For decades, cyber security has been built around the idea that once the attackers have breached your network or organisation, it’s game over. But what if it isn’t?
Mostly the products offered by the cyber security industry have been designed with this idea in mind: keep the attackers out.
As Jason Matlof, Executive Vice President at LightCyber, says, the attacker being inside the network isn’t game over, however.
“Over the lifecycle of the attack, when an analyst looks, the dwell time has been measured to be around 6 months,” he says.
This means that the cyber security industry has spent years simply focusing on the first few seconds or minutes of a much longer process.
“Once they get in they have to figure out how to get operational control. Where are the privileged accounts, the databases, the servers that they need to get to the ultimate objective?”
This ultimate objective could be patient or financial records, credit card databases or any other valuable information. The point is that the attacker, once inside the network, is still several steps away from achieving their goal.
Unsurprisingly, much discussion of cyber security fails to make this distinction. The focus is always on the breach, possibly because this is the most interesting phase from a technical perspective.
For LightCyber and some other vendors, though, the key is the next phase, where the attacker does all kinds of things. First is the initial intrusion, followed by sending information to a command-and-control server, reconnaissance, lateral movement across the network and finally exfiltration.
This means that the attacker serves up a feast of potential indicators to anyone watching.
It is this simple fact, combined with the inadequacy of firewalls, which has led to the birth of what is called behavioural attack detection.
The firewall is built around a constantly updated list of threats that it excludes from entering the network. It works backwards from the known exploit, whether files, URLs or packet signatures, to building protection against it into the gateways to the network.
But as Gerard Bauer, EMEA VP of Vectra Networks, the main threat is actually the ‘unknown unknowns’: the threats that have yet to be captured in the wild.
“We don’t know if they exist, we don’t have visibility into what they do, and there’s no way signatures can catch them,” he says.
It is this gap in the traditional firewall-style technologies that behavioural attack detection aims to fill; in fact, they all stress that it is filling a gap, not replacing it.
“We always say the prevention technologies are necessary but not robust enough to be sufficient,” says LightCyber’s Matlof.
So what is behavioural attack detection? The approach looks beyond the initial breach and tries to detect typical attacker behaviour within the network. It does this through what Matlof calls a ‘known good’ approach.
LightCyber deploys an appliance in the network and creates a behavioural profile of all the machines and user accounts to create a baseline of what’s expected on the network.
“We look at where people typically go on the inside of the network. For example, an employee from one department goes to these domains, marketing goes to these domains.”
The anomalies from the learned baseline are what indicate the attacker.
“We’re looking for a machine doing things that the computer doesn’t normally do which are indicative of attack phases going on.”
“This user doesn’t typically scan the network, why is his machine doing that? The machine normally uses the user’s own credential, why is it being used to brute force other passwords? The machine is talking to a domain on the internet, which no-one else from the organisation has accessed, suggesting a command and control site.”
“The damage is not done until there’s some form of exfiltration. That is on the order of weeks or months to do.
“By changing the model you’re giving the defender the days and the weeks to stop them before the damage is done.”
In general, as a general principle, known goods and whitelisting approaches are gathering momentum alongside traditional blacklisting.
Rob Sobers, Director at Varonis, says that “whitelists tend to be both easier to maintain and more effective at blocking dynamic attacks.”
He says that in application security specifically, it is “not terribly difficult to build a whitelist that specifies which applications are approved and safe to run.”
But known good techniques are not perfect either. Giovanni Vigna, CTO and co founder at Lastline, notes that “anomaly detection has been ridden by both false negatives (because malicious activity does not generate anomalies) and false positives (because benign activity generates anomalies).”
The key is that the known good and known bad approaches are perfectly compatible, and that some combination of the two deployed together will have the best change of success.