8
Cyber Intelligence: WHITE PAPER Getting Ahead of Compromise

Getting ahead of compromise

Embed Size (px)

Citation preview

Page 1: Getting ahead of compromise

Cyber Intelligence:

WHITE PAPER

Getting Ahead of Compromise

Page 2: Getting ahead of compromise

Cyber Intelligence: Getting Ahead of Compromise

Executive SummaryAs cyber threats become an inevitable part of the fabric of the enterprise’s digital environments, and targeted attacks are increasingly subtle and manipulative, the limitations of traditional security controls have been exposed. The defender is challenged with enhancing their visibility and insights into their own organizations’ systems, in order to regain the advantage and inform critical, timely decision-making. Cyber intelligence is central to this challenge, providing total visibility and tailored, real-time insights into emerging anomalies – as opposed to feeds of old news about previous threats. This intelligence-based approach is at the heart of the new generation of cyber defense, based on skilled people and cutting-edge ‘immune system’ technologies engaged in an ongoing process of learning, understanding and dealing with developing issues, before they turn into crises.

“Gaining ongoing insight into ecosystem vulnerabilities and threats helps anticipate and

plan for risks that might sideline others who are less informed”

PWC

“Darktrace provides us with absolute visibility into what is happening in real time. We

can now pinpoint and target our security resources”

Louis Kangurs, Virgin Trains

Page 3: Getting ahead of compromise

White Paper

3

Staying open for businessThe breach of the network perimeter is now assumed as inevitable by today’s security professional. This is the new reality, in which network boundary technologies, while playing a critical role in a layered defensive strategy, are insufficient to defeat the targeted attacker. It is accepted that breaches are unavoidable, and that it is a case of ‘when’ rather than ‘if’. In this new world, the challenge has changed. As well as defending the boundary, the modern business needs to address the threat within, and develop an intelligence-led approach to detecting live threat within a complex information environment.

Modern organizations are dependent on their ability to do business in an open and connected marketplace. The lifeblood of the enterprise is its data, and in order to drive growth, this diverse data must flow beyond and around traditional network boundaries. It is constantly moving between the organization and its customers, suppliers, staff, partners and so on. The challenge of the CISO today is to protect data that is ‘out there’ in the wild. Indeed, the very improvements that have enabled enterprises to thrive in the last ten years – connectivity, digitization, innovation – are the very things that have exposed them to the most risk. Today’s security professionals understand the balance that must be struck when considering the staff of an organization. Employees need to be trusted as valuable assets but they also represent a significant threat to the integrity of the enterprise’s data and, whether malicious or negligent, their behaviors elevate risk.

While there may be a temptation to tighten these controls and introduce more stringent policies, the reality of doing business means that people will always find a way around barriers that hinder them. Anyone will tell you that you can cure any disease if you kill the patient. As businesses, we cannot afford to suffocate ourselves with laborious and impracticable security controls under the illusion that we are more ‘secure’ as a result, at the expense of our ability to be competitive, agile and efficient. The challenge to today’s security professionals is to protect the enterprise’s most valuable assets while continuing to enable data to support growth.

Staying open for business within the context of an ever-changing threat landscape requires a balance between risk and benefit. The balance required is never completely stable or static, but constantly being readjusted to keep the scales equally weighted. It is a challenge that requires a subtle approach, based on a mentality of intelligence over security. Whereas cyber security assumes that defensive measures must work 100% of the time, cyber intelligence provides evidence-based insights that directly inform decision-making, surfacing high-priority issues over less significant ones, and giving the organization the best possible oversight and understanding of its own state of health, in order to implement the best treatment plan.

Page 4: Getting ahead of compromise

4

order to minimize the chances of being uncovered. Indeed, the average time that it takes to detect a malicious cyber-crime attack stands at 170 days, with advanced attackers involving insiders taking 259 days on average to detect.

During this time, the adversary gradually builds up an understanding of the network and its architecture that informs the steps they take to move around the network laterally and carry out the tailored attack. While the defending organization is constantly distracted by day-to-day business issues, the attacker has the advantage of time and resource, biding their time to collect intelligence and perpetrate their operation with a high degree of confidence of what they are doing, where they need to go and how to avoid detection.

