Best Ways To Detect Advanced Threats Once They Invade
If attackers want to get in, it’s likely they will find a way; security experts offer advice on how to detect the intrusion
By Robert Lemos, Contributing Editor
Dec 05, 2011
Significant attacks against major technology companies have underscored that, while good defenses can make it hard for an attacker to penetrate a network, a persistent attacker will find a way in.
The list of attacks that have resulted in leaked corporate data grew longer this year: security firm RSA, marketing firm Epsilon, entertainment giant Sony, and others acknowledged breaches in 2011. Little wonder, then, that while defense-in-depth has long been a mantra of the security industry, vendors and consultants are now more strident about recommending that companies look to shore up their abilities to detect attacks that have succeeded.
“When all else fails and there is some chance of the attacker getting in, the question becomes, how are we going to detect them?” says Bret Hartman, chief technology officer for RSA and an EMC fellow.
Unlike broad, indiscriminate attacks, targeted and persistent attackers tend to focus on quiet reconnaissance and infiltration of their victims, making the threats that much more difficult to detect.
“These things are not exploding into your network — gone are the days of your Nimdas and your Slammers,” says Jim Walter, manager of McAfee’s Threat Intelligence Service (MTIS).
To be ready for the attackers already inside the company network, security managers need to take a few steps, say experts.
1. Know The Network
The most important tool in the detection drawer is a solid baseline understanding of the network. Knowing how systems are configured, how they connect, and what ports and services are available on each is a necessary step toward detecting when something changes maliciously, Walter says.
“If you don’t know exactly how many machines are on your network, where they are, what they are doing, and how they are connected, you are absolutely exposed,” Walter says.
Companies should continually revisit their understanding of the network and the interconnected systems to incorporate changes. Checking the integrity of files is a key tool, but ensuring that configurations are hardened and follow company policy is also important, says Dwayne Melancon, chief technology officer of security firm Tripwire.
“Once they get in, they are in, but knowing how things looked before they got in gives you the upper hand in being able to figure out what happened and how to stop them,” Melancon says.
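One concrete form of the baseline Walter and Melancon describe is a saved inventory of hosts, open ports and configuration-file digests that is periodically compared against a fresh one. The following is an added example, not code from the article or from McAfee or Tripwire; the inventory model, the hosts, ports and digest values are constructed placeholders, and in practice the inventory would be exported from a scanner or a configuration-management system.

```python
"""Diff a current network inventory against a saved baseline.

Added example, not from the article. The inventory model and the sample
hosts, ports and file digests are constructed; a real inventory would be
exported from a scanner or configuration-management system.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Set


def sha256_file(path: str) -> str:
    """Digest a real file on disk; used when building an inventory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


@dataclass
class HostState:
    open_ports: Set[int]
    file_hashes: Dict[str, str]  # path -> sha256 hex digest


@dataclass
class Drift:
    new_hosts: List[str] = field(default_factory=list)
    missing_hosts: List[str] = field(default_factory=list)
    new_ports: List[str] = field(default_factory=list)      # "host:port"
    changed_files: List[str] = field(default_factory=list)  # "host:path"

    def findings(self) -> List[str]:
        """Human-readable list of everything that differs from the baseline."""
        return (
            [f"new host: {h}" for h in self.new_hosts]
            + [f"missing host: {h}" for h in self.missing_hosts]
            + [f"new listening port: {p}" for p in self.new_ports]
            + [f"changed file: {f}" for f in self.changed_files]
        )


def compare(baseline: Dict[str, HostState], current: Dict[str, HostState]) -> Drift:
    """Report hosts that appeared or vanished, ports newly open, and files whose digest changed."""
    drift = Drift()
    drift.new_hosts = sorted(set(current) - set(baseline))
    drift.missing_hosts = sorted(set(baseline) - set(current))
    for host in sorted(set(baseline) & set(current)):
        before, now = baseline[host], current[host]
        for port in sorted(now.open_ports - before.open_ports):
            drift.new_ports.append(f"{host}:{port}")
        for path, digest in sorted(now.file_hashes.items()):
            if before.file_hashes.get(path) != digest:
                drift.changed_files.append(f"{host}:{path}")
    return drift


# Constructed sample inventories; the digests are placeholders, not real hashes.
BASELINE = {
    "10.0.1.10": HostState({22, 443}, {"/etc/ssh/sshd_config": "digest-A"}),
    "10.0.1.11": HostState({22, 3306}, {"/etc/passwd": "digest-C"}),
}
CURRENT_INVENTORY = {
    "10.0.1.10": HostState({22, 443, 4444}, {"/etc/ssh/sshd_config": "digest-B"}),
    "10.0.1.12": HostState({22}, {}),
}


def main() -> None:
    for line in compare(BASELINE, CURRENT_INVENTORY).findings():
        print(line)


if __name__ == "__main__":
    main()
```

Run against the constructed data, the comparison reports one new host, one missing host, one newly opened port on 10.0.1.10 and a changed sshd_config digest on the same host; a drift report with zero findings is the expected steady state, and anything else is a prompt to find the change ticket that explains it or to start an investigation.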
2. Cordon Off The Data
In addition to having a comprehensive picture of the network, companies should also put their critical data in well-monitored digital “vaults.” By restricting access to important data, any malicious attempts to copy or steal the data become more obvious, says Joe Stewart, director of malware research at Dell SecureWorks.
“You have to plan ahead of time,” he says. “And having your sensitive data in a separate enclave where you have stricter policy enforcement is a good idea.”
In addition, companies can borrow a technique from insider defenses, creating honeypot or decoy files that look interesting, but result in an alarm when copied or accessed.
“It is really equivalent to detecting an insider attack because the attacker is already operating from the inside,” RSA’s Hartman says.
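The decoy-file technique needs two halves: a way to record every access to the decoy, and a way to turn those records into an alarm. On Linux the first half is a file watch in the audit subsystem (`auditctl -w <path> -p rwa -k decoy`), which tags every read, write or attribute change of that path with `key="decoy"`. The block below is an added example, not code from the article or from any of the firms quoted; it parses audit records of that shape and raises an alert per decoy access. The log lines, paths, user ids and process names are constructed placeholders.

```python
"""Raise an alert when a decoy file is touched, from Linux audit records.

Added example, not from the article. It assumes the decoy paths were
registered with the audit subsystem, for example
    auditctl -w /srv/finance/decoy_salaries.xlsx -p rwa -k decoy
so that each access produces a SYSCALL record carrying key="decoy" plus
a PATH record with the file name. The sample log is constructed.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

DECOY_KEY = "decoy"

# Every audit record starts: type=<TYPE> msg=audit(<epoch>.<ms>:<event id>): field=value ...
_HEADER = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<id>\d+)\):")
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line: str) -> Optional[Dict[str, str]]:
    """Split one audit line into a field map; returns None for non-audit text."""
    m = _HEADER.match(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in _FIELD.findall(line[m.end():])}
    rec.update(type=m["type"], ts=m["ts"], id=m["id"])
    return rec


def decoy_alerts(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Group records by audit event id and alert on those keyed to a decoy."""
    events: Dict[str, Dict] = defaultdict(lambda: {"syscall": None, "paths": []})
    for line in lines:
        rec = parse_record(line.strip())
        if rec is None:
            continue
        if rec["type"] == "SYSCALL":
            events[rec["id"]]["syscall"] = rec
        elif rec["type"] == "PATH" and "name" in rec:
            events[rec["id"]]["paths"].append(rec["name"])

    alerts = []
    for ev in events.values():
        sc = ev["syscall"]
        if sc is None or sc.get("key") != DECOY_KEY:
            continue
        alerts.append({
            "ts": sc["ts"],
            "uid": sc.get("uid", "?"),
            "auid": sc.get("auid", "?"),   # login uid: who was really at the keyboard
            "pid": sc.get("pid", "?"),
            "exe": sc.get("exe", "?"),
            "paths": ",".join(ev["paths"]),
        })
    alerts.sort(key=lambda a: float(a["ts"]))
    return alerts


# Constructed audit excerpt: two decoy reads and one ordinary, unkeyed file open.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1323086400.101:2001): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=4021 pid=4077 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="decoy"
type=PATH msg=audit(1323086400.101:2001): item=0 name="/srv/finance/decoy_salaries.xlsx" inode=5242 dev=08:01 mode=0100640 ouid=0 ogid=1002 nametype=NORMAL
type=SYSCALL msg=audit(1323086405.220:2002): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=4021 pid=4080 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim" key=(null)
type=PATH msg=audit(1323086405.220:2002): item=0 name="/home/alice/notes.txt" inode=9912 dev=08:01 mode=0100644 ouid=1001 ogid=1001 nametype=NORMAL
type=SYSCALL msg=audit(1323086460.507:2003): arch=c000003e syscall=257 success=yes exit=4 items=1 ppid=1 pid=5150 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="tar" exe="/usr/bin/tar" key="decoy"
type=PATH msg=audit(1323086460.507:2003): item=0 name="/srv/finance/decoy_merger_plan.docx" inode=5243 dev=08:01 mode=0100640 ouid=0 ogid=1002 nametype=NORMAL
"""

if __name__ == "__main__":
    for a in decoy_alerts(SAMPLE_LOG.splitlines()):
        print(f"DECOY ACCESS ts={a['ts']} uid={a['uid']} auid={a['auid']} exe={a['exe']} paths={a['paths']}")
```

Because a decoy has no legitimate readers, every alert is actionable by construction; the `auid` and `exe` fields are what an analyst needs first, since they say which login session and which program touched the file. Backup agents and indexers that legitimately sweep the directory should be excluded from the watch rule or filtered on `exe` before alerting, otherwise the decoy trains people to ignore it.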
3. Monitor Hosts, Logs, And Network Traffic
Once defenders have a baseline understanding of their networks, threats can be detected by finding anomalous behavior in log files, host behavior, and network traffic.
Companies that do not regularly examine their log files are more likely to be breached. In the latest edition of its Data Breach Investigations Report, for example, Verizon found that 69 percent of the breaches it investigated in a year could have been detected by analyzing log data. Instead, almost seven out of every eight breaches were discovered, not by the victim, but by a third-party firm — a pattern that is far less likely to occur when the stolen asset is intellectual property.
Monitoring network traffic can also lead to the discovery of an attack. Moreover, systems that record network data for later analysis can help a company analyze a potential threat, Hartman says.
“You might, in a log file, see that file XYZ has been exfiltrated,” he says. “But a good attacker will delete the file, so you won’t know what they took. With the packets, you can discover what was stolen.”
Finally, host-based intrusion detection systems that go beyond antivirus and reactive signature detection are also key to figuring out what may be causing the anomalies — whether a malicious attacker or a malfunctioning program.
“Logs are great, network traffic is great, but those two don’t give you a view of what the programs are doing,” Hartman says.
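The anomaly hunting this section describes starts from the baseline in section 1: once normal outbound volume and the usual set of destinations are known for each host, a day that departs sharply from them is worth a look. The following is an added example, not code from the article or from RSA or Dell SecureWorks; it builds a per-host profile from a constructed history of flow records (using RFC 5737 documentation addresses, with volumes in megabytes) and flags a host whose outbound total jumps well past its own baseline or that starts talking to a destination it has never used before.

```python
"""Flag unusual outbound traffic against a per-host baseline.

Added example, not from the article. The flow records are constructed
(RFC 5737 documentation addresses) and volumes are in megabytes per day;
a real deployment would aggregate NetFlow, proxy or firewall logs.
"""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Set, Tuple

Flow = Tuple[int, str, str, float]  # (day, source host, destination ip, MB out)


class Profile:
    """What 'normal' looks like for one host over the baseline window."""

    def __init__(self, daily_totals: List[float], destinations: Set[str]):
        self.mean = mean(daily_totals)
        # Floor the spread at 10% of the mean so a perfectly flat history
        # still leaves a little room instead of alerting on any change.
        self.spread = max(pstdev(daily_totals), 0.1 * self.mean)
        self.destinations = destinations


def build_profiles(flows: List[Flow]) -> Dict[str, Profile]:
    per_day: Dict[str, Dict[int, float]] = defaultdict(lambda: defaultdict(float))
    dests: Dict[str, Set[str]] = defaultdict(set)
    for day, src, dst, mb in flows:
        per_day[src][day] += mb
        dests[src].add(dst)
    return {h: Profile(list(per_day[h].values()), dests[h]) for h in per_day}


def detect(flows: List[Flow], profiles: Dict[str, Profile], z: float = 3.0) -> List[Tuple[str, str, str]]:
    """Return (host, kind, detail) findings for one day's flows."""
    totals: Dict[str, float] = defaultdict(float)
    seen: Dict[str, Set[str]] = defaultdict(set)
    for _, src, dst, mb in flows:
        totals[src] += mb
        seen[src].add(dst)

    findings = []
    for host in sorted(totals):
        p = profiles.get(host)
        if p is None:
            findings.append((host, "unprofiled_host", "no baseline for this source"))
            continue
        threshold = p.mean + z * p.spread
        if totals[host] > threshold:
            findings.append((host, "volume",
                             f"{totals[host]:.0f} MB out vs baseline {p.mean:.1f} MB "
                             f"(threshold {threshold:.1f} MB)"))
        for dst in sorted(seen[host] - p.destinations):
            findings.append((host, "new_destination", dst))
    return findings


# Constructed history: seven quiet days for two hosts, then a day on which
# 10.0.1.20 sends a large volume to a destination it has never used.
BASELINE_FLOWS: List[Flow] = []
for _day, _mb in enumerate([48, 52, 50, 49, 51, 50, 50], start=1):
    BASELINE_FLOWS.append((_day, "10.0.1.20", "203.0.113.10", _mb))
    BASELINE_FLOWS.append((_day, "10.0.1.21", "203.0.113.10", 10))

TODAY_FLOWS: List[Flow] = [
    (8, "10.0.1.20", "203.0.113.10", 47),
    (8, "10.0.1.20", "198.51.100.7", 2400),
    (8, "10.0.1.21", "203.0.113.10", 11),
]

if __name__ == "__main__":
    for host, kind, detail in detect(TODAY_FLOWS, build_profiles(BASELINE_FLOWS)):
        print(f"{host}\t{kind}\t{detail}")
```

On the constructed data only 10.0.1.20 is flagged, once for volume and once for the unseen destination, while 10.0.1.21's slightly higher day stays inside its threshold. Either finding on its own is a lead, not a verdict; as Hartman notes above, the captured packets are what tell you what actually left, and host-level telemetry is what tells you which program sent it.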