Attack detection is a historically ineffective field. We’re all used to a signature-based anti-virus alert. We’re also used to ignoring an un-tuned IDS. These existing signature-based tools are great for detecting known attacks: so, when configured correctly, they should definitely form part of your arsenal.

However, countless demonstrations exist showing how easy it is to bypass systems that work in this way. By slightly modifying your attack, it no longer matches the signature and no alert is raised – so clearly something else is needed.

Newer, more effective approaches include heuristic and anomaly-based detection, which look for what is “normal” and alert on deviations. Assuming we define “normal” effectively, this is a brilliant next step to take. We are no longer relying on an attacker sending the exact payload we are expecting; now we are watching for them doing something we are not expecting. But it’s not that easy to do this and, more importantly, the discussion of attack detection tends to focus around tools and appliances. Frequently, when faced with difficult problems, organizations purchase a new tool or system to solve the problem. There are many reasons why businesses go down this route: appliances are capital expenditure, but they don’t need an HR department, and if they don’t work, you can quietly put them in the bin without anyone noticing.
In addition to this, tools need to keep their false positive rate low to be useful, so may disregard real threats in favour of minimizing their FP rate – whereas experienced humans can quickly assess whether suspicious activity is worthy of raising an alert and further investigation.
Although tools can make life difficult for an attacker and can provide preventive value, as of 2016, the most advanced detection and prevention tools in the world are by themselves no match for an intelligent human with the right capabilities and resources at their fingertips.
Therefore the only effective way to detect and respond to attacks is by having the right people, with the right mindset.
But again, we should assume our protections aren’t bullet-proof. What if, somehow, an attacker obtains ‘legitimate’ access? If mail or remote access credentials are obtained, no amount of AV or IDS will detect attacker activity; they are now using the system for what it was designed to do. There is no anomaly in the network traffic or malware on the system.
In an advanced attack, the primary goal for the attacker is often to obtain such legitimate access in order to stay under the radar. When we are faced with detecting this attacker, we must examine logs to monitor for suspicious activity. Much like heuristic detection, we are looking for deviations from the norm. If one of our UK users logs in to the VPN at 3am from another country, it’s not a confirmed attack but it is worthy of further investigation.
This approach to detection can be enhanced when multiple log sources are combined. What if the same user has logged into the VPN from the UK during business hours? That event alone is expected behavior and not worthy of alert. If, however, we are also examining our port authentication logs and can see the same user’s laptop is physically plugged in to the network connection on their desk, the VPN access is now potentially a suspicious event.
Or it may not be! It depends on how your business operates. However, by exploring and simulating attack scenarios, we can verify and extend our existing visibility and practise our response such that if an attack should happen, we can have increased confidence it will be caught and dealt with.
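As an added illustration of the log correlation described above (example code written for this page, not part of the original post or any product), the check below reviews constructed VPN gateway and wired port-authentication log lines and flags a VPN login that comes from outside the user's home country, falls outside business hours, or happens while that user's wired port session is still authenticated. The log format, the HOME_COUNTRY table, the business-hours window and the 8-hour lookback are all assumptions.

```python
from datetime import datetime

# Constructed sample log lines (not real data): one VPN gateway, two access switches.
VPN_LOG = [
    "2016-03-01T03:02:11Z vpn-gw user=alice src_country=RO action=login",
    "2016-03-01T10:15:00Z vpn-gw user=bob src_country=GB action=login",
    "2016-03-01T14:30:00Z vpn-gw user=carol src_country=GB action=login",
]
PORT_AUTH_LOG = [
    "2016-03-01T09:58:20Z switch-3 user=bob port=Gi1/0/12 action=authenticated",
    "2016-03-01T08:45:00Z switch-1 user=carol port=Gi1/0/3 action=authenticated",
    "2016-03-01T13:00:00Z switch-1 user=carol port=Gi1/0/3 action=logoff",
]
HOME_COUNTRY = {"alice": "GB", "bob": "GB", "carol": "GB"}  # assumption: all UK staff
BUSINESS_HOURS = range(8, 19)  # assumption: 08:00-18:59, timestamps already in local time

def parse(line):
    """Turn 'timestamp host k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, host, *kv = line.split()
    rec = dict(pair.split("=", 1) for pair in kv)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    rec["host"] = host
    return rec

def on_site(user, at, port_events, window_hours=8):
    """True if the user's latest port-auth event before `at` (within the window) is an
    'authenticated' session rather than a 'logoff', i.e. their laptop is still on the desk."""
    last = None
    for e in port_events:
        age = (at - e["ts"]).total_seconds()
        if e["user"] == user and 0 <= age <= window_hours * 3600:
            if last is None or e["ts"] > last["ts"]:
                last = e
    return last is not None and last["action"] == "authenticated"

def review_vpn_logins(vpn_lines, port_lines):
    """Return [(user, [reasons...])] for VPN logins that deserve a closer look."""
    port_events = [parse(l) for l in port_lines]
    findings = []
    for rec in map(parse, vpn_lines):
        if rec["action"] != "login":
            continue
        reasons = []
        if rec["src_country"] != HOME_COUNTRY.get(rec["user"]):
            reasons.append("foreign_source")
        if rec["ts"].hour not in BUSINESS_HOURS:
            reasons.append("out_of_hours")
        if on_site(rec["user"], rec["ts"], port_events):
            reasons.append("user_on_site")
        if reasons:
            findings.append((rec["user"], reasons))
    return findings
```

Note that carol's daytime login from the UK raises nothing because her port session had already logged off, while bob's otherwise ordinary login is flagged only because the port log says he is still plugged in.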