
Don’t compromise: Indicators of behavior and the proactive future of cybersecurity


In the past, organizations were often forced to steel themselves and wait to be attacked. But it’s time to change. Cyber-attacks are becoming ever more expensive and damaging, with the cost of a data breach having risen by 10 percent in seven years. When the cost and risk are so high, tackling cybercrime must involve more than picking up the pieces after an attack and hoping the next one never comes.  

Understanding when and where a criminal has managed to breach the company network is therefore of vital importance. This is achieved by studying Indicators of Compromise (IOCs), but these can only do so much in protecting companies from future attacks. IOCs can show how criminals got in and which weaknesses they used, and they give IT teams useful pointers for closing those gaps, but they are retrospective by definition: an IOC describes a compromise that has already happened. They cannot provide the proactive stance that modern cybercrime demands, nor halt an attack that is underway.

Irregular activity in privileged accounts and unusual traffic flows are usually good indicators that the network has been compromised. But wouldn’t it be far more effective to recognize the breach attempts before they are successfully carried out?  

Indicators of behavior (IOB) offer this exact capability. The IOB approach detects traces of activity within the network that alert the business to an imminent attack or one that is already in progress. The cost of a breach is too high, both financially and reputationally, to risk allowing criminals free rein of the network. An IOB approach can give organizations the edge they need to stop hackers dead in their tracks.

Out with the old 

Indicators of Compromise have undoubtedly served a purpose. They are a useful way to understand commonly used criminal tactics and identify weak points in a network that need addressing. The pieces of evidence left behind in an attack were often the only indication that someone had breached the network, which means businesses could have gone months without knowing they had been compromised. However, in today's landscape, identifying a breach after it has occurred is too late. The cost of breaches, in addition to regulatory fines under the General Data Protection Regulation (GDPR) and similar laws, means that businesses could suffer millions in losses, all because their security approach was reactive rather than proactive.

Additionally, teams have to set aside sufficient time to sift through every indicator, analyzing each one to understand the journey taken by the adversary. Many of the IOCs are likely to be false positives: alerts to potential threats that turn out to carry zero risk. Having to check hundreds of alerts, false positives included, adds stress to already overworked teams and consumes time that could have been spent analyzing more complex and potentially sinister events. Attacks are often missed simply because of alert volume, made worse by noise, so that individual events, or patterns of events, go undetected.

Unfortunately, the limitations do not end there. The next step in the process of investigating an attack involves conducting further assessments once signs of a compromise are found. However, the traditional IOCs that normally appear after a breach of the network or a data center do not always appear when cloud infrastructure has been compromised: there is no host on which to find a dropped file, a known-bad hash or a modified registry key, and the evidence is confined to whatever the cloud provider's audit logs record. This, combined with the fact that these efforts all take place after the attack has happened, paves the way for a new approach. Enter Indicators of behavior…

In with the new 

The main issue with IOCs is that there is little the company can do with the information gathered to prevent future attacks, other than resolve the specific vulnerability exploited and block the specific hashes, domains and addresses involved, all of which attackers can change cheaply. Instead, teams should be monitoring for early signs of irregularities before any damage takes place.

Indicators of behavior describe how devices, users, inboxes, cloud objects or other human and non-human entities behave. If companies can identify suspicious behavior before it escalates, that represents early warning, and early warning in turn translates into significant savings.

The basis of the IOB model involves understanding what constitutes 'normal behavior' within the business. Once this baseline has been established, teams and technology can monitor for irregularities, anomalies and outliers. The baseline must also keep learning: it has to be refreshed as legitimate routines change (a new project, a new tool, a new team) so that a natural shift in behavior becomes the new normal rather than firing alerts indefinitely. Some of the main clues used in this approach are the unexpected appearance of new apps or email accounts, especially if data is being transferred between them.

There are several signs that teams should look out for, both in inboxes and in the cloud, including unusually large volumes of data being uploaded to cloud storage such as OneDrive or SharePoint, particularly to personal accounts rather than the corporate tenant. Inboxes should be monitored for irregular activity, such as an account sending thousands of identical messages in a short space of time or sending from an unusual location. But again, this is where context is critical. Employers need to understand what counts as normal behavior so that they can quickly recognize anomalies and respond effectively. This applies to cloud activity as well. Being able to see when and where employees access files in the cloud is very important. If an individual based in Britain unexpectedly accesses a file from a location in a foreign country, that warrants further investigation; whether it is an incident depends on the context, since travel, a corporate VPN or a cloud proxy can all make a legitimate user appear to be somewhere else.
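The three signals above (unusual upload volume, a burst of identical messages, and access from a country outside the user's history) can be expressed as a small behavioral-baseline check. The script below is an added example written for this page, not Censornet's product logic or any code from the original article. All audit events are constructed for illustration; the event fields, the thresholds, the 14-day history window and the list of corporate VPN egress addresses are assumptions. It also shows the context caveat in practice: a "new country" seen through a known VPN egress address is downgraded rather than treated as a full-severity finding, and a user without enough history is not judged at all.

```python
"""Indicators-of-behavior style checks over constructed cloud and mailbox audit events.

Added example for illustration; thresholds, window sizes and VPN egress list are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

BASE = datetime(2021, 6, 1, 9, 0)          # first day of the constructed history
CUTOFF = datetime(2021, 6, 15)             # events on/after this are "today"; earlier ones form the baseline
VPN_EGRESS = {"198.51.100.5"}              # assumed corporate VPN/proxy egress addresses (documentation range)


def constructed_events():
    """Return constructed audit events (not real logs). Fields: user, ts, kind, plus kind-specific data."""
    ev = []
    today = datetime(2021, 6, 15, 9, 0)
    for d in range(14):                    # alice: ~50 MB/day routine uploads from GB
        day = BASE + timedelta(days=d)
        ev.append({"user": "alice", "ts": day, "kind": "upload", "bytes": 50_000_000 + d * 1_000_000})
        ev.append({"user": "alice", "ts": day, "kind": "access", "country": "GB", "src_ip": "203.0.113.10"})
        ev.append({"user": "bob", "ts": day, "kind": "access", "country": "GB", "src_ip": "203.0.113.20"})
    ev.append({"user": "alice", "ts": today, "kind": "upload", "bytes": 2_000_000_000})   # 2 GB spike
    ev.append({"user": "bob", "ts": today, "kind": "access", "country": "US", "src_ip": "198.51.100.5"})  # via VPN
    ev.append({"user": "bob", "ts": today, "kind": "access", "country": "RU", "src_ip": "192.0.2.77"})    # unknown
    for i in range(60):                    # carol: 60 identical messages in five minutes
        ev.append({"user": "carol", "ts": today + timedelta(seconds=5 * i), "kind": "send", "msg_hash": "b0dy"})
    return ev


def upload_anomalies(events, cutoff, k=3.0, min_days=5):
    """Flag days on/after cutoff whose upload total exceeds the user's own history (mean + k*stdev).

    The baseline is recomputed from the history window on every run, so a sustained change in
    routine ages into the new normal instead of alerting forever. A floor of 25% above the mean
    stops a perfectly flat history from flagging trivial increases.
    """
    totals = defaultdict(lambda: defaultdict(int))          # user -> date -> bytes
    for e in events:
        if e["kind"] == "upload":
            totals[e["user"]][e["ts"].date()] += e["bytes"]
    findings = []
    for user, per_day in totals.items():
        history = [b for d, b in per_day.items() if d < cutoff.date()]
        if len(history) < min_days:
            continue                                        # too little history to call anything unusual
        m = mean(history)
        threshold = m + max(k * pstdev(history), 0.25 * m)
        for d, b in per_day.items():
            if d >= cutoff.date() and b > threshold:
                findings.append({"user": user, "date": d, "bytes": b, "threshold": int(threshold)})
    return findings


def mass_send_anomalies(events, cutoff, window=timedelta(minutes=10), threshold=50):
    """Flag a user sending >= threshold messages with an identical body hash inside one sliding window."""
    sends = defaultdict(list)                               # (user, hash) -> timestamps
    for e in events:
        if e["kind"] == "send" and e["ts"] >= cutoff:
            sends[(e["user"], e["msg_hash"])].append(e["ts"])
    findings = []
    for (user, h), times in sends.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                findings.append({"user": user, "msg_hash": h, "count": hi - lo + 1, "start": times[lo]})
                break
    return findings


def location_anomalies(events, cutoff, vpn_egress):
    """Flag access from a country absent from the user's history.

    Access through a known VPN/proxy egress is downgraded to low severity: the geolocated country
    then describes the egress point, not the person, so it needs context before anyone is paged.
    """
    seen = defaultdict(set)
    for e in events:
        if e["kind"] == "access" and e["ts"] < cutoff:
            seen[e["user"]].add(e["country"])
    findings = []
    for e in events:
        if e["kind"] == "access" and e["ts"] >= cutoff and e["country"] not in seen[e["user"]]:
            severity = "low" if e["src_ip"] in vpn_egress else "high"
            findings.append({"user": e["user"], "country": e["country"], "src_ip": e["src_ip"], "severity": severity})
    return findings


def run_detection():
    """Run all three checks over the constructed events and return the findings by category."""
    events = constructed_events()
    return {
        "uploads": upload_anomalies(events, CUTOFF),
        "mass_send": mass_send_anomalies(events, CUTOFF),
        "locations": location_anomalies(events, CUTOFF, VPN_EGRESS),
    }


if __name__ == "__main__":
    for category, hits in run_detection().items():
        for hit in hits:
            print(category, hit)
```

Run as-is it reports alice's 2 GB day against a threshold of roughly 70 MB, carol's identical-message burst, and both of bob's new-country accesses, with the VPN one marked low. Real deployments would compute the baseline from a rolling window of tenant audit logs rather than a fixed cutoff, but the shape of the logic (learn per-entity normal, then alert on departures, with context deciding severity) is the same.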

Proactive cybersecurity is the future 

Using IOB is a step towards a proactive security stance, and away from the old reactive approach. It allows organizations to deal with threats and attacks in real time and prevent loss or damage. Context is fundamental, so as long as businesses take the time to recognize 'normal' behavior patterns, an IOB approach can put them in a good position to pick out unusual and suspicious activity as the threat landscape continues to evolve.

Working patterns changed significantly when the workforce shifted to remote working overnight. These behaviors are likely to change over the years as businesses continue to look to the future and plan for what best suits their operations. Maintaining visibility over how each employee works and what devices are being used for what purpose will contribute to the fundamentals of IOB.  

Automated solutions, combined with behavior analytics, will be critical for this approach. Being able to identify and block attacks before they have an impact will go a long way in ensuring business continuity in a developing threat landscape. We need to learn to look further upstream to see what’s coming, not just look at the debris downstream after we’ve been hit.

Richard Walters, Chief Technology Officer, Censornet