Spotting Attackers Early Means Being More Protected


By Vikram Kapoor

KRACK, as acronyms go, seemed an appropriate handle for last month’s WiFi security disclosure. After a quarter stuffed with bad security news, a new flaw in one of our most beloved technologies might have a few security pros on the verge of cracking. So WiFi takes its place on our long list of “things to worry about right now.” I don’t know about you, but I’m having cyber breach fatigue and it’s downright tiring.

The showiest security disasters make news, but breaches happen every day to organizations of every type around the world. Today it’s a protocol flaw. Yesterday it was a Struts vulnerability (or, if you believe Equifax, an inattentive employee who failed to apply a patch to fix said vulnerability). Tomorrow it might be a WiFi hacker with a Pringles "cantenna" (oh wait, that already happened).

The attacker perpetrating the next big cybersecurity incident is probably already behind someone’s firewall. And while you should definitely patch your vulnerabilities and maybe even turn off your WiFi (ok, just kidding, no one’s going to turn off the WiFi), that’s not going to be enough. We need to change how we think about cybersecurity. We need to go from retrospective security (scrambling to stop yesterday’s attacks) to a proactive model that can detect and stop intruders early in the cyber kill chain, well before data starts leaving the building.

Proactive security is a tall order. It’s tough to spot attackers until they do something dramatic on the network - like exfiltrating a database. If you can’t spot an attack until it’s too late, prevention and policy enforcement tools naturally take the security spotlight. But more robust proactive solutions are available, and they deserve a place alongside the firewalls, network intrusion detection, data loss prevention, and host-based products you use now.

Here’s why.

Attackers seldom find your cheddar right away. They usually spend days or weeks exploring servers, compromising credentials, and moving laterally within a network before they hit pay dirt. The cyber kill chain gives us a framework for understanding how this works, and you can read the post-mortem for any high-profile incident to see it in action. Attacks always generate plenty of noise - just not at a network perimeter.

Take Equifax. Attackers spent 8 to 10 weeks inside their network, apparently without being spotted. At TJ Maxx, attackers spent 18 months behind the firewall before they were detected. Home Depot? Five months. JPMorgan Chase? Three months. Mandiant’s 2016 M-Trends report (gated, so no link here, sorry) estimates average dwell times (the time between when the attacker breaks in and when they are detected) of 146 days. That’s a lot of unsupervised play time for the bad guys.

Imagine how these stories would have ended if someone spotted the attackers within hours (or minutes) of their arrival. Early detection reduces dwell times, and dwell times are a good metric for just how proactive your security really is.

But it’s hard to reduce dwell times. Network-based security, in the form of network intrusion products, firewalls, or DLP, only sees known-bad traffic (like communications to a command and control server or something that violates a generic policy) when it crosses a network boundary that’s being monitored by the security tool. This approach has two alarming holes:

  • At some phases of the kill chain, adversarial and legitimate activity can be difficult to tell apart. For example, in the Target breach, attackers used stolen third-party credentials to explore the company’s internal networks and systems (the “recon” phase of the cyber kill chain).
  • You only see what you watch. In practice, that often means visibility is limited to the internal/external network perimeter. More comprehensive coverage comes at a cost. Even worse, network-centric products may not be able to monitor the inner workings of cloud workloads - like the installation or launch of an app or a privilege change - at any price.

So how can we possibly drive dwell times below their current average of 143 days?

Good news. The technology exists:

  • More data: In the cloud, we can monitor almost everything. We can see well beyond network traffic to watch workloads, software interactions, files, and user behaviors. When we eliminate blind spots we can catch attacks far earlier in the kill chain. It’s like going from having one surveillance camera at your front door to having dozens watching every inch of your property - there’s nowhere to hide.
  • Better analytics: Mountains of data used to be too overwhelming to be useful - especially for under-the-gun security professionals. But with today’s powerful analytics tools, we can make sense of all that new data. An avalanche of information becomes actionable insights.

More data with better analytics is a game changer. With telemetry from workloads, containers, processes, users, files, and malware feeds (as well as network activity and traffic, of course) - we can redefine what “nefarious behavior” means, and spot it far earlier in the kill chain. For example, rather than checking activities against what’s permitted per your policy (the old way of thinking about nefarious behavior), we can now identify activities that aren’t normal (whether permitted by policy or not). More than a few attacks were first uncovered when a staff member saw their own account being used to do something out of the ordinary - even when it was permitted by policy.

That’s the good news. The tough part? You’ll need to start investigating those indicators of compromise (IOCs) before a breach happens. To do that, your security solution has to give you succinct, actionable information. Those two things are linked, and both need to be addressed if you really want to drive dwell times down.

Let’s start with your daily security routine. More data means you’ll have more IOCs available to reveal attackers at work early in the kill chain. Privilege escalations, repeated login attempts, and tampering with critical files can all help you stop an attacker cold - well before any damage is done - but each IOC needs to be investigated, assessed, and remediated.

You’re going to need a security solution that supports your commitment to IOC investigation. Products that raise thousands of alerts for the same thing, or suffer from a high rate of false positives, or require ongoing maintenance of complex rules and policies, aren’t going to work. Look for solutions that consolidate alerts, assess and score threats using all available telemetry, and do it all automatically, without administrative overhead or the need to correlate logs. That way you’ll be able to efficiently focus on the most relevant IOCs and drive dwell time down.
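As an added illustration (not code from this post or from Lacework), here is a small Python sketch of the approach the last three paragraphs describe: learn what is normal for each user from a baseline window, emit raw IOCs for repeated failed logins, critical-file writes and never-before-seen actions (whether policy permits them or not), consolidate them into one scored finding per user, and measure dwell time as the gap between the first suspicious event and the moment the score crosses the threshold. The telemetry, users, weights and threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed telemetry (not from the post): (timestamp, user, event, detail).
BASELINE = [  # a week of known-good activity: what "normal" looks like per user
    ("2017-10-01T09:00", "alice", "login_ok", "web01"), ("2017-10-01T09:05", "alice", "exec", "/usr/bin/git"),
    ("2017-10-02T10:00", "bob", "login_ok", "db01"), ("2017-10-02T10:02", "bob", "sudo", "db01"),
]
RECENT = [  # window under investigation: alice's credentials are used in new ways
    ("2017-10-09T02:00", "alice", "login_fail", "db01"),
    ("2017-10-09T02:01", "alice", "login_fail", "db01"),
    ("2017-10-09T02:02", "alice", "login_fail", "db01"),
    ("2017-10-09T02:03", "alice", "login_ok", "db01"),   # new host for alice
    ("2017-10-09T02:10", "alice", "sudo", "db01"),       # allowed by policy, never seen for alice
    ("2017-10-09T02:15", "alice", "file_write", "/etc/passwd"),
    ("2017-10-09T09:00", "bob", "sudo", "db01"),         # routine for bob: no IOC
]
CRITICAL_FILES = {"/etc/passwd", "/etc/shadow", "/etc/sudoers"}
WEIGHTS = {"login_fail": 1, "new_action": 3, "critical_file": 5}  # assumed scoring

def learn_baseline(events):
    """Per-user set of (event, detail) pairs observed in the training window."""
    seen = defaultdict(set)  # an unknown user gets an empty set, so everything they do is new
    for _, user, event, detail in events:
        seen[user].add((event, detail))
    return seen

def raw_iocs(recent, baseline):
    """One IOC per suspicious event: the noisy stream a per-event alerting tool would emit."""
    for ts, user, event, detail in recent:
        if event == "login_fail":
            yield ts, user, "login_fail", f"failed login to {detail}"
        elif event == "file_write" and detail in CRITICAL_FILES:
            yield ts, user, "critical_file", f"wrote {detail}"
        elif (event, detail) not in baseline[user]:  # permitted by policy or not, it is not normal
            yield ts, user, "new_action", f"{event} on {detail} never seen before"

def minutes_between(a, b):
    fmt = "%Y-%m-%dT%H:%M"
    return int((datetime.strptime(b, fmt) - datetime.strptime(a, fmt)).total_seconds() // 60)

def consolidate(iocs, threshold=6):
    """One scored finding per user; dwell_min = first suspicious event -> score crosses threshold."""
    findings = {}
    for ts, user, kind, why in iocs:
        f = findings.setdefault(user, {"score": 0, "reasons": [], "first_seen": ts, "dwell_min": None})
        f["score"] += WEIGHTS[kind]
        f["reasons"].append(why)
        if f["dwell_min"] is None and f["score"] >= threshold:
            f["dwell_min"] = minutes_between(f["first_seen"], ts)  # detected at this event
    return findings
```

With the constructed data, alice is flagged three minutes after the first failed login, before the write to /etc/passwd ever happens, while bob's identical sudo produces no alert because it matches his baseline.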

No one wants to be in the news tomorrow. Unfortunately, network-based security products and retrospective security have failed, time and time again, to stop cyber threats. Spotting attackers early in the kill chain is the proactive way to combat threats - and being more proactive means being more protected.

About Vikram Kapoor

Vikram Kapoor is co-founder and CTO at Lacework, and leads the company’s strategic technology and architecture roadmap. Prior to Lacework, Vikram led Bromium’s engineering team in delivering solutions supporting Bromium’s vision and business goals.
