For businesses in today’s threat landscape, it’s no longer a matter of ‘if’ but ‘when’ they’re hit with an attack, as cybercriminals make use of the latest tools and tactics to try to overwhelm defences or find a weak spot to get onto a network.
All too often, businesses are realising they are the victims of a cyber attack once it’s too late. It’s only after an attack that a company finds out what made them vulnerable and what they must do to make sure it doesn’t happen again.
For many years now, the security industry has become somewhat reliant on ‘indicators of compromise’ (IoC) to act as clues that an organisation has been breached. Every year companies invest heavily in digital forensic tools to identify the perpetrators and which parts of the network were compromised in the aftermath of an attack.
But it’s the ‘aftermath’ that is the problem here – companies are retrospectively assessing the situation once the damage has already been done.
Attackers are becoming smarter and stealthier, therefore the only way to throw them off and shift the cyber security power balance back to organisations is to start proactively addressing the issues that make a company vulnerable to attack in the first place.
The hunted become the hunters
With attacks becoming more targeted and sophisticated, it’s time businesses become cyber hunters that stop attackers in their tracks.
It is clear we are now entering an era where it’s no longer enough to simply detect IoCs. Instead, cyber hunters need to arm themselves with intelligence focused on indicators of attack (IoA) – changes in normal system behaviour – to detect signs that someone could have slipped past the company’s security defences and compromised the network.
This is particularly necessary as a recent global Intel Security survey revealed that only 24% of companies feel confident in their ability to detect an attack within a few minutes. In addition, just under half of respondents admitted that it could take them days, weeks or even months to identify suspicious behaviour.
Collecting, assembling, interpreting and applying many fragments of information early in an attack chain is a sure way for organisations to disrupt advanced and targeted attacks. Having an organisational and situational context further enriches this information to create these IoAs.
Consequently, any suspicious events trigger early warnings, enabling IT departments and the systems themselves to contain and mitigate attack activities before the system is compromised and data is stolen.
Given the importance of identifying these critical IoAs, here are eight common attack activities that IT departments should be tracking in order to gain the upper hand in today’s threat landscape:
1. Destination unknown
Keeping a close eye on any internal hosts communicating with known bad destinations or reaching out to a foreign country outside the company’s business remit is vital. This can be a key sign of cyber malpractice.
2. Inside out
Internal hosts communicating with external hosts using non-standard ports or protocol/port mismatches are also common indicators of attack.
3. Leapfrogging
Publicly accessible or demilitarised zone (DMZ) hosts communicating with internal hosts cannot be ignored. This can allow leapfrogging from the outside of the network to the inside and back, permitting data exfiltration and remote access to assets.
4. After hours
Malware detection outside of office hours should also raise a red flag for IT departments. This could signal a compromised host.
5. Pinpointing the perpetrator
Network scans by internal hosts communicating with multiple hosts in a short time frame could reveal an attacker moving laterally within the network. Perimeter network defences, such as firewalls, are rarely configured to monitor traffic on the internal network, but could be used to effectively detect the early stages of such an attack.
6. Raise the repeated alarms
Multiple alarm events from a single host or duplicate events across multiple machines in the same subnet over a 24-hour period, such as repeated authentication failures, are a common warning sign of an attack.
7. Cleaning up
Repeated reinfections signal the presence of a rootkit or persistent compromise. If a system is cleaned and becomes re-infected within five minutes, this could signify an ongoing attack.
8. User error
A user account that tries to log in to multiple resources within a few minutes either from or to different regions could be a sign that the user’s credentials have been stolen or that a user is up to mischief within the network.
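The IoAs above are behavioural rules over ordinary telemetry, so they can be checked with simple correlation logic. The following is an added example, not code from the article or from Intel Security: three of the eight signals (5, 4 and 8) implemented over constructed flow, alert and login records; thresholds, office hours and the sample values are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data). Flows: (timestamp, src, dst, dport).
FLOWS = [(f"2024-01-08T10:00:{i:02d}", "10.0.0.5", f"10.0.1.{i}", 445) for i in range(12)] + [
    ("2024-01-08T10:05:00", "10.0.0.7", "10.0.1.1", 443),
    ("2024-01-08T10:06:00", "10.0.0.7", "10.0.1.2", 443),
]
# Anti-malware alerts: (timestamp, host, detection name).
ALERTS = [("2024-01-08T03:12:00", "ws-17", "Trojan.Generic"),
          ("2024-01-08T14:30:00", "ws-02", "PUA.Adware")]
# Successful logins: (timestamp, user, region).
LOGINS = [("2024-01-08T09:00:00", "alice", "eu-west"), ("2024-01-08T09:03:00", "alice", "ap-south"),
          ("2024-01-08T09:00:00", "bob", "eu-west"), ("2024-01-08T09:30:00", "bob", "us-east")]

def parse(ts):
    return datetime.fromisoformat(ts)

def scanning_hosts(flows, window=timedelta(seconds=60), threshold=10):
    """IoA 5: an internal host reaching many distinct hosts within a short window."""
    by_src = defaultdict(list)
    for ts, src, dst, _ in flows:
        by_src[src].append((parse(ts), dst))
    hits = set()
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):          # slide a window from each flow
            dsts = {d for t, d in events[i:] if t - t0 <= window}
            if len(dsts) >= threshold:
                hits.add(src)
                break
    return hits

def after_hours_malware(alerts, start=9, end=18):
    """IoA 4: malware detections outside the assumed 09:00-18:00 office hours."""
    return [(host, name) for ts, host, name in alerts if not start <= parse(ts).hour < end]

def impossible_travel(logins, window=timedelta(minutes=5)):
    """IoA 8: one account logging in from different regions within a few minutes."""
    by_user = defaultdict(list)
    for ts, user, region in logins:
        by_user[user].append((parse(ts), region))
    flagged = set()
    for user, events in by_user.items():
        events.sort()
        for (t1, r1), (t2, r2) in zip(events, events[1:]):   # compare consecutive logins
            if r1 != r2 and t2 - t1 <= window:
                flagged.add(user)
    return flagged

if __name__ == "__main__":
    print("scanning hosts:", scanning_hosts(FLOWS))
    print("after-hours detections:", after_hours_malware(ALERTS))
    print("possible credential theft:", impossible_travel(LOGINS))
```

In practice each rule would read from the SIEM or flow collector rather than inline lists, and the thresholds would be tuned against the organisation's own baseline to keep false positives down.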
Connecting the data dots
It all starts with data. Many products and sensors collect huge amounts of raw data but the majority delete the information once it has served its purpose. The architecture needs to ensure the relevant information is collected and shared, not just observed and discarded.
Next, the individual data points must be aggregated to construct an IoA. The type of simple, intermittent data archival carried out by first-generation security and information event management (SIEM) is not sophisticated enough.
Today, organisations need intelligence from security products across the whole network, enhanced with contextual information such as time and location, rather than silos of individual point products that do not communicate with one another.
Just as attacks have evolved over time, so too has the need for connected security solutions in organisations to combat the more advanced threat landscape. Whilst this may not have been a priority in the past, being connected has never been more important as enterprises push to discover and fight new cyber attacks.
Organisations need not live in fear of being the next victim of a data breach. By focusing on IoAs and noticing changes in the network, companies can stay one step ahead of the cybercriminals.
Shifting the organisation’s cyber defence position from reactive to proactive is the only way to put the power back in the hands of IT departments, giving them the advantage in the fight against cybercrime.
Sourced from Ash Patel, Intel Security