The following is a guest post from Gonen Fink, Chief Executive Officer of LightCyber.
Every company has secrets, things not meant to be broadcast to the entire world. In the age of WikiLeaks and Snowden, secrets have gained a negative reputation, but many are necessary and important. Companies need to guard their intellectual property or face swift extinction in a competitive market.
Sales plans, merger and acquisition proposals, and financial details could greatly undermine a company if they are divulged to the public prematurely. HR files — including background checks, performance reviews and disciplinary or developmental details — are not meant for the general public. Even corporate emails may contain sensitive details intended only for a specific recipient and no one else.
The recent cyber break-in at the U.S. Democratic National Committee puts the issue in the limelight and forces the question, can anyone keep secrets anymore? But the DNC hack is just the latest in a constant string of high-profile attacks that have exposed organizations’ secrets.
In the much publicized break-in at Sony Pictures, attackers released company emails on public sites, revealing confidential and sensitive information that is still creating waves and ill will. The attackers concentrated on emails from five top studio executives, and their postings were brought to the attention of the press. They also exposed the personal information of Sony Pictures employees and their families, emails between employees, details of executive salaries and copies of then-unreleased Sony films, among other things.
In another high-profile breach, the infamous Italian surveillance-software vendor Hacking Team suffered a targeted network attack and saw more than 400GB of company email, passwords, internal documents and source code leaked through a torrent announced from the company’s own Twitter account. The attackers kept control of that Twitter account for over 12 hours, posting screenshots of internal emails and other items.
This year’s successful network attack on the Panamanian law firm Mossack Fonseca and the resulting "Panama Papers" sent reverberations throughout the world. Perhaps a justified exposure of illegal or unethical activity, it nonetheless illustrates the impact of secrets coming to light. The Prime Minister of Iceland was forced to resign, and a major reshuffling of political offices occurred in countries as far flung as Malta. Multiple investigations were immediately initiated around the world, including a review of offshore banking rules in the U.S.
It is now well understood that no network is safe from intruders. Only a small minority of organizations can detect an attacker once they are inside a network. The industry average dwell time still hovers around five months, allowing attackers to work unobserved as they carefully begin to steal or damage information assets. If this is a war or contest, the cybercriminals are winning in a spectacular way.
For too long, the security industry has focused on preventive security, defending the network perimeter to keep the bad guys out. While this remains an important priority, it is clear that prevention is not enough. Organizations must now expect that eventually an attacker will get into their networks, and the new challenge is to find them quickly, before theft or damage occurs. To date, most detection has centered on finding malware that has slipped through the organization’s defenses. Unfortunately, this does practically nothing toward uncovering an active attacker who is not using malware at all.
In a recent study LightCyber conducted over a six-month period, analyzing end-user networks totaling hundreds of thousands of endpoints worldwide, it was remarkably clear that malware had almost no role in the active phases of an attack. The Cyber Weapons Report showed that 99% of post-intrusion attack activities did not employ malware, but rather leveraged standard networking, IT administration and other tools (remote-access utilities, network scanners, credential and directory tools) that attackers can use in a directed or improvisational way. Because the same tools are used by administrators and other employees every day, these activities are difficult to distinguish from legitimate work.
Known bad to known good
Security for the past 20 years has been about finding something known to be bad, such as malicious software as identified by a signature, hash or particular behavior. Detecting malicious activities performed by a network intruder requires a new orientation. Instead of using static definitions of objects known to be bad, organizations must learn the expected behavior for each user and device on their networks. From this baseline, it is much easier to discern anomalies that may be indicative of an attack.
Making this jump from known bad to known good is hard for security professionals to contemplate. Another major barrier to successfully detecting active attackers is where to look. Much of the emphasis in security has been on examining endpoints or combing through logs to find the events that would show an attacker at work. Unfortunately, this approach yields far too much irrelevant data, or a view that is too narrow to reveal attack activity.
When an attacker lands in a network, he or she needs to conduct reconnaissance to understand an unfamiliar environment and then move laterally to expand his or her position or realm of control. These are network activities that are best seen by observing the relevant network traffic. An endpoint-only perspective will miss the critical activity taking place between hosts. Analysis of network logs can be a great source of detail but often misses crucial events, particularly reconnaissance, which may consist only of connection attempts that no application ever logs.
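The two points above, learning a per-host "known good" baseline rather than matching known-bad signatures, and catching reconnaissance from network traffic rather than endpoint logs, can be illustrated with a small flow-level detector. The following is an added example written for this page; it is not LightCyber’s code or a description of its product. The flow records are constructed inline: a baseline week in which a workstation talks to three servers and an admin jump box legitimately reaches thirty servers on SSH, followed by a detection window in which the workstation starts sweeping the server subnet. The profile fields, the thresholds and the host addresses are all assumptions chosen for illustration.

```python
"""Baseline-and-anomaly detection over network flow records.

Added example, not LightCyber's code. Builds a per-source-host profile
of "known good" (dst, dport) pairs from a baseline window, then scores
a detection window for reconnaissance-like behaviour: a host reaching
many peers and ports it never touched during the baseline.
All flows, addresses and thresholds below are constructed/assumed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Flow:
    ts: int      # seconds since epoch (constructed values)
    src: str
    dst: str
    dport: int


# Constructed baseline: seven days of "normal" traffic.
BASELINE: List[Flow] = []
for day in range(7):
    t = 1_600_000_000 + day * 86_400
    # workstation 10.0.1.7 uses the file server, directory and mail daily
    BASELINE += [Flow(t, "10.0.1.7", "10.0.0.10", 445),
                 Flow(t, "10.0.1.7", "10.0.0.20", 389),
                 Flow(t, "10.0.1.7", "10.0.0.30", 993)]
    # admin jump box 10.0.9.1 legitimately reaches thirty servers on SSH
    BASELINE += [Flow(t, "10.0.9.1", f"10.0.0.{n}", 22) for n in range(10, 40)]

# Constructed detection window: the workstation now sweeps the server subnet
# on common Windows/admin ports, while the jump box does its usual rounds.
DETECT: List[Flow] = [Flow(1_600_700_000, "10.0.1.7", "10.0.0.10", 445),
                      Flow(1_600_700_000, "10.0.1.7", "10.0.0.20", 389)]
DETECT += [Flow(1_600_700_100 + n, "10.0.1.7", f"10.0.0.{n}", p)
           for n in range(10, 60) for p in (22, 135, 445, 3389)]
DETECT += [Flow(1_600_700_000, "10.0.9.1", f"10.0.0.{n}", 22) for n in range(10, 42)]


def build_profiles(flows: List[Flow]) -> Dict[str, dict]:
    """Learn, per source host, the set of (dst, dport) pairs it normally
    uses and the largest number of distinct peers it reached in one day."""
    pairs = defaultdict(set)
    peers_by_day = defaultdict(lambda: defaultdict(set))
    for f in flows:
        pairs[f.src].add((f.dst, f.dport))
        peers_by_day[f.src][f.ts // 86_400].add(f.dst)
    return {src: {"pairs": pr,
                  "max_peers_day": max(len(s) for s in peers_by_day[src].values())}
            for src, pr in pairs.items()}


def score_window(profile: Dict[str, dict], flows: List[Flow],
                 new_pair_ratio: float = 0.5, peer_multiplier: float = 3.0) -> List[dict]:
    """Flag hosts whose window traffic is mostly pairs never seen in the
    baseline AND whose peer count far exceeds their own daily maximum.
    Both thresholds are assumed values for this example."""
    seen = defaultdict(set)
    for f in flows:
        seen[f.src].add((f.dst, f.dport))
    findings = []
    for src, pr in seen.items():
        # A host with no baseline is treated as having no known-good pairs
        # and a daily peer maximum of 1, so any sweep by it is flagged.
        base = profile.get(src, {"pairs": set(), "max_peers_day": 1})
        new_pairs = pr - base["pairs"]
        peers = {dst for dst, _ in pr}
        ratio = len(new_pairs) / len(pr)
        if ratio > new_pair_ratio and len(peers) > peer_multiplier * base["max_peers_day"]:
            findings.append({"src": src, "new_pairs": len(new_pairs),
                             "distinct_peers": len(peers),
                             "baseline_max_peers_day": base["max_peers_day"]})
    findings.sort(key=lambda x: x["new_pairs"], reverse=True)
    return findings


if __name__ == "__main__":
    for finding in score_window(build_profiles(BASELINE), DETECT):
        print(f"recon-like behaviour from {finding['src']}: "
              f"{finding['distinct_peers']} peers (baseline max/day "
              f"{finding['baseline_max_peers_day']}), "
              f"{finding['new_pairs']} never-seen dst/port pairs")
```

The point of the two hosts is that the same raw behaviour, one source touching dozens of internal servers on port 22, is normal for the jump box and anomalous for the workstation; a signature for "port sweep" cannot tell them apart, while a per-host baseline can. In practice the profile would be learned from flow exports or a network tap over weeks, and the window scored continuously, but the comparison is the same.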
Network attackers can be detected early if an organization knows where and how to look. Unless organizations make the significant shift to detection of behavioral anomalies, they will lack the means to protect corporate secrets. Otherwise, secrecy will become as outdated as a VCR or asking for driving directions.