Preventative security simply cannot prevent a network intruder from penetrating a network 100 percent of the time. The best pen testers even guarantee that they can get into a network within two days. I concede that prevention is still necessary; however, it is not sufficient to always stop an attacker. Companies must institute a plan B.
Organizations need to change their mindset to expect that a motivated attacker will get into their network. The trick is finding an active attacker early in the process to thwart or minimize any theft or damage. Legacy security tools and procedures are ill equipped to detect active attackers on a network. In fact, the average dwell times of five months and a long list of major breaches are proof of today’s failings.
To find an active attacker on your network, two fundamental challenges must be solved:
- First, you need to change what you look for and how.
- Second, you need to solve the noise problem.
You will be hard pressed to find an active network attacker through the typical process of catching technical artifacts—pre-defined signatures, hashes, software behaviors, URLs and other signs. Attackers must be detected by their operational activities. These are real threat actors that are conducting a step-by-step campaign to get to valuable assets on a network. Malware may or may not be involved in their work, and uncovering yet another piece will not underscore an in-progress attack.
Once an attacker gets inside a network—most likely through a compromised client or user account—they are in an unfamiliar setting. Their two most crucial directives are to explore/understand the network (reconnaissance) to find assets and a path to access them and then make those “lateral” movements to expand their realm of control and be positioned to get hold of the asset. These “east-west” internal movements are intended to be done in complete stealth. Security systems based on “known bad” technical artifacts simply won’t see these activities.
Similarly, endpoint detection systems are extremely limited in the ability to find east-west operational activity. These activities are inherently network operations. Sure, they are initiated by some user, but they are best seen on the network first and then associated with a specific user process.
Network detection has to look at full network activity rather than limited packet routing information. It boils down to “who is doing what to whom.”
Common reconnaissance operations include port scanning, using SMB to search for open network file shares or searching for various services running on other machines. These things can be best seen as something happening on the network. A further step is crucial, however, to differentiate a normal network activity from something that is both anomalous and malicious.
Lateral movement operations might include remote command execution using PsExe or PowerShell. Again, these things are best spotted on the network with the proper visibility. They also require sorting out from operations that are normal for user and device, so that which is both anomalous and malicious can be detected.
Separating that which is anomalous and malicious speaks to the second major issue in detecting an active network attacker quickly and accurately: noise. Today’s security systems alert on every sign and signal of known technical artifact or various behavioral components, such as each scanned entity in a port scan. As a result, systems produce an overwhelming number of alerts that are dominated by false positives. Security operators are besieged with hundreds or thousands of daily alerts, and most of them are worthless. Finding an alert indicative of an active attack involves nothing short of sheer luck.
A fundamental change to attack detection emphasizes live behavioral profiling. First, establish baseline profiles for all users and IP-connected devices on a network. Start with a deep network view and augment it with specific details from clients. The profiling process can greatly benefit from unsupervised, in-network machine learning. In developing an understanding of what is good or normal, not everything in this initial learning period can be tacitly accepted. Some behaviors will need to be confirmed as good.
Once ongoing profiles are established and validated, the network needs continuous monitoring to detect anomalies. Again, automated machine learning plays a crucial role. Don’t stop there, though. From these anomalies, it’s important to differentiate those things that are truly malicious. Ideally, the system can take a further step in understanding how events may be connected and steps of an actual attack. Through the precision of this process, a system need create only a small number of daily alerts that are easily managed by the security or IT team. At the same time, the alerts should have a high degree of accuracy and usefulness to make the team productive. The result will have a transformative effect on a team or individual’s ability to find an attacker early in the process.
About the Author -- David Thompson serves as the Senior Director of Product Management for LightCyber, responsible for assessing customer and market requirements, conducting sales and channel training and enablement, market education, and overall solution definition. He has been with LightCyber since late 2014.
Thompson has over 15 years of experience focused on information security. Prior to joining LightCyber, he served in Product Management leadership positions for OpenDNS, iPass, Websense, and Voltage Security (now HP). Prior to running product management at Voltage Security, he was a Program Director at Meta Group (now Gartner) responsible for security
