Analytics // Security Monitoring
10/26/2012
11:35 PM
Connect Directly
RSS
E-Mail
50%
50%

Monitoring To Detect The Persistent Enemies

Subtle attackers who are after intellectual property are hard to find. Monitoring can help, but a good analyst can help even more

The common wisdom in security circles is that companies should assume that they have already been breached.

In one recent study, academic researchers from security firm Symantec correlated antivirus and reputation data with a database linking vulnerabilities to malware and found 18 zero-day attacks over a four year period, including 11 attacks that no one had previously known had existed. In addition, attacks remained undiscovered for anywhere from 19 days to 30 months, about 10 months on average.

The research suggests that network defenders are not discovering advanced attacks--particularly those using exploits against unknown vulnerabilities--in a timely manner. While companies should assume that they have already been compromised that does not mean they should be content to allow attackers to have carte blanche within their networks, says Will Gragido, senior manager of RSA's FirstWatch Threat Research.

"It is like detection of cancer, earlier is better, because triaging works better, and the cure had a greater chance of working," he says. "If you wait and ignore those signs, the problem is only going to be more malignant."

No wonder, then, that security vendors are developing monitoring products that can better, and more quickly, pinpoint advanced persistent threats, or APT. Each of the technologies looks to make the most use of information generated by a company's internal systems, marry that with external threat data and deliver it in a way that a security analyst can decipher.

Yet, separating out hints of possible attacks from the noise is difficult at best. Suspicious events--such as devices communicating outside of normal business hours, traffic to Web sites in other countries or downloading a file from a residential IP address--may not be enough to definitively flag a possible attack, but if a system can correlate such events, then attacks can be recognized.

"A key thing to bear in mind is that there is no single indicator of compromise," says Gunter Ollmann, vice president of research for network security firm Damballa. "What is required is a lot of correlation between different events--many of which are suspicious behaviors or unexpected connections--and that correlation and the collection of these types of events will help you arrive at a conclusion that something has happened."

RSA's Netwitness combines log data, network flow information and threat intelligence to attempt to pinpoint attacks in side a network. Damballa's Failsafe uses network information to identify sophisticated attacks inside a customer's network.

[A new prototype system, called Disclosure, expands the view of botnet activity to a wider scale and detects botnet C&C traffic in real-time, inspecting billions of flows of datasets each day. See Hunting Botnets On A Bigger Scale.]

While both companies analyze network traffic and log data to recognize the signs of low-and-slow attacks, other firms--such as FireEye and Triumfant--recognize attacks by the changes they make to host systems. Keeping up with advanced threats used by persistent adversaries requires more defenses than most companies normally deploy, says John Prisco, CEO of security firm Triumfant.

Increasingly, companies are looking at not just a firewall and antivirus, but solutions that can better detect the attacks that get through, he says.

"We are seeing a new defense-in-depth strategy," Prisco says

Having more layers is a good thing, because attackers are always motivated to get a step ahead, says Mike Lloyd, chief technology officer with RedSeal Networks, a networking monitoring firm.

"The problem is that, in chasing anomalies, it is an arms race," he says. "If your system is trying to discover behavior X, the attacker will move to behavior X+1."

Perhaps the biggest weak point in all these systems, however, is that no matter what the technology, companies need a good security analyst who knows how to spot the indicators of compromise as well as the most likely groups threatening their business.

"At the end of the day, regardless of what tools you leverage, the analyst is where the rubber meets the road," says RSA's Gragido. "If the analyst doesn't understand the hallmark or the indicators of the threat actors or advanced attack patterns, then the information itself will be of little value."

The need for analysts, and the relative scarcity of good analysts, led security-intelligence firm Seculert to start offering an analysis-in-the-cloud service. The company's customers can ship their data to Seculert's Sense service, which uses correlation and intelligence generated by the service provider to find likely signs of advanced attacks.

"Each company creates huge amount of data from their current security solutions but they don't have the capability to look into this data ... and find those attacks," said Aviv Raff, chief technology officer for Seculert.

The company believe services like Sense will help its customers better understand the threats inside their networks.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Must Reads - September 25, 2014
Dark Reading's new Must Reads is a compendium of our best recent coverage of identity and access management. Learn about access control in the age of HTML5, how to improve authentication, why Active Directory is dead, and more.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2003-1598
Published: 2014-10-01
SQL injection vulnerability in log.header.php in WordPress 0.7 and earlier allows remote attackers to execute arbitrary SQL commands via the posts variable.

CVE-2011-4624
Published: 2014-10-01
Cross-site scripting (XSS) vulnerability in facebook.php in the GRAND FlAGallery plugin (flash-album-gallery) before 1.57 for WordPress allows remote attackers to inject arbitrary web script or HTML via the i parameter.

CVE-2012-0811
Published: 2014-10-01
Multiple SQL injection vulnerabilities in Postfix Admin (aka postfixadmin) before 2.3.5 allow remote authenticated users to execute arbitrary SQL commands via (1) the pw parameter to the pacrypt function, when mysql_encrypt is configured, or (2) unspecified vectors that are used in backup files gene...

CVE-2012-5485
Published: 2014-09-30
registerConfiglet.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via unspecified vectors, related to the admin interface.

CVE-2012-5486
Published: 2014-09-30
ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Chris Hadnagy, who hosts the annual Social Engineering Capture the Flag Contest at DEF CON, will discuss the latest trends attackers are using.