Most companies run on secrets. If plans, intellectual property, confidential emails, minutes from board or executive meetings and financial details were fully available to competitors or the general public, how could a firm stay in business? In the age of WikiLeaks and Snowden, secrets have gained a negative reputation, but many secrets, whether they serve national security by thwarting a terrorist attack or serve a business, are necessary and important.
Companies, for example, need to protect intellectual property at all costs in a competitive market. Sales plans, merger and acquisition proposals, and recruitment details could greatly undermine a company if they are divulged to the public prematurely. HR files, including performance reviews and disciplinary details, are not meant for the eyes of the public. Even corporate emails often contain sensitive details intended only for a specific recipient.
The recent cyber break-in at the National Security Agency (NSA) in the United States puts the issue in the limelight, while potentially making cyber weapons and exploits available to the highest bidder. The questions "Who can be safe?" and "Can anyone keep secrets anymore?" should be on everyone's mind.
The NSA crisis also brings to the forefront the concept of public cyber-shaming. There are numerous examples of threat actors with a grievance against a business or organisation who break into its network, steal its secrets and expose them for all to see.
In the highly publicised network attack on Sony, attackers released company emails on public sites, revealing confidential and sensitive information that is still creating waves and ill will. The cybercriminals concentrated on emails from top executives at Sony studios, and their revelations were brought to the attention of the media. Other secrets made public included personal information about Sony Pictures employees and their families, emails between employees, information about executive salaries at the company, copies of then-unreleased Sony films and other valuable or sensitive information.
The infamous Hacking Team in Italy suffered a targeted network attack and saw over 400GB of company emails, passwords, internal documents and source code leaked through a torrent posted via the company's own Twitter handle. In addition, the attackers kept their access to the Hacking Team's Twitter account for over 12 hours, posting screenshots of internal emails and other items.
This year's successful network attack on the Panamanian law firm Mossack Fonseca, and the resulting revelations known as the 'Panama Papers', sent reverberations throughout the world, including the UK. Perhaps a justified exposure of illegal or unethical activity, it nonetheless illustrates the impact of secrets coming to light. The Prime Minister of Iceland was forced to resign and a major reshuffling of political offices occurred in countries as far flung as Malta. Multiple investigations were immediately initiated in countries around the world.
By now it should be well understood that no network is safe from intruders. Only a small minority of organisations can detect an attacker once they are inside a network. Industry average dwell time, the period between the initial intrusion and its discovery, is still around five months, allowing attackers to work unobserved as they carefully begin to steal or damage information assets. If this is a war or contest, the cybercriminals are winning in a spectacular way. This is especially frightening if one considers that we are likely in the early stages of such cybercrime and perhaps only seeing the tip of the iceberg in terms of what is possible.
The security industry has long focused on preventative security to defend networks against attackers, keeping the bad guys out. While prevention is still highly important, it is clear that it is not enough. Organisations must now expect that sooner or later an attacker will get into their networks. The new challenge is to find them quickly, before theft or damage occurs. For most organisations, detection has centred on finding malware that has slipped through defences. Unfortunately, that does practically nothing to uncover an active attacker.
Recently LightCyber conducted a six-month study analysing end-user networks totalling hundreds of thousands of endpoints worldwide, and it was remarkably clear that malware had almost no role in the active phase of the attack. The Cyber Weapons Report showed that 99 percent of post-intrusion attack activities did not employ malware, but instead leveraged standard networking, IT administration and other tools that attackers can use in a directed or improvised way. These activities are difficult to distinguish from legitimate administrative use of the same tools or from acceptable work done by other employees.
Security for the past 20 years has been about finding something known to be bad, such as malicious software identified by a signature, hash or particular behaviour. Detecting the activities of a network intruder requires a new orientation. Instead of relying on static definitions of objects known to be bad, organisations must learn the expected behaviour of each user and device on their networks. Against that baseline, it is much easier to discern anomalies that may indicate an attack.
Shifting from known bad to known good is difficult for many security professionals to contemplate. Another major barrier to detecting active attackers is where to look. Much of the emphasis in security has been on examining endpoints or combing through logs for the events that would show an attacker at work. Unfortunately, this approach yields far too much irrelevant data, or a view that is too narrow or short-sighted to uncover attack activity.
Once attackers get into a network, most likely by compromising an employee's computing device or user account, they need to conduct reconnaissance to understand an unfamiliar network and then move laterally to expand their position or realm of control. These are network activities that are best seen by capturing the relevant network traffic. An endpoint-only perspective will miss the critical activities taking place across the network. Analysis of network logs can be a great source of detail but often misses crucial events, particularly reconnaissance.
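The following is an added example, not LightCyber's product or code, of the "known good" approach the preceding paragraphs describe: it learns each host's usual daily fan-out from network flow records and then flags a workstation whose reconnaissance sweep (ordinary SMB and SSH connections, no malware) departs from its own history, while an administrative host that legitimately touches every server every day is left alone. The flow records, host names, field names and thresholds are all constructed for the example and are assumptions, not data from the report.

```python
"""Per-host behavioural baseline over network flow records.

Added example, not LightCyber's product or code. It illustrates the shift
from 'known bad' signatures to a 'known good' baseline described above,
using internal reconnaissance as the anomaly: a workstation that suddenly
reaches many never-seen internal hosts and ports with ordinary tools and
no malware. All flow records are constructed for this example; the field
names and thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    day: int    # observation day
    src: str    # source host
    dst: str    # destination host
    dport: int  # destination port


def build_baseline(flows, train_days):
    """Learn, per source host, its usual daily fan-out (distinct dst:port pairs)
    and every dst:port pair it reached during the training window."""
    per_day = defaultdict(lambda: defaultdict(set))
    known = defaultdict(set)
    for f in flows:
        if f.day in train_days:
            per_day[f.src][f.day].add((f.dst, f.dport))
            known[f.src].add((f.dst, f.dport))
    baseline = {}
    for src, days in per_day.items():
        counts = [len(days.get(d, ())) for d in train_days]  # 0 on quiet days
        baseline[src] = {"mean": mean(counts), "stdev": pstdev(counts),
                         "known": known[src]}
    return baseline


def detect(flows, baseline, day, z_threshold=3.0, min_new=10):
    """Flag hosts whose fan-out on `day` departs from their own history, or that
    reach many dst:port pairs they have never touched (typical of a sweep)."""
    today = defaultdict(set)
    for f in flows:
        if f.day == day:
            today[f.src].add((f.dst, f.dport))
    alerts = []
    for src, pairs in sorted(today.items()):
        if src not in baseline:  # a host with no history cannot be judged normal
            alerts.append({"src": src, "fanout": len(pairs), "new": len(pairs),
                           "reason": "no baseline"})
            continue
        b = baseline[src]
        fanout, new = len(pairs), len(pairs - b["known"])
        if b["stdev"] > 0:
            z = (fanout - b["mean"]) / b["stdev"]
        else:  # perfectly regular host: any growth is unusual, none is not
            z = float("inf") if fanout > b["mean"] else 0.0
        if z >= z_threshold or new >= min_new:
            alerts.append({"src": src, "fanout": fanout, "new": new,
                           "reason": f"z={z:.1f}, {new} never-seen dst:port pairs"})
    return alerts


def static_rule(flows, day, max_fanout=50):
    """The 'known bad' style rule for comparison: one fixed fan-out threshold."""
    today = defaultdict(set)
    for f in flows:
        if f.day == day:
            today[f.src].add((f.dst, f.dport))
    return sorted(src for src, pairs in today.items() if len(pairs) > max_fanout)


SERVERS = [("dc-01", 389), ("dc-01", 445), ("mail-01", 993),
           ("fs-01", 445), ("proxy-01", 3128)]


def build_flows():
    """Constructed flows: 10 training days plus day 11, when ws-01 (compromised
    via its user's account) sweeps the /24 on 445 and 22 with built-in tools."""
    flows = []
    for day in range(1, 12):
        for dst, port in SERVERS[:4 + (day % 2)]:      # ws-01 varies slightly
            flows.append(Flow(day, "ws-01", dst, port))
        for dst, port in SERVERS[:4]:                   # ws-02 is very regular
            flows.append(Flow(day, "ws-02", dst, port))
        for i in range(1, 41):                          # adm-01 legitimately
            flows.append(Flow(day, "adm-01", f"10.0.0.{i}", 22))    # manages
            flows.append(Flow(day, "adm-01", f"10.0.0.{i}", 5985))  # every host
    for i in range(1, 41):                              # day 11 reconnaissance
        flows.append(Flow(11, "ws-01", f"10.0.0.{i}", 445))
        flows.append(Flow(11, "ws-01", f"10.0.0.{i}", 22))
    return flows


def run_example():
    flows = build_flows()
    baseline = build_baseline(flows, train_days=range(1, 11))
    return detect(flows, baseline, day=11)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
    print("static rule flags:", static_rule(build_flows(), day=11))
```

Only ws-01 is reported: on day 11 it reaches 85 distinct destination:port pairs against a history of four or five, 80 of which it has never touched. The fixed-threshold rule in `static_rule` flags adm-01 as well, every single day, which is exactly the false-positive problem of judging activity against a static definition rather than against the host's own expected behaviour. In practice the baseline would be built per user as well as per device, over a longer window, and with a more robust statistic than mean and standard deviation, but the structure is the same.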
Network attackers can be detected early if one knows where and how to look. Unless organisations make the significant shift to detection of behavioural anomalies, they will lack the means to protect corporate secrets. Otherwise, secrecy will become as outdated as the cassette tape or asking for driving directions.
Jason Matlof is Executive Vice President and CMO at LightCyber, an innovative Behavioural Attack Detection provider. Previously he was VP Worldwide Marketing for A10 Networks through their IPO (NYSE: ATEN).