Turning the Tables on Cyber Attackers

Whoever said the best defence is a strong offence could have been thinking of protecting the enterprise from “advanced threats”. Given the stealth of today’s advanced attack malware, the scale of data compromise and speed of execution, it has been proven time and again that relying on a passive, defensive security strategy is no longer adequate.

Australian enterprise security professionals are well aware they are under constant attack. They probably have defensive, primarily signature-based systems already in place, from endpoint anti-virus to next-generation firewalls. Many are armed with endless amounts of log data, from firewalls, intrusion detection and protection systems, web-servers, application servers, and so on. However logs do not provide the complete picture and only connect events after the fact. The real security challenge lies in the rapid correlation and interpretation of seemingly unrelated network traffic events.

Even pre-set security alerts, intended to help security teams, can be distracting with false positives, or simply overwhelming with less important alarms. It can be difficult to rapidly identify any given alert as a component of an attack that matters, and prioritise accordingly. The lack of context and the lack of genuine “situational awareness” can make it extremely challenging to spot a real threat solely from the discrete point system data provided by logs and alerts; it is very hard to see the big picture. Constantly reacting to alerts, especially not knowing with confidence their significance or whether the mitigation measures in place are truly effective creates a sense of not being in control.

Today’s advanced attacks aren’t isolated events, nor are they static. They are multistage campaigns that probe a target’s defences, study security reactions and tailor their techniques to “fly under the radar”, or simply work around an organisation’s defences. Advanced attacks are designed to be “stealthy” and obfuscate their tracks. In many cases, alerts are just the tip of the iceberg, the significance of which is realised, if at all, long after the attackers have accomplished their goals.

Imagine A Better Way

Say an organisation knows they are under attack; they may even have some idea of attack vectors based on industry alerts or recent suspicious activity. They certainly have a good idea of their most valuable assets, or likely attack vectors, perhaps phishing related penetration of endpoints, or suspicious activity on active directory servers. What if they could actively hunt for malware and malicious behaviour within their network? What if it was possible to proactively check on these assets, actively seeking out infiltration within their network traffic?

Most organisations have a Security Information and Event Management (SIEM) system in place. However SIEMs are not designed for this type of probing analysis; they are designed to react to pre-defined alerts. If they are triggered at all by stealthy malware, alerts do not give them the full picture, the true threats represented by alerts can get lost in the noise, making it hard to prioritise. Besides with incomplete intelligence, CSOs are constantly reacting to events, playing a game of catch-up. A more proactive response is required for sure.

Security analytics is the proactive analysis of large network data sets in real or near real-time. It allows CSOs to pre-emptively seek out and neutralise potential threats by examining the full scope and depth of network communications as embodied in full packet captures. Armed with security intelligence, awareness of each unique environment and expected network behaviour, security analytics puts enterprise security professionals in a position to get out in front of security events and gain real control.

Powerful, rapid visualisations allow security professionals to proactively look for malicious behaviour and identify Indicators of Compromise (IoC) by quickly interacting with and intelligently sifting through network traffic data. It is possible to quickly and easily “zoom in and out” from years to seconds of specific network activity, on the same screen with a click of a mouse.

Since advanced attacks are designed as long-running campaigns, CSOs need the ability to quickly scrutinise past data to ‘connect the dots’ over time. With more current knowledge of stealthy components or attack indicators accumulated, it is possible to ferret out Zero Day malware in old traffic. This is critical for identifying current risk, where malware might have moved laterally, packages might have been dropped along the way and most importantly, how do they get out in front of the threat?

Strengthen Your Security Posture and Incident Response

Adding a proactive element to their security strategy can also help to strengthen Australian organisations’ security posture over time and make it more difficult for advanced attackers that tend to return again and again. They can implement far more down-to-earth risk assessment based on actual traffic data, as well as enhanced investigative and forensic capabilities, which can improve their Incident Response (IR) procedures.

Every time an actual attack is discovered while it is in progress, security teams learn what areas they are targeting, entry points used, techniques for lateral movement and how they are attempting to exfiltrate data they want.

Proactive security analytics is also a powerful risk assessment tool. As network traffic is better understood, including how it changes and evolves over time, CSOs will undoubtedly spot vulnerabilities. This ongoing, positive feedback loop will also help them to respond faster and protect themselves from future attacks.

Using a proactive security strategy allows CSOs to regain some measure of real control over their networks, because their actions are more effective and they feel more confident. So why have a purely reactive strategy based on incomplete and post facto alerts? If you are under attack, why stay only on the defensive?

About the author

Nick Race is Country Manager for Australia and New Zealand for Arbor Networks, a leading provider of DDoS and advanced threat protection solutions for enterprise and service provider networks.