Considering the news impact of sophisticated security breaches in the last year, perhaps it’s no surprise that 74% of respondents in a recent survey indicated that targeted attacks are a primary concern for their organizations. But, only 24% of companies surveyed were confident of their ability to detect an attack within minutes of it starting, and just under half said it would take days, weeks or even months before they noticed.
That there is a disconnect between worry and preparedness is becoming a received wisdom, as study after study bears it out. The latest report, from Intel Security-owned McAfee, also examined the top eight most critical indicators of attack and examines best practices for proactive incident response. It found that enterprises are the most effective when they perform real-time, multi-variable analysis of subtle attack activity, in addition to factoring time and threat intelligence into risk scoring and incident response priorities.
For instance, McAfee found that 58% of organizations investigated 10 or more attacks last year. But out of the companies that said that they could detect targeted attacks within minutes (78% of those used a real-time security information and event management (SIEM) system to do so), roughly 58% experienced 10 or fewer targeted attacks in that time period. Takeaway: Preparedness flips the percentages around.
“You only gain the upper-hand versus attackers when you address the time-to-discovery challenge,” said Ryan Allphin, senior vice president and general manager of security management at Intel Security. “Simplify the frantic work of filtering an ocean of alerts and indicators with real-time intelligence and analysis, and you can quickly gain a deeper understanding of relevant events and take action to contain and deflect attacks faster.”
Hurdles remain, even for those with quick response capabilities. For instance, half of the companies surveyed indicated that they have adequate tools and technologies to deliver faster incident response, but often critical indicators are not isolated from the mass of alerts generated, placing a burden on IT teams to sift through threat data.
As far as the top eight most common attack activities that successful organizations track to detect and deflect targeted attacks, five reflected tracking events across elapsed time, showing the importance of contextual correlation.
As McAfee said:
Internal hosts communicating with known bad destinations or to a foreign country in which an organization does not conduct business.
Internal hosts communicating to external hosts using non-standard ports or protocol/port mismatches, such as sending command shells (SSH) rather than HTTP traffic over port 80, the default web port.
Publically accessible or demilitarized zone (DMZ) hosts communicating to internal hosts. This allows leapfrogging from the outside to the inside and back, permitting data exfiltration and remote access to assets. It neutralizes the value of the DMZ.
Off-hour malware detection. Alerts that occur outside standard business operating hours (at night or on weekends) could signal a compromised host.
Network scans by internal hosts communicating with multiple hosts in a short time frame, which could reveal an attacker moving laterally within the network. Perimeter network defenses, such as firewall and IPS, are seldom configured to monitor traffic on the internal network (but could be).
Multiple alarm events from a single host or duplicate events across multiple machines in the same subnet over a 24-hour period, such as repeated authentication failures.
After being cleaned, a system is re-infected with malware within five minutes—repeated reinfections signal the presence of a rootkit or persistent compromise.
A user account trying to login to multiple resources within a few minutes from/to different regions—a sign that the user’s credentials have been stolen or that a user is up to mischief.
In general, the ability to detect anomalies is critical. “We noticed a workstation making odd authentication requests to the domain controller at two o’clock in the morning,” said Lance Wright, senior manager of information security and compliance at Volusion, a commerce solutions provider contributing to the report. “That could be normal activity, but it could also be a sign of something malicious. After that incident we set up a rule to alert us if any workstation has more than five authentication requests during non-business hours to help us identify the attack early, before any data is compromised.”