Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

GUEST VIEW: To stop advanced attackers, look for uncommon indicators

Sugiarto Koh | July 31, 2013
To identify indicators of compromise, you need a two-tiered approach with tools and processes that combine trajectory capabilities, big data analytics and visualisation.

We all know that advanced attackers have the resources, expertise and persistence to compromise any organisation at any time. Attackers fundamentally understand the nature of classic security technologies and their applications, and exploit the gaps between them. They relentlessly drive their attacks home, frequently using tools that have been developed specifically to circumvent the target's chosen security infrastructure. Upon penetrating the network, they go to great lengths to remain undetected, using technologies and methods that result in nearly imperceptible indicators of compromise to accomplish their mission.

The challenge for defenders is that traditional security technologies are focused on detecting strong indications of compromise, such as known malware and other threats, but fail to capture or analyse weaker indications of compromise. Furthermore, these technologies are only able to make a determination at a single point in time. If that one shot at identifying and blocking a threat is missed, most IT security professionals have no way of monitoring files once they enter the network and take action if they turn out to be malicious.

Eventually you will realise that a breach has happened, but the process of discovering the breach may take months or even years for most organisations, according to the latest Verizon 2013 Data Breach Investigations Report. At that point, you will be left with no other alternative but to call in the forensics team to figure out what happened, and what was stolen or destroyed.

In the case of Singapore, the open and globalised natures of its economy are qualities that could potentially render it an attractive target for possible security attacks, espionage and foreign subversion. As a regional IT hub, the country possesses extensive technological infrastructure and high levels of connectivity. The rising frequency of security breaches and hacking incidents in recent years further emphasises the need for more effective security systems to counter increasingly advanced attackers in this modern age. Because attackers today often know more about the networks they attack than the network owners and use this to their advantage, it's crucial for IT organisations to start thinking like an attacker.

To regain control against such stealthy attacks, defenders need a new threat-centric approach to security to address the full attack continuum, be it before, during or after an attack. This requires continuous visibility into indicators of compromise and retrospective security to quickly contain and stop the damage. Examples of activities that could indicate compromise include a system attempting to communicate back to a known bad (blacklisted) IP address, trying to access a part of the network, a device or a database it hasn't before, or creating a process that it would not under typical circumstances.

 

1  2  Next Page 

Sign up for Computerworld eNewsletters.