The new measure of security: visibility

POSTED on November 23, 2016

Kasey Cross discusses the importance of having the ability to see active attackers on your network at work

Kasey Cross, director of product management, LightCyber

Given the magnitude of the data breach problem and the escalating costs and coming penalties, one value you must insist on from your security infrastructure is visibility. In particular, it’s critical to have an ability to see an active attacker at work on your network.

Today, most organisations are blind to the operational activities of internal or externally-based attackers. The industry average for dwell time still centres around five months, giving attackers plenty of time to accomplish their goals without fear of detection. It is a sobering reflection of the failure of traditional security to find an attacker early and curtail a data breach or something even worse.

Specifically, security professionals must be able to pinpoint the things that an internal or external attacker must do to achieve their goal. This is a type of visibility that starts once an attacker has gained a foothold in the network and has actively begun a campaign. Primarily, these activities will involve reconnaissance and lateral movement, as they tend to produce the largest number of “signals” as an attacker surveys a compromised network and attempts to gain control of valuable assets.

When you think about it, once an external attacker gains access to a network—usually through a compromised user computer or account—they need to accomplish two main things. They need to look around and understand the lay of the land (or LAN as the case may be) to see where assets are located and what infrastructure and vulnerabilities they can use to get to them. In parallel, they need to expand their sphere of control, so they can have access to assets to steal, modify or damage them. An insider typically needs to follow these steps as well.

The steps an attacker uses generally involve common IT or networking tools and procedures. This is one reason why it is so difficult to spot and so easy to miss the signs of their work. What they do and what they use blend in with normal network activity. Detecting it is best accomplished through behavioural profiling, so that there is a baseline of known good for every user and device on the network. From such a baseline, anomalies become apparent, and then the trick is to determine which anomalies are likely to be indicative of an active attack.

It’s also important to note that rarely do these steps involve the use of malware. Malware may be used in the initial intrusion to gain entry to the network, but once an attacker is inside, it is rare to see the use of malware. If you are primarily focused on detecting malware, you will surely miss the activities of an internal or external attacker.

Having meaningful visibility primarily involves discernment of internal traffic from users to and from data centres—whether they are on-premises or cloud-based—and between user machines. Of course, visibility should also involve looking at internet-bound traffic as well as return traffic from the internet. If the goal is to uncover a targeted external attacker working on a data breach or an insider that is intentionally or unintentionally conducting malicious activity, the best signs to look for are inside the network—tools and activities used or performed by a user or device on the network that are anomalous and suspicious and likely part of reconnaissance or lateral movement.

This “East-West” traffic can provide the greatest number of reliable signals of an attack. “North-South” traffic—command and control and exfiltration—is also important, but it is far less reliable since it is easily obfuscated because an attacker generally controls both ends of transmission. A good number of security solutions include some form of North-South visibility, but East-West visibility tends to be rare. Without it, you would be hard pressed to know if there might be an active attacker on your network and what exactly is going on. This is precisely what attackers are counting on to successfully complete their goals.

Contributed by Kasey Cross, director of product management, LightCyber