According to a recent survey of security professionals by ISACA, one in five enterprises has experienced an APT attack, but only one-third of those who have been attacked could determine the source.
In addition, only 15 percent of enterprises believe they are very prepared for an APT attack, while two-thirds of respondents say it is only a matter of time before their enterprise is hit by an APT attack in the future.
A determined attacker will get in. Many networks are already compromised. Despite fortunes spent on perimeter and anti-malware defenses, attackers get into some of the best-defended, highest-budget, highest-profile networks, like Sony, Target, Epsilon, Experian and more.
Our defenses need to adapt. The first suggestion is to change one’s mindset. Chris Inglis, former deputy director of the NSA, has said “Start with the assumption that the bad guys are already in your network.”
Working from that assumption, the next major reality shift is to accept that existing accounts are compromised and are being misused. The 2013 Verizon Data Breach Investigations Report stated that 76% of network intrusions exploited weak or stolen credentials. As defenders, then, we must shift from focusing on the perimeter and trusting our employees to a “trust no one” approach.
Activity for every account should be reviewed for misuse and risky behavior. We must look for combinations of behaviors that are unusual, which means we must first know what normal behavior looks like. We must shift from the impulse to find a “silver bullet” that sees THE event to watching for combinations of multiple indicators of compromise.
In order to see activity as part of a pattern, we must correlate event data (firewall, IDS, anti-virus) with an account, so we see the bigger picture rather than isolated events from individual devices. The user who accesses the network from multiple locations, with dynamic IP addresses that vary from day to day and device to device as he moves between his smartphone, laptop, desktop, servers and various applications, is the common case. We must correlate activity from each device back to the single user identity, or we may find the original infection but miss the secondary activity and the data loss. There are far too many trees to look at each one; we have to see the pattern that is the forest. Unfortunately, most of the data security analysts work with today (firewall, IDS, anti-virus…) is IP-based, with no identity information. Because those addresses are dynamic, the mapping has to be valid for the time of each event, not a one-time lookup. SIEMs and newer data analytics tools like Securonix can automate this IP-to-user mapping.
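As an added illustration (not the author's or Securonix's code), the following Python sketch shows the time-aware IP-to-user mapping the paragraph calls for: DHCP/VPN lease events give each address a holder for a window of time, and each firewall event is attributed to whoever held its source address at that moment. The lease and firewall records are constructed sample data. The point of the example is that the same address (10.1.1.50) belongs to alice in the morning and to bob in the afternoon, so a static IP-to-user lookup would misattribute bob's afternoon traffic, and an event falling in the gap between leases stays unattributed rather than being guessed.

```python
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime

# Constructed sample data (not from the article): DHCP/VPN lease events.
# Fields: timestamp, IP address, user, "assign" or "release".
LEASES = [
    ("2024-03-01T08:00:00", "10.1.1.50", "alice", "assign"),
    ("2024-03-01T12:00:00", "10.1.1.50", "alice", "release"),
    ("2024-03-01T13:00:00", "10.1.1.50", "bob", "assign"),     # same IP, new holder
    ("2024-03-01T09:00:00", "10.1.2.77", "alice", "assign"),   # alice's phone on VPN
]

# Constructed firewall events: timestamp, source IP, destination IP, action.
FIREWALL_EVENTS = [
    ("2024-03-01T08:30:00", "10.1.1.50", "203.0.113.9", "allow"),
    ("2024-03-01T09:15:00", "10.1.2.77", "198.51.100.4", "allow"),
    ("2024-03-01T14:00:00", "10.1.1.50", "203.0.113.9", "allow"),
    ("2024-03-01T12:30:00", "10.1.1.50", "192.0.2.1", "allow"),   # no lease held at this time
]


def parse(ts):
    return datetime.fromisoformat(ts)


def build_lease_index(leases):
    """Per IP, a sorted list of (start, end, user) intervals.

    A new assign implicitly closes a still-open lease on that IP; a lease
    that is never released runs to datetime.max.
    """
    open_leases = {}
    intervals = defaultdict(list)
    for ts, ip, user, action in sorted(leases, key=lambda r: r[0]):
        t = parse(ts)
        if action == "assign":
            if ip in open_leases:
                start, old_user = open_leases.pop(ip)
                intervals[ip].append((start, t, old_user))
            open_leases[ip] = (t, user)
        elif action == "release" and ip in open_leases:
            start, old_user = open_leases.pop(ip)
            intervals[ip].append((start, t, old_user))
    for ip, (start, user) in open_leases.items():
        intervals[ip].append((start, datetime.max, user))
    for ip in intervals:
        intervals[ip].sort()
    return intervals


def user_for(index, ip, ts):
    """Return the user holding `ip` at time `ts`, or None if nobody did."""
    t = parse(ts)
    ivs = index.get(ip, [])
    starts = [s for s, _, _ in ivs]
    i = bisect_right(starts, t) - 1
    if i >= 0 and ivs[i][0] <= t < ivs[i][1]:
        return ivs[i][2]
    return None


def attribute(events, leases):
    """Attach the user (or None) to every firewall event, preserving order."""
    index = build_lease_index(leases)
    return [(ts, user_for(index, src, ts), src, dst, action)
            for ts, src, dst, action in events]


def per_user(events, leases):
    """Group attributed events by identity so one person's activity across
    devices is visible together; unattributable events are kept, not dropped."""
    grouped = defaultdict(list)
    for ts, user, src, dst, action in attribute(events, leases):
        grouped[user or "UNATTRIBUTED"].append((ts, src, dst, action))
    return dict(grouped)


if __name__ == "__main__":
    for user, evs in per_user(FIREWALL_EVENTS, LEASES).items():
        print(user, evs)
```

Unattributed events are worth their own queue: a gap in the lease log is either a logging problem or a device that never obtained an address the normal way, and both deserve a look.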
The next recommendation is to profile normal behavior and watch for rare or unusual events. An account logging in from an IP address never used before and executing a transaction in an application it has never run before often indicates misuse or compromise of that account, provided the baseline of normal behavior is accurate and complete. That proviso matters: if the attacker was already inside when the baseline was learned (the assumption we started from), their activity becomes part of “normal,” so baselines need review and periodic rebuilding. Specialized analytic tools that can learn “normal” and detect “weird” are required, unless you have an army of security analysts with time on their hands.
Barring the ability to profile normal behavior and investigate unusual activity, a very specific and tactical option is to bring in third-party threat intelligence (HP RepSM, McAfee GTI, ThreatStream…) and compare the source and destination addresses of IP events against these known malware sites. We can then watch for “ET phoning home”: a protected IP address trying to connect to an evildoer’s address, or vice versa.
There are about twenty basic rules every network defense needs. They follow the principle “everything counts in large amounts”: do any two things wrong and you go to the top of the list (multiple indicators of compromise). Add a proactive approach to regular log analysis and security-device tuning, plus a few new techniques for finding rare and unusual events while correlating activity back to a user, and the odds of detection and prevention skyrocket.
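As an added example, not taken from the article or from any of the products it names, here is the combination of the last three recommendations in Python: a per-user baseline of source addresses and applications learned from a training window, first-seen checks against that baseline, a lookup against a threat-intelligence list, and a score that sends any event carrying two or more indicators to the top of the queue. The users, applications, events and the intelligence list are all constructed (the “bad” addresses are TEST-NET addresses, not real indicators), and the events are assumed to have already been attributed to a user.

```python
from collections import defaultdict

# Constructed training-window events (not from the article), already attributed
# to a user. Fields: timestamp, user, source IP, application, destination IP.
BASELINE_EVENTS = [
    ("2024-03-01T08:00", "alice", "10.1.1.50", "email", "10.9.9.9"),
    ("2024-03-01T09:00", "alice", "10.1.2.77", "crm", "10.9.9.10"),
    ("2024-03-02T08:00", "alice", "10.1.1.50", "email", "10.9.9.9"),
    ("2024-03-01T08:00", "bob", "10.1.1.60", "email", "10.9.9.9"),
]

# Constructed events from the window under review.
NEW_EVENTS = [
    ("2024-03-08T08:05", "alice", "10.1.1.50", "email", "10.9.9.9"),        # normal
    ("2024-03-08T02:10", "alice", "10.1.3.99", "hr_payroll", "10.9.9.20"),  # new IP and new app
    ("2024-03-08T10:00", "bob", "10.1.1.60", "email", "203.0.113.66"),      # known-bad destination
    ("2024-03-08T03:00", "bob", "10.1.4.5", "file_share", "203.0.113.66"),  # everything wrong
]

# Constructed stand-in for a third-party feed (TEST-NET addresses, not real indicators).
THREAT_INTEL = {"203.0.113.66", "198.51.100.23"}


def build_baseline(events):
    """Per user: the set of source IPs and applications seen in the training window."""
    seen_ips = defaultdict(set)
    seen_apps = defaultdict(set)
    for _, user, src, app, _ in events:
        seen_ips[user].add(src)
        seen_apps[user].add(app)
    return seen_ips, seen_apps


def indicators(event, baseline, intel):
    """List the indicators of compromise an event carries (empty list = unremarkable)."""
    seen_ips, seen_apps = baseline
    _, user, src, app, dst = event
    found = []
    if user not in seen_ips:
        # No history at all: we cannot say what normal is, which is itself worth a look.
        found.append("no_baseline_for_user")
    else:
        if src not in seen_ips[user]:
            found.append("new_source_ip")
        if app not in seen_apps[user]:
            found.append("new_application")
    if dst in intel or src in intel:
        found.append("threat_intel_match")   # "ET phoning home", in either direction
    return found


def score_events(events, baseline, intel, min_indicators=2):
    """Rank events by indicator count; events with >= min_indicators are escalated.

    Returns a list of (event, indicators, verdict), most indicators first,
    ties broken by timestamp. Events with no indicators are left out.
    """
    scored = []
    for ev in events:
        inds = indicators(ev, baseline, intel)
        if inds:
            scored.append((len(inds), ev, inds))
    scored.sort(key=lambda x: (-x[0], x[1][0]))
    return [(ev, inds, "ESCALATE" if n >= min_indicators else "REVIEW")
            for n, ev, inds in scored]


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_EVENTS)
    for ev, inds, verdict in score_events(NEW_EVENTS, baseline, THREAT_INTEL):
        print(verdict, ev[1], ev[0], inds)
```

The single threat-intel hit on bob's normal workstation is kept but ranked below the two events that break several rules at once, which is the “do any two things wrong” ordering in practice. The first-seen checks are only as good as the training window: an address or application the attacker already used during that window will never be flagged as new.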
Cybersecurity expert David Swift is a security industry veteran of more than 25 years and a chief architect at Securonix.