Typically, an advanced attacker will look to gain persistence, both on a host, and indeed on a network. Looking to have options in the event of detection, an attacker will attempt to infiltrate a range of devices and servers on a network. Attackers will often be able to move within a network and develop knowledge of the tools used to detect them, allowing them to move stealthily enough to avoid detection by traditional rules-based technologies. The noise of the network, and the large volume of outputs of log-based technologies often makes it impossible to detect the subtle movement of the attacker. Despite the evidence often being discovered in the post-incident forensic phase, the defender has simply been overwhelmed by the sheer volume of noise.

Living under the radarCyber-attacks fill the headlines week after week, with dizzying figures of customer accounts compromised and negative reputation impact making for dramatic stories. Major breaches require immediate remediate action, with time, effort and money poured into clearing up after a compromise.

The concept of a ‘clean-up’ operation after a cyber-attack is a flawed one however. Organizations are never free of threats and potentially dangerous or malicious influences. While there is huge pressure on companies post-breach to be seen to be taking action, to mitigate the reputational hit and restore customer, market and shareholder confidence, it is often a case of ‘too little, too late’. Too late because the damage is done, and too little because the adversary has gained a level of control and infiltration within the target organization that their ability to retrospectively defend themselves is limited.

The challenge of the last few years has been aggravated by the industrialization of the cyber-crime economy and the increasing sophistication of the perpetrators. Advanced exploit tools are readily available on the internet – customizable malware, laboratories for testing and previously unseen hacking techniques can be exchanged and traded – which means that taking a hold within an organization has become trivial. Once inside, incognito attacks take place that are very difficult to spot because they are careful and subtle.

Firstly, outsider attackers will typically use the authorized access credentials of an employee, to avoid tripping perimeter alarms. This makes it extremely difficult to distinguish authorized activity from a cyber-threat actor intent on doing harm. Attackers use this cloak of legitimacy to perpetrate their attack, disguising themselves amid the normal interactions of that user and the day-to-day noise of the network. Being recognized as legitimate at the point of entry allows attackers an advantage. They are considered to be ‘trusted’ and the challenge of moving within the enterprise to find and eventually egress data or manipulate systems becomes easier.

Furthermore, attackers not only use targeted email campaigns and exploit legitimate credentials in order to pass under the radar, but they may also use zero-day exploits and purpose-built malware to achieve their goals. Subtle, well-disguised attacks are increasingly played out over long periods of time too, a testament to the adversary’s patience and persistence. An advanced threat actor may lie low in the network for days, weeks or months on end, patiently lying dormant within the organization in

Page 5: Getting ahead of compromise

White Paper

5

Visibility and insight Organizations need to take a step back when considering cyber defense strategies, first asking the question: how well do I know my own environment? As network infrastructures and intranets have grown and expanded with more and more devices, functionality and technologies, the digital architecture of an organization of any significant size is typically very complex. IT security managers and risk directors often lack visibility of the very systems that they manage, accessing only data siloes and focusing on specific parts of the organization where there are known problems to resolve.

Total visibility of all digital interactions and communications, not just a subset of them, is critical because it allows security professionals to make the best possible decisions, based on an understanding of the bigger picture. With visibility of the global trends and patterns that are happening on a day-to-day basis across the enterprise, these individuals are in a better position to configure security controls and the network environment, identify vulnerabilities or rogue employees, and indeed curb live cyber-threats. Seeing and understanding what is going on in real time is the first step to seeing what should not be happening – however subtle the deviation is.

Precious timeTime is therefore an extremely precious resource which the defender is often poor in. The advanced attacker meanwhile has vast resources in terms of human capital, time and funding to create capabilities that bypass the various components of traditional security stacks. Organizations consistently struggle to detect compromises at the earliest point of relevance, before damage is being or has been done, such as a large-scale data breach or a major operational interruption. Instead they find themselves in a race against the clock to clean up and minimize financial, reputational and operational damage, in spite of the many months of preparation and lateral movement of the threat actor prior to the final attack or breach activity. As long as the attacker continues to have the time advantage over the defender, target organizations will continually be on the back foot.

Businesses need to hit the reset button, and rethink the way that they view cyber security and cyber-attacks. To start with, this means ceasing to consider these concepts as absolute states; the former is not practically viable, and the latter has no clear perimeters – a cyber-attack has no obvious starting point and no clear end either. Every attack starts with a compromise, which starts with a subtle change in the normal order of things and builds to form a chain of events that together can wield control of a foreign environment and jeopardize that environment and its contents.

