Detecting a cyber incident takes companies approximately 191 days.* How is it possible for attackers to stay hidden for such a long time? What goes on inside the mind of a cyber criminal? How can modern incident detection technologies take the behavior aspect into account?
F-Secure’s ethical hacker, Tom Van de Wiele, helps answer these question with his unique perspective on how the attackers work. Tom is a professional in red teaming. A red team test’s goal is to simulate the most advanced attacks and to provide guidance and recommendations to the defenders. Tom says:
The attacker only has to find one thing as a way in, while the defender has to defend everything. But the attacker must get everything right while the defender only has to detect one part of the attack.
Let’s find out, what might happen after the initial intrusion.
Quick wins versus long-term, persistent foothold in the company network
Phishing attacks by e-mail or phone and Wi-Fi phishing are common examples of attack vectors. The attacker’s goal is to steal the credentials of his target employees, access the same services they are using and establish an initial foothold in the company network. Tom explains:
Once a certain level of access has been obtained, several aspects need to be balanced: persistence, stealth, and freedom of movement versus losing access, being detected and being contained. The attacker might choose to get to the target as fast as possible or obtain as persistent access as possible to stay within the network for intelligence gathering for later attacks. The continuous trade-off for an attacker is how, and how fast, do I want to move versus what are my chances of getting detected, contained or stopped
Lateral movement to compromise more systems
Next, the attacker seeks to access more systems by abusing the access obtained to certain services: e-mail systems, remote access solutions such as helpdesk related software, corporate VPN or virtualization services. If the attacker is looking for a persistent access, he might investigate internal networks and other systems for lateral movement. Tom Van de Wiele says:
The attacker could try to blend in and add an account to a system, looking just like any employee. Without proper audit mechanisms, it would be very hard to detect him. He might obtain passwords and private keys and re-use them against systems to maintain access either internally or for cloud-based services outside the company.
The attacker can lay low for months and collect information about the network traffic such as infrastructure, broadcast and multicast traffic. Impersonation, i.e. spoofing techniques, can be used to fool other systems into disclosing vital information and authentication tokens, i.e. password hashes. These can then be reused against other systems. If the attacker chooses to risk being detected, they might use port scanning to find other systems and services that might be available. Tom points out:
Using any kind of off-the-shelf technique or method is a prime way of getting detected.
The attackers’ goal at this stage is to escalate privileges to an administrator role to be able to access any system within the network. Once they gain administrator access, they can move freely within the network.
Get ahead of the attackers with behavior-based detection
Most companies fail to detect incidents fast enough. The longer it takes to notice the breach, the more severe the damage, the bigger the cost and the more complex the investigation will be.
The only way to get ahead of the attacker is behavior-based detection. Intruder’s activity may appear like an authorized user’s, which makes detecting it very challenging. Tom says:
Security detection mechanisms rely on finding anomalies in the network, system and application behavior, trying to find anything out of the ordinary. To ensure you do not get detected as an attacker, you want to “live off the land” as much as possible and re-use the infrastructure the organization is using. That means you do not want to introduce any technology or services that might seem foreign to the people responsible for defending the organization.
When it comes to seeking out anomalies and malicious behavior, you should look for patterns of unusual user behavior. For example, a single non-administrator user attempting to log into multiple servers at once, one machine attempting to log into a server under many different accounts, brute force methods such as thousands of login attempts in a suspiciously small time frame, activity that appears to happen at odd times, or an SSH connection originating from a non-technical user’s machine.
Sophisticated attackers know how to evade common incident detection methods. It takes a combination of well-configured analytics tools and the keen, trained eyes of human experts to catch them. Watch this video to see how a cyber security war room operates and what is the secret to detecting breaches within minutes:
In search of the unknown
The experts at F-Secure’s Rapid Detection Center specialize in detecting incidents early. One of the key promises is to inform the customer within 30 minutes from detection. Kamil Donarski from Rapid Detection Center says:
We are able to detect an attack at a very early stage. The hardest thing is to search for the unknown. Every day, new threats are coming. It’s constant development trying to figure out how we can detect such behavior and how we can protect our customers.
The human factor is extremely important because no matter how sophisticated machine learning we use, only humans can understand the customer organizations and their normal behavior. Only experienced analysts can make the judgment, when the activity is normal and when it is not.
Getting cyber security right comes down to speed
When it comes to cyber incident detection, speed is of the essence. Since you can’t stop every perimeter breach, your focus needs to be improving the speed with which you react to issues. If companies would catch breaches within minutes or hours (rather than months) the intruders wouldn’t have nearly enough time to acquire the data, they are after. Speed’s also about making sure you plug similar holes before an intruder tries again.
This may sound like a mission impossible, but there’s hope in winning the race against the bad guys. They are after a certain goal – we just need to catch them before they reach it.
F-Secure Cyber Security Crash Course explains in simple terms what kind of threats are out there and how they can be spotted and stopped. Linda Liukas, a programmer, children’s book author and TED speaker, explores the wonders of cyber security with the best talent in the industry. She even agrees to let F-Secure’s experts hack her. Watch the six short videos to learn what you can do to detect and respond to advanced cyber attacks. Include the Cyber Security Crash Course videos in your security training programme to foster awareness within your organization.
* 2017 Cost of Data Breach Study, Ponemon Institute LLC (sponsored by IBM Security)