We’ve all seen this movie or TV scene: A hacker sits in a shadowy room busily typing on his keyboard. The camera slowly pans around him and within a few clicks — voilà! — the protagonist has deployed a cyber attack into the highly secured target he was trying to penetrate. ‘I’m in’, he says.
Radware executive Eyal Arazi says this may make for great TV, but the reality of data breaches is not as exciting. In fact, the biggest and most damaging attacks don’t happen in minutes.
Rather, they include multiple steps that unfold over months. They aren’t executed in a few clicks, but through a long process of exploration and exploitation. According to IBM’s Cost of Data Breach Report, the average time to detect and contain a cyber attack is 287 days. That’s over nine months!
If a data breach is made of so many individual steps, why aren’t the steps detected and the malicious exploit immediately identified? The answer is that they are detected, but the main problem of cloud security today is not detection. It’s correlation.
Tracing the steps
Data breaches and cyber attacks are not singular events. They are an ongoing process with multiple steps.
The first step usually is infiltration, during which an attacker gains a foothold in the network. Infiltration can happen in many ways. It can come by way of targeted credential theft, exploiting vulnerable web applications, third party credential theft, malware, and more.
The next step is usually reconnaissance. This is where attackers try to understand what the network architecture is, what access they have via stolen credentials, and where sensitive data is stored.
Compare this to thieves breaking in into a house in the middle of the night. The first thing they do is to check the layout of the house and determine where the valuables are being kept.
Once attackers are done with basic reconnaissance, usually they will attempt lateral expansion in the network. They move within the network into a higher tier with better access, perform privilege escalation to gain permissions with wider access, acquire sensitive data, and finally exfiltrate it outside the network.
These steps take weeks and months to progress, performed via a painstaking trail-and-error process by attackers, as they strive to identify sensitive resources and expand within the network.
Usually in the case of a cyber attack, we hear only of the first and last steps – infiltration into the network and data exfiltration. But during the steps in between, there is a whole world of activity that often goes unnoticed.
The importance of correlation
Modern security systems detect a lot; they probably detect too much. According to a study by IT security firm Bricata, the average security operation centre receives over 10,000 alerts each day from an ever-growing array of monitoring and detection products.
Despite these massive numbers of alerts, there are a number of reasons why malicious activity still goes undetected:
# Too many logs: When you have too many logs, it’s impossible to know which alerts matter, and which do not. Identifying a malicious event in a sea of false positives is like trying to find a needle in a haystack.
# Low risk alerts: While many events are detected, most of these are medium and low-risk alerts that are not worth investigating.
# Lack of context: Looking at an individual activity separately, it’s impossible to tell whether that activity is legitimate or not. That administrator logging on in the middle of night — is it because he is sleepless or did someone steal his user credentials?
That DevOps engineer invoking an API call she has never used before — is that because she is working on something new or a hacker trying something shady? Without context, it is impossible to tell.
# Duration of time: Going back to our original point — data breaches take a long time to unfold. This means that alerts related to it will be detected over an extended period. When events are detected in sequence, it is easy to tell they are related. But what happens when they are detected months apart?
Given these realities, it is unrealistic to expect security managers to be able to connect a random event to another event they spotted weeks or months ago. The answer is to use automated tools that not only detect individual events, but also correlate them into a logical sequence that shows how they are related.
Cyber attacks occur over extended periods of time. The bigger, more complex the network, the more time the attack will take. Over such a drawn-out period, it is impossible to keep track of individual events and connect them manually.
Rather, organisations need automated tools that will track separate activities over long time spans and alert IT to the aggregate threat of the event sequence. Begin the search here.