Network-sniffing, automation, machine learning: How to get better threat intel
When two 'innocent' events on the network are anything but
IT teams can get away with poor service management, outdated software development methods and outdated apps running on legacy tin, but they might want to think twice before skimping on cybersecurity. If you don't stay on top of this stuff, while you might not be found out today or tomorrow, eventually, your customers’ personal details might just turn up on Pastebin.
Or... you could end up getting locked out of your own systems, as over 200,000 organisations can attest. In May 2017 the devastating WannaCrypt ransomware worm infected millions of computers in 150 countries - on the first day of the outbreak alone. The miscreants used a backdoor exploit of Windows SMB (a networking protocol that has been obsolete for 10 years or more), discovered by and stolen from the NSA, to prey on weak targets, which typically displayed a combination of unsupported Windows versions and bad patch management practices. Several organisations had to close or scale down services because their staff were locked out of their systems. Better security practices would have stopped WannaCrypt in its tracks.
Of course, hindsight is a wonderful thing but government figures suggest that UK companies must deal with cybersecurity as a matter of urgency. The UK Government’s Cyber Security Breaches Survey 2017 found that almost seven in 10 large businesses identified a breach or attack last year. Businesses holding electronic data about their customers were far more likely to be compromised than those that did not. Fifty-one per cent of the former suffered a breach, compared to 37 per cent of the latter.
That could be a problem for companies as the General Data Protection Regulation (GDPR) comes into force in May 2018. Organisations that fail to protect individuals’ sensitive data risk a fine of €20m or 4 per cent of their revenues, whichever is the greater.
How can businesses understand and deal with online threats before they become yet another cybersecurity headline? Enterprise security teams must go through several different states of maturity to get to the point where they can forecast a range of sophisticated attacks and head them off before they become an issue.
The simplest cybersecurity operations still focus on the perimeter, watching who tries to gain entry and blocking unauthorized parties. This approach just won’t cut it in a modern threat environment, though, where enterprise networks aren’t ringfenced that way, and users exist both inside and outside the firewall.
Instead, more mature companies are thinking not only about who navigates network boundaries, but what they do when they are inside. Analysing network behaviour enables security professionals to spot potential threat vectors, even from authorized accounts.
This approach moves security teams along the right track, but to be truly capable when protecting an organization against modern threat actors, they must go a whole lot further.
For a start, cybersecurity teams must be more like detectives than beat cops. Rather than simply spotting potential threats and stamping them out, whack-a-mole style, they must work out where the next ones are coming from.
That calls for analysing incident data from system logs and piecing together actionable intelligence about attackers. In 2017, it isn’t enough to spot potential enemies and block them; you must understand them, too. Modelling attacker behaviour helps to predict emerging threats and get better at preventing them.
Companies trying to do this on their own face a problem. The cyber threat landscape is evolving incredibly quickly. The AV–TEST Institute (an independent anti-malware testing organization) registers 390,000 new malicious programs each day. They use unique approaches to hiding themselves. They exploit systems and install payloads onto enterprise networks in varied ways. They communicate with their owners differently.
Some hide in memory and don’t even install themselves on hard drives. Some use DNS requests to tunnel stolen data out of an enterprise. Some use Twitter as a means of command-and-control, while others move laterally through the organization using innocuous tools such as PowerShell. Attack techniques are becoming more devious – and more diverse – by the day.
As threats proliferate, managing threat intelligence programs internally becomes increasingly difficult. Even sophisticated security teams are finding it necessary to augment their own skills by calling on external resources such as threat intelligence vendors.
This can help companies head off threats before they become a problem, but limited resources still hamper security teams. They still have to make sense of it all, and there are only so many alerts that you can look at in a day.
This was one of the problems that enabled attackers to hit Target in 2013, in spite of extensive threat monitoring capabilities. Internal security staff had all of the shiny toys, but they simply couldn’t keep up with all of the blinking lights. They had to triage some alerts, and unfortunately, one of those that really mattered slipped through the net.
Cybersecurity teams today face two connected challenges that will push them towards bringing in a mixture of external expertise and automation technologies.
The first lies in improving the signal-to-noise ratio and extracting actionable intelligence from an ocean of incident data. This is harder than it sounds. In some cases, events in the network that seem innocent enough on their own can pose a clear and present danger when taken together.
Combining the information in your system logs and security information and event management (SIEM) systems with a comprehensive threat intelligence service is the way forward here. Threat intelligence sharing networks can help, but individual vendors that specialize in this stuff will also have their own. They will be adept at packaging threat intelligence as a value-added service for the enterprise, mapping threats to companies, based on the characteristics of each, and helping security teams prioritize countermeasures.
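The correlation described in the two paragraphs above, sketched as an added example that is not part of the original article: two weak signals on one host (a PowerShell remote session and a DNS query with an unusually long label) raise an alert only when they occur together, and a threat intelligence match sets the priority. The event fields, hostnames, domains, thresholds and the intel list are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real log data); field names are assumptions.
EVENTS = [
    {"ts": "2017-06-01T09:00:00", "host": "ws-17", "kind": "powershell_remote",
     "detail": "ws-17 -> fs-02"},
    {"ts": "2017-06-01T09:04:00", "host": "ws-17", "kind": "dns_query",
     "detail": "a9f3k2l0q8z7x6c5v4b3n2m1p0o9i8u7.cdn-sync.example"},
    {"ts": "2017-06-01T09:05:00", "host": "ws-22", "kind": "dns_query",
     "detail": "www.example.org"},
    {"ts": "2017-06-01T11:30:00", "host": "ws-31", "kind": "powershell_remote",
     "detail": "ws-31 -> fs-02"},
    {"ts": "2017-06-01T14:00:00", "host": "ws-40", "kind": "dns_query",
     "detail": "q1w2e3r4t5y6u7i8o9p0a1s2d3f4g5h6.updates.example"},
]
INTEL_DOMAINS = {"cdn-sync.example"}  # constructed stand-in for an external feed
WINDOW = timedelta(minutes=10)        # assumed correlation window
LONG_LABEL = 30                       # assumed length hinting at DNS tunnelling

def registered_domain(name):
    # Naive last-two-labels split; production code should use the public suffix list.
    return ".".join(name.split(".")[-2:])

def weak_signal(event):
    """Return the low-confidence signal an event carries, or None."""
    if event["kind"] == "powershell_remote":
        return "ps_remote"
    if event["kind"] == "dns_query" and len(event["detail"].split(".")[0]) >= LONG_LABEL:
        return "long_dns_label"
    return None

def correlate(events, intel=INTEL_DOMAINS, window=WINDOW):
    """Alert only when one host shows both weak signals inside the window."""
    by_host = defaultdict(list)
    for e in events:
        sig = weak_signal(e)
        if sig:
            by_host[e["host"]].append((datetime.fromisoformat(e["ts"]), sig, e))
    alerts = []
    for host, items in by_host.items():
        for t1, s1, _ in items:
            for t2, s2, e2 in items:
                if s1 == "ps_remote" and s2 == "long_dns_label" and abs(t2 - t1) <= window:
                    dom = registered_domain(e2["detail"])
                    prio = "high" if dom in intel else "medium"  # intel sets priority
                    alerts.append({"host": host, "domain": dom, "priority": prio})
    return alerts
```

Hosts ws-31 and ws-40 each show one of the two signals and stay quiet, which is the triage saving the article is pointing at.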
The second challenge lies in acting on that intelligence. The velocity and volume of security incidents are growing, and attacks can wreak havoc before security staff can take defensive action. Automating incident response is a nascent but growing concept, and lies at the far end of the cybersecurity spectrum. Vendors are typically turning to machine learning as a tool to help spot security incidents and fix them without necessarily getting the go-ahead from staff. It’ll make the CISO feel better when the SOC doesn’t have to wake her up at 2 in the morning, but it’ll probably take a bit of trust building, too.
This kind of automation isn’t a drop-in solution, though. Getting to that point requires a level of sophistication that many companies haven’t yet achieved. Even getting appropriate cross-organization visibility of log data will be a challenge for many firms. It’s going to be a series of baby steps for many.
The journey to maturity for a cybersecurity team is daunting and complex, and getting into those rarefied layers, where you’re extracting intelligence and automating responses, will probably require external help.
The very nature of threat intelligence demands visibility far beyond your own network, and collaboration of some kind is inevitable if you want to do it properly.