In an age of countless, ever-changing threats, analyzing yesterday’s adversaries is no guarantee of protecting against tomorrow’s. Today’s attackers are using constantly adapting their techniques and strategies in order to stay persistent, and achieve longevity within your systems. The baseline of normal behavior is constantly changing.

We therefore need to start counting time differently, looking to ‘catch’ suspicious activity within the window of time between the initial compromise and the first signs of abnormality. Rather than investing in post-mortem research of past breaches and compromises, we should focus on finding tomorrow’s problems – by tuning our ears to the very subtle signals that are emitted in the noise of a busy organization. Within an enterprise IT environment, this requires two key elements:

Intelligent analysis and abnormalitydetectionWith situational awareness of the entirety of an organization’s activity, new technologies can be leveraged to analyze it, and form a constantly-evolving picture of normality. Fundamental advances in probabilistic mathematics and machine learning have made this approach possible, delivered by technology that learns what is normal and abnormal within a particular organizational environment on a continual basis, and surfaces probabilistically anomalous events in real time.

Anomalies, or deviations from learnt normal behaviors across devices, networks and users, must be genuine and based on a dynamic understanding of the environment. Abnormal behavior can often be dealt with in a responsible way by business units – but only if it is detected early. Organizations need to liberate themselves from the task of sifting through masses of security alerts, produced based on predefined assumptions of what constitutes ‘a threat,’ and instead employ tailored intelligence that illuminates the digital enterprise environment and informs decision-making. Ultimately, mitigating risk is a continual exercise of informed decision-making by business professionals – the ability to focus on the right decisions and areas of concern requires a new generation of technology that is self-learning, probabilistic and adaptive.

Page 6: Getting ahead of compromise

6

“Darktrace is interesting because of its back-to-front approach to security... [it] profiles not possible attack vectors, but the network itself, as well as the devices that connect to the network and the network's users.”David Meyer, Gigaom, 2014

Cyber intelligence vs Threat intelligence

‘Threat intelligence’ is a term that has been given to the collection and sharing of information about identified threats. Essentially it refers to a database or feed of information that must be matched against an organization’s security alerts, logs and other forensics data to determine if a specific activity is a threat to the organization. If a detection can be correlated with a piece of threat data, it may be used to help protect against similar attacks that are still circulating.

The fundamental flaw of sharing information about past attacks is that it is retrospective and does not help organizations defend against tomorrow’s fresh attacks. It is requires at least one organization to get burnt by each new attack vector in order to find it, limiting itself to telling you about previous attacks, in the assumption that the same attack might replicate itself. Typically, it takes months for a new attack vector or technique to manifest in threat intelligence feeds. In the meantime, your enterprise is vulnerable to those same attacks that have yet to be revealed and shared by prior victims. At worst, it is a mass of inapplicable data that distracts from the core objective of the organization, which is to defend against future attacks, not past ones. It is little solace to know that your organization was the first to discover, and suffer, a new threat and the first to add it to the threat feed, for others to protect themselves.

Intelligence about threats must be tailored to an organization to be useful, and must feed into a human being at some point, in order for difficult decisions to be made. The best intelligence is that which assists human beings in the decision-making process, and gives them the best degree of confidence that those decisions are correct, appropriate and, most importantly, timely enough to avoid a full-scale data breach, operational interruption or reputational hit.

True cyber intelligence is not about identifying past threats and attack vectors, therefore, but is focused on understanding exactly what is happening within the organizations, to a level of granularity that will expose even very subtle and quiet actions. Clever intelligence is about analyzing this detailed, real-time information in such a way as to correlate multiple weak indicators and form a picture of understanding from that data.

Indeed, within the context of national security and law enforcement, ‘intelligence’ refers to the special insights that directly inform decisions around how to tackle specific risks and threats, before the adversary has seized the initiative and forced you onto the back foot. It provides evidence-based knowledge that allows human beings to determine how and when to take action, and in turn to assess the effectiveness of those decisions on an ongoing basis, as the context inevitably changes.

