How to Go from Hunted to Hunter

Organizations must act to shift the cybersecurity power balance in their favor, writes Ashish Patel

Following a cyber-attack, it’s only natural that a company would wish to work out retrospectively what went wrong and why. However, this tendency to act reactively and chase the symptoms of an attack needs to be addressed. If we are to truly target hackers head on, we need to act on the offensive – not the defensive.

As an industry we’ve been guilty of focusing too heavily on indicators of compromise (IoC) – hard evidence that proves an organization has been breached – for many years. Every year corporations invest in digital forensic tools with the aim of stepping in after the crime to try to identify the perpetrators, victims, and even what was affected.

Unfortunately, this approach addresses problems after the system has been breached and data stolen. It is of course important to share IoCs between various security systems, to try to reduce or eliminate copycats and repeat-crimes using the same technique – but this alone is not enough.

It’s time to change this tendency to be cyber-coroners and create an industry of cyber-hunters who proactively detect and stop attacks in their tracks. The key is to keep a close eye on indicators of attacks (IoA) – these are changes in system behavior – signs that someone could be probing for vulnerabilities, or masquerading as a legitimate person or process.

Organizations must collect, assemble, interpret, and apply many fragments of information early in an attack chain to disrupt advanced and targeted attacks. More than raw data, organizational and situational context enrich other forms of intelligence to create these IoAs. These early warnings reveal suspicious events, letting systems and people contain and mitigate attack activities before they lead to system compromises and data loss.

In a recent global Intel Security survey, only 24% of companies professed to feeling confident in their ability to detect an attack within minutes, and just under half said it would take days, weeks, or even months before they noticed suspicious behavior. Below are eight common attack activities that successful organizations should be tracking in order to detect and deflect targeted attacks before it’s too late:

  1. Foreign bodies: Internal hosts communicating with known bad destinations or reaching out to a foreign country where the company does not conduct business.
  2. Inside out: Internal hosts communicating to external hosts using non-standard ports or protocol/port mismatches.
  3. Leapfrog: Publically accessible or demilitarized zone (DMZ) hosts communicating to internal hosts; this can allow leapfrogging from the outside of the network to the inside and back, permitting data exfiltration and remote access to assets.
  4. Malware detection out of hours: Alerts that occur outside of standard business operating time could signal a compromised host.
  5. Finding the intruder: Network scans by internal hosts communicating with multiple hosts in a short time frame could reveal an attacker moving laterally within the network. Perimeter network defenses, such as firewalls, are rarely configured to monitor traffic on the internal network, but could be used to effectively detect the early stages of such an attack.
  6. Recognizing patterns: Multiple alarm events from a single host or duplicate events across multiple machines in the same subnet over a 24-hour period, such as repeated authentication failures.
  7. Cleaning up: Repeated reinfections signal the presence of a rootkit or persistent compromise. If a system is cleaned and becomes re-infected within five minutes, this could signify an ongoing attack.
  8. User error: A user account that tries to log in to multiple resources within a few minutes either from or to different regions could be a sign that the user’s credentials have been stolen or that a user is up to mischief within the network.

The first hurdle is usually collection of data. Many sensors and products can collect raw data, but most ‘use it and lose it’. The architecture needs to ensure the important (relevant) information is collected and shared, not just observed and discarded.

"It’s time to change this tendency to be cyber-coroners and create an industry of cyber-hunters"

Next, the individual data points must be aggregated to construct an indicator of attack. Simple, intermittent data archival, which is implemented by first-generation security and information event management (SIEM), is not enough. Basic event data must be enriched with contextual information (such as time, prevalence, location) and the human factor of experience, risk values, and instinct, if it is to be of true value to an organization.

By focusing on indicators of attack, including changes in network traffic patterns or volumes, and programmed access to systems normally used only by humans, corporations can stay one step ahead of attackers. With the power to accelerate their ability to detect, respond to, and learn from events, organizations can dramatically shift their security posture from that of the hunted to the hunter.


About the Author

Ashish Patel is responsible for leading the network security sales unit in UK & Ireland for Intel Security. He joined Intel Security, then McAfee, in 2014 following the acquisition of Stonesoft Oyi. Patel’s earlier career saw him responsible for launching pioneering WAF technology in UKI and gaining experience across all aspects of the security distribution channel. He holds an honours degree in Business Administration.


What’s Hot on Infosecurity Magazine?