A Reversed Approach to Tackling Insider Threats

Written by

The standard principle across the information security industry has been that defenders need to protect everything all the time, while attackers need to capitalise on just one mistake to breach the network.

This works on the presumption that attackers are sitting outside of the network, baton down the hatches to get in. But what if they have already infiltrated the organization and disguised as one of the employees? One click of a button will transmit a deadly virus or malware across the entire network and ground the operation to a halt. 

For the last half-decade there’s been a grudging but growing acceptance that, despite allocating more than two-thirds of cybersecurity spend to defence, the bad guys will get in and are likely already operating inside the network.

More recently, in direct response to this perpetual breach acceptance, organizations are in the process of adjusting their security spend to better respond to this new paradigm of security thought.

Roles reversal

Investments are being allocated to the real-time detection of threats operating in enterprise networks and arming investigative teams with the tools and data repositories they need to hunt for evidence and qualify damage.

What many organizations have failed to grasp is that by looking inwards – including continual monitoring of their internal networks and accumulated logs – they have fundamentally changed (and reversed) the age-old security mantra.

While the odds used to be perpetually stacked in the attacker’s favour, this is no longer the case. Armed with overlapping visibility of internal network communications and, ideally, statistical knowledge of intra-device and intra-service relationships, the odds are now stacked in the defender’s favour – no longer the attacker’s.  The attacker must be vigilant all the time. The defender only needs to be right once!

(Re)building the security strategy

The key to capitalising on this paradigm change is of course to be able to observe threats operating in enterprise networks in real-time or as near to real-time detection.

Luckily, the latest generation of threat detection systems are capable of passively inspecting network traffic at full throttle using advanced machine learning and trained classifier models that accurately detect and categorise threats at streaming speeds.

In a previous decade, the aspirations of continual monitoring of streaming network traffic were severely restricted by a mix of network processing unit (NPU) performance issues, signature management limitations, and an overload of alerts – both false-positive and true-positive.

Major advances in NPU design, machine learning and artificial intelligence (AI) have overcome those hurdles, allowing traffic inspection to leap from limited network flow abstractions like NetFlow to full-stream packet inspection in real-time.

The latest generation of network monitoring technology is also easier to deploy since it can accomplish its task in real-time by observing traffic at a network tap or spanning port location. Previous generation approaches had required abstracted network data to be cached or stored for a period of time to allow for inspection and detection confirmation.

From an attacker’s perspective, network intrusion is relatively straightforward and statistically easy – exploiting holes in unpatched services, malicious malware attachments, and social engineering victims.

But once a beachhead is established within the targeted organization, different skills, tools, and methodologies must be employed. Each step the attacker makes generates some kind of noise on the network or footprint on the host.

No longer a silent assassin

Since most organizations have spent little to nothing monitoring their internal networks or real-time monitoring of host event logs and security events, attackers have had a free ride. They’ve been able to generate noise and be heavy-footed as they clamored around the victim’s network, knowing that nobody was watching.

Nowadays, the slightest misstep – such as probing and attaching to a single port on a server that the compromised device has never touched before – is enough to trigger a heightened awareness of possible network intrusion.

New machine learning-based threat detection systems are then able to correlate lesser non-security anomalies with such an innocuous event within a small window of time, and arrive at high-certainty conclusions that an intruder is operating within the network.

For organizations to seize the day and successfully reverse the odds on an attacker, they need to look inward and instrument their networks for real-time threat visibility. Luckily, ease of deployment has come along in leaps and bounds in recent years. It’s much easier than people think.

What’s hot on Infosecurity Magazine?