculative intelligent warnings. These can include heuristics and other behaviour analysis techniques derived from your own network, hosts and user behaviour. It is the latter that allows us to catch unknown unknowns based on machine learning of general suspicious behaviour traits instead of pattern matching against known threat footprints.
Signatures are valuable for controlling known large-scale, opportunistic threats, such as large common botnets and automated crawlers and vulnerability scanners. Although they are known, these attack vectors still run the risk of propagating at speed and overrunning complete networks. However, the signature model falls flat with attackers who make the effort to avoid detection by redesigning the footprint of their malcode. This makes it harder for signatures to register a match even though the premise of the malware is known. When threats mutate, known cures don’t work effectively.
For example, take the Duqu 2.0 malware, which was identified in June 2015. It is a new version of the Duqu threat, which itself borrows from the infamous Stuxnet worm. The original Duqu did surveillance and collected data in a compromised network. Like its predecessor, Duqu 2.0 uses zero-day vulnerabilities to compromise systems. It also shows the importance of using behaviour-based systems to detect advanced attacks, rather than relying purely on signatures or third-party reputation lists.
Duqu 2.0 performs reconnaissance to map the internal network, uses a Kerberos pass-the-hash attack technique to spread laterally, elevates privileges to a domain administrator account, and uses those privileges to deliver MSI packages to infect other hosts.
If we focus on the actions that an attacker needs to perform to infiltrate a network and steal data, we can detect even the most advanced attacks, not just the ones we already know about. Using network surveillance and monitoring of inbound and outbound traffic flows, as well as internal user and app traffic movements, we can achieve several benefits and deliver a layer of protection long before an attack vector has made progress across the network.
When data science, machine learning and behavioural analysis are applied to network traffic, it’s possible to identify the fundamental actions of an attacker. It alters the process of threat detection for the better:
- Move the point of interception forward from the endpoint, capturing threats in-motion, rather than relying solely on last-line-of-defence solutions on the actual server or client
- Move the focus to detecting potential threats based on exhibited behaviour rather than known signatures
- Provide protection by preventing the progress of the threat, instead of trying to quarantine as a threat activates
This approach identifies all phases of an attack in real time, inside and outside of the core network, including command and control, botnet fraud, reconnaissance, lateral movement and data exfiltration.
The way we have always approached security is not perfect. The key is to be brave enough to embrace change. Pursuing the known knowns may be seen as safe, but it only defends against a percentage of threats.
Proactively tackling the unknown unknowns goes a long way in reducing the percentage of threats that have a viable chance of moving through the network undetected.
Gerard Bauer, VP EMEA, Vectra Networks
Image source: Shutterstock/wavebreakmedia