Hacking the Mind of a Cyber Attacker

How Hackers Gain Access & How to Arm Your Organization for Effective Defense

We all know that the security industry’s approach to defense is fatally flawed. According to2014: A Year of Mega Breaches, a Ponemon Study published January 2015, 70 percent of breaches go undetected for months and 65 percent of serious breaches evade existing preventative security controls – despite monitoring and alerting systems.

Today’s cybercriminals are commonly slipping into networks undetected and escaping unnoticed. By arming analysts with critical network-traffic based intelligence – the ground truth – and providing security teams with direct authority to take action for alert triage and incident response, organizations can discover how these hackers are invading networks, covering their tracks, and, ultimately, how to stop them.

How Hackers Gain Access

Jim Cushman, President commercial and Products Division, Novetta

Attackers use many techniques to swim in and out of networks without being detected. Common entry methods include watering hole attacks exploiting client-side vulnerabilities, spear-phishingpassword cracking, and Wi-Fi hacking. Cutting-edge malware with anti-analysis capabilities even “know” when it’s in a sandbox, which defeats some of today’s more advanced perimeter defenses.

Once an attacker has gained initial network access, their traffic will be viewed as internal by most, if not all, automated detection systems, allowing them to easily map the target network’s topography with techniques such as ping sweeps or port scans. Many attackers are also equipped with exploit kits and malicious tools, either custom-made or purchased on underground forum markets, as well as legitimate scripts and tools, giving them access to find credentials or target vulnerabilities deeper within a network. They can then begin moving laterally within the network to access valuable information.

The Current State of Cyber Security Defense

In an alarming survey, current and former security analysts reported they spend approximately 70 percent of their days piecemealing data from multiple systems and/or simply determining their alerts are wrong. This leaves a mere 30 percent of their day to actually identifying and countering intrusions.  There are multiple reasons as to why this is the case, but at the most basic level, most cyber defense solutions simply were not designed with an overarching goal to enable an analyst with a timely, truthful, and comprehensive picture of their network — which is critical for rapid alert triage and incident response.

Instead, in a typical analysis, and depending on the possible severity of the situation, an analyst might turn to a dozen different systems attempting to piece together a full story. This is due in part to the fact that most current systems were each built to handle a specific function, such as looking for malware signatures. Additionally, analysts must spend time determining and interpreting the validity of alerts from one system by aggregating and correlating data from multiple systems.

This approach is tedious and time consuming, and it is debilitating in a real-time attack environment. Additional levels of organizational hierarchy, which often impair security teams within a larger organization from quickly acting on intelligence, further inhibits security analysts from responding to threats. Attackers rely on this exact indecision to remain in the network undetected.

Arming the Organization & Analyst

Currently, organizations are facing the universal problems of insufficient network visibility as well as the inability for security analysts to act on threats. Organizations must rethink enterprise security at large by removing the layers of abstraction and empowering analysts to rapidly discover the truth of a situation or circumstance. To this aim, network traffic capture has no layers of abstraction and includes all activity.

This approach allows for visibility across an entire network: analysts can see all devices connected to the network and communicating over a variety of Internet services. Network traffic capture provides an analyst with important data, including the source and destination IP addresses of traffic, the source and destination ports, the number of packets, total bytes, timestamps, and other information that in aggregate can help identify unusual activity. This basic level of visibility can then be enriched with other data sources like malware feeds, passive DNS, netblock owners, and third-party data feeds to provide an exceptional level of context surrounding infrastructure and its use. Rather than relying on automated alert systems that can be bypassed by skilled attackers, advanced tools, or previously unknown techniques, these types of tools and services help analysts monitor the data for anomalies, analyze logs, and investigate unexpected traffic to and from sensitive systems.

This monitoring system allows an analyst to quickly and effectively investigate further the scope and severity of the activity. Empowering analysts with sophisticated, rapid ad hoc queries of network data – not automated DPI or behavioral alerts – with immediate access to the original traffic would go a long way toward solving our collective cyber security problem. Additionally, when paired with a clear, direct security framework, security organizations within an enterprise are able to not only detect and report but also to act quickly and effectively to mitigate threats.

Jim Cushman, President commercial and Products Division, Novetta

editor@infotechlead.com