Stepping into the Breach

There’s an old network security adage that goes, “Your network is being tested every day.  Hopefully, the one testing it is you.”  

Mostly, these “tests” are basic scans, unskilled attackers looking for easy, unprotected victims.  While this may sound intimidating, these so-called attacks are not very sophisticated, and your network security should be strong enough to deal with them.  

However, these scans do pose an unexpected threat to your network, and it’s due to the security software you’re probably running.  If you have an SIEM running on your network, it is dutifully collecting log data for threat analysis.  When it detects a simple scan like this, it will store that information in a log, and send an alert to your network security guy that your network could be at risk.  This is dangerous.

How could this possibly be dangerous, you ask?  Isn’t the security guy’s job to know when your network is at risk?  Sort of.  What many people don’t understand, though, is that any network connected to the internet is always at risk.  A security expert doesn’t need a program to tell him that an attacker could have an eye on his network.

The real trouble, though, is that the sheer volume of alerts can be overwhelming, especially if you have a small security team (or no official team at all!).  Large organizations with complicated networks can receive as many as 200-300 of these “potential threat” alerts per month.  Checking on all these incidents is not only costly and time consuming, it’s also horribly dull to sift through 300 incidents that ultimately require no response.  And because it’s dull, there’s risk of the incidents being skimmed, leaving the possibility of real threats getting lost in the unimportant alert noise.  In short, you don’t need to know every time your network is scanned; you only need to know when the network is breached. 

Correlating logs, generating alerts and developing dozens of reports is detrimental to your security health, as it obscures the real threats to your system: the attacks that are actually dangerous.

So, what are the real threats?  Smart attackers, or as they are sometimes called, advanced persistent threats (APTs).  These attackers are extremely skilled at breaching perimeter controls, and have the capability to maintain long-term attacks against their targets.  Even the most sophisticated software won’t stop a determined and talented APT, because APTs are essentially crooked security experts, and they know how to tread quietly to avoid setting off security alerts.  At the hands of APTs, most networks will eventually succumb.

You can be sure you won’t catch APTs by checking your logs, but don’t feel bad; only 1% of companies ever discover breaches through log-checking.  It’s amazing that log-centric approaches have lasted this long with that kind of failure rate.  Fortunately, there’s a better approach, one that actually offers protection against the dangerous attacks.

What you need to keep out APTs is an elite team of threat hunters, intrusion analysts and forensic specialists monitoring your network 24x7, scanning for breaches, shoring up defenses, and evicting adversaries.  You need smart people ready to step into the breach for your network, actively searching for threats and alerting you only when a situation is dire.  You need a supplement to your SIEM and other security controls, another piece to complement them so these defensive mechanisms can function at their peaks.  Your current controls are good for repelling the basic attacks, which frees the elite specialists to focus on the attacks that are unprecedented, innovative, and sophisticated.  However, these protective controls alone are just not good enough to detect and eliminate known and never-before-seen adversaries.

Our adversaries are humans just like you and me, and when these adversaries operate on your systems, they leave a trail that only a human can detect.  You will need a human to understand what actions they take in the OS (chokepoints), and to read the breadcrumbs they leave on and across systems (patterns and anomalies).

This involves the proactive, stealthy, and methodical pursuit and eviction of adversaries inside your network without relying on IOCs.  Or, as we like to say at LMNTRIX: to catch a human, you need a human.

 


On 2017-05-14
