Another day, another breach – and a long one at that for a recent FBI alert.
The FBI quietly released threat intelligence indicators, including web-based attack infrastructure, on a grouped labeled “APT6”, which has been actively pilfering data from multiple government networks since at least 2011.
The detail that always draws me in these attacks is the amount of time it went undetected – also known as the “dwell time”. Data from multiple industry reports (ie. Mandiant M-Trends, Trustwave, & Verizon Data Breach reports) show the average security breach goes undetected for more than 6 months before being discovered. Persistent attacks are different than your run-of-the-mill crypto-locker and web defacement attacks, where you’ll know immediately when you are hacked. Instead, the goal of persistent attackers is to maintain unfettered access to your network for as long as possible in order to steal personal/financial data, intellectual property, and monitor operations and communications. Even in lieu of a motive, many botnet operators will gain and maintain access to your network in order to sell it later to someone that does.
The security industry calls this problem the “Breach Detection Gap” – but why do these attacks go so long before being detected? The answer is somewhat complex but I’ve boiled it down to two factors:
- Today’s network and endpoint detection solutions overly rely on identifying the initial or early stages of an attack, such as an exploit or malware execution. These solutions rarely have full scope post-compromise detection capabilities which could be used to discover an entrenched adversary, installed malware, lateral movement, and malicious use of valid credentials within the squishy interior of the network.
- The art of intrusion detection has traditionally focused on protecting the perimeter via network traffic analysis. With the proliferation of cloud services, encryption, and mobile devices, there is no more definable perimeter in the modern enterprise – attack vectors and C2 will be missed.
If you really want to know if your network harbors a persistent attacker that doesn’t rely on the FBI knocking on your door or Brian Krebs writing an article about you on his blog, you are going to have to hunt within your network.
Malware Hunting (or Threat Hunting if you want to be inclusive) within a network is a proactive and iterative search for adversaries within a network under your control. It’s a practice that the US military and some of its’ allies have employed for years on their own networks but is only recently making its’ way into the commercial world.
Regardless of how imperative it is to hunt within your network for these threats, the #1 reason for not hunting that I hear from IT Security Managers is the perceived high skillset and resource requirements. Through its’ technology, the team at Infocyte is dedicated to making malware hunting more accessible by reducing skill and time requirements via automation and design. If you can’t confidently answer the question of whether your network is hacked or not by a persistent threat, take a look at Infocyte and see how effective it can be.
More from our blog
Despite the rich data provided by SIEMs, organizations find themselves drowning in false positives, making it difficult to focus on high-priority events. This problem of alert fatigue prevents cyber security teams from identifying and addressing real threats – impacting small teams with no SOC, large enterprise teams with a SOC, and MSSPs overseeing the security for many SOCs/customers.Read More »
In 2018, the U.S. Healthcare Industry Remained a Hot Target for Data Breaches. Last year alone, over 15 million patient records were affected with an average of one data breach occurring every 24 hours in the healthcare industry. It goes without saying that hackers and cyber attackers are finding ways around/through/past security defenses—exploiting vulnerabilities and…Read More »
A Brief History of Forensic State Analysis Prior to starting Infocyte, our co-founders, Chris Gerritz and Russ Morris, created the first enterprise-scoped threat hunting team for the entire U.S. Department of Defense. Their teams were responsible for hunting, detecting, and responding to highly sophisticated attacks across an 800,000-node network. With virtually unlimited resources and access…Read More »