Targeted attacks are outmaneuvering the preventive security layers companies have in place. It takes on average 100 days to even detect a breach. Antivirus solutions are incapable of detecting fileless attacks where no malicious program gets executed. Advanced attackers know how to bypass the preventive layers, and such attacks can only be detected by looking at behavior.
Here comes the tricky part – how to distinguish malicious behavior from the normal activity?
What a Real Targeted Attack Looks Like: The Gothic Panda Case from MITRE's ATT&CK Framework
The following example demonstrates what an advanced, targeted cyber attack looks like in real life. The case features an advanced persistent threat (APT) group known as Gothic Panda, drawn from MITRE's Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) knowledge base and model of cyber adversary behavior. The behavior of this APT group is well documented and is used to test network security and security products against specific threats.
The adversaries in this case example are seeking to exfiltrate industrial intellectual property and documents. Gothic Panda’s attack can be broken down into three main phases – initial compromise, network propagation and exfiltration.
In the initial compromise phase, the attackers' goal is successful code execution on, and control of, a system within the target environment.
In the second phase, network propagation, attackers attempt to identify and move to target systems within the network. Their goal is to exfiltrate credentials and documents.
In the exfiltration phase, the adversaries collect the data and compress it into an easy-to-transmit package. They try to exfiltrate the documents by hiding them in other outbound network traffic. Depending on the defensive setup, exfiltration can be much noisier and more noticeable than the earlier phases, where the attackers blend into normal activity using living-off-the-land tools.
EDR Security Detects Incidents That Matter
The most important phase for detection is naturally the first one – before an attacker gains persistence and moves to critical systems. Most organizations use a preventive layer like endpoint protection to block commodity malware. Yet, advanced attackers may remain undetected by using low and slow attacks, eventually finding a way around the preventive layer.
That’s when detection and response come into the picture.
Implementing an endpoint detection and response (EDR) solution is a quick way to set up capabilities to detect and respond to advanced threats and targeted attacks. Detection technologies certainly detect suspicious events, but too often they fail to filter out noise from critical incidents.
According to a 2017 EMA study, 79% of security teams report being overwhelmed by high numbers of threat alerts. For example, in a midsize organization with 650 sensors, there are typically one billion events every month, but only about ten detections require action. A high-quality EDR solution homes in on the few incidents that matter.
Context Gives Meaning to Individual Events
Artificial intelligence and machine learning are the only scalable solution that can be applied. But AI alone is little more than a glorified false positive generator. What's needed is the right combination of cyber security experts and data science – man and machine.
We must develop technologies that can learn what human security analysts do, only at a lightning pace – connect the dots, and place events into a proper overall picture in order to make an accurate judgment.
This overall picture is context. False alarms strain security teams and decrease the likelihood of uncovering actual incidents. Getting to a near-zero false positive rate means that alerts must be grouped into context with related events before a judgment is made. Anomalous events may turn out to be innocuous when you see the full picture – the context.
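The grouping-into-context idea above, and the three attack phases from the Gothic Panda case, can be illustrated with a small correlator. The following is an added example written for this page; it is not F-Secure's Broad Context Detection code. The detection names, their mapping to the three phases, the 24-hour grouping window, the two-phase escalation threshold, and the telemetry lines are all constructed assumptions. The point it shows is that the same single anomalous event (an archive created in a temp folder) is suppressed on a host with no related activity, but escalated when it sits in a chain that spans initial compromise, propagation and exfiltration on one host.

```python
"""Minimal context-based alert grouping: correlate per-host endpoint events
into incidents and rank them by how many attack phases they span.
Added example, not F-Secure's code. Event schema, phase mapping, window and
threshold are assumptions made for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed mapping from individual detection types to the three phases
# described in the Gothic Panda case (initial compromise, propagation,
# exfiltration). Which detection maps where is an assumption.
PHASE_OF = {
    "office_spawns_script_host": "initial_compromise",
    "script_host_network_connect": "initial_compromise",
    "lsass_memory_read": "propagation",
    "remote_logon_new_host": "propagation",
    "archive_created_in_temp": "exfiltration",
    "large_upload_to_new_domain": "exfiltration",
}

WINDOW = timedelta(hours=24)  # events on one host within this gap belong together (assumption)
ESCALATE_PHASES = 2           # escalate only when an incident spans >= 2 phases (assumption)


def parse_event(line):
    """Parse one constructed telemetry line: '<iso-time>\\t<host>\\t<detection>'."""
    ts, host, detection = line.rstrip("\n").split("\t")
    return {"ts": datetime.fromisoformat(ts), "host": host, "detection": detection}


def group_incidents(events, window=WINDOW):
    """Cluster events per host into incidents; a new incident starts when the
    gap from the previous event on that host exceeds `window`."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host[ev["host"]].append(ev)
    incidents = []
    for host, evs in by_host.items():
        current = [evs[0]]
        for ev in evs[1:]:
            if ev["ts"] - current[-1]["ts"] <= window:
                current.append(ev)
            else:
                incidents.append((host, current))
                current = [ev]
        incidents.append((host, current))
    return incidents


def score_incident(incident_events):
    """Return (phases_seen, verdict). Breadth across phases, not raw event
    count, decides whether the analyst sees the incident."""
    phases = sorted({PHASE_OF[e["detection"]]
                     for e in incident_events if e["detection"] in PHASE_OF})
    verdict = "escalate" if len(phases) >= ESCALATE_PHASES else "suppress"
    return phases, verdict


def triage(lines):
    """Full pipeline: raw lines -> incidents -> {(host, first_ts): (phases, verdict)}."""
    events = [parse_event(line) for line in lines]
    result = {}
    for host, evs in group_incidents(events):
        phases, verdict = score_incident(evs)
        result[(host, evs[0]["ts"].isoformat())] = (phases, verdict)
    return result


# Constructed sample telemetry (not real data). WS-7 shows the three-phase
# chain; WS-3 has a single archive-creation event (e.g. a backup job) and
# nothing else, so context alone separates the two.
SAMPLE_LINES = [
    "2018-03-05T09:02:11\tWS-7\toffice_spawns_script_host",
    "2018-03-05T09:02:40\tWS-7\tscript_host_network_connect",
    "2018-03-05T13:15:02\tWS-7\tlsass_memory_read",
    "2018-03-06T02:10:00\tWS-7\tremote_logon_new_host",
    "2018-03-06T03:45:19\tWS-7\tarchive_created_in_temp",
    "2018-03-06T04:01:55\tWS-7\tlarge_upload_to_new_domain",
    "2018-03-05T22:00:00\tWS-3\tarchive_created_in_temp",
]

if __name__ == "__main__":
    for key, (phases, verdict) in triage(SAMPLE_LINES).items():
        print(key, phases, verdict)
```

Running it prints one escalated incident for WS-7 spanning all three phases and one suppressed incident for WS-3. In a real deployment the per-host window would be replaced by richer linkage (process ancestry, user sessions, lateral logons between hosts), but the design choice is the same: score the chain, not the individual event.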
Our whitepaper, Detecting Targeted Attacks With Broad Context Detection™, explains in detail why context is everything – in life and in cyber security – and how F-Secure’s Broad Context Detection works: