Cyber Espionage was one of the most complex attack patterns described in Verizon's 2014 Data Breach Investigations Report (DBIR). It is one form of Advanced Threat: an attack specifically designed to infiltrate your network, dig in once it's there, and then exfiltrate data back to the attacker's servers.
Advanced threat attackers will typically enter the network through user activity and will then exploit unpatched software security bugs in order to entrench themselves in your network. In the best of all possible worlds, users would know better than to open email attachments or click on suspicious links, and your software would be patched the moment a patch became available. In reality, users can be fooled by sophisticated spearphishing emails that are indistinguishable from legitimate ones, or by a website they have used many times without issue that has since been compromised in a watering hole attack. And while patching systems quickly is the goal, the reality is that there are a large number of systems running older software for which no patch exists, and these are easy targets.
The DBIR maps its recommended controls against Cyber Espionage to the SANS Institute's Critical Security Controls, and all of them are fundamental best practices:
- Keep up to date with patches
- Block known bad IP addresses
- Use two-factor authentication
- Harden your devices against malware
- Train your users
- Segment your network
Even with best practices firmly in place, due diligence is no guarantee against compromise. Best practices lower the chances that an advanced threat will make it into your network, but complete security coverage means more than just locking down the perimeter. You also need to check whether you have already been compromised and, if so, determine the scope of the problem.
One of the difficulties in determining whether you have been compromised by an Advanced Threat is that the signs are subtle. Once your systems have been compromised there will be no ransom demand and no program that suddenly stops working. The point of an Advanced Threat is to infiltrate a computer without ever being detected and then spread to other computers on the network, so that the attacker keeps a foothold even if the original infection is found and removed.
Detecting an Advanced Threat means understanding what normal activity looks like on your network and monitoring for activity outside those normal operating parameters. It means watching outbound network activity for signs that data is being exfiltrated. It means looking for internal traffic between computers that have no reason to contact each other, the lateral movement by which the attacker spreads. It may also mean monitoring servers and workstations for unusual processes or unexpected installations. In short, it means looking for any activity you can't explain.
Finding the information to build a security baseline isn't the problem. There is a vast amount of data available in logs and from collectors for system or network activity. The problem is filtering out the vast majority of normal activity in order to pinpoint the exceptions that indicate a compromise. That is where Splunk® can be used to surface anomalies and correlate events across multiple log sources, not only to find a problem but also to trace the scope of the attacker's activity.
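To make the baseline-and-deviation idea from the two paragraphs above concrete, here is an added example (not code from the DBIR, Verizon or Splunk) that builds a baseline from a week of constructed firewall-style connection records and then flags two of the signals described: an internal host contacting a peer it never talked to during the baseline (lateral movement) and a host whose daily outbound volume is far above its own baseline (possible exfiltration). The log format, the internal address ranges, the hostnames and the thresholds are all assumptions chosen for the example; a real deployment would read these from the log sources and tune the z-score cutoff.

```python
"""Baseline-and-deviation detection over connection logs.

Added example with constructed data. Log line format is assumed:
  <ISO timestamp> src=<ip> dst=<ip> dport=<port> bytes=<bytes sent by src>
"""
import ipaddress
import re
import statistics
from collections import defaultdict

# Assumed: the organisation's own address space. Anything else is "outbound".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)

def parse(line):
    """Parse one record; returns None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"day": m["day"], "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "bytes": int(m["bytes"])}

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def build_baseline(lines):
    """Learn, per internal host, its usual internal peers and daily egress volume."""
    peers = defaultdict(set)                                  # src -> {internal dst}
    daily_out = defaultdict(lambda: defaultdict(int))         # src -> day -> bytes
    for rec in filter(None, map(parse, lines)):
        if is_internal(rec["dst"]):
            peers[rec["src"]].add(rec["dst"])
        else:
            daily_out[rec["src"]][rec["day"]] += rec["bytes"]
    egress = {}
    for host, days in daily_out.items():
        totals = list(days.values())
        stdev = statistics.pstdev(totals) if len(totals) > 1 else 0.0
        egress[host] = (statistics.mean(totals), stdev)
    return {"peers": peers, "egress": egress}

def detect(baseline, lines, z=3.0, min_stdev_ratio=0.1):
    """Return alerts for new internal peers and abnormal daily egress volume."""
    alerts, seen_pairs = [], set()
    daily_out = defaultdict(lambda: defaultdict(int))
    for rec in filter(None, map(parse, lines)):
        if is_internal(rec["dst"]):
            pair = (rec["src"], rec["dst"], rec["dport"])
            if rec["dst"] not in baseline["peers"].get(rec["src"], set()) and pair not in seen_pairs:
                seen_pairs.add(pair)
                alerts.append(("new_internal_peer",) + pair)
        else:
            daily_out[rec["src"]][rec["day"]] += rec["bytes"]
    for host, days in daily_out.items():
        for day, total in days.items():
            if host not in baseline["egress"]:
                # A host that never sent data out during the baseline now does.
                alerts.append(("no_egress_baseline", host, day, total))
                continue
            mean, stdev = baseline["egress"][host]
            # Floor the spread so a perfectly steady baseline does not alert on tiny drift.
            spread = max(stdev, mean * min_stdev_ratio)
            if total > mean + z * spread:
                alerts.append(("egress_volume", host, day, total))
    return alerts

# Constructed baseline: a workstation talks to DNS and a file server, and browses out.
BASELINE_LOG = [
    "2014-05-01T08:00:00 src=10.0.1.15 dst=10.0.0.5 dport=53 bytes=110",
    "2014-05-01T08:01:00 src=10.0.1.15 dst=10.0.2.40 dport=445 bytes=25000",
    "2014-05-01T09:00:00 src=10.0.1.15 dst=93.184.216.34 dport=443 bytes=180000",
    "2014-05-01T15:00:00 src=10.0.1.15 dst=93.184.216.34 dport=443 bytes=20000",
    "2014-05-01T09:30:00 src=10.0.1.16 dst=93.184.216.34 dport=443 bytes=100000",
    "2014-05-02T08:00:00 src=10.0.1.15 dst=10.0.0.5 dport=53 bytes=95",
    "2014-05-02T09:00:00 src=10.0.1.15 dst=93.184.216.34 dport=443 bytes=210000",
    "2014-05-02T09:30:00 src=10.0.1.16 dst=93.184.216.34 dport=443 bytes=100000",
    "2014-05-03T09:00:00 src=10.0.1.15 dst=93.184.216.34 dport=443 bytes=190000",
    "2014-05-03T09:30:00 src=10.0.1.16 dst=93.184.216.34 dport=443 bytes=100000",
]
# Constructed observation day: lateral SMB to a new peer, a 52 MB upload to an
# unfamiliar host, a malformed line, and ordinary traffic that should stay quiet.
OBSERVED_LOG = [
    "2014-05-05T08:01:00 src=10.0.1.15 dst=10.0.0.5 dport=53 bytes=120",
    "2014-05-05T08:02:10 src=10.0.1.15 dst=10.0.2.40 dport=445 bytes=30000",
    "2014-05-05T08:05:44 src=10.0.1.15 dst=10.0.1.22 dport=445 bytes=9000",
    "2014-05-05T08:06:01 src=10.0.1.15 dst=10.0.1.22 dport=445 bytes=12000",
    "2014-05-05T09:00:00 src=10.0.1.15 dst=93.184.216.34 dport=443 bytes=205000",
    "2014-05-05T02:13:00 src=10.0.1.15 dst=198.51.100.7 dport=443 bytes=52000000",
    "2014-05-05T10:00:00 src=10.0.1.16 dst=93.184.216.34 dport=443 bytes=105000",
    "2014-05-05T11:00:00 src=10.0.1.30 dst=203.0.113.9 dport=443 bytes=800",
    "garbage line",
]

if __name__ == "__main__":
    for alert in detect(build_baseline(BASELINE_LOG), OBSERVED_LOG):
        print(alert)
```

The same two questions, "who is this host talking to that it never talked to before?" and "how much is it sending out compared with its own history?", are what the Splunk searches in a real deployment would answer, with the baseline computed over weeks of data rather than three days and the alerts correlated with process and installation events from the affected hosts.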