For organizations looking to take proactive action against cyber adversaries during their attack missions, these questions are critical and require high-quality intelligence, the result of advanced, context-aware analysis of a broad range of factors that contribute to an attack taking place. Cyber intelligence must drive decisions while compromises are nascent and manageable, in a timeframe that allows those decisions to be effective and avoids a crisis at its logical conclusion.

Page 7: Getting ahead of compromise

White Paper

7

Better focus, more action Attack techniques and methodologies are virtually impossible to predict, with yesterday’s attacks looking different to tomorrow’s one, or the one the day after. Internal vulnerabilities are a constant issue that require continual assessment. In this environment of countless threats existing within the organization at any given time, comprehensive visibility is required into the happenings of our own organizations to work out where to focus our attention, and establish cyber defense priorities in real time. Yet the overload of the security events and incidents that are frequently produced by the gamut of conventional security tools has often had the perverse effect of engendering inactivity, on the part of the security or IT function, due to the sheer volume of alerts that are surfaced, or the un-actionable nature of the information that is being fed back.

Security practitioners must be able to hone in on threats, in a way that makes sense to the organization, rather than spend valuable time on thousands of context-less alarms. Taking advantage of each enterprise’s unique configuration, the time your employees come to work, the types of devices they use and the way they use them, the resources that they access, etc. etc. is critical, because no adversary has such details for their attack planning. This granularity of activity must be leveraged by employing self-learning ‘immune system’ technologies that can see and intelligently analyze this data, establishing an implicit understanding of its level of normality or otherwise, and surface anomalies in real time that must be dealt with by the business in a timely fashion.

ConclusionThe cyber intelligence function is crucial to the new risk mitigation strategies that are being put in place to deal with tomorrow’s threats, providing organizations with actionable knowledge and evidence that they would not otherwise have access to, and allowing them to deal with the genesis of a compromise, at the point that the abnormality emerges.

Advanced mathematical technologies can leverage this ‘home advantage’ within very complex and dynamic environments. Next-generation solutions need to be highly sensitive to extremely low-level noise and catch the tweaks in normal behavior that manifest themselves as anomalous, based on an evolving understanding of what constitutes normality for that particular organization at any given moment in time.

Being able to cope with subtle actions and quiet compromise is key to being able to detect and address the early stages of compromise before they snowball into uncontrollable cyber incidents that culminate in major financial, operational or reputational damage to the organization. An Enterprise Immune System approach does this, by continually learning, spotting and analyzing the faint traces and weak indicators that necessarily precede each potential disaster, rather than turning up on the crime scene to work out what went so terribly wrong.

Page 8: Getting ahead of compromise

ABOUT DARKTRACEDarktrace is one of the world’s fastest-growing cyber defense companies and the leader in Enterprise Immune System technology, a new category of cyber solutions based on pioneering Bayesian mathematics developed at the University of Cambridge. Darktrace addresses the challenge of insider threat and advanced cyber-attacks through its unique ability to detect previously unidentified threats in real time, as manifested in the emerging behaviors of the network, devices and individuals. Some of the world’s largest organizations rely on Darktrace’s adaptive, self-learning platform to spot anomalous activity within the enterprise, in sectors including energy and utilities, financial services, telecommunications, retail and transportation. Darktrace was founded by world-class machine learning specialists and operational government intelligence experts. The company is headquartered in Cambridge, UK, with offices in London, Milan, New York, Paris, San Francisco and Washington D.C.

CONTACT US

UK: +44 (0) 1223 350 653US: +1 (917) 363 0822

Email: [email protected]

www.darktrace.com


LOCAL SEARCH: Getting Ahead with Google+

LOCAL SEARCH: Getting Ahead with Google+

Technology
Getting Ahead of the “Ripple Effect”

Getting Ahead of the “Ripple Effect”

Documents
The secret to getting ahead in Marketing

The secret to getting ahead in Marketing

Business
Getting Ahead and Staying Ahead of the Auditors NetPeoples Meeting July 2009

Getting Ahead and Staying Ahead of the Auditors NetPeoples Meeting July 2009

Documents
Getting Ahead of the Avalanche:

Getting Ahead of the Avalanche:

Documents
Getting Ahead with Hedge Accounting

Getting Ahead with Hedge Accounting

Documents
Getting ahead through innovation Always the reliable

Getting ahead through innovation Always the reliable

Documents
Your Guide to GettinG AheAd

Your Guide to GettinG AheAd

Documents
Workplace Realities Getting a Job and Getting Ahead

Workplace Realities Getting a Job and Getting Ahead

Documents
Getting Ahead with a Successful Chain Approach

Getting Ahead with a Successful Chain Approach

Documents
Getting Ahead: How Does Education Affect My Health?

