With massive data breaches uncovered daily or weekly, it’s hard not to be a bit numb to the urgency and magnitude of the issue. For most organisations, the problem is far from solved. Apathy in place of outrage at this juncture could diminish any help before it gets started. At the same time, misguided efforts will result in continued failure.
A giant Python-esque foot has not yet come down to condemn the ludicrousness of such a broad catastrophe, but losses and damage have been mounting. This year, cybercrime overtook physical crime in the UK, marking a profound changing of the times. The National Crime Agency estimates the annual loss to UK businesses at £1 billion in direct costs, although the more realistic number is far greater, particularly considering the cost of stolen intellectual property and business secrets and other loss and damage not typically reported.
Traditional security is clearly not solving the problem. Dwell time—the amount of time required to detect an active attacker on a network—still holds steady at about five months. This means that for most organisations, once an attacker gains network access they can go about their business of carrying out theft or damage without fear of being discovered until well after they have achieved their goals and made twits of us all.
Understanding the problem
Why is it so difficult to detect a network attacker and defeat a data breach? To answer that question, it is essential to more precisely understand the problem.
A network attack usually occurs once a cybercriminal or cyber-activist has compromised a user’s computer or network credentials. All it takes to start an active network attack is to gain access to a single computer or account. From there, an attacker has just about everything within reach.
The initial compromise is difficult to prevent. There are thousands of ways an attacker may get control of a user. Most commonly, social engineering or well-researched, convincing phishing will get a user to yield control. Undetectable malware that is customised for the attack or zero-day malware not recognised by preventative security controls may also play a role. Even malware placed on a reputable website and loaded onto a user’s computer through a drive-by exploit or other means may play a part.
Compromising a user is relatively easy. It’s the most common way a white hat penetration (“pen”) tester might begin a simulated attack. The best pen testers may even guarantee that they will gain network access within two days. If pen testers operating with some scruples can take over a user’s computer so easily, imagine what a cybercriminal without any scruples at all could do.
This sort of user compromise has nothing to do with the primary preventative security an organisation has in place. Next generation firewalls, web gateway devices, network sandboxing and intrusion prevention can’t address this kind of cyber workaround. The firewall may be best-in-class, well maintained, expertly configured and set up with robust, conservative rules, but it will have little bearing on preventing compromise of a user machine or account. The true nature of an attack’s starting place is squarely at odds with the primary focus of security today. For most organisations, nearly everything goes into preventative security, but preventative security can only provide so much protection. Today’s reality is that you have to expect that an attacker will get into the network. The security burden, therefore, shifts to the ability of detecting an active attacker inside the network.
Detecting the reconnaissance
Once an attacker has a foothold, the longest, most involved stage of the attack begins. Now the attacker has two primary tasks. The first involves exploring and understanding the new, unfamiliar network. The second task is to expand their sphere of control to gain access to assets. Both involve multiple iterative steps and need to be carried out so that they are not detected.
Detecting the reconnaissance and lateral movement portions of the active attack stage is best done through behavioural analytics. If users and devices have been carefully profiled, it is possible to see the anomalies of these attack activities against a backdrop of learned good behaviour. The activities involve typical IT and networking tools and commands. They do not typically involve any kind of malware. If one has any kind of post-intrusion detection, it’s important to be looking for operational activities, not for malware. Hunting malware will have little or no value in uncovering an active attacker. Only finding certain administrative activities will turn up the real attackers.
The trouble is that these blend in with legitimate activities, and detection can be hampered by excessive numbers of alerts with low accuracy. Both of these hurdles need to be addressed in order to quickly find an attacker. It is not enough to simply find anomalies. Only the anomalies highly indicative of an attack are valuable. Anything else is more of a liability; a distraction from the main objective. Ideally a detection system will produce a small number of alerts that accurately identify an attacker through the use of advanced detection functionality.
Putting these observations together helps form a strategy of how to detect network attackers early before theft or damage can occur:
- Prevention alone is no longer enough. The reality is that a motivated attacker will gain access to a network. The challenge is detecting the attacker once they become active on the network. Few organisations have this ability today.
- When an attacker becomes active, the most prodigious activities involve reconnaissance and lateral movement using common IT and networking administrative tools and procedures. Malware is rarely used.
- Finding an attacker requires not just identifying anomalous activity from learned normal or good; the anomalies must also be highly indicative of an attack.
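The three points above describe a detection approach in outline: learn what each user and device normally does, then raise an alert only for anomalies that look like reconnaissance or lateral movement rather than for every deviation. The following is an added illustration of that idea in Python; it is constructed for this article and is not LightCyber's product code or any real detection engine. The event records, user names, host names, the ten-day learning period, the fan-out threshold of five never-before-seen hosts, and the two alert rules are all assumptions chosen to show the principle: a user touching one new file server with a familiar tool is recorded as an anomaly but not alerted, while a user who suddenly reaches six hosts they have never accessed with an administrative tool they have never used is.

```python
"""Toy behavioural baseline for post-intrusion detection (added example, not vendor code).

Learn, per user, the set of destination hosts and administrative tools seen
during a learning period, then score a later day: plain "new host" events are
recorded as anomalies, but an alert is raised only for patterns that are
highly indicative of reconnaissance (wide fan-out to unknown hosts) or lateral
movement (a never-used admin tool against a never-accessed host).
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    day: int    # constructed day index; 0-9 is the learning period, 10 is scored
    user: str   # account that performed the action
    dst: str    # destination host
    tool: str   # protocol/tool used, e.g. "smb", "rdp", "wmi"


def learn_baseline(events, learning_days):
    """Per-user sets of hosts and tools observed during the learning period."""
    hosts, tools = defaultdict(set), defaultdict(set)
    for e in events:
        if e.day < learning_days:
            hosts[e.user].add(e.dst)
            tools[e.user].add(e.tool)
    return hosts, tools


def score_day(events, day, hosts, tools, fanout_threshold=5):
    """Return {user: {"new_hosts", "new_tools", "alert"}} for activity on `day`.

    "alert" lists the high-confidence reasons only; an empty list means the
    activity was either normal or an anomaly too weak to surface to an analyst.
    """
    by_user = defaultdict(list)
    for e in events:
        if e.day == day:
            by_user[e.user].append(e)

    results = {}
    for user, evs in by_user.items():
        # A user absent from the baseline has empty sets, so everything is new.
        new_hosts = {e.dst for e in evs} - hosts[user]
        new_tools = {e.tool for e in evs} - tools[user]
        reasons = []
        # Reconnaissance signature: many previously unseen hosts in one day.
        if len(new_hosts) >= fanout_threshold:
            reasons.append("recon_fanout")
        # Lateral-movement signature: an admin tool this user never used,
        # aimed at a host this user never touched.
        if any(e.tool in new_tools and e.dst in new_hosts for e in evs):
            reasons.append("lateral_new_tool")
        results[user] = {
            "new_hosts": sorted(new_hosts),
            "new_tools": sorted(new_tools),
            "alert": reasons,
        }
    return results


def constructed_events():
    """Constructed sample telemetry: three users over ten learning days plus day 10."""
    evs = []
    for day in range(10):
        evs.append(Event(day, "alice", "fileserver01", "smb"))
        evs.append(Event(day, "alice", "ts01", "rdp"))
        evs.append(Event(day, "bob", "fileserver01", "smb"))
        for n in range(1, 9):                      # admin1 legitimately manages ws01-ws08
            evs.append(Event(day, "admin1", f"ws{n:02d}", "wmi"))
    # Day 10: alice uses one new file server with her usual tool (weak anomaly);
    # bob's account reaches six workstations over WMI, which he has never done;
    # admin1 adds a single new workstation to an already wide, normal footprint.
    evs.append(Event(10, "alice", "fileserver01", "smb"))
    evs.append(Event(10, "alice", "fileserver02", "smb"))
    for n in range(1, 7):
        evs.append(Event(10, "bob", f"ws{n:02d}", "wmi"))
    for n in range(1, 10):
        evs.append(Event(10, "admin1", f"ws{n:02d}", "wmi"))
    return evs


def run():
    """Learn on days 0-9 and score day 10 of the constructed data."""
    evs = constructed_events()
    hosts, tools = learn_baseline(evs, learning_days=10)
    return score_day(evs, 10, hosts, tools)


if __name__ == "__main__":
    for user, r in run().items():
        status = "ALERT " + ",".join(r["alert"]) if r["alert"] else "no alert"
        print(f"{user:7s} new_hosts={r['new_hosts']} new_tools={r['new_tools']} -> {status}")
```

Note how the baseline, not a fixed rule, decides what is suspicious: admin1 touching nine workstations is unremarkable because eight of them are in that account's learned profile, while the same fan-out from bob's account is flagged. Real deployments would key the profile on device as well as account, learn over far longer than ten days, and weight the reasons rather than treat them as booleans, but the shape of the logic is the same.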
It is easy to see how early, accurate detection of network attackers could go off course. Tendencies that have been major tenets of security for the past 20 years need to be seriously reconsidered. Clearly, gaining the upper hand on an attacker calls for something completely different.
Alex Moyes, UK Country Manager, LightCyber