Detecting the Undetectable

How do you search for something that’s invisible? An increase in the sophistication of cyber-attacks means that it takes an average of 146 days before a corporate hack is discovered and stopped.

Modern breaches are a mix of chameleonic deception and clever automation, enabling malicious code to be concealed deep inside the corporate network. In the battle to fight cybercrime, detecting the undetectable is a challenge CISOs face every day.

IT could learn a thing or two from planetary physics. Planets are sometimes hard to detect because they are so much dimmer than the stars they orbit. The Sun, for example, is a billion times brighter than Jupiter. Instead of looking for the planet itself, physicists measure shifts in the velocity of the planet's parent star caused by the influence of its orbiting companion. In other words, they stop looking for the unseen object itself and look instead at the effect of its behavior on the things they can see.

As the sophistication of cyberattacks grows, it’s getting harder and harder to find hackers hidden inside the system. That’s why it makes sense to switch to a behavioral strategy. Most security products are good for detecting known threats, but can’t do much to spot malware that’s designed to be invisible to them. CISOs must start to search for the impact of the malicious code, not just the code itself.

The implications of a failure to spot a malicious intrusion are rooted in an organization’s bottom line, from a loss of customer confidence and potential theft of intellectual property, to fines for data security non-compliance. Dealing with the fall-out pushes up the cost of cybercrime to the business. In its annual Cost of a Data Breach Study 2016, the Ponemon Institute reported an increase in the average cost of a data breach from US$3.79 million to US$4 million.

That cost is set to spiral. Next year, when GDPR comes into full effect, it will significantly change the regulatory landscape. From 2018, disclosure of a data breach will become mandatory and fines may stretch to 4% of revenue.

This poses a problem for CISOs looking to stay on the right side of the CFO. Not only will the pressure on organizations to keep personal data secure continue to grow, but in the case of a breach, CISOs will also need to ascertain exactly how and when the security defenses were breached, as this information could prove vital in determining the size of fine the organization must pay.

It’s tempting for organizations to throw extra resources at keeping criminals out. The problem is that the combination of growing hacker sophistication and the complexity of existing systems is already creating more alerts than fast-growing cybersecurity teams can handle. The vast majority of these alerts are false positives – incidents that turn out to be harmless but which must nonetheless be investigated, sucking thousands of hours out of already-stretched administrators. That’s why organizations are increasingly relying on automated security solutions – machines to protect them from attack by other machines.

Yet this won’t be enough. CISOs must detect attacks that operate beyond the reach of automated protection and monitoring measures – they need to find the planets that can’t be seen. That means defenses must also incorporate in-depth human analysis, using behavioral data to spot the impact of malicious code on the systems it uses for cover.

As with any intelligence cycle, a typical mission is organized into four stages: preparation, data collection, analysis and reporting the results. In the preparation stage, the perimeter is defined, assessing not only the location of the most sensitive data but also which employees have access to it. Automated software then gathers data to help build a contextual picture of what is going on.

With the context established, it’s easier to determine whether a behavior is genuinely suspicious or explainable. Automatic and manual analysis then follows, with the human work undertaken by malware analysts and operating system experts with the express aim of removing false positives.

Finally, the results are presented and shared with dedicated teams across the business to spread the information. Where malicious activity is found, incident investigation will begin (establishing point of entry and which data and equipment are compromised).

Effective threat hunting relies on a human-machine combination: automated collection of data on unwanted changes to authorized programs (the grunt work too laborious for humans to tackle), combined with human-driven behavioral analysis.
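The four-stage cycle described above, applied to the "unwanted changes to authorized programs" data the last paragraph mentions, as an added Python example that is not from the article: the baseline snapshot is the preparation stage, the second snapshot is collection, the diff with an approved-change list is the analysis that removes explainable changes, and the summary is the report. All paths, file contents and the approved-change list are constructed for the example.

```python
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample inputs: contents of "authorized programs" at baseline time
# (preparation stage) and at a later collection run. Paths are hypothetical.
BASELINE_FILES = {
    "/usr/sbin/sshd": b"sshd build 1",
    "/usr/sbin/cron": b"cron build 1",
    "/opt/app/service": b"service build 1",
}
CURRENT_FILES = {
    "/usr/sbin/sshd": b"sshd build 1",                  # unchanged
    "/usr/sbin/cron": b"cron build 2",                  # changed by an approved patch
    "/opt/app/service": b"service build 1 + trailer",   # changed, nothing explains it
    "/opt/app/.helper": b"unknown binary",              # appeared since the baseline
}
# Context gathered in preparation: changes the organization expects, path -> hash.
APPROVED_CHANGES = {"/usr/sbin/cron": sha256(b"cron build 2")}


def snapshot(files: dict) -> dict:
    """Collection stage: record one hash per authorized program."""
    return {path: sha256(content) for path, content in files.items()}


def find_unexplained_changes(baseline: dict, current: dict, approved: dict) -> list:
    """Analysis stage: diff two snapshots, dropping changes the context explains."""
    findings = []
    for path, old_hash in baseline.items():
        new_hash = current.get(path)
        if new_hash is None:
            findings.append((path, "missing"))
        elif new_hash != old_hash and approved.get(path) != new_hash:
            findings.append((path, "modified"))
    for path in sorted(current.keys() - baseline.keys()):
        findings.append((path, "new"))
    return findings


def report(findings: list) -> str:
    """Reporting stage: one line per finding for the incident team."""
    if not findings:
        return "no unexplained changes"
    return "\n".join(f"{verdict}: {path}" for path, verdict in findings)


if __name__ == "__main__":
    print(report(find_unexplained_changes(snapshot(BASELINE_FILES), snapshot(CURRENT_FILES), APPROVED_CHANGES)))
```

The approved cron update is filtered out as explainable, leaving only the unexplained modification and the new file for human analysis.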

This combined human-machine approach reduces the risk of malicious code going undetected, enabling security teams to keep the organization’s data safe.