Getting Ahead: How Does Education Affect My Health?

Documents
Preparation: Getting Ahead of the Game

Preparation: Getting Ahead of the Game

Documents
Getting ahead of the game whitepaper

Getting ahead of the game whitepaper

Documents
Getting a Step Ahead- Internal Hiring

Getting a Step Ahead- Internal Hiring

Recruiting & HR
Getting Ahead of Advanced Risks

Getting Ahead of Advanced Risks

Documents
Getting Ahead In The Meetings Industry, Anthony Hyde

Getting Ahead In The Meetings Industry, Anthony Hyde

Business
GlaxoSmithKline plc Investor Science Event Getting ahead

GlaxoSmithKline plc Investor Science Event Getting ahead

Documents
GETTING AHEAD OF THE CURVE › images › Getting-ahead...GETTING AHEAD F THE CURVE 3 power vacuum and loss of some states’ monopoly on violence. All these factors may lead to vicious

GETTING AHEAD OF THE CURVE › images › Getting-ahead...GETTING AHEAD F THE CURVE 3 power vacuum and loss of some states’ monopoly on violence. All these factors may lead to vicious

Documents
Whenstatusisgrabbedandwhenstatusisgranted: Getting ahead

Whenstatusisgrabbedandwhenstatusisgranted: Getting ahead

Documents
Getting Ahead Of The Game: Proactive Data Governance

Getting Ahead Of The Game: Proactive Data Governance

Technology
HR Forecasting - Getting Ahead of the Game

HR Forecasting - Getting Ahead of the Game

Business
Getting Ahead of the Game - karengeddis.comkarengeddis.com/wp-content/uploads/2018/03/Workbook_Module-4_… · Getting Ahead of the Game • • • • • • • • • Author:

Getting Ahead of the Game - karengeddis.comkarengeddis.com/wp-content/uploads/2018/03/Workbook_Module-4_… · Getting Ahead of the Game • • • • • • • • • Author:

Documents
GETTING AHEAD IN YOUR EPQ

GETTING AHEAD IN YOUR EPQ

Documents
Getting Ahead Overview

Getting Ahead Overview

Documents
GETTING AHEAD OF THE GAME - PRISYM ID · 2020. 8. 24. · GETTING AHEAD OF THE GAME • PAGE 4 OF 8 GETTING AHEAD OF THE GAME • PAGE 5 OF 8 TAKING RESPONSIBILITY Organizations should

GETTING AHEAD OF THE GAME - PRISYM ID · 2020. 8. 24. · GETTING AHEAD OF THE GAME • PAGE 4 OF 8 GETTING AHEAD OF THE GAME • PAGE 5 OF 8 TAKING RESPONSIBILITY Organizations should

Documents
Getting ahead on LinkedIn

Getting ahead on LinkedIn

Business
The secret to getting ahead - ARCADION secret to getting ahead is getting started ... HHI: BP Clair Ridge 2011 ... module inc. structural PFP for the Forties Echo installation

The secret to getting ahead - ARCADION secret to getting ahead is getting started ... HHI: BP Clair Ridge 2011 ... module inc. structural PFP for the Forties Echo installation

Documents
CRYSTAL BALL: WHAT’S AHEAD Taren Grom Getting Down · PDF file14 November/December 2012 PharmaVOICE Getting Down toBusiness: What’s Ahead in2013 »CRYSTAL BALL: WHAT’S AHEAD

CRYSTAL BALL: WHAT’S AHEAD Taren Grom Getting Down · PDF file14 November/December 2012 PharmaVOICE Getting Down toBusiness: What’s Ahead in2013 »CRYSTAL BALL: WHAT’S AHEAD

Documents
Getting ahead and getting hired in social media & digital

Getting ahead and getting hired in social media & digital

Business
Getting Ahead With LinkedIn

Getting Ahead With LinkedIn

Career