Why being hacked is a spectrum and the importance of post-hoc detection

Data breaches are often presented retrospectively as a series of events leading up to a single pivotal event, such as the public leak of sensitive files. Layering an ordered narrative over an attack can make it easier to understand, especially for a wider audience beyond the security organization. But in reality, modern cyberattacks frequently occur and evolve over indeterminate time periods, with dormant, active, and hyperactive phases, multiple changes in tactics, techniques, and procedures (TTPs), and shifting objectives.

Let’s take the example of a currently active threat: initial access brokers (IABs). IABs acquire compromised authentication credentials to sell to other cybercriminals, either by buying them from freelancers or by harvesting them directly through traditional attack techniques such as drive-by downloads or phishing.

If you’ve been compromised by an IAB, you’ve been hacked. But the breach is dormant – the risk is not yet fully realized – and has not been exploited for any particular purpose. The IAB can sell access to your systems and networks to a cybercriminal group that installs a crypto-miner, raising your electricity bill semi-harmlessly in the background while generating valuable digital currency for the attackers. Or they can sell your credentials to one of the many ransomware operators known to buy stolen credentials, who then launch a devastating cyber extortion attack that cripples your business. Both scenarios start with the same initial access, but the risk they pose and the impact they can have are entirely different.


IABs are only a small part of a cyberattack. Threats typically evolve in spurts, constantly shifting the goalposts for successfully detecting and responding to an in-progress compromise. Malware also does not remain static: it is reconfigurable, allowing payload modules to be swapped out pretty much on the fly. Some of today’s most sophisticated attackers are also highly elusive and change tactics frequently, so that IOCs are only reused by threat actors for brief periods or against a limited number of targets. For example, the command and control infrastructure that was used in an organization’s first breach, including IP addresses and domain names, will likely have gone through several iterations by the time you first detect the threat actor.

IOCs are often artifacts from another time, seen at the wrong time

Imagine looking for marauding raiders armed with swords and bows on horseback in the 21st century, instead of looking for people armed with guns, and you get the idea. If you don’t have the data for the corresponding time period, the IOCs have cyber-archaeological value at best: they are artifacts from another time, misplaced anachronisms unless correlated with data from the correct period. For security teams, this means that not only do most IOCs have an expiration date, but they are only really effective for a specific, limited window of time.

More importantly, the majority of IOCs are only publicly disclosed to end users after they have been discovered in use in an attack. This creates a signal delay between when the original attack traffic was seen and when the indicators become widely known and available for detection.

The problem is that most real-time detection approaches only protect you from future threats. They require new attack traffic and need to catch an attacker in the act.

In an ideal world, you would know that the domain sending a phishing email is malicious and the file hash is associated with known malware. Our detection technology would then detect these malicious emails and block them before they even reach the intended victim.

In the real world, the domain that sent the phishing email went offline 15 days ago, and there was never a file hash because the attack was fileless, using