Hunting in-network attackers requires a different approach to security
- By Gonen Fink
- Jun 06, 2016
The reality is that your network will become a target of cybercriminals, if it hasn’t already. When hackers want to get in, there is only a fraction of a chance that they won’t.
No network is 100 percent protected. Perimeter security might be able to hold off 95 percent or more of attempted intrusion attacks, but complete protection is impossible. One compromised user account or successful spear phishing attack is all it takes for a network to be breached. The FBI and Gartner both fully agree on this point.
Even without malware, there are thousands of ways to gain credentialed access to a network. With nearly an unlimited number of opportunities, the advantage is clearly in favor of the attacker. A defender has only to miss or fail at one thing, and he has lost the battle.
Once inside a network, an attacker can go to work and stay completely hidden. Less than 1 percent of enterprises today have the ability to find an active attacker on their network. Some have tools that may pick out signs of an attacker, but they are notoriously inefficient and inaccurate. They warn about the never-ending presence of malware and potentially suspicious activity, but notifications are generally buried under hundreds or thousands of other alerts, many of which are false positives.
Similarly, searching for malware will help reduce what is not caught by perimeter security, but it rarely will uncover the steps of an active attacker.
Finding an attacker requires a fundamentally different approach to security. Instead of looking for the technical attributes of known malware and other exploits, IT managers can quickly and accurately detect active attacker by their operational activities -- the things they must do on an unfamiliar network to accomplish their objective. Attackers must explore the new network, for example, to expand their realm of control to eventually gain access to valuable assets.
These attack activities are difficult to detect without ongoing knowledge of what “good” network traffic looks like. This baseline comes from continuously profiling all users and devices and understanding their normal activities and habits. From this vantage, it’s possible to detect anomalous behavior and determine those most likely to be malicious. This monitoring is only practical with live, advanced machine learning in each network.
The constant headlines around data breaches may have caused some complacency or attenuation, but the issue is very real and quite serious. The recent Panama Papers incident shows the damage hackers can do even to organizations dedicated to keeping their data private. Fortunately, there is no need to pretend that this problem does not exist or that a solution is out of reach.
Although security businesses acknowledge that preventative security cannot be completely effective and that attackers can get into networks, they often put all their effort into coming up with a “silver bullet” that will finally provide total security. This dissonance between admitting to one thing and acting a completely different way is bizarre.
Agency security professionals must ensure security solutions don’t just repurpose prevention technologies but offer new analytics, detection and behavior monitoring capabilities.
Gonen Fink is the CEO of LightCyber.