For too long, attackers have been one step (or several) ahead of security teams. They study the security solutions on the market and identify gaps they can use to their advantage. They favor attack methods that are low cost and high return, like stolen credentials and phishing, which work more often than not. They bank on security teams being too overwhelmed by alerts to sift through the noise and detect their presence. In this week's webcast, Matt Hathaway explored what security professionals need to do to get ahead of attackers, whether by increasing the cost of attacks, catching attackers in their favorite hiding spots, or learning to recognize the tools and techniques all attackers use. Read on for the top 3 takeaways from “Getting One Step Ahead of the Attacker: How to Turn the Tables”:
1) Attackers Have Gotten Creative – Defenders have advanced malware detection to the point where even newer and more innovative malware is detected and blocked with a high success rate, which is great. However, success in this area pushes attackers toward stealthier and more creative tactics, often involving social engineering and user impersonation. Attackers study their targets and use spear phishing to gain a foothold in an organization's network through its users. Once in, they move from system to system by continuing to impersonate normal user activity. Attackers also understand how the average network is laid out, which gaps they may be able to take advantage of, and where monitoring is generally in place. Attackers don't necessarily have to be sophisticated to succeed; sometimes persistence is enough.
2) Anomalous Activity is the Answer – Alliteration aside, it really is crucial for security professionals to be able to recognize what kind of user activity on their network is normal and what is not. How many systems should each individual access, and how many do they actually access? What data is typically transmitted internally and externally by different groups in your organization? Have a simple baseline measurement of what constitutes normal access for the average user. The ability to access and review all the data for an individual, account, or system is also important for when something abnormal occurs and you need more context to determine whether the alert is valid. If you aren't monitoring for anomalous user behavior, it becomes harder and harder to detect an attack early enough to prevent data loss.
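To make that baseline concrete, here is an added example (not from the webcast or its authors) that records the set of hosts each user successfully accessed during a baseline window and flags users who, in the window under review, reached several hosts they had never touched before. The log line format, hostnames and threshold are constructed for the example.

```python
from collections import defaultdict

# Constructed sample log lines (not real data): "<timestamp> user=<name> host=<host> result=<ok|fail>".
# BASELINE_LOGS stands in for a known-quiet period; CURRENT_LOGS is the window being reviewed.
BASELINE_LOGS = [
    "2024-01-02T09:00:01 user=alice host=ws-alice result=ok",
    "2024-01-02T09:05:12 user=alice host=fileserver result=ok",
    "2024-01-02T09:07:40 user=bob host=ws-bob result=ok",
    "2024-01-02T09:10:03 user=bob host=fileserver result=ok",
    "2024-01-02T09:12:55 user=carol host=ws-carol result=ok",
]
CURRENT_LOGS = [
    "2024-01-09T08:58:11 user=alice host=ws-alice result=ok",
    "2024-01-09T09:01:30 user=alice host=fileserver result=ok",
    "2024-01-09T09:03:02 user=bob host=ws-bob result=ok",
    "2024-01-09T09:04:18 user=bob host=fileserver result=ok",
    "2024-01-09T09:06:45 user=bob host=ws-alice result=ok",
    "2024-01-09T09:08:20 user=bob host=hr-db result=ok",
    "2024-01-09T09:09:01 user=bob host=finance-db result=ok",
    "2024-01-09T09:11:37 user=bob host=backup-srv result=fail",  # failed logon: not an access
    "2024-01-09T09:15:00 user=carol host=ws-carol result=ok",
    "2024-01-09T09:16:22 user=carol host=fileserver result=ok",
]

def parse(line):
    """Split one log line into (user, host, result); the leading timestamp is skipped."""
    fields = dict(token.split("=", 1) for token in line.split()[1:])
    return fields["user"], fields["host"], fields["result"]

def distinct_hosts(lines):
    """Map each user to the set of hosts they successfully accessed in these lines."""
    hosts = defaultdict(set)
    for line in lines:
        user, host, result = parse(line)
        if result == "ok":
            hosts[user].add(host)
    return hosts

def anomalous_users(baseline_lines, current_lines, min_new_hosts=2):
    """Flag users who reached at least min_new_hosts hosts absent from their baseline.
    Returns {user: sorted list of previously unseen hosts} so an analyst has context."""
    baseline = distinct_hosts(baseline_lines)
    current = distinct_hosts(current_lines)
    flagged = {}
    for user, hosts in current.items():
        new_hosts = hosts - baseline.get(user, set())
        if len(new_hosts) >= min_new_hosts:
            flagged[user] = sorted(new_hosts)
    return flagged
```

With these inputs only bob is flagged: three hosts outside his baseline, including another user's workstation, which is the kind of impersonated lateral movement the takeaway describes; carol's single new host stays below the threshold.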
3) Don't Neglect Endpoints or the Cloud – The majority of user activity happens on endpoints and in the cloud, and often this information isn't logged in a centralized place. The cloud provides a lot of convenience and productivity, but making things easier for users also creates more opportunities for attackers. If you don't know which cloud services your company is using or what people are doing in them, attackers have a way to get data out of the organization without ever touching the network. You must analyze behavior across cloud services and endpoints so you don't miss suspicious changes. Failure to monitor user behavior on endpoints and in the cloud creates major blind spots for security professionals. Sometimes an indication of attack is obvious, for example a vulnerability being exploited or a port scan. However, a great deal of attacker behavior is far more nuanced and stealthy.
For a more in-depth discussion of how to spot attacker behavior and increase the cost of attacks to reduce risk, view the on-demand webcast now.