The following is a guest article from Scott Millis, chief technology officer of Cyber adAPT, Inc.
John Chambers, the man whose hand was on Cisco's tiller for 20 years, is reported to have said, "There are two types of companies: those that have been hacked, and those who do not know they have been hacked."
It has become a truism. Just about every organization now accepts it is no longer a matter of "if" they suffer a breach, but "when" and, more importantly, how they can isolate and mitigate the threat.
2016 was a record-breaking year for reported data breaches, up 40% from 2015. In August last year, Yahoo confirmed that the details of at least 500 million of its users had been stolen in 2014.
This begs the question: how do you build a security strategy in a world where whatever you do, threats cannot be kept out? The answer lies in taking a new approach. Traditionally, organizations have focused on their perimeter. Essentially, they have built big walls to keep out the bad guys. In striving to keep the enterprise safe, these walls have become bigger and more resistant.
But those walls are not impermeable. You can bet your bottom dollar malware and other threats can get past the biggest, best-built barriers surrounding the perimeter of an organization's network.
This is because the way in which attackers approach the perimeter has shifted. Criminals often get in using legitimate usernames and passwords to avoid detection. These can be gained through phishing, keystroke loggers or even good old-fashioned shoulder-surfing. Of course, there is also the chance of a malicious insider.
This is compounded by technical developments such as virtualization, cloud and mobile. Virtualization makes servers, applications and data both fluid and mobile. Cloud puts data beyond the traditional confines of a network, and mobile means data is pushed out to any number of endpoints, via a carrier network, often with no more security than a PIN. These endpoints also have Wi-Fi, Bluetooth and apps, which open up huge security holes.
For all these reasons, it is time to stop staring forlornly along the fence and start searching the grounds. As Chambers' truism reminds us, the invaders have already breached defenses such as firewalls, anti-virus and intrusion detection systems. At best they are sitting dormant, waiting to pounce. At worst they are stealing, viewing and causing trouble, totally unfettered. In fact, on average an attacker can sit unnoticed on a network for 146 days. Clearly, a lot can happen in that time. Information can be extracted, identities forged, cash stolen and infrastructure broken, all of which can spell disaster.
This is why the best defense is to analyze network traffic and detect suspicious activities. This does not mean just checking files to see if they match the profile of known threats, but looking at what traffic is passing over the network and whether it suggests malicious intent. It means looking for patterns of behavior.
Sniffing out the intruders
The difference between typical malware and a human is obvious in this case, and the traffic and resulting log files should be a warning. Not just that something nasty is on the network, but that nasty thing is starting to do something. As soon as you know it is doing something — or trying to do something — you can stop it in its tracks. Fast.
This is the approach all organizations should be taking: looking for suspect activity, not suspect files. By taking this high-speed, analytical view of network traffic, you can understand what is good and what is bad, allowing you to pick out anything that got past the perimeter. The result is the ability to see more attacks, more quickly, and importantly, reduce false positives. This is important, because security teams spend so much time checking to see if something really is malicious. It drains resources and pulls teams away from the more important priorities.
This methodology also allows security teams to focus on malware that really is a threat – not every bit of redundant malware floating around that's inert or inactive. It's a bit like learning to live with slugs in your garden. You can probably deal with them if they are not doing any damage. But if there are flesh-eating ones, you want to get slug bait.
However, understanding what constitutes suspicious activity takes a great deal of expertise and understanding to codify and implement. But it is possible. To do so, you need to get inside the head of the attacker and understand their motives and intent.
Broadly speaking, there are a handful of things that a hacker is trying to do:
- Steal credentials
- Extract funds
- Undertake reconnaissance
- Shut something down (such as critical infrastructure)
- Embarrass someone
To achieve any one of these, there are many different tactical pieces of malware, which change and become ever harder to identify over time. Regardless of the malware being used, there is a process that often looks very similar. If you can understand the intent and the process that goes with it, you can spot suspicious activity that is indicative of the intent and stop the attacker in their tracks. The example of malware connecting directly to an IP address is just one of many.
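As an added illustration of the behavioral approach described above (this is example code written for this article, not anything from the author or Cyber adAPT), the script below walks a constructed sample of sensor events and flags outbound connections that a host makes to an address it never resolved through DNS, the "connecting directly to an IP address" pattern the text cites. The log format, host names and addresses are all assumptions made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample events (not from the article): DNS answers and outbound
# connections as a network sensor might log them. Workstation ws-12 resolves
# updates.example.com before connecting, then repeatedly connects to an
# address it never looked up; ws-34 behaves normally.
SAMPLE_LOG = """\
2017-03-01T10:00:01Z dns  host=ws-12 query=updates.example.com answer=203.0.113.10
2017-03-01T10:00:02Z conn host=ws-12 dst=203.0.113.10 port=443
2017-03-01T10:05:00Z conn host=ws-12 dst=198.51.100.7 port=8080
2017-03-01T10:05:30Z conn host=ws-12 dst=198.51.100.7 port=8080
2017-03-01T10:06:00Z conn host=ws-12 dst=198.51.100.7 port=8080
2017-03-01T10:07:00Z dns  host=ws-34 query=mail.example.com answer=203.0.113.25
2017-03-01T10:07:01Z conn host=ws-34 dst=203.0.113.25 port=993
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kind>dns|conn)\s+(?P<fields>.*)$")


def parse_event(line):
    """Turn one log line into a dict, or None if the line is not recognised."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = {"ts": m.group("ts"), "kind": m.group("kind")}
    ev.update(kv.split("=", 1) for kv in m.group("fields").split())
    return ev


def find_direct_ip_connections(log_text):
    """Flag outbound connections whose destination the same host never
    resolved through DNS earlier in the log. Repeated hits to the same
    unresolved address are counted so analysts can prioritise the noisiest
    pairs. Returns {(host, dst): count}."""
    resolved = defaultdict(set)   # host -> DNS answers it has received
    findings = defaultdict(int)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        if ev["kind"] == "dns":
            resolved[ev["host"]].add(ev["answer"])
        elif ev["dst"] not in resolved[ev["host"]]:
            findings[(ev["host"], ev["dst"])] += 1
    return dict(findings)


if __name__ == "__main__":
    for (host, dst), n in find_direct_ip_connections(SAMPLE_LOG).items():
        print(f"{host} -> {dst}: {n} connection(s) with no prior DNS lookup")
```

On the sample data only ws-12's three connections to 198.51.100.7 are flagged; the legitimate traffic that followed a DNS lookup is left alone, which is the false-positive reduction the article argues for.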
Organizations need to work with experts to identify these processes and the types of traffic they create. They need to keep up with the cybercriminals and how they operate once they are inside a network. They need to constantly extend the breadth of detectable behavior patterns and identify the cause and spread of attacks to power remedial action. Of course, this is a huge investment for an in-house team, which is where security vendors can step in.
While still important, perimeter security is increasingly losing its ability to protect. Building bigger and better walls will stop a proportion of attackers, but it is increasingly expensive with diminishing returns. The real effort needs to be turned to the grounds within those walls, that is, the network.
Doing so will take bravery, but if we do not, organizations run the risk of disaster and security professionals will have lost the battle. And probably their jobs.