12/5/2011
06:22 PM

Best Ways To Detect Advanced Threats Once They Invade

If attackers want to get in, it's likely they will find a way; security experts offer advice on how to detect the intrusion

Significant attacks against major technology companies have underscored that, while good defenses can make it hard for an attacker to penetrate a network, a persistent attacker will find a way in.

The list of attacks that have resulted in leaked corporate data grew longer this year: security firm RSA, marketing firm Epsilon, entertainment giant Sony, and others acknowledged breaches in 2011. Little wonder, then, that while defense-in-depth has long been a mantra of the security industry, vendors and consultants are now more strident about recommending that companies look to shore up their abilities to detect attacks that have succeeded.

"When all else fails and there is some chance of the attacker getting in, the question becomes, how are we going to detect them?" says Bret Hartman, chief technology officer for RSA and an EMC fellow.

Unlike more general cybercrime, targeted and persistent attackers tend to focus on quiet reconnaissance and infiltration of their victims, making detecting the threats that much more difficult.

"These things are not exploding into your network -- gone are the days of your Nimdas and your Slammers," says Jim Walter, manager of McAfee's Threat Intelligence Service (MTIS).

To be ready for the attackers already inside the company network, security managers need to take a few steps, say experts.

1. Know The Network
The most important tool in the detection drawer is a solid baseline understanding of the network. Knowing how systems are configured, how they connect, and what ports and services are available on each is a necessary step toward detecting when something changes maliciously, says McAfee's Walter.

"If you don't know exactly how many machines are on your network, where they are, what they are doing, and how they are connected, you are absolutely exposed," Walter says.

Companies should continually revisit their understanding of the network and the interconnected systems to incorporate changes. Checking the integrity of files is a key tool, but ensuring that configurations are hardened and follow company policy is also important, says Dwayne Melancon, chief technology officer of security firm Tripwire.

"Once they get in, they are in, but knowing how things looked before they got in gives you the upper hand in being able to figure out what happened and how to stop them," Melancon says.
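The baseline-and-compare approach Walter and Melancon describe, as an added example that is not from the article or from either vendor: a snapshot records each host's listening services and a SHA-256 of each watched file, and a later snapshot is diffed against it so new hosts, new listeners and changed configurations stand out. Host names, file contents and service lists are constructed sample data.

```python
import hashlib

def snapshot(services: dict, files: dict) -> dict:
    """Record what 'normal' looks like: listening services per host and
    a SHA-256 of each watched file's contents (given here as bytes)."""
    return {
        "services": {host: set(ports) for host, ports in services.items()},
        "files": {path: hashlib.sha256(data).hexdigest() for path, data in files.items()},
    }

def diff_baselines(before: dict, after: dict) -> dict:
    """Return every deviation from the known-good snapshot, grouped by kind."""
    b_svc, a_svc = before["services"], after["services"]
    b_files, a_files = before["files"], after["files"]
    findings = {
        "new_hosts": sorted(a_svc.keys() - b_svc.keys()),
        "missing_hosts": sorted(b_svc.keys() - a_svc.keys()),
        "new_services": [], "removed_services": [],
        "new_files": sorted(a_files.keys() - b_files.keys()),
        "missing_files": sorted(b_files.keys() - a_files.keys()),
        "modified_files": sorted(p for p in b_files.keys() & a_files.keys()
                                 if b_files[p] != a_files[p]),
    }
    for host in sorted(b_svc.keys() & a_svc.keys()):
        findings["new_services"] += [(host, s) for s in sorted(a_svc[host] - b_svc[host])]
        findings["removed_services"] += [(host, s) for s in sorted(b_svc[host] - a_svc[host])]
    return findings

# Constructed sample data (not from the article): a known-good snapshot and a
# later one where a new listener, an unknown host and a changed config appear.
KNOWN_GOOD = snapshot(
    {"web01": ["tcp/22", "tcp/443"], "db01": ["tcp/22", "tcp/5432"]},
    {"/etc/ssh/sshd_config": b"PermitRootLogin no\n", "/etc/passwd": b"root:x:0:0\n"},
)
LATER = snapshot(
    {"web01": ["tcp/22", "tcp/443", "tcp/4444"], "db01": ["tcp/22", "tcp/5432"],
     "unknown-host": ["tcp/445"]},
    {"/etc/ssh/sshd_config": b"PermitRootLogin yes\n", "/etc/passwd": b"root:x:0:0\n",
     "/tmp/.x": b"not-in-baseline"},
)

if __name__ == "__main__":
    for kind, items in diff_baselines(KNOWN_GOOD, LATER).items():
        if items:
            print(f"{kind}: {items}")
```

In practice the snapshot inputs would come from inventory, port-scan and file-integrity tooling; the diff logic is the part that turns "knowing how things looked before" into an alert.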

2. Cordon Off The Data
In addition to having a comprehensive picture of the network, companies should also put their critical data in well-monitored digital "vaults." By restricting access to important data, any malicious attempts to copy or steal the data become more obvious, says Joe Stewart, director of malware research at Dell SecureWorks.

"You have to plan ahead of time," he says. "And having your sensitive data in a separate enclave where you have stricter policy enforcement is a good idea."

In addition, companies can borrow a technique from insider defenses, creating honeypot or decoy files that look interesting, but result in an alarm when copied or accessed.

"It is really equivalent to detecting an insider attack because the attacker is already operating from the inside," RSA's Hartman says.

3. Monitor Hosts, Logs, And Network Traffic
Once defenders have a baseline understanding of their networks, threats can be detected by finding anomalous behavior in log files, host behavior, and network traffic.

Companies that do not regularly examine their log files are more likely to get breached. In the latest edition of its Data Breach Investigations Report, for example, Verizon found that 69 percent of the breaches it investigated in a year could have been detected by analyzing log data. Instead, almost seven out of every eight breaches were discovered not by the victim but by a third-party firm -- a form of outside discovery that is far less likely when what is stolen is intellectual property.

Monitoring network traffic can also lead to the discovery of an attack. Moreover, systems that record network traffic for later analysis help a company investigate a potential threat after the fact, Hartman says.

"You might, in a log file, see that file XYZ has been exfiltrated," he says. "But a good attacker will delete the file, so you won't know what they took. With the packets, you can discover what was stolen."

Finally, host-based intrusion detection systems that go beyond antivirus and reactive signature detection are also key to figuring out what may be causing the anomalies -- whether a malicious attacker or a malfunctioning program.

"Logs are great, network traffic is great, but those two don't give you a view of what the programs are doing," Hartman says.
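Sections 2 and 3 together, as an added example that is not from the article or from any of the quoted vendors: a detector run over constructed file-server audit lines that raises a high-severity finding when a decoy file is touched, flags reads of the "vault" enclave by users outside its allowed set, and flags outbound transfers to destinations absent from the network baseline, including slow transfers that only cross a byte threshold cumulatively. The log format, paths, user names, addresses and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed policy (not from the article): the data "vault" prefix, decoy files
# nobody should touch, who may read the vault, and each host's known destinations.
VAULT_PREFIX = "/vault/"
DECOY_PATHS = {"/vault/hr/salary_export.csv", "/vault/finance/board_minutes_DRAFT.docx"}
VAULT_ALLOWED_USERS = {"finance-svc", "cfo"}
KNOWN_DESTINATIONS = {"fileserver": {"10.0.0.5", "10.0.0.9"}}
EXFIL_BYTES = 50 * 1024 * 1024  # cumulative bytes to one destination before alerting

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) action=(?P<action>\S+)"
    r"(?: path=(?P<path>\S+))?(?: dst=(?P<dst>\S+))? bytes=(?P<bytes>\d+)$"
)

def detect(lines: list) -> list:
    """Return (severity, reason) findings for the constructed audit-line format."""
    findings = []
    sent = defaultdict(int)  # (host, dst) -> bytes so far; catches slow exfiltration
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            findings.append(("low", f"unparseable line: {line!r}"))
            continue
        ev = m.groupdict()
        if ev["path"] in DECOY_PATHS:  # nobody has a legitimate reason to open a decoy
            findings.append(("high", f"{ev['user']} touched decoy {ev['path']} on {ev['host']}"))
        elif ev["path"] and ev["path"].startswith(VAULT_PREFIX) and ev["user"] not in VAULT_ALLOWED_USERS:
            findings.append(("medium", f"{ev['user']} is not permitted in the vault but read {ev['path']}"))
        if ev["action"] == "connect":
            key, n = (ev["host"], ev["dst"]), int(ev["bytes"])
            if ev["dst"] not in KNOWN_DESTINATIONS.get(ev["host"], set()):
                findings.append(("medium", f"{ev['host']} sent {n} bytes to unknown destination {ev['dst']}"))
            if sent[key] <= EXFIL_BYTES < sent[key] + n:  # alert once, when the threshold is crossed
                findings.append(("high", f"{ev['host']} has sent over {EXFIL_BYTES} bytes to {ev['dst']}"))
            sent[key] += n
    return findings

# Constructed audit lines, not real data.
SAMPLE_LOG = [
    "2011-12-05T18:01:02 host=fileserver user=finance-svc action=read path=/vault/finance/ledger.xlsx bytes=4096",
    "2011-12-05T18:03:10 host=fileserver user=jdoe action=read path=/vault/hr/salary_export.csv bytes=8192",
    "2011-12-05T18:04:44 host=fileserver user=jdoe action=read path=/vault/finance/ledger.xlsx bytes=4096",
    "2011-12-05T18:05:01 host=fileserver user=jdoe action=connect dst=203.0.113.7 bytes=30000000",
    "2011-12-05T18:06:30 host=fileserver user=jdoe action=connect dst=203.0.113.7 bytes=30000000",
    "2011-12-05T18:07:00 host=fileserver user=backup action=connect dst=10.0.0.9 bytes=1000000",
]
```

Running `detect(SAMPLE_LOG)` yields five findings: the decoy access, the unpermitted vault read, two unknown-destination transfers, and the cumulative exfiltration threshold being crossed on the second of them.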
