It is common sense that the sooner an attack is identified, the faster it can be contained and mitigated, limiting the fallout as much as possible.
Businesses need to supplement their traditional security tools and protocols with skilled incident response teams, forensic tools, and technologies that provide a full view of the network, not just what is entering the network, but what is going on inside.
In this way, companies will be able to identify whether a breach is happening, what impact it has had, and whether ongoing data theft or other malfeasance is taking place.
John Mc Loughlin, MD of J2 Software, says perimeter defences are no longer doing the job. “Today’s threats use multiple vectors and means to achieve their aims, and while traditional security measures such as firewalls, DLP, IPS could possibly pick up part of an attack, they are woefully inadequate weapons in the war against advanced threats.”
He says it should be noted that although malicious software is used for the initial compromise, once inside a network, a cybercriminal will need legitimate credentials in order to move around the network, looking for the information they are after, and in turn, exfiltrating that information.
At one time, APT threats employed reverse back doors to access compromised networks remotely. However, these threats could be detected through their generation of consistent and routine network traffic. “Today’s threats often include a passive backdoor, which is more difficult to detect and protect against.”
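The “consistent and routine network traffic” of a reverse backdoor is the basis of beacon detection: a compromised host calls out to the same destination on a near-fixed period, which human-driven browsing does not. The following is an added example, not code from the article or from J2 Software, that flags such periodic outbound connections in a constructed connection log (hypothetical hosts and thresholds).

```python
"""Flag (source, destination) pairs whose outbound connections recur on a
fixed period, the 'consistent and routine' traffic of a reverse backdoor."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "timestamp src dst:port". 10.0.0.5 calls out
# every ~5 minutes; 10.0.0.8's connections are irregular (normal use).
SAMPLE_LOG = """\
2024-03-01T10:00:00 10.0.0.5 203.0.113.7:443
2024-03-01T10:00:04 10.0.0.8 198.51.100.2:443
2024-03-01T10:05:01 10.0.0.5 203.0.113.7:443
2024-03-01T10:07:40 10.0.0.8 198.51.100.2:443
2024-03-01T10:09:59 10.0.0.5 203.0.113.7:443
2024-03-01T10:15:00 10.0.0.5 203.0.113.7:443
2024-03-01T10:19:12 10.0.0.8 198.51.100.2:443
2024-03-01T10:20:02 10.0.0.5 203.0.113.7:443
2024-03-01T10:58:33 10.0.0.8 198.51.100.2:443
"""


def parse_log(text):
    """Return {(src, dst): [timestamps]} from lines of 'ts src dst'."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def find_beacons(flows, min_hits=4, max_jitter=0.2):
    """Return (src, dst, period_seconds) for pairs with at least min_hits
    connections whose inter-arrival gaps vary by less than max_jitter
    (relative standard deviation). Low jitter points to a scheduled,
    machine-driven check-in rather than a person browsing."""
    beacons = []
    for (src, dst), times in flows.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period < max_jitter:
            beacons.append((src, dst, period))
    return beacons


if __name__ == "__main__":
    for src, dst, period in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"possible beacon: {src} -> {dst} every ~{period:.0f}s")
```

Real beacons add random sleep jitter, so in practice the threshold is tuned per environment and combined with destination reputation and the audit trail the article calls for.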
Mc Loughlin says dynamic defences are the way forward. “Only dynamic defences can hope to fight dynamic attacks. Thorough coverage is needed to fight attacks that happen in multiple stages, across multiple vectors.”
The first step, he says, is identifying unusual behaviour on the network. Should anything raise the red flag, a good investigative tool will be able to make a call on whether a breach has occurred or whether it’s a false alarm.
“It’s not brain surgery,” he says. “Organisations cannot fight against threats they cannot see. A solution that offers network visibility, covering all network communications, is needed to augment traditional security systems.”
Anomalous behaviour must be detected, and a thorough audit trail of activity on the network must be kept, he explains. In addition, some security intelligence should be in place so that potential threats don’t take days, or heaven forbid even longer, to analyse. “Make sure your security staff have the right skills, and are able to examine threats, and make the right call. All incident responders should be able to properly investigate all attacks, and put together a comprehensive mitigation solution.”
He adds that cognitive and behavioural biometric controls that monitor how staff act inside an application will provide continuous authentication.
“Techniques such as sandboxing, virtualisation and similar will also help to keep a business’s most sensitive information separate from the main network. A determined attacker will find a way in, that is a given. This can take a matter of minutes, or the attack can involve weeks of planning and preparation. APTs are highly targeted and sophisticated, and far more difficult to prevent than a garden-variety malware attack.”
A thorough, unified defence that can not only detect anomalous behaviour but also analyse it, mitigate it and limit the damage is the best approach, he concludes.