In one of our previous blog posts we discussed the importance of deterrence in physical security, and how this principle does not carry over to the digital world. A bank robber may make only one attempt because the risk of capture is high; cyber offenders, on the other hand, make countless attempts to crack defenses by trial and error. Unlike a bank robbery, they will keep looking for a way in: phishing campaigns, exploit kits that take advantage of multiple vulnerabilities, brute-force cracking, polymorphic malware and so on. The bad news is that only one attack among the many attempts needs to succeed. The good news is that most of those attempts will probably be recorded in the prevention logs of your security monitoring systems.
Of course this concept is nothing new, and SOC teams today already use correlation rules to automatically blacklist intruders and restrict suspicious devices from access. When you think about it, this strategy is really just adding more prevention mechanisms, which we all know fall far short of full protection. So the next time your next-generation prevention system dashboard declares victory with an “An attack has been prevented” message, be suspicious that a bigger attack may actually be well underway. The question is whether your security team will even notice the bigger attack.
To make this point a bit clearer, let’s examine several real-life scenarios in which a log entry declaring the threat handled and closed may not be enough to detect a serious breach:
- Phishing: Social engineering is a very common, easy-to-use yet very successful attack vector, as it tries to exploit the most vulnerable factor of all: the human mind. Very often harmful messages bypass our spam filters and make their way to our employees’ inboxes or their social network accounts. If your email security solution has prevented a phishing attempt, the security team should still immediately check for similar behavior with different attributes (sender, subject, recipient) in the days and even weeks before, to see whether this is actually part of a bigger campaign.
- Malicious DNS Requests: Most malware leverages DNS to communicate with its command and control server before it tries to exfiltrate data. Although security vendors are doing their best to identify these malicious requests, attackers use advanced tactics to bypass these measures, such as DGAs and IP flux. Pay attention to malicious DNS requests blocked by your NGFW: a block could be an indication that one of your workstations is already infected, and that earlier requests from it went through.
- DLP Alert: Most data leaks are detected long after the first occurrence. Hopefully an alert is triggered immediately, but it is not uncommon for detection to take much longer (weeks to months, according to recent studies). While your DLP solution may have successfully prevented a file upload to an external server, there is a very good chance it was not able to stop the second or third attempt. Trace this activity and review past uploads from the same workstation, or similar uploads to the same destination from different workstations. You might be surprised by what you find.
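The three scenarios above share one investigative move: take the single “prevented” event as a pivot and pull out the related activity around it, including traffic the controls let through. The script below is an added example, not code from the original post or from any product it describes. Its event records, hostnames, look-alike sender domains, DNS names and the destination address 203.0.113.5 are all constructed for illustration; real email-gateway, NGFW and DLP exports use their own field names and would have to be mapped onto these keys first.

```python
"""Pivot from one "prevented" alert to the activity around it.

Added example, not code from the original post. The event format is
constructed for illustration: real email-gateway, NGFW, DNS and DLP logs
use different field names, so they need to be mapped onto these keys.
"""
from datetime import datetime, timedelta
from difflib import SequenceMatcher

# Constructed sample events. "action" records what the control did:
# "blocked" is what shows up as a prevention log; "allowed" traffic is
# only visible if full network visibility is retained alongside the alerts.
EVENTS = [
    {"ts": "2024-03-01T09:12:00", "source": "email", "action": "allowed", "host": "ws-07",
     "sender": "invoices@acme-billing.co", "subject": "Invoice 4471 overdue"},
    {"ts": "2024-03-04T10:03:00", "source": "email", "action": "allowed", "host": "ws-12",
     "sender": "billing@acme-bil1ing.co", "subject": "Invoice 4472 overdue"},
    {"ts": "2024-03-11T08:40:00", "source": "dns", "action": "allowed", "host": "ws-07",
     "query": "p0q7vm2ztx.net"},
    {"ts": "2024-03-12T14:22:00", "source": "dns", "action": "blocked", "host": "ws-07",
     "query": "xk3r9qzlw2.net"},
    {"ts": "2024-03-13T16:05:00", "source": "dlp", "action": "allowed", "host": "ws-07",
     "dest": "203.0.113.5", "file": "customers-q1.xlsx"},
    {"ts": "2024-03-14T15:30:00", "source": "dlp", "action": "allowed", "host": "ws-12",
     "dest": "203.0.113.5", "file": "payroll.csv"},
    {"ts": "2024-03-14T16:10:00", "source": "dlp", "action": "blocked", "host": "ws-07",
     "dest": "203.0.113.5", "file": "customers-q1-part2.xlsx"},
    {"ts": "2024-03-14T17:00:00", "source": "email", "action": "blocked", "host": "ws-19",
     "sender": "accounts@acme-billlng.co", "subject": "Invoice 4475 overdue"},
]


def parse_ts(value):
    return datetime.fromisoformat(value)


def similar(a, b, threshold=0.8):
    """Fuzzy match so look-alike sender domains and templated subjects still line up."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio() >= threshold


def domain(address):
    return address.rsplit("@", 1)[-1]


def is_related(trigger, event):
    """Source-specific notion of 'part of the same campaign' used for the pivot."""
    if event["source"] != trigger["source"]:
        return False
    if trigger["source"] == "email":
        return (similar(domain(trigger["sender"]), domain(event["sender"]))
                or similar(trigger["subject"], event["subject"]))
    if trigger["source"] == "dns":
        # Any other DNS activity from the same workstation, including queries the
        # NGFW let through, matters once one request from it has been blocked.
        return event["host"] == trigger["host"]
    if trigger["source"] == "dlp":
        # Earlier uploads from the same workstation, or to the same destination
        # from a different one.
        return event["host"] == trigger["host"] or event["dest"] == trigger["dest"]
    return False


def related_events(events, trigger, lookback_days=30):
    """Events of the same kind in the lookback window before the trigger, oldest first."""
    t_end = parse_ts(trigger["ts"])
    t_start = t_end - timedelta(days=lookback_days)
    hits = [e for e in events
            if e is not trigger and t_start <= parse_ts(e["ts"]) < t_end and is_related(trigger, e)]
    return sorted(hits, key=lambda e: e["ts"])


def host_timeline(events, host, until_ts, lookback_days=30):
    """Everything one workstation did up to the trigger, across all sources."""
    t_end = parse_ts(until_ts)
    t_start = t_end - timedelta(days=lookback_days)
    return sorted((e for e in events
                   if e["host"] == host and t_start <= parse_ts(e["ts"]) <= t_end),
                  key=lambda e: e["ts"])


if __name__ == "__main__":
    for trig in (e for e in EVENTS if e["action"] == "blocked"):
        hits = related_events(EVENTS, trig)
        print(f"{trig['ts']} {trig['source']} blocked on {trig['host']}: "
              f"{len(hits)} related earlier event(s)")
        for h in hits:
            print("   ", h["ts"], h["action"],
                  {k: v for k, v in h.items() if k not in ("ts", "action", "source")})
    print("timeline for ws-07 up to the DLP block:")
    for e in host_timeline(EVENTS, "ws-07", "2024-03-14T16:10:00"):
        print("   ", e["ts"], e["source"], e["action"])
```

Run on the constructed data, the blocked phishing message pivots to two earlier look-alike invoices that the gateway delivered, the blocked DNS request pivots to an allowed query from the same workstation the day before, and the blocked upload pivots to an earlier allowed upload from the same host plus one to the same destination from another host. The per-host timeline then ties the DNS blocks and the uploads on ws-07 together, which is the context a single “prevented” alert never shows on its own.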
The bottom line is that security systems may produce a kind of “false negative”: you have seemingly prevented a breach, but in fact may have stopped only one attempt in a much more orchestrated, complex operation. After visiting numerous SOCs and meeting dozens of security teams, we have found that most of the hard work of threat detection and response lies in understanding the context of all the alerts the analysts see on their screens every day. It is incredibly easy to miss a true threat when you rely only on NetFlow and metadata collected in your SIEM (and it does not matter which SIEM you use; they are not forensics platforms), because they lack the context of the full network conversations (emails, file-sharing protocols, DB transactions, activity in business applications and so on) needed to understand the big picture.
Automation tools may help as a first step, pulling basic information from a specific host or matching an IP address against blacklists, but they are far from being a forensics system either. The problem is that the traditional tools for investigating these alerts are very complicated and consume too much time. Next-generation forensics tools that provide immediate understanding of the entire network traffic, offer months of visibility, and integrate with your SIEM and other threat and scan feeds can dramatically reduce the time it takes to investigate these early warnings.