Enterprise security: the protective power of patterns


The rapid pace of change in the enterprise threat landscape can leave security teams taking one step forward and two back when it comes to keeping up with the bad guys. Could a little pattern recognition help predict attacks and protect the network?

Pattern recognition as data protection

"Given the increasingly broad spectrum of attack vectors that enterprise security teams have to combat, it is inevitable that they will be breached several times every week with varying degrees of risk," says Gunter Ollmann, chief technology officer at IOActive.

Those are not the words with which anyone wants to start a piece about data security, yet when I spoke to Ollmann he charged straight in there. The 'breached several times every week' claim does rather depend upon how you define a breach, and as IT Pro reported recently, the majority of enterprises seem blissfully unaware of what the term security incident actually means. However, given the ever-expanding threat surface and the dynamic nature of the security landscape, I am inclined to agree with Ollmann when he states that it is a given that "despite increasing spend in perimeter and host-based defenses, malware will successfully breach enterprise defenses."

I also happen to agree with him on his point that the real focus of enterprise security is business continuity. Once you understand that, the specifics of any given threat, or even the vector for that matter, should become increasingly irrelevant to incident response teams. "There are a growing number of external service providers that specialize in threat tracking and attack attribution," Ollmann points out. In most cases, the data that these third parties analyse "will reveal a breach detection within an enterprise before the enterprise security team are aware of it," he says.

While that is reassuring to a certain extent, it does raise the issue of the elephant in the server room: many people simply have no real understanding of what 'normal' is on their networks in the first place. More than 90 per cent of organisations lack required levels of network visibility, according to Barrie Desmond from the Exclusive Networks Group. "[This] is why compromised systems are often undetected on average for over 400 days," he says.

This is where the notion of pattern detection, or indicators of compromise, comes in. These can undoubtedly act as a vital clue for those enterprises that do regularly examine, and understand, their IT environment.

"By doing this," Desmond concludes, "it will either prevent a breach from eventually happening or stop it within its early stages."

Any vaguely competent attacker is not going to be using those off-the-shelf and therefore easily recognisable tools, though, at least not once they have got through the network door (be it front, back or side). Instead they will adopt the same resources used by the victim's own admin staff, which is why 'public indicators of compromise' are most useful in the initial detection stage of an attack.
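The two detection stages described above, matching public indicators of compromise and then spotting legitimate admin tooling in the hands of someone who has never used it before, can be sketched in a few lines. The following is an added example, not code from the article or from any of the vendors quoted in it; the indicator values and the key=value log lines are constructed for illustration (the IP address sits in the reserved 203.0.113.0/24 documentation range and the hash is a made-up string), and the field names `user`, `tool`, `dst`, `domain` and `sha256` are assumptions about the log schema.

```python
import re
from collections import defaultdict

# Constructed threat-intel indicators (made up for this example; the
# 203.0.113.0/24 range and example.net are reserved documentation values).
IOCS = {
    "dst": {"203.0.113.45"},
    "domain": {"update-check.example.net"},
    "sha256": {"9f2c" * 16},   # 64 hex chars, constructed, matches nothing real
}

# Constructed log lines in key=value form. The first block is a quiet
# baseline week that defines "normal"; the second is the period under review.
BASELINE_LOGS = [
    "ts=2024-05-01T09:00:00Z host=ws-01 user=alice tool=outlook.exe dst=10.0.0.10",
    "ts=2024-05-01T09:05:00Z host=srv-db user=dba tool=sqlcmd.exe dst=10.0.0.20",
    "ts=2024-05-02T14:00:00Z host=ws-02 user=bob tool=chrome.exe domain=intranet.example.com",
    "ts=2024-05-03T11:00:00Z host=admin-01 user=opsadmin tool=psexec.exe dst=10.0.0.20",
    "ts=2024-05-04T11:00:00Z host=admin-01 user=opsadmin tool=psexec.exe dst=10.0.0.21",
]
INVESTIGATION_LOGS = [
    "ts=2024-05-08T02:13:00Z host=ws-01 user=alice tool=loader.tmp sha256="
    + "9f2c" * 16 + " domain=update-check.example.net",
    "ts=2024-05-08T02:20:00Z host=ws-01 user=alice tool=psexec.exe dst=10.0.0.20",
    "ts=2024-05-08T02:25:00Z host=srv-db user=dba tool=sqlcmd.exe dst=10.0.0.20",
    "ts=2024-05-08T03:00:00Z host=ws-01 user=alice tool=outlook.exe dst=203.0.113.45",
]

KV = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Turn one key=value log line into a dict of its fields."""
    return dict(KV.findall(line))


def match_iocs(lines, iocs=IOCS):
    """Stage one: fields that equal a known-bad indicator. Returns (line_no, field, value)."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = parse(line)
        for key, bad in iocs.items():
            if fields.get(key) in bad:
                hits.append((n, key, fields[key]))
    return hits


def build_baseline(lines):
    """Record which (user, tool) and (user, dst) pairs are normal on this estate."""
    seen = defaultdict(set)
    for line in lines:
        f = parse(line)
        for key in ("tool", "dst"):
            if key in f:
                seen[key].add((f.get("user"), f[key]))
    return seen


def first_seen(lines, baseline):
    """Stage two: pairs never observed in the baseline. Returns (line_no, user, field, value).

    No indicator fires here; only the deviation from what is normal does."""
    findings = []
    for n, line in enumerate(lines, 1):
        f = parse(line)
        for key in ("tool", "dst"):
            if key in f and (f.get("user"), f[key]) not in baseline[key]:
                findings.append((n, f.get("user"), key, f[key]))
    return findings


def lines_missed_by_iocs(lines, baseline):
    """Line numbers flagged by the baseline check but invisible to IoC matching."""
    ioc_lines = {n for n, _, _ in match_iocs(lines)}
    dev_lines = {n for n, _, _, _ in first_seen(lines, baseline)}
    return sorted(dev_lines - ioc_lines)


if __name__ == "__main__":
    base = build_baseline(BASELINE_LOGS)
    print("IoC hits:", match_iocs(INVESTIGATION_LOGS))
    print("Deviations:", first_seen(INVESTIGATION_LOGS, base))
    print("Only the baseline catches lines:", lines_missed_by_iocs(INVESTIGATION_LOGS, base))
```

In the constructed data the indicator feed catches the initial loader and the outbound connection, but line 2, `alice` running `psexec.exe`, is a legitimate admin tool with no indicator attached; only the comparison against the baseline week surfaces it, which is the point being made about attackers blending in with the victim's own tooling.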

"But breaches do not begin and end with a single host," Conrad Constantine, Research Team Engineer for AlienVault reminds us. "Serious targeted breaches with actual human operators behind the attack will soon blend in and avoid the use of identifiably malicious software."

So don't expect miracles from the pattern detection approach. Yes, it's a useful addition to the enterprise security armoury and one weapon that no self-respecting security team should be without, but it's no silver bullet on its own. While I am warning against getting too carried away with the importance of patterns, I spoke with the Chief Security Strategist at Bitdefender, Catalin Cosoi, who was at pains to point out that while it is important to react to indicators of compromise, it is equally important not to overreact. "The appropriate response is almost never to batten down the hatches, curtail services to the bare minimum and hope the attacker goes away soon," Cosoi says, while admitting that precisely this can be called for in particular and special circumstances.

Instead, Cosoi suggests that when faced with "a pattern of exploratory attacks consistent with an APT (Advanced Persistent Attack) developing", for example, "one might consider setting up a honeypot or honeynet and gathering some more data about attackers in this manner."

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.