Threat actors continue to advance their tactics, techniques and procedures (TTPs). Among the most sophisticated are advanced persistent threats (APTs): actors that target specific industries or even individual companies and are prepared to spend months inside a network exfiltrating data.
Because of their expertise and resources, they may be able to remain hidden in your network for a long time. The 2020 Verizon Data Breach Investigations Report (DBIR) found that 81% of breaches were contained in days or less, whereas the prior year's DBIR reported that 56% of breaches took months or longer to discover. The two figures measure different things (containment versus discovery), so the improvement is suggestive rather than like-for-like.
APTs are not the only threat to a company’s network, however: traditional attack vectors remain very active, and insider threats account for a large share of incidents as well. According to TechJury, businesses in the United States experience approximately 2,500 breaches daily, the number of incidents has risen 47% since 2018, and as many as 25% of insider attacks are carried out by trusted business partners.
The traditional model of access controls and perimeter defenses is no longer sufficient against these threats. As organizations move towards Zero Trust security, they need an approach that takes a holistic view of the environment rather than trusting whatever is already inside the perimeter.
Visibility is a key factor
One of the biggest problems with alert monitoring is not only false positives but also the high volume of duplicate true positives. Alerting is valuable when it points you to a real issue, but deciding what is truly malicious takes deep knowledge of the environment, a baseline of normal activity and the ability to dig deeper to establish the actual nature of the threat. Perimeter defenses are necessary, but they will not protect against a user clicking a malicious email attachment or an insider smuggling data out through steganography. Nor do they show what is happening inside: east-west traffic between internal hosts, for example, remains a blind spot in many enterprises.
To truly understand your network you need real-time examination of packets, which is where network traffic analysis (NTA) evolves into network detection and response (NDR). This matters more as corporate environments expand beyond their traditional infrastructure into virtualized and cloud environments, each of which creates new blind spots.
A robust NDR takes the data produced by NTA and turns it into actionable output: guidance on the next steps once a threat is identified, so that less-senior staff can choose an appropriate response to the incident.
To monitor the environment fully, NDR observes all communications within the network and cloud infrastructures. It learns what is normal for your network in relation to your applications and users, and what is anomalous: it builds a profile of normal network behavior from raw packets and alerts when activity deviates from that profile.
Data exfiltration does not have to happen in large chunks to count as anomalous; sophisticated anomaly detection weighs many other dimensions. Whether a device sends out a large volume at once or small chunks spread over a long period, NDR can detect the pattern, which raises the odds of catching slow-moving threats. Whatever the threat, NDR provides useful information about what is taking place.
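To make the burst-versus-trickle point above concrete, here is an added example written for this article (not code from any NDR product). It builds a per-host egress baseline from a week of constructed flow records and then runs two detectors over the following day: one for a single oversized hour, and one for a rolling 24-hour total that creeps past the baseline even though no individual hour looks unusual. The host names, addresses, byte counts and the 10x/1.5x thresholds are all assumptions chosen for the demonstration.

```python
"""Per-host egress baselining with two detectors: a burst detector for one
oversized hour and a low-and-slow detector for a rolling 24h total that
drifts past the baseline while every single hour still looks ordinary."""
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta
from statistics import median

# Assumed internal ranges; anything else counts as an external destination.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CUTOFF = datetime(2024, 5, 8)  # flows before this date train the baseline


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def build_flows():
    """Constructed flow records: (timestamp, src_host, dst_ip, bytes_out)."""
    flows = []
    start = datetime(2024, 5, 1)
    for h in range(7 * 24):  # one week of baseline traffic
        ts = start + timedelta(hours=h)
        flows.append((ts, "host-a", "203.0.113.10", 50_000 + (h % 5) * 1_000))  # CDN
        flows.append((ts, "host-b", "203.0.113.10", 50_000 + (h % 7) * 1_000))
        flows.append((ts, "host-b", "10.0.0.5", 5_000_000))  # internal file server, ignored
    for h in range(24):  # detection day
        ts = CUTOFF + timedelta(hours=h)
        # host-a: one 2 GB upload at 03:00, otherwise its usual CDN traffic
        flows.append((ts, "host-a", "203.0.113.10", 2_000_000_000 if h == 3 else 52_000))
        # host-b: usual traffic plus a 40 KB/hour trickle to a never-seen host
        flows.append((ts, "host-b", "203.0.113.10", 52_000))
        flows.append((ts, "host-b", "198.51.100.7", 40_000))
        flows.append((ts, "host-b", "10.0.0.5", 5_000_000))
    return flows


def hourly_egress(flows):
    """Bytes per (host, hour) sent to external destinations only."""
    series = defaultdict(lambda: defaultdict(int))
    for ts, host, dst, nbytes in flows:
        if is_external(dst):
            series[host][ts.replace(minute=0, second=0, microsecond=0)] += nbytes
    return series


def baseline(hours, cutoff):
    """Median hourly and median daily egress over the training period."""
    learn = {ts: b for ts, b in hours.items() if ts < cutoff}
    daily = defaultdict(int)
    for ts, b in learn.items():
        daily[ts.date()] += b
    return median(learn.values()), median(daily.values())


def detect(flows, cutoff=CUTOFF, burst_factor=10, slow_factor=1.5):
    """Return alerts as dicts with kind, host, ts and the offending volume."""
    alerts = []
    for host, hours in hourly_egress(flows).items():
        hourly_med, daily_med = baseline(hours, cutoff)
        recent = sorted((ts, b) for ts, b in hours.items() if ts >= cutoff)
        # burst: a single hour far above the host's normal hourly volume
        for ts, b in recent:
            if b > burst_factor * hourly_med:
                alerts.append({"kind": "burst", "host": host, "ts": ts, "bytes": b})
        # low-and-slow: rolling 24h total versus the host's normal daily volume
        window, total = deque(), 0
        for ts, b in recent:
            window.append((ts, b))
            total += b
            while ts - window[0][0] >= timedelta(hours=24):
                total -= window.popleft()[1]
            if total > slow_factor * daily_med:
                alerts.append({"kind": "low-and-slow", "host": host, "ts": ts, "bytes": total})
                break  # one alert per host; the supporting detail is the window itself
    return alerts


if __name__ == "__main__":
    for a in detect(build_flows()):
        print(f"{a['kind']:12s} {a['host']}  {a['ts']:%Y-%m-%d %H:%M}  {a['bytes']:,} bytes")
```

Run as a script, it reports a burst for host-a at 03:00 and low-and-slow alerts for both hosts; host-b's 40 KB/hour trickle never trips the burst rule (its busiest hour is well under ten times its median) but crosses the daily threshold after 21 hours. The internal file-server transfers, though far larger, are excluded before baselining, which is the point: raw volume is not the signal, deviation from the host's own external profile is.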
NDR complements EDR and SIEM
The old approach of focusing resources on stopping an attack at the gate, or simply reacting after the fact, is not enough. Adding more firewalls or intrusion detection systems (IDS) does not answer the more sophisticated threats. Reviewing aggregated logs in a security information and event management (SIEM) system takes more analyst hours than most companies have, and log data alone is still insufficient for deep investigation or hunting. Endpoint detection and response (EDR) provides rule-based automated responses and analysis based on what happens on the endpoint itself, so activity that plays out between endpoints, such as lateral movement, can go unnoticed. An attacker will tend to operate in near stealth until ready to launch the final stage of the attack. To counter that, the security team has to do many things at once: review Active Directory logs, run EDR, enforce least privilege, collect logs and configure alarms. No single piece detects the attack on its own, which is what makes detection and identification an operational nightmare.
True NDR sees the complete picture by using traffic analysis to understand user and data interactions, and then goes a step further: it builds the baseline of “normal” behavior, alerts when abnormal behavior appears and can pinpoint which of that behavior is actually malicious.
By visualizing the “tree” of all user and data interactions and letting the operator focus on the suspicious “leaves”, NDR lets the operator move straight from an alert with no context to an understanding of the full scope of the incident.
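The east-west blind spot, the lateral-movement problem and the “tree and leaves” view above can all be shown on flow records. What follows is an added example written for this article, not the code of any product: it learns which internal (destination, port) pairs each host normally uses, flags a host that reaches several never-before-seen internal destinations on admin ports within a short window, and attaches the host's complete activity (the tree) alongside the suspicious connections (the leaves). The hosts, addresses, ports and the five-peers-in-30-minutes threshold are constructed for the example.

```python
"""Baseline each host's internal peers, then flag east-west fan-out to new
hosts on admin ports: the pattern lateral movement leaves in flow data even
when every single connection looks like ordinary file-server or RDP traffic."""
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_PORTS = {445: "smb", 3389: "rdp", 5985: "winrm", 22: "ssh"}
CUTOFF = datetime(2024, 5, 8)  # everything before this trains the peer profile


def build_flows():
    """Constructed flow records: (timestamp, src_host, dst_ip, dst_port)."""
    flows = []
    start = datetime(2024, 5, 1)
    for day in range(7):
        for hour in range(9, 18):
            ts = start + timedelta(days=day, hours=hour)
            for n in range(1, 21):  # twenty workstations with identical habits
                ws = f"ws-{n:02d}"
                flows += [(ts, ws, "10.0.0.5", 445),   # file server
                          (ts, ws, "10.0.0.2", 389),   # LDAP to the DC
                          (ts, ws, "10.0.0.2", 88)]    # Kerberos
            flows += [(ts, "admin-01", "10.0.0.5", 3389),  # admin host RDPs to servers
                      (ts, "admin-01", "10.0.0.6", 3389)]
    # Detection day: ws-03 carries on as usual ...
    for hour in range(9, 18):
        ts = CUTOFF + timedelta(hours=hour)
        flows += [(ts, "ws-03", "10.0.0.5", 445), (ts, "ws-03", "10.0.0.2", 389)]
    # ... admin-01 RDPs to one server it has not used before (new, but alone) ...
    flows.append((CUTOFF + timedelta(hours=11), "admin-01", "10.0.0.7", 3389))
    # ... and ws-12 opens SMB to eight other workstations within 16 minutes
    for i in range(8):
        ts = CUTOFF + timedelta(hours=10, minutes=2 * i)
        flows.append((ts, "ws-12", f"10.0.0.{21 + i}", 445))
    return flows


def peer_profile(flows, cutoff=CUTOFF):
    """Which (dst, port) pairs each host normally talks to, learned before cutoff."""
    profile = defaultdict(set)
    for ts, src, dst, port in flows:
        if ts < cutoff:
            profile[src].add((dst, port))
    return profile


def detect_fanout(flows, cutoff=CUTOFF, min_new=5, window=timedelta(minutes=30)):
    """Alert when a host reaches >= min_new never-before-seen internal
    destinations on admin ports inside a sliding time window."""
    profile = peer_profile(flows, cutoff)
    tree = defaultdict(list)    # the "tree": every interaction of each host after cutoff
    leaves = defaultdict(list)  # the "leaves": new for that host AND on an admin port
    for ts, src, dst, port in flows:
        if ts < cutoff:
            continue
        tree[src].append((ts, dst, port))
        if port in ADMIN_PORTS and (dst, port) not in profile[src]:
            leaves[src].append((ts, dst, port))
    alerts = []
    for host, events in leaves.items():
        events.sort()
        lo = 0
        for hi, (ts, _, _) in enumerate(events):
            while ts - events[lo][0] > window:
                lo += 1  # slide the window forward
            if len({dst for _, dst, _ in events[lo:hi + 1]}) >= min_new:
                span = [e for e in events[lo:] if e[0] - events[lo][0] <= window]
                alerts.append({
                    "host": host,
                    "first_seen": span[0][0],
                    "last_seen": span[-1][0],
                    "new_peers": sorted({dst for _, dst, _ in span}),
                    "services": sorted({ADMIN_PORTS[p] for _, _, p in span}),
                    "context": sorted(tree[host]),
                })
                break
    return alerts


if __name__ == "__main__":
    for a in detect_fanout(build_flows()):
        print(f"{a['host']}: {len(a['new_peers'])} new {','.join(a['services'])} peers "
              f"between {a['first_seen']:%H:%M} and {a['last_seen']:%H:%M}: "
              f"{', '.join(a['new_peers'])}")
```

Only ws-12 is reported: its eight SMB sessions are each indistinguishable from the file-server traffic every workstation generates, and nothing on any one endpoint changes, yet against the host's own peer profile they are eight new destinations in 16 minutes. admin-01's single new RDP target is recorded as a leaf but stays under the threshold, which is the kind of tuning that keeps legitimate administration from paging the on-call analyst.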
Gadolinium attack (aka APT40, or Leviathan)
A few months ago it was reported that a Chinese state-sponsored APT known as Gadolinium (also tracked as APT40 or Leviathan) was abusing Azure Active Directory (Azure AD) cloud applications to compromise end users. The attacks began with spear-phishing emails carrying malicious documents with COVID-19-themed titles. The malware within those documents ran PowerShell-based commands designed to change the end users’ configuration “with the permissions needed to exfiltrate data to the attacker’s own Microsoft OneDrive storage.”
Monitoring cloud infrastructure as well as on-prem environments is key to getting the foundations of security right. Strong security practices that leverage NDR can stop an attack in its tracks, or at least limit lasting damage, by exposing the attacker early in the intrusion.
Contact us to set up a demo and learn more!