Another day, another breach - and a long one at that for a recent FBI alert. The FBI quietly released threat intelligence indicators, including web-based attack infrastructure, on a grouped labeled "APT6", which has been actively pilfering data from multiple government networks since at least 2011.
The detail that always draws me in these attacks is the amount of time it went undetected - also known as the "dwell time". Data from multiple industry reports (ie. Mandiant M-Trends, Trustwave, & Verizon Data Breach reports) show the average security breach goes undetected for more than 6 months before being discovered. Persistent attacks are different than your run-of-the-mill crypto-locker and web defacement attacks, where you'll know immediately when you are hacked. Instead, the goal of persistent attackers is to maintain unfettered access to your network for as long as possible in order to steal personal/financial data, intellectual property, and monitor operations and communications. Even in lieu of a motive, many botnet operators will gain and maintain access to your network in order to sell it later to someone that does.
The security industry calls this problem the “Breach Detection Gap” – but why do these attacks go so long before being detected? The answer is somewhat complex but I’ve boiled it down to two factors:
- Today’s network and endpoint detection solutions overly rely on identifying the initial or early stages of an attack, such as an exploit or malware execution. These solutions rarely have full scope post-compromise detection capabilities which could be used to discover an entrenched adversary, installed malware, lateral movement, and malicious use of valid credentials within the squishy interior of the network.
- The art of intrusion detection has traditionally focused on protecting the perimeter via network traffic analysis. With the proliferation of cloud services, encryption, and mobile devices, there is no more definable perimeter in the modern enterprise – attack vectors and C2 will be missed.
If you really want to know if your network harbors a persistent attacker that doesn’t rely on the FBI knocking on your door or Brian Krebs writing an article about you on his blog, you are going to have to hunt within your network.
Malware Hunting (or Threat Hunting if you want to be inclusive) within a network is a proactive and iterative search for adversaries within a network under your control. It’s a practice that the US military and some of its’ allies have employed for years on their own networks but is only recently making its’ way into the commercial world.
Regardless of how imperative it is to hunt within your network for these threats, the #1 reason for not hunting that I hear from IT Security Managers is the perceived high skillset and resource requirements. Through its’ technology, the team at Infocyte is dedicated to making malware hunting more accessible by reducing skill and time requirements via automation and design. If you can’t confidently answer the question of whether your network is hacked or not by a persistent threat, take a look at Infocyte and see how effective it can be.