The rise of viral threats and network detection and response
Article by Vectra AI director of security engineering for APJ, Chris Fisher.
This year the globe has had to fight threats on two fronts - the human health threat of COVID-19 and the technology threat of escalating cyber-attacks. As governments have learned through lockdowns and large-scale breaches, managing these threats requires a robust response and early detection.
And businesses have been under pressure, too. Earlier in the year, the Toll Group had a significant ransomware attack, known as ‘Mailto’ — one of the most significant in Australian corporate history. Since then, there have been attacks on both sides of the Tasman, across industries and entities like the NZ Stock Exchange.
When it comes to managing cyber-threats, the traditional focus has been on prevention, but today, good cyber-health requires a more balanced approach as more organisations experience increasingly complex and targeted attacks.
So, what are the options for businesses today?
According to Gartner, AI-assisted network detection and response (NDR) tools, delivered across on-prem, cloud, and IoT, are helping businesses better detect suspicious network traffic compared to more traditional perimeter security tools. This explains why NDR is such a fast-growing market as entities seek to diversify their security investments to include detection and response — not just prevention.
The reason for the growth is obvious — cyber-threats left unidentified can have substantial financial and reputation repercussions as seen over recent years. Perhaps not surprisingly, 2020 has driven increased cyber-criminal activity as more attackers have sought to exploit the unsettling pandemic with advanced cyber-attacks across industries.
During the first six months of 2020, many Fortune 500 businesses were the victim of significant data breaches that saw hackers sell account credentials, sensitive data, and confidential financial records.
And like the virus itself, attackers are moving and expanding their attack surface and getting more effective. Simply building higher walls to fend off cyber-threats no longer works, especially when it comes to slowing down astute attackers and speeding up detections.
The need for speed
Speed is characteristic of today’s attackers, from their approach to ‘getting in’ to how quickly they attack and move through an environment. Despite having telemetry available, most businesses lack the resources to outrun attackers across every environment, or to know what information to drill into at the speed now required.
Front-line security analysts are doing their best to collect risk information and respond to threats. Still, attackers are clever: they don’t want to stay in the same environment for too long, so they pivot as quickly as possible to avoid the risk of being detected.
Time is ticking
Looking back three or four years, attacker dwell-time was around 90 to 100 days. Attackers would spend several hours identifying an environment they’d landed on. They could even take some days or weeks to do their reconnaissance on a network. But that timeframe has completely shrunk.
It’s now down to within an hour from initial landing to having, for example, domain admin credentials compromised. And they’re pivoting away much quicker because they don’t want to get caught.
The profile of attackers has also broadened, but it continues to depend on their motivation. They range from nation-state attackers that are prepared to stay in an environment until their objective is complete, through to financially motivated criminal groups that demand payment, or steal data and then threaten extortion.
The faster an organisation can move, the sooner it can slow an attacker down; the longer an intrusion runs, the more expensive it becomes for the organisation to respond and recover.
Looking at traditional legacy security, signatures or IP addresses are cheap for today’s attacker to change. It’s very easy to change a domain or the hash of a file.
What’s much harder to change is their techniques and behaviours, which are incredibly expensive for them to alter. And that’s where machine learning gives organisations an edge: it provides the broadest coverage, which makes it very difficult for an attacker to evade.
Combating the noise
Attackers are also leveraging new technology such as AI to profile people and streamline their attack process. But traditional threats continue to evolve too: phone-based social engineering still attempts to get individuals to hand over passwords, for example, and phishing keeps developing.
Attackers are also pivoting into areas like business email compromise, with Office 365 presenting a large attack surface.
But the biggest challenge for many businesses is the sheer volume of noise that comes into their security operations centres, and determining what is a genuine attack and what is just general network noise.
Using a combination of both supervised and unsupervised machine learning can help security experts focus in on particular attacker behaviours.
This means experts can prioritise the most critical hosts inside the organisation, so analysts can focus on slowing the attacker down and buying more time to work through their incident process, while reducing attacker dwell-time and getting the attacker out of the network.
The year ahead
As we head towards 2021 and move towards cloud services, bridge time, or how quickly an entity can identify attacks and respond to a breach, remains critical.
It’s not necessarily about identifying every single detection but prioritising hosts or accounts that are causing problems. Once identified, organisations need to be able to respond incredibly quickly and effectively.
With this in mind, organisations should maintain the good endpoint hygiene we have seen recently and focus on the modern network as a data source for detection and response. This is where businesses will get the best benefit and be best able to drive down the noise coming into security operation centres.
Stitching things together
Identifying not just how the attacker got into the environment, but what they did across the network, is growing in importance. Understanding the root cause and how to fix the problem often takes time.
But with AI helping to target and prioritise, responding based on privilege and risk is better and faster than before.
Looking ahead, it’s critical that businesses have a clear understanding of what their attack surface is and also look out for fundamental attacker behaviour. It has never been more vital for businesses to remain secure and sustainable in our rapidly evolving world.