Digital Transformation Blogs - Bigdata, IoT, M2M, Mobility, Cloud

Detection-Protection-Prevention – The Threat Defense Lifecycle

Identity and access management

Cyber-attacks are now an everyday occurrence, and the menace grows with each passing day.  New types of threats keep emerging, and their average damage potential is rising fast: the average cost of a cyber-security/data breach stood at roughly US $4 million in 2016.

System and network security has become critical to the survival of businesses.  Every network device and computer in a business's IT ecosystem needs to be protected.  Of all the cyber threats in circulation, Advanced Persistent Threats (APTs) are probably evolving the fastest and have become one of the most severe issues in cyber security today.  Wikipedia defines an APT as "a set of stealthy and continuous computer hacking processes, often orchestrated by human(s) targeting a specific entity".  In an Advanced Persistent Threat, the unauthorized entity stays undetected in the compromised network for a long time with the intention of stealing information.  For proper protection from cyber threats in general, and Advanced Persistent Threats in particular, a three-pronged approach works best, covering the three processes of Detection, Protection and Prevention.

Detection

Targeted attacks and APTs are designed and orchestrated to evade point security products almost entirely.  Once they have breached the perimeter and are inside, the only reliable way to detect them is to analyze the behavior of the individual components of the attack.  That requires behavioral analytics, where the enterprise goes beyond the traditional logging of incidents: large volumes of data are analyzed at regular intervals to find the red flags that confirm the presence of a breach.  These red flags may take the form of atypical application behavior, changes to files and configurations, and unusual user activity.  In short, they are anomalies: departures from what has been established as the normal baseline.
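To make the baseline-versus-anomaly idea concrete, here is a small added example (not code from the original post or from any product) that learns a per-user baseline from a "known good" window of authentication events and then scores a later window against it. The log format, the user and host names, the sample lines and the failure threshold are all constructed for this illustration; a real deployment would feed the same logic from its SIEM or authentication logs.

```python
"""Baseline-and-anomaly check over constructed authentication log lines.

Hypothetical log format (constructed for this example, not any real product's):
    <ISO timestamp> <user> <src_host> <result>
A baseline is learned from a "known good" window; later events are scored
against it. The threshold below is an assumption, not a figure from the page.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample data: a "normal" week of logins for two users.
BASELINE_LOG = """\
2016-05-02T08:05:00 alice ws-alice-01 success
2016-05-02T17:40:00 alice ws-alice-01 success
2016-05-03T08:10:00 alice ws-alice-01 success
2016-05-04T09:00:00 alice jump-01 success
2016-05-05T08:30:00 alice ws-alice-01 success
2016-05-02T07:55:00 bob ws-bob-07 success
2016-05-03T08:02:00 bob ws-bob-07 success
2016-05-04T08:20:00 bob ws-bob-07 success
2016-05-05T08:45:00 bob ws-bob-07 failure
2016-05-05T08:46:00 bob ws-bob-07 success
"""

# Constructed sample data: the window under analysis.
CURRENT_LOG = """\
2016-05-09T08:03:00 alice ws-alice-01 success
2016-05-09T02:17:00 alice fileserver-02 success
2016-05-09T08:10:00 bob ws-bob-07 success
2016-05-09T08:11:00 bob ws-bob-07 failure
2016-05-09T08:11:05 bob ws-bob-07 failure
2016-05-09T08:11:10 bob ws-bob-07 failure
2016-05-09T08:11:15 bob ws-bob-07 failure
2016-05-09T08:11:20 bob ws-bob-07 failure
2016-05-09T08:11:25 bob ws-bob-07 failure
2016-05-09T08:12:00 bob dc-01 success
"""

FAILURE_THRESHOLD = 5  # assumed: failures per user in one window before flagging


def parse(text):
    """Turn the constructed log text into (timestamp, user, host, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, result = line.split()
        events.append((datetime.fromisoformat(ts), user, host, result))
    return events


def build_baseline(events):
    """Per user: the set of source hosts seen and the span of login hours seen."""
    baseline = {}
    for ts, user, host, result in events:
        if result != "success":
            continue  # only successful logins define "normal"
        entry = baseline.setdefault(user, {"hosts": set(), "min_hour": 23, "max_hour": 0})
        entry["hosts"].add(host)
        entry["min_hour"] = min(entry["min_hour"], ts.hour)
        entry["max_hour"] = max(entry["max_hour"], ts.hour)
    return baseline


def find_anomalies(events, baseline):
    """Return (user, reason, detail) for each event that departs from the baseline."""
    anomalies = []
    failures = defaultdict(int)
    for ts, user, host, result in events:
        profile = baseline.get(user)
        if profile is None:
            anomalies.append((user, "unknown_user", host))
            continue
        if result == "failure":
            failures[user] += 1
            if failures[user] == FAILURE_THRESHOLD:  # flag the burst once
                anomalies.append((user, "failure_burst", f"{FAILURE_THRESHOLD} failures"))
            continue
        if host not in profile["hosts"]:
            anomalies.append((user, "new_source_host", host))
        if not profile["min_hour"] <= ts.hour <= profile["max_hour"]:
            anomalies.append((user, "off_hours_login", ts.isoformat()))
    return anomalies


def run():
    """Learn the baseline, then score the current window against it."""
    baseline = build_baseline(parse(BASELINE_LOG))
    return find_anomalies(parse(CURRENT_LOG), baseline)


if __name__ == "__main__":
    for user, reason, detail in run():
        print(f"{user}: {reason} ({detail})")
```

On the constructed data this flags alice's 02:17 login from a host she has never used, bob's burst of failed logins, and bob's first-ever login to the domain controller, while the routine morning logins pass silently. The point is the shape of the check, not the thresholds: every rule compares an observation with a learned profile rather than with a signature.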

Protection

Protection, meaning the response to a threat or attack, is critical in limiting the damage.  The first step is to understand the modus operandi of the attack and to establish the extent of the breach and the level of exposure, including any high-value target that appears to have been reached.  Coherent operation of all the security capabilities and apparatus is essential here: a measured, predefined response is established for each type of incident.  For example, if a user is found to be exercising privileges in a way that violates established norms, that network segment is blocked; if a BYOD device is found to carry an app of suspicious pedigree, that user's authentication is suspended until the device has been examined.  Integrity verification tools are a good idea because they highlight file-level changes; any suspicious change there is a red flag that triggers the appropriate action.

This approach can be seen as the next level of Security Information and Event Management (SIEM), where protection measures are decided by correlating insights from events, anomalies, and log and flow data.
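The integrity-verification step and the "defined response per incident type" idea from the two paragraphs above fit together naturally, so here is one added example (not code from the original post or from any integrity product) that does both: it takes a SHA-256 manifest of a directory, re-scans it later, classifies every deviation as modified, added or removed, and attaches a predefined response to each finding. The directory, its files, the simulated tampering and the response table are all constructed for the illustration; the response strings are placeholders for whatever the organization's playbook actually prescribes.

```python
"""File-integrity baseline, verification and per-finding response mapping.

Added example, not a product's code. A manifest of SHA-256 digests is taken
over a directory, the tree is later re-scanned, and each deviation is mapped
to a predefined response. Files and playbook are constructed for illustration.
"""
import hashlib
import os
import tempfile

# Assumed playbook: one measured response per finding type (placeholder text).
RESPONSE_PLAYBOOK = {
    "modified": "isolate host, snapshot disk, open incident",
    "added": "inspect new file, check its signer and origin",
    "removed": "restore from backup, check for log tampering",
}


def sha256_file(path):
    """Streaming SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file (path relative to root, '/'-separated) to its digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify(root, manifest):
    """Compare the tree with the manifest; return sorted (finding, path) pairs."""
    current = build_manifest(root)
    findings = []
    for path, digest in manifest.items():
        if path not in current:
            findings.append(("removed", path))
        elif current[path] != digest:
            findings.append(("modified", path))
    for path in current:
        if path not in manifest:
            findings.append(("added", path))
    return sorted(findings)


def respond(findings):
    """Attach the playbook action to each finding: (finding, path, action)."""
    return [(kind, path, RESPONSE_PLAYBOOK[kind]) for kind, path in findings]


def write(root, rel, data):
    """Helper to create a file (and its parent directories) under root."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: baseline three files, then tamper with the tree."""
    root = tempfile.mkdtemp(prefix="fim-")
    write(root, "etc/sshd_config", b"PermitRootLogin no\n")
    write(root, "etc/sudoers", b"root ALL=(ALL) ALL\n")
    write(root, "bin/ls", b"\x7fELF original")
    manifest = build_manifest(root)

    # Simulated intrusion: privilege grant, trojanised binary, dropped file, lost config.
    write(root, "etc/sudoers", b"root ALL=(ALL) ALL\nwww-data ALL=(ALL) NOPASSWD: ALL\n")
    write(root, "bin/ls", b"\x7fELF trojanised")
    write(root, "tmp/.x", b"dropper")
    os.remove(os.path.join(root, "etc/sshd_config"))

    return {"root": root, "findings": respond(verify(root, manifest))}


if __name__ == "__main__":
    for kind, path, action in demo()["findings"]:
        print(f"{kind:9} {path:18} -> {action}")
```

Two practical caveats apply. The manifest must be stored somewhere the attacker cannot rewrite (a signed copy off the host, or a read-only location), otherwise a modified file and a modified manifest cancel out. And an integrity check only sees the state at scan time, so it belongs beside, not instead of, the behavioral detection described earlier.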

Prevention

Prevention is better than cure: an age-old saying that still holds, though it is easier said than done.  The reasons are many.  One is a lack of rigor and disciplined adherence to tried and tested practices such as security policies, security awareness programs and access control.  Proper identification, multi-factor authentication (combining two or more of the three factors: something you know, such as a password or PIN; something you have, such as an ID card, smart card or token; and something you are, such as a fingerprint, retina scan or DNA) and authorization for the use of restricted privileges still go a long way when employed properly.
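The "something you have" factor is most often a time-based one-time code, so here is an added example (not from the original post or any vendor) of the standard behind those tokens, RFC 6238 TOTP over RFC 4226 HOTP, together with a server-side verifier. It goes a little beyond the paragraph: the verifier also tolerates one step of clock skew and refuses to accept a code for a step that has already been used, since a code that can be replayed within its 30-second window is a weaker second factor than it looks. The secret is the RFC 6238 test-vector key, chosen so the outputs can be checked against the RFC, and the skew window is an assumed policy value.

```python
"""RFC 6238 TOTP as a 'something you have' factor, with a replay-resistant verifier.

Added example, not the page's code. SECRET is the RFC 6238 test-vector key
(ASCII '12345678901234567890'), never a production value; SKEW_STEPS is an
assumed policy.
"""
import hashlib
import hmac
import struct
import time

STEP = 30         # seconds per time step (RFC 6238 default)
DIGITS = 6
SKEW_STEPS = 1    # assumed policy: accept the previous and next step as well
SECRET = b"12345678901234567890"  # RFC 6238 test-vector key (SHA-1)


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, digits=DIGITS):
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, unix_time // STEP, digits)


class TotpVerifier:
    """Server side: constant-time compare, skew window, and one use per time step."""

    def __init__(self, secret):
        self.secret = secret
        self.last_accepted_step = -1  # highest step for which a code was accepted

    def verify(self, code, now=None):
        now = int(time.time()) if now is None else now
        step = now // STEP
        for candidate in range(step - SKEW_STEPS, step + SKEW_STEPS + 1):
            if candidate <= self.last_accepted_step:
                continue  # that step (or an earlier one) already yielded a login: replay
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_accepted_step = candidate
                return True
        return False


if __name__ == "__main__":
    # Enrolment would share SECRET with the user's token; here we just show a round trip.
    now = int(time.time())
    v = TotpVerifier(SECRET)
    code = totp(SECRET, now)
    print("code", code, "first use:", v.verify(code, now), "replay:", v.verify(code, now))
```

Note that `hmac.compare_digest` is used rather than `==` so the comparison time does not depend on how many leading digits the attacker guessed correctly, and that `last_accepted_step` must be stored per user in persistent state on a real server, or the replay check evaporates on restart.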

Another is that traditional reactive, signature-based controls such as firewalls and anti-virus are bypassed regularly.  What is needed today is the ability to break the key links in the attack chain preemptively, on the endpoint as well as on the network, in real time.  A behavior-based approach can detect and prevent incipient attacks, even those employing advanced malware.

Sometimes steps as simple as avoiding or restricting the use of platforms with known vulnerabilities go a long way in prevention.  Rogue Java apps are a big source of risk: according to IBM's X-Force Threat Intelligence Quarterly, they account for 96% of Java exploits.  Restricting or curtailing Java use can therefore be an effective preventive measure.

The Detection, Protection and Prevention approach can certainly help organizations meet today's cyber security challenges and reduce incidents as the global threat landscape continues to change for the worse.
