Watch out for what you can’t see

Not every cyberthreat is obvious or apparent. Some may lurk for months or years, and are all the more dangerous for it.

By Bill Clark

Fri 7 Jun 2019 @ 15:50

The dramatic ‘smash-and-grab’ cyberattacks portrayed in the movies, where the intruder is trying to break through defences to grab the data while the security team types furiously in an attempt to counter them, are pure Hollywood fiction.

The reality is dangerously different. An emphasis on perimeter defence means that if an intruder gets in, there may be little to stop them from accessing your data, stealing funds or bringing down your systems. The fact that two-thirds of small and medium enterprises reported that threats evaded their perimeter defences shows the risk of this approach.

Once an attacker is in your system, they may lurk, continuing to compromise the security of your data. A recent IBM study found the mean time to detect a breach had risen to 197 days. The mean time to respond and eliminate the threat was a further 69 days.

What lurks within

Once inside the perimeter, an intruder can do more than peek at your client list, though given strict new privacy regulations, such as the EU’s GDPR and California’s Consumer Privacy Act, that can be bad enough.

A fast-rising threat, currently utilised in 50 per cent of attacks, is ‘island hopping’. Once a cyberattack penetrates the perimeter, the attackers can use your network to launch an attack on another organisation – either their real target or an intermediary step (or ‘island’) on the way to their final target. A prominent example of this was the huge data breach at US-based retailer Target, which originated from a heating, air conditioning and refrigeration subcontractor.

Even if the intruder does not want to ‘hop’ on to other businesses in your supply chain, there is also the risk of lateral movement within an organisation. An intrusion into the kitchen appliance division, for example, may lead, through internal movement and connections between business units, to the compromise of the section doing R&D on nuclear reactors. Lateral movement is also commonly seen as a counter-incident-response behaviour: attackers move to other systems to keep their foothold once they notice they are being hunted.

Once intruders are in your systems, much of their activity can resemble normal network activity. They count on it being lost in the huge amounts of data being generated every day. This is why user and entity behaviour analytics (UEBA) is an important tool. It enables organisations to establish a baseline of normal activity using machine learning and then recognise deviations.

Another violation which may be lurking within a network is cryptocurrency mining. In these types of attacks, intruders surreptitiously plant software that uses your computing power to perform cryptocurrency ‘mining’. Performing the complex computations needed to create cryptocurrency requires a great deal of computing power, so criminals use the resources of unsuspecting organisations or individuals. Clever as this may be, at best it consumes your resources. At worst, it can damage or disrupt your systems, and any uncontrolled access to your systems is always a problem.

Another overlooked threat is outdated or abandoned software. Whether installed by the business and then superseded by other applications, or installed by an individual on their own system, software which is no longer supported and isn’t receiving security updates offers a potential attack vector. Regularly checking your organisation for orphaned software and removing it can prevent future exploitation.

Remote access trojans (RATs) can be planted in a system, allowing attackers to access and use your network from any location. A good cybersecurity culture, such as training staff not to click email links, can help prevent them. Once active, a RAT can generate unusual types of network traffic or an increase in traffic volume. Again, UEBA can help detect such a lurker.
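As an added illustration of the baseline-and-deviation idea behind UEBA described above, applied to the egress-volume change a RAT can cause (example code written for this page, not part of the article or of LogRhythm's product): each entity gets a robust baseline from its own history, and later days are scored against it. The sample data, the 3.5 modified-z threshold and the 1% spread floor are assumptions chosen for the example.

```python
import statistics

# Constructed sample telemetry (not from the article): outbound megabytes per
# user for seven consecutive days, as a flow collector might summarise them.
# Days 1-5 are the learning window. "carol" surges on day 7, the kind of
# volume change the article says a remote access trojan can produce.
SAMPLE_EGRESS_MB = {
    "alice": [50, 52, 49, 51, 50, 53, 48],
    "carol": [80, 83, 78, 81, 80, 84, 900],
}
TRAIN_DAYS = 5


def build_baselines(series, train_days):
    """Per-entity baseline: median and median absolute deviation (MAD) of the
    first `train_days` values. Median/MAD are used instead of mean/stddev so
    that one extreme day in the history does not inflate the baseline."""
    baselines = {}
    for entity, values in series.items():
        history = values[:train_days]
        med = statistics.median(history)
        mad = statistics.median(abs(v - med) for v in history)
        # Floor the spread at 1% of the median (assumed heuristic): a perfectly
        # flat history would otherwise give MAD 0 and a division by zero.
        baselines[entity] = (med, max(mad, 0.01 * med))
    return baselines


def robust_z(value, median, mad):
    """Modified z-score; 0.6745 rescales MAD to a standard-deviation-like unit."""
    return 0.6745 * (value - median) / mad


def find_anomalies(series, train_days, threshold=3.5):
    """Score every day after the learning window against its entity's baseline
    and return (entity, day_number, score) for upward deviations past threshold.
    Only upward spikes are flagged because the question here is excess egress."""
    baselines = build_baselines(series, train_days)
    hits = []
    for entity, values in series.items():
        med, mad = baselines[entity]
        for day, value in enumerate(values[train_days:], start=train_days + 1):
            score = robust_z(value, med, mad)
            if score > threshold:
                hits.append((entity, day, round(score, 1)))
    return hits


if __name__ == "__main__":
    for entity, day, score in find_anomalies(SAMPLE_EGRESS_MB, TRAIN_DAYS):
        print(f"{entity}: day {day} egress deviates from baseline (score {score})")
```

In a real deployment the same scoring would run per user, host and service account over many features (logon times, destinations, bytes out), which is what lets the analytics pick out a lurker whose individual connections look ordinary.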

Finally, consider the human element. Sometimes cybercriminals don’t need to penetrate the perimeter at all. They may apply for a job. Once hired, they can remain in a company for years, exfiltrating trade secrets and intellectual property. Carefully vet new hires.

Cybercriminals may also persuade existing employees to work with them, either for financial gain or through threats. This is another place where UEBA can help, as it operates automatically and has no preconceived notions about trustworthiness. It looks for unusual activity, whatever the source, and raises the alarm.

The first step in beating dangers lurking within is to recognise the possibility that they exist. After that, an intelligent UEBA tool can help identify anomalies that may be security issues. With the alarm raised, your SOC, using the information from UEBA, can respond to deal with the issue. Combined with good perimeter defence, vigilance against lurking threats provides a comprehensive defence.

Learn more

Learn how LogRhythm can help you expose and respond to hidden threats.