Turning the Tables on Cyber Attackers

Author: Nick Race, Country Manager, Arbor

Whoever said the best defence is a strong offence could have been thinking of protecting the enterprise from “advanced threats”. Given the stealth of today’s advanced attack malware, the scale of data compromise and speed of execution, it has been proven time and again that relying on a passive, defensive security strategy is no longer adequate.

Australian enterprise security professionals are well aware they are under constant attack. They probably have defensive, primarily signature-based systems already in place, from endpoint anti-virus to next-generation firewalls. Many are armed with endless amounts of log data, from firewalls, intrusion detection and protection systems, web servers, application servers, and so on. However, logs do not provide the complete picture and only connect events after the fact. The real security challenge lies in the rapid correlation and interpretation of seemingly unrelated network traffic events.

Even pre-set security alerts, intended to help security teams, can be distracting with false positives, or simply overwhelming with less important alarms. It can be difficult to rapidly identify any given alert as a component of an attack that matters, and prioritise accordingly. The lack of context and the lack of genuine “situational awareness” can make it extremely challenging to spot a real threat solely from the discrete data that point systems provide through logs and alerts; it is very hard to see the big picture. Constantly reacting to alerts, especially without knowing with confidence their significance or whether the mitigation measures in place are truly effective, creates a sense of not being in control.

Today’s advanced attacks aren’t isolated events, nor are they static. They are multistage campaigns that probe a target’s defences, study security reactions and tailor their techniques to “fly under the radar”, or simply work around an organisation’s defences. Advanced attacks are designed to be “stealthy” and obfuscate their tracks. In many cases, alerts are just the tip of the iceberg, the significance of which is realised, if at all, long after the attackers have accomplished their goals.

Imagine A Better Way

Say an organisation knows they are under attack; they may even have some idea of attack vectors based on industry alerts or recent suspicious activity. They certainly have a good idea of their most valuable assets, and of likely attack vectors, perhaps phishing-related penetration of endpoints or suspicious activity on Active Directory servers. What if they could actively hunt for malware and malicious behaviour within their network? What if it was possible to proactively check on these assets, actively seeking out infiltration within their network traffic?

Most organisations have a Security Information and Event Management (SIEM) system in place. However, SIEMs are not designed for this type of probing analysis; they are designed to react to pre-defined alerts. If they are triggered at all by stealthy malware, the alerts do not give the full picture, and the true threats represented by those alerts can get lost in the noise, making it hard to prioritise. Besides, with incomplete intelligence, CSOs are constantly reacting to events, playing a game of catch-up. A more proactive response is required for sure.

Security analytics is the proactive analysis of large network data sets in real or near real-time. It allows CSOs to pre-emptively seek out and neutralise potential threats by examining the full scope and depth of network communications as embodied in full packet captures. Armed with security intelligence, awareness of each unique environment and expected network behaviour, security analytics puts enterprise security professionals in a position to get out in front of security events and gain real control.

Powerful, rapid visualisations allow security professionals to proactively look for malicious behaviour and identify Indicators of Compromise (IoCs) by quickly interacting with and intelligently sifting through network traffic data. It is possible to quickly and easily “zoom in and out” from years to seconds of specific network activity, on the same screen with a click of a mouse.

Since advanced attacks are designed as long-running campaigns, CSOs need the ability to quickly scrutinise past data to “connect the dots” over time. With more current knowledge of stealthy components or attack indicators accumulated, it is possible to ferret out Zero Day malware in old traffic. This is critical for identifying current risk: where malware might have moved laterally, what packages might have been dropped along the way and, most importantly, how to get out in front of the threat.
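The retrospective sweep described above, as an added example that is not part of the article or any Arbor product: archived connection records are re-checked against indicators learned only later, the earliest contact per host marks the start of the dwell time, and hosts are chained together where a compromised host talked to an internal peer that later contacted an indicator itself. All addresses, timestamps and indicators are constructed placeholders.

```python
from collections import defaultdict
from datetime import datetime

# Constructed archive of connection records: (timestamp, source, destination, dst_port).
# Addresses are documentation/test ranges chosen for the example, not real indicators.
ARCHIVED_FLOWS = [
    ("2015-03-02T09:14:05", "10.1.1.20", "203.0.113.7", 443),   # early beacon from a workstation
    ("2015-03-02T09:44:12", "10.1.1.20", "203.0.113.7", 443),
    ("2015-03-05T11:02:33", "10.1.1.20", "10.1.2.50", 445),     # workstation -> file server (SMB)
    ("2015-03-06T08:30:00", "10.1.2.50", "198.51.100.9", 443),  # file server beacons to a 2nd host
    ("2015-03-06T08:31:00", "10.1.1.21", "192.0.2.44", 443),    # unrelated traffic
]

# Indicators that became known only after the traffic was captured (constructed placeholders).
NEW_IOCS = {"203.0.113.7", "198.51.100.9"}


def retrospective_sweep(flows, iocs):
    """Match archived flows against indicators learned after the fact.
    Returns {internal_host: [(datetime, ioc), ...]} sorted by time."""
    hits = defaultdict(list)
    for ts, src, dst, _port in flows:
        if dst in iocs:
            hits[src].append((datetime.fromisoformat(ts), dst))
    return {host: sorted(events) for host, events in hits.items()}


def first_contact(hits):
    """Earliest indicator contact per host: the start of the dwell time no alert showed."""
    return {host: events[0][0] for host, events in hits.items()}


def lateral_chains(flows, hits):
    """Connect the dots: host A contacts an indicator, then talks to internal host B,
    and B contacts an indicator afterwards. Returns [(A, B, time_of_internal_contact)]."""
    first = first_contact(hits)
    chains = []
    for ts, src, dst, _port in flows:
        t = datetime.fromisoformat(ts)
        if src in first and dst in first and first[src] <= t <= first[dst]:
            chains.append((src, dst, t))
    return chains


if __name__ == "__main__":
    hits = retrospective_sweep(ARCHIVED_FLOWS, NEW_IOCS)
    for host, when in first_contact(hits).items():
        print(f"{host}: first indicator contact {when.isoformat()} ({len(hits[host])} hits)")
    for a, b, t in lateral_chains(ARCHIVED_FLOWS, hits):
        print(f"possible lateral move {a} -> {b} at {t.isoformat()}")
```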

Strengthen Your Security Posture and Incident Response

Adding a proactive element to their security strategy can also help to strengthen Australian organisations’ security posture over time and make it more difficult for advanced attackers that tend to return again and again. They can implement far more down-to-earth risk assessment based on actual traffic data, as well as enhanced investigative and forensic capabilities, which can improve their Incident Response (IR) procedures.

Every time an actual attack is discovered while it is in progress, security teams learn what areas the attackers are targeting, the entry points used, techniques for lateral movement and how they are attempting to exfiltrate the data they want.

Proactive security analytics is also a powerful risk assessment tool. As network traffic is better understood, including how it changes and evolves over time, CSOs will undoubtedly spot vulnerabilities. This ongoing, positive feedback loop will also help them to respond faster and protect themselves from future attacks.

Using a proactive security strategy allows CSOs to regain some measure of real control over their networks, because their actions are more effective and they feel more confident. So why have a purely reactive strategy based on incomplete and post facto alerts? If you are under attack, why stay only on the defensive?

About the author

Nick Race is Country Manager for Australia and New Zealand for Arbor Networks, a leading provider of DDoS and advanced threat protection solutions for enterprise and service provider networks.
