[BreachExchange] How to detect a hacker before they steal your company's data

Audrey McNeil audrey at riskbasedsecurity.com
Mon Jan 9 18:58:11 EST 2017


http://betanews.com/2017/01/09/hacker-cyber-attack-detection/

With massive data breaches uncovered daily or weekly, it’s hard not to be a
bit numb to the urgency and magnitude of the issue. For most organizations,
the problem is far from solved. Apathy in place of outrage at this juncture
could diminish any help before it gets started. At the same time, misguided
efforts will result in continued failure.

A giant Python-esque foot has not yet come down to condemn the
ludicrousness of such a broad catastrophe but losses and damage have been
mounting. This year, cybercrime overtook physical crime in the UK, marking
a profound changing of the times. The National Crime Agency estimates the
annual loss to UK businesses of £1 billion in direct costs, although the
more realistic number is far greater, particularly considering the cost of
stolen intellectual property and business secrets and other loss and damage
not typically reported.

Traditional security is clearly not solving the problem. Dwell time -- the
amount of time required to detect an active attacker on a network -- still
holds steady at about five months. This means that for most organizations,
once an attacker gains network access they can go about their business of
carrying out theft or damage without fear of being discovered until well
after they have achieved their goals and made twits of us all.

Understanding the Problem

Why is it so difficult to detect a network attacker and defeat a data
breach? To answer that question it is essential to more precisely
understand the problem.

A network attack usually occurs once a cybercriminal or cyber-activist has
compromised a user’s computer or network credentials. All it takes to start
an active network attack is to gain access to a single computer or account.
From there, an attacker has just about everything within reach.

The initial compromise is difficult to prevent. There are thousands of ways
an attacker may get control of a user. Most commonly, social engineering or
well-researched, convincing phishing will get a user to yield control.
Undetectable malware that is customized for the attack or zero-day malware
not recognized by preventative security controls may also play a role. Even
malware placed on a reputable website and loaded onto a user’s computer
through a drive-by exploit or other means may play a part.

Compromising a user is relatively easy. It’s the most common way a white
hat penetration ("pen") tester might begin a simulated attack. The best pen
tests may even guarantee that they can gain network access within two days.
If pen testers operating with some scruples can take over a user’s computer
so easily, imagine what a cybercriminal without any scruples at all could
do.

This sort of user compromise has nothing to do with the primary
preventative security an organization has in place. Next generation
firewalls, web gateway devices, network sandboxing and intrusion prevention
can’t address this kind of cyber workaround. The firewall may be
best-in-class, well maintained, expertly configured and set up with robust,
conservative rules, but it will have little bearing on preventing
compromise of a user machine or account.

The true nature of an attack’s starting place is squarely at odds with the
primary focus of security today. For most organizations, nearly everything
goes into preventative security, but preventative security can only provide
so much protection. Today’s reality is that you have to expect that an
attacker will get into the network. The security burden, therefore, shifts
to the ability of detecting an active attacker inside the network.

Detecting the Reconnaissance

Once an attacker has a foothold, the longest, most involved stage of the
attack begins. Now the attacker has two primary tasks. The first involves
exploring and understanding the new, unfamiliar network. The second task is
to expand their sphere of control to gain access to assets. Both involve
multiple iterative steps and need to be carried out so that they are not
detected.

Detecting the reconnaissance and lateral movement portions of the active
attack stage is best seen through the use of behavioral analytics. If users
and devices have been carefully profiled, it is possible to see anomalies
of these attack activities against a backdrop of learned good behavior.

The activities involve typical IT and networking tools and commands. They
do not usually involve any kind of malware. If one has any kind of
post-intrusion detection, it’s important to be looking for operational
activities, and not for malware. Hunting malware will have little or no
value in uncovering an active attacker. Only finding certain administrative
activities will turn up the real attackers. The trouble is that these blend
in with legitimate activities and detection can be hampered with excessive
numbers of alerts with low accuracy.

Both of these hurdles need to be addressed in order to quickly find an
attacker. It is not enough to simply find anomalies. Only the anomalies
highly indicative of an attack are valuable. Anything else is more of a
liability; a distraction from the main objective. Ideally a detection
system will produce a small number of alerts that accurately identify an
attacker through the use of advanced detection functionality.

Putting these observations together helps form a strategy of how to detect
network attackers early before theft or damage can occur:

- Prevention alone is no longer enough. The reality is that a motivated
attacker will gain access to a network. The challenge is detecting the
attacker once they become active on the network. Few organizations have
this ability today.
- When an attacker becomes active, the most prodigious activities involve
reconnaissance and lateral movement using common IT and networking
administrative tools and procedures. Malware is rarely used.
- Finding an attacker requires not just identifying anomalous activity from
learned normal or good; the anomalies must also be highly indicative of an
attack.
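The behavioral-analytics idea above, as an added illustration that is not from the article: learn which hosts each user normally reaches, then alert only when a user fans out to several never-seen hosts inside a short window (the reconnaissance/lateral-movement pattern), while a single unfamiliar host stays quiet. The log records, user names and host names are constructed for the example; the threshold and window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon records (not from the article): "time user dst_host".
BASELINE_LOG = """\
2017-01-02T09:01 alice fileserver1
2017-01-02T09:05 alice mail1
2017-01-03T10:15 bob fileserver1
2017-01-03T11:00 bob build1
"""
TODAY_LOG = """\
2017-01-09T09:00 alice fileserver1
2017-01-09T09:03 alice hr-db
2017-01-09T09:20 bob build1
2017-01-09T09:21 bob dc1
2017-01-09T09:22 bob hr-db
2017-01-09T09:23 bob fileserver2
2017-01-09T09:24 bob backup1
"""

def parse(log):
    """Yield (time, user, host) tuples from the space-separated records."""
    for line in log.splitlines():
        ts, user, host = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M"), user, host

def learn_profile(events):
    """Learned good behaviour: the hosts each user normally reaches."""
    profile = defaultdict(set)
    for _, user, host in events:
        profile[user].add(host)
    return profile

def detect(events, profile, min_new_hosts=3, window=timedelta(minutes=15)):
    """Alert when a user reaches >= min_new_hosts hosts outside their profile
    within one window; one never-seen host is anomalous but not indicative."""
    alerts, recent, alerted = [], defaultdict(list), set()
    for t, user, host in events:
        if host in profile[user]:
            continue                                # learned-normal access
        recent[user] = [(t0, h) for t0, h in recent[user] if t - t0 <= window]
        recent[user].append((t, host))
        new_hosts = {h for _, h in recent[user]}
        if len(new_hosts) >= min_new_hosts and user not in alerted:
            alerted.add(user)                       # one alert per user
            alerts.append((user, sorted(new_hosts)))
    return alerts

def run_demo(min_new_hosts=3):
    profile = learn_profile(parse(BASELINE_LOG))
    return detect(parse(TODAY_LOG), profile, min_new_hosts)
```

Running `run_demo()` raises one alert for bob at the third unfamiliar host; lowering the threshold to 1 also flags alice's single new host, which is the low-accuracy noise the article warns about.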

It is easy to see how early, accurate detection of network attackers could
go off course. Tendencies that have been major tenets of security for the
past 20 years need to be seriously reconsidered. Clearly, gaining the upper
hand on an attacker calls for something completely different.