IT security teams are focused on vulnerability and configuration management and monitoring the endpoint for malicious activity, but security pros may be missing the telltale signs that highly skilled attackers may have already set up operations on the corporate network, according to new whitepaper from Trend Micro.
To gain an upper hand, firms must be able to spot the unwanted intruder and constantly foil their efforts.
Tom Kellerman, vice president of cybersecurity, Trend Micro Inc.
"Digital insiders" can scout for exploitable vulnerabilities, set up communication channels on the inside to avoid detection and even patch vulnerabilities to prevent hackers to piggy back on their efforts, according to Tom Kellerman, vice president of cybersecurity at Trend Micro Inc. Kellerman said data analytics help forward thinking IT teams spot potential problems before they grow out of control.
"This may require organization to increase their awareness of the activities on their networks and the ability to correlate events to thwart the digital insider’s malicious activities," Kellerman wrote in a blog entry about the insider threat and Trend's network analysis tools."To gain an upper hand, firms must be able to spot the unwanted intruder and constantly foil their efforts."
Trend issued a white paper on the topic,"How to Thwart the Digital Insider – an Advanced Persistent Response to Targeted Attacks," (.pdf) outlining steps organizations can take to spot attackers who may have already infiltrated the company network. It involves the use of threat intelligence and network analysis, correlating the data to spot potentially malicious activity.
"These guys are past masters at lying hidden for years on end so we need to up our own game to achieve advanced situational awareness," Kellerman wrote. "It will require patience once a digital insider is discovered, however, and more monitoring to ascertain all of the actors behind a particular threat so that law enforcement can take over – this is not a time to go in all guns blazing."
Situational awareness and deep data analysis has been a consistent theme in 2012 as security researchers provided information on targeted attacks and cyberespionage campaigns looking to steal intellectual property.
Big data analytics emerged as a major theme at the 2012 RSA Conference. A number of security firms warned about targeted attackers infiltrating and remaining virtually undetectable on networks for months and even years. Large enterprises such as IBM, HP and RSA, the Security Division of EMC Corp. are touting data collection and correlation. It typically involves a Security Information and Event Management appliance to collect and crunch the data from the various security devices on the network. The firms have been slowly adding threat intelligence feeds in an effort, they say, to improve detection and isolate problems much faster.
Vulnerability and configuration management can only go so far in reducing the attack surface, said Pete Lindstrom, a research director at Spire Security. Determined attackers can use zero-day vulnerabilities, or find a weak point based on a single configuration error or software component that hasn't been updated.
Threat intelligence data can be used in a variety of ways, Lindstrom said. For example, malicious IP addresses where attacks originate, can be identified and communication to those points can be blocked by enterprise IT teams addressing the threat. While large businesses often have the resources to do it better, organizations on tighter budgets are turning to managed security providers to provide visibility and data correlation.
Collective Intelligence Framework
Proactive security typically involves threat intelligence gathering and data analytics to help organizations better understand the security threats that matter most to the organization, said Rick Holland, an analyst at Forrester Research Inc. Holland said organizations that are building an intelligence program typically partner with cyberintelligence organizations such as Dallas-based iSight Partners or VeriSign's iDefense security intelligence services to gain actionable data. Cyberintellgience firms have traditionally catered to the defense industrial base and financial services firms, but their customer base is growing, Holland said.
"Intelligence requires analysis and relevancy and a lot of what vendors provide is just a feed that companies may or may not be able to use to make actionable," Holland said.
Holland advocates the use of the Collective Intelligence Framework (CIF), an open source project that combines multiple threat feeds and data sets together and enables organizations to query against the data to find bad IPs (infected systems) on their network. The CIF is extremely useful, but requires skilled programmers and threat analysts, Holland said. Other firms, such as Baltimore-based LookingGlass Cyber Solutions, can provide similar information in a more user friendly interface, he said.