Defense-based security programs that rely on signatures and indicators of compromise (IOCs) fail to prevent unwanted access by advanced adversaries. These advanced attacks are often targeted and customized, compromising critical systems to steal personal data, intellectual property, and financial assets.
The challenge is that it takes enterprise security teams over 3 months[1] to detect these attacks. In the case of the recent Yahoo breach, the over 200 million user names offered for sale on the dark web in 2016 had been stolen two years earlier. The longer it takes to detect these attacks, the larger the remediation, incident response, forensics and reputational costs incurred.
THREE FUNDAMENTAL REQUIREMENTS FOR EARLIEST DETECTION OF UNKNOWN THREATS
Organizations must close the protection gap, the time from when the adversary enters the enterprise network to when they are evicted, in order to minimize damage and loss. Enterprise Security Operations Center (SOC) teams are responsible for continuously monitoring, triaging and responding to threats within the network. Tier 3 SOC analysts spend 30-50% of their time on incident management, dealing with a backlog of alerts, many of which turn out to be false positives.
Even accurate alerts often arrive too late, indicating that the adversary is already in the network. Giving the adversary the opportunity to execute a single malicious instruction may give them all the presence they need to complete their mission. It is essential for SOC teams to implement prevention and detection that trigger at the earliest moment of an attack. SOC teams must consider these three requirements to stop unknown threats:
Look beyond signatures
Signatures are reliable when searching for artifacts associated with known campaigns, combating low-caliber adversaries, and pivoting through the enterprise network. Advanced adversaries constantly change and adapt their malware, bypassing signature-based technology. Strategies that focus on patterns within the malicious binaries themselves (YARA signatures, for example) are relatively ineffective because they are prone to false positives. SOC teams must focus on tools that look for attacker behavior and techniques to detect suspicious activity. These tools must also look for suspicious activity and patterns across enterprise-wide endpoints by monitoring process activity, network traffic, domain lookups, previously executed commands, persistence locations, and other key areas.
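To make the contrast concrete, the following added example (not code from the original article or any product it describes) runs a hash-based signature check and a behaviour rule side by side over a few constructed process-creation events from several endpoints. The hashes, host names, paths and the "Office application launching a binary from a user-writable directory" rule are all assumptions chosen for illustration; the point is that a recompiled payload defeats the hash lookup while the behaviour rule still fires, and that the result is aggregated per host across the fleet.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record as an endpoint sensor might report it (constructed)."""
    host: str      # reporting endpoint
    parent: str    # parent process image name
    image: str     # full path of the child process image
    sha256: str    # hash of the child image as reported by the sensor


# Constructed signature feed: the hash of a dropper build seen in an earlier campaign.
KNOWN_BAD_HASHES = {"aaaa" * 16}

# Behaviour rule inputs (assumed lists, kept short for the example).
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def in_user_writable_dir(path: str) -> bool:
    """True if the image lives somewhere an unprivileged user can write."""
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def signature_match(ev: ProcessEvent) -> bool:
    """Classic IOC check: is the child's hash on the known-bad list?"""
    return ev.sha256 in KNOWN_BAD_HASHES


def behaviour_match(ev: ProcessEvent) -> bool:
    """Technique check: an Office application launching a binary from a
    user-writable directory. Independent of which exact binary runs."""
    return ev.parent.lower() in OFFICE_APPS and in_user_writable_dir(ev.image)


def evaluate(events):
    """Return (hosts flagged by signatures, hosts flagged by behaviour), sorted."""
    sig = sorted({e.host for e in events if signature_match(e)})
    beh = sorted({e.host for e in events if behaviour_match(e)})
    return sig, beh


# Constructed telemetry from four endpoints.
SAMPLE_EVENTS = [
    # Earlier campaign build, hash is in the feed: both approaches catch it.
    ProcessEvent("ws-0007", "winword.exe",
                 "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "aaaa" * 16),
    # Same technique, recompiled payload with a new hash: signatures miss it.
    ProcessEvent("ws-0042", "excel.exe",
                 "C:\\Users\\bob\\AppData\\Roaming\\svc.exe", "bbbb" * 16),
    # Word launching the print spooler helper from the Windows directory: benign.
    ProcessEvent("ws-0100", "winword.exe",
                 "C:\\Windows\\splwow64.exe", "cccc" * 16),
    # An updater started from Explorer, not from an Office parent: benign for this rule.
    ProcessEvent("ws-0113", "explorer.exe",
                 "C:\\Users\\carol\\AppData\\Local\\Updater\\updater.exe", "dddd" * 16),
]


if __name__ == "__main__":
    by_signature, by_behaviour = evaluate(SAMPLE_EVENTS)
    print("signature hits :", by_signature)   # only the host that ran the old build
    print("behaviour hits :", by_behaviour)   # both hosts where the technique occurred
```

In a real deployment the behaviour rule would be one of many, and the per-host aggregation is what lets an analyst see the same technique recurring across endpoints rather than triaging each event in isolation.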
Multi-layer protection vs a ‘tool chain’
Advanced attackers use sophisticated techniques at multiple layers of IT infrastructure to gain and maintain access to critical assets. Enterprise protection is no longer a problem that a collection of niche tools patched together with a process can solve. SOC teams already understand that a ‘tool chain’ can’t cover a kill chain composed of exploits, malware, fileless malware, advanced malicious persistence and other fundamental adversary tactics and techniques.
Information from multiple layers must be gathered seamlessly across the attack lifecycle, free from gaps in time and data-normalization delays, and analysed instantly, so that the full scope of the attack is understood in time to prevent system disruption.
Adversaries use persistence techniques to survive reboots and maintain a foothold on systems. However, persistence artifacts are difficult to identify, especially ones that have never been seen before. It is an error-prone process that takes security analysts hours if not days to complete. SOC teams must automate the hunt for persistence: automatically enumerate all possible persistence locations across all endpoints, then apply high-value enrichments and advanced analytics to single out infected hosts, identifying malicious persistence in minutes. Automation does not replace the analyst but removes the onerous and time-consuming tasks, empowering analysts to focus on high-priority alerts, resolve ambiguous information, and protect critical assets before damage and loss occur.
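The enrichment-and-analytics step above is easiest to see in code. The following added example (not the article's or any vendor's code) takes a constructed fleet-wide inventory of autorun entries, normalizes per-user paths, stacks each entry by how many hosts it appears on, and scores it with two simple enrichments (signature status and whether the image sits in a user-writable directory). The fleet size, the registry and task locations, the host names, the scoring weights and the threshold are all assumptions; the technique is least-frequency stacking, which suppresses entries that are common across the fleet even when they are unsigned, and surfaces the rare, unsigned, user-writable one.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AutorunEntry:
    """One persistence entry collected from an endpoint (constructed sample data)."""
    host: str
    location: str   # where persistence was found (Run key, scheduled task, ...)
    name: str       # value name or task name
    image: str      # full path of the binary the entry launches
    signed: bool    # sensor's verdict on the binary's code signature


# Assumed location labels for the example.
RUN_HKCU = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
RUN_HKLM = "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
SCHED_TASK = "ScheduledTask"

USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
RARE_FRACTION = 0.05   # assumed: on 5% of hosts or fewer counts as rare


def normalize_image(path: str) -> str:
    """Lower-case the path and collapse the per-user profile directory so the
    same program installed for different users stacks into one bucket."""
    return re.sub(r"^c:\\users\\[^\\]+\\", r"c:\\users\\*\\", path.lower())


def is_user_writable(path: str) -> bool:
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def stack(entries, fleet_size):
    """Fraction of the fleet on which each (location, name, normalized image) appears."""
    hosts = defaultdict(set)
    for e in entries:
        hosts[(e.location, e.name, normalize_image(e.image))].add(e.host)
    return {key: len(h) / fleet_size for key, h in hosts.items()}


def score(entry: AutorunEntry, prevalence: float) -> int:
    """Additive score: rarity weighs most, then the two enrichments."""
    s = 0
    if prevalence <= RARE_FRACTION:
        s += 2
    if not entry.signed:
        s += 1
    if is_user_writable(entry.image):
        s += 1
    return s


def triage(entries, fleet_size, threshold=3):
    """Return (host, location, name, score) for entries at or above the threshold."""
    prevalence = stack(entries, fleet_size)
    hits = []
    for e in entries:
        s = score(e, prevalence[(e.location, e.name, normalize_image(e.image))])
        if s >= threshold:
            hits.append((e.host, e.location, e.name, s))
    return sorted(hits)


def build_sample(fleet_size=50):
    """Constructed inventory: two fleet-wide entries on every host, plus two one-offs."""
    entries = []
    for i in range(1, fleet_size + 1):
        host, user = f"ws-{i:04d}", f"user{i}"
        # Signed sync client under the user profile: common, so it stacks to 1.0.
        entries.append(AutorunEntry(host, RUN_HKCU, "SyncClient",
                                    f"C:\\Users\\{user}\\AppData\\Local\\SyncCo\\sync.exe", True))
        # Unsigned internal line-of-business agent deployed everywhere: common too.
        entries.append(AutorunEntry(host, RUN_HKLM, "LobAgent",
                                    "C:\\Program Files\\Acme\\lobagent.exe", False))
    # One host with an unsigned, rare entry launching from a roaming profile path.
    entries.append(AutorunEntry("ws-0042", RUN_HKCU, "WindowsUpdateHelper",
                                "C:\\Users\\user42\\AppData\\Roaming\\wuhelper.exe", False))
    # One host with a rare but signed backup task in Program Files.
    entries.append(AutorunEntry("ws-0017", SCHED_TASK, "BackupAgent",
                                "C:\\Program Files\\BackupCo\\agent.exe", True))
    return entries


if __name__ == "__main__":
    for hit in triage(build_sample(), 50):
        print(hit)   # only the ws-0042 entry reaches the threshold
```

The output hands the analyst a single host and entry to examine rather than 102 autorun records; the thresholds and weights are where analyst judgement still applies, which is the division of labour the paragraph describes.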