Analytics // Security Monitoring
10/26/2012
11:35 PM
50%
50%

Monitoring To Detect The Persistent Enemies

Subtle attackers who are after intellectual property are hard to find. Monitoring can help, but a good analyst can help even more

The common wisdom in security circles is that companies should assume that they have already been breached.

In one recent study, academic researchers from security firm Symantec correlated antivirus and reputation data with a database linking vulnerabilities to malware and found 18 zero-day attacks over a four year period, including 11 attacks that no one had previously known had existed. In addition, attacks remained undiscovered for anywhere from 19 days to 30 months, about 10 months on average.

The research suggests that network defenders are not discovering advanced attacks--particularly those using exploits against unknown vulnerabilities--in a timely manner. While companies should assume that they have already been compromised that does not mean they should be content to allow attackers to have carte blanche within their networks, says Will Gragido, senior manager of RSA's FirstWatch Threat Research.

"It is like detection of cancer, earlier is better, because triaging works better, and the cure had a greater chance of working," he says. "If you wait and ignore those signs, the problem is only going to be more malignant."

No wonder, then, that security vendors are developing monitoring products that can better, and more quickly, pinpoint advanced persistent threats, or APT. Each of the technologies looks to make the most use of information generated by a company's internal systems, marry that with external threat data and deliver it in a way that a security analyst can decipher.

Yet, separating out hints of possible attacks from the noise is difficult at best. Suspicious events--such as devices communicating outside of normal business hours, traffic to Web sites in other countries or downloading a file from a residential IP address--may not be enough to definitively flag a possible attack, but if a system can correlate such events, then attacks can be recognized.

"A key thing to bear in mind is that there is no single indicator of compromise," says Gunter Ollmann, vice president of research for network security firm Damballa. "What is required is a lot of correlation between different events--many of which are suspicious behaviors or unexpected connections--and that correlation and the collection of these types of events will help you arrive at a conclusion that something has happened."

RSA's Netwitness combines log data, network flow information and threat intelligence to attempt to pinpoint attacks in side a network. Damballa's Failsafe uses network information to identify sophisticated attacks inside a customer's network.

[A new prototype system, called Disclosure, expands the view of botnet activity to a wider scale and detects botnet C&C traffic in real-time, inspecting billions of flows of datasets each day. See Hunting Botnets On A Bigger Scale.]

While both companies analyze network traffic and log data to recognize the signs of low-and-slow attacks, other firms--such as FireEye and Triumfant--recognize attacks by the changes they make to host systems. Keeping up with advanced threats used by persistent adversaries requires more defenses than most companies normally deploy, says John Prisco, CEO of security firm Triumfant.

Increasingly, companies are looking at not just a firewall and antivirus, but solutions that can better detect the attacks that get through, he says.

"We are seeing a new defense-in-depth strategy," Prisco says

Having more layers is a good thing, because attackers are always motivated to get a step ahead, says Mike Lloyd, chief technology officer with RedSeal Networks, a networking monitoring firm.

"The problem is that, in chasing anomalies, it is an arms race," he says. "If your system is trying to discover behavior X, the attacker will move to behavior X+1."

Perhaps the biggest weak point in all these systems, however, is that no matter what the technology, companies need a good security analyst who knows how to spot the indicators of compromise as well as the most likely groups threatening their business.

"At the end of the day, regardless of what tools you leverage, the analyst is where the rubber meets the road," says RSA's Gragido. "If the analyst doesn't understand the hallmark or the indicators of the threat actors or advanced attack patterns, then the information itself will be of little value."

The need for analysts, and the relative scarcity of good analysts, led security-intelligence firm Seculert to start offering an analysis-in-the-cloud service. The company's customers can ship their data to Seculert's Sense service, which uses correlation and intelligence generated by the service provider to find likely signs of advanced attacks.

"Each company creates huge amount of data from their current security solutions but they don't have the capability to look into this data ... and find those attacks," said Aviv Raff, chief technology officer for Seculert.

The company believe services like Sense will help its customers better understand the threats inside their networks.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5395
Published: 2014-11-21
Multiple cross-site request forgery (CSRF) vulnerabilities in Huawei HiLink E3276 and E3236 TCPU before V200R002B470D13SP00C00 and WebUI before V100R007B100D03SP01C03, E5180s-22 before 21.270.21.00.00, and E586Bs-2 before 21.322.10.00.889 allow remote attackers to hijack the authentication of users ...

CVE-2014-7137
Published: 2014-11-21
Multiple SQL injection vulnerabilities in Dolibarr ERP/CRM before 3.6.1 allow remote authenticated users to execute arbitrary SQL commands via the (1) contactid parameter in an addcontact action, (2) ligne parameter in a swapstatut action, or (3) project_ref parameter to projet/tasks/contact.php; (4...

CVE-2014-7871
Published: 2014-11-21
SQL injection vulnerability in Open-Xchange (OX) AppSuite before 7.4.2-rev36 and 7.6.x before 7.6.0-rev23 allows remote authenticated users to execute arbitrary SQL commands via a crafted jslob API call.

CVE-2014-8090
Published: 2014-11-21
The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel 551, 2.0.x before 2.0.0 patchlevel 598, and 2.1.x before 2.1.5 allows remote attackers to cause a denial of service (CPU and memory consumption) a crafted XML document containing an empty string in an entity that is used in a large number of nes...

CVE-2014-8469
Published: 2014-11-21
Cross-site scripting (XSS) vulnerability in Guests/Boots in AdminCP in Moxi9 PHPFox before 4 Beta allows remote attackers to inject arbitrary web script or HTML via the User-Agent header.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?