We used to be proactive and assume that the firewall and anti-virus were protecting us. This was a pretty reliable defense method against cyber-attacks because nearly all infections immediately made their presence known by wreaking havoc with either the local computer or the network. That isn’t so much the case anymore. We have entered the next phase of cyber threat detection, where we assume all networks are infected. Today, defenses need to include an incident response system.

We work with a few dozen banks and financial institutions, and most of them wisely assume that at any given time, something somewhere is infected. The malware could stay incognito for days, even months, before the handler out on the internet commands it to participate in an Internet attack or to perform reconnaissance work on the local network.

“For a bank, in the current situation it is safer to assume that all of its customers’ PCs are infected

How does malware that isn’t participating in Internet attacks behave? Two words, ‘low’ and ‘slow’, best describe advanced threats. These sneaky infections can move around the internal network behaving like existing applications. They learn what ports to use when communicating with certain servers, and they are programmed to search out and watch for key words or phrases such as confidential, pass, competitors, customers, financial, buyout, etc. When something catches their interest, they slowly and methodically start making copies of files and uploading them to internet sites, where their handlers can pore through the harvest and spend more time looking for sellable information. How can we uncover these thefts?

We have been depending on signature matching, like that performed by firewalls, for too long. This strategy is no longer the only way to uncover the exfiltration of sensitive data. A low and slow approach to exporting stolen information means that the cyber threat detection system must evolve once again. We have to start performing network behavior analysis, where communications are monitored over time and odd behaviors increase Threat Indexes (TI). When the TI reaches a threshold, a notification is triggered. This keeps any single event from triggering an alarm unless it is a special case.

Monitoring behaviors over time can mean taking days to uncover malware instead of a few seconds. In cyber attack incident response, sophisticated infections may trigger only minor events that, when combined over time, add up to a much bigger anomaly.
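The Threat Index accumulation described above, as an added sketch that is not Plixer's code or algorithm: points for odd behaviors seen in aggregated flow records are summed per host over a sliding window and alarm only at a threshold, while a special-case hit alarms at once. The behaviors, weights, threshold, 14-day window, blocklist entry and sample records are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque, namedtuple
from datetime import datetime, timedelta

Flow = namedtuple("Flow", "ts src dst bytes_out bytes_in")
# Assumed values for illustration; tune them against your own baseline.
WEIGHTS = {"new_dst": 5, "off_hours": 10, "upload_heavy": 15}
THRESHOLD = 100
WINDOW = timedelta(days=14)
BLOCKLIST = {"203.0.113.66"}  # "special case": a single hit alarms immediately

def behaviors(flow, known_dsts):
    """Name the odd behaviors seen in one aggregated flow record."""
    found = []
    if flow.dst not in known_dsts[flow.src]:
        found.append("new_dst")        # host has not talked to this peer before
    if flow.ts.hour < 5:
        found.append("off_hours")      # traffic between 00:00 and 04:59
    if flow.bytes_out > 1_000_000 and flow.bytes_out > 10 * flow.bytes_in:
        found.append("upload_heavy")   # far more data sent than received
    return found

def run(flows):
    """Return [(timestamp, host, reason)] for every alarm raised."""
    known = defaultdict(set)
    events = defaultdict(deque)        # host -> (ts, points) still in the window
    alarmed, alarms = set(), []
    for f in sorted(flows, key=lambda f: f.ts):
        if f.dst in BLOCKLIST:
            alarms.append((f.ts, f.src, "special case"))
            continue
        for b in behaviors(f, known):
            events[f.src].append((f.ts, WEIGHTS[b]))
        known[f.src].add(f.dst)
        while events[f.src] and f.ts - events[f.src][0][0] > WINDOW:
            events[f.src].popleft()    # points older than the window expire
        ti = sum(points for _, points in events[f.src])
        if ti >= THRESHOLD and f.src not in alarmed:
            alarmed.add(f.src)
            alarms.append((f.ts, f.src, f"TI={ti}"))
    return alarms

def sample_flows():
    """Constructed flow records (documentation addresses), not real traffic."""
    nightly = [Flow(datetime(2024, 1, 1 + d, 2), "10.0.0.5", "198.51.100.7", 2_000_000, 40_000)
               for d in range(6)]
    one_off = Flow(datetime(2024, 1, 2, 14), "10.0.0.9", "198.51.100.20", 5_000_000, 10_000)
    blocked = Flow(datetime(2024, 1, 3, 9), "10.0.0.12", "203.0.113.66", 500, 500)
    return nightly + [one_off, blocked]
```

In the sample, the nightly 2 MB upload from 10.0.0.5 scores only 25 to 30 points per night and crosses the threshold on the fourth night, while the single large daytime upload from 10.0.0.9 never alarms.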

Given the massive amount of data that can be produced over a 1-2 week period, packet capture methods had to be avoided. Network Behavior Analysis systems depend on the collection and aggregation of flow data such as NetFlow and IPFIX to build a complete picture of how all systems are behaving over time. What’s more, the data can more easily be warehoused for weeks or even months, which allows flow collectors to act as an incident response system for all threat detection systems that report on strange behaviors that warrant investigation. Are you ready to embrace the next phase of cyber attack incident response? If so, learn how to shorten your recovery time by contacting our team.


Dale

Dale Locke is the Regional Manager for the southeast US at Plixer. He works with prospects to solve the unique needs of their network and visits existing customers to assist with training. He enjoys developing new partnerships and building long lasting relationships with his clients. Dale's favorite hobbies include fishing, hiking, soccer, and football.
