Enterprise security: the protective power of patterns
How can businesses keep up with the fast paced threat landscape?
OK, so with all that in mind, what are the most important indicators of compromise?
Quite possibly the most obvious for the most security operators out there are going to be the simplest, such as those discrete and obvious pieces of information such as IPs and domains.
"These are easy to gather and understand for those who aren't necessarily dedicated intrusion analysts or investigators," Nick Mazitelli, Senior Consultant at Context Information Security explains. He goes on:"The event flow from them should be fairly straightforward to process." No pun intended, but context is everything and there is a risk of false positives along with the bane of 'incident fatigue' these can cause.
"These simple and discrete indicators probably have the shortest useful life due to these ease with which an attacker can churn them, so the intelligence front is likely to move much more quickly,"Mazitelli points out.
But IPs and domains are just the tip of the iceberg, with heaps of other indicators hidden below the waterline. So where should you start in really getting to grips with the serious patterns of prediction?
Jonathan Martin, Director of Enterprise Security Products (EMEA) with HP, thinks there are really three key things that all CISOs/CIOs should be on the lookout for."Unusual network traffic is usually a sign that something is awry," Martin says.
The adversary will not only attempt to penetrate the infrastructure, but once there they will try and extract valuable data which can be monetised. Which is why unorthodox outbound traffic tends to be easier to identify and analyse than incoming traffic and there are a number of tools and solutions which can do this and work to isolate the breach. Then there are the "anomalies with privileged user behaviour" whereby a common route to valuable data is for the adversary "to mimic, or to attempt to compromise privileged user accounts by using Phishing techniques," Martin continues. With the right degree of research, it is fairly easy to takeover a privileged account and gain access to the system.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
"Time of activity, systems accessed, type or volume of information accessed, all will provide early indication of a breach," according to Martin. Geographical irregularities with log-ins and access patterns as well as multiple logins from different IP addresses can provide good evidence that the adversary is at work.
Then, finally, in this group of key indicators we have those incidents where attackers have attempted to make registry changes so as to establish backdoor access.
"Monitoring system files and configurations along with registry changes are a good way to identify possible incidents," Martin concludes.
Geoff Webb, Director of solution strategy at SIEM specialist NetIQ, throws in a fourth indicator: unexpected patching of systems. "While this might seem like a good thing," he explains. "This can indicate that an attacker has established a footing within your network and is busy closing vulnerabilities to keep out the competition."
Identifying risk through the security noise
The sad reality of the world we live in is that, for the most part at least, the bad guys have a pretty decent head start and are not backwards in exploiting whatever opportunities arise as a result.The role of enterprise security teams therefore has to be that of minimising the window of opportunity."Where smoke signals form, dump water by the gallon before the smoke turns into a full blown fire," says Meint Dijkstra, director of technical services at COMPUTERLINKS. In other words, to understand the risks to the organisation then visibility of how an attack is actually unfolding is key to tackling it effectively and in a timely fashion.Let's face it, most enterprises these days have data logscontaining all the evidence needed for an expert eye to prove the how, when, what and where of any attack. "The problem most organisations have," suggests Paul Pratley, Investigations Manager for the Verizon RISK Team (EMEA), "is identifying what indicators matter to them and represent organisational risk out of all the security noise."
There is a real need to carry out threat modelling and adapt the deployment of security solutions into the places that really matter. "Ask these important questions," Pratley concludes."What are my organisations highest risk assets and how am I going to know when those assets are being targeted, what will that attack look like?"
Finding the right answers will lead you to a place of understanding where patterns, prediction and protection merge...
Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.
Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.
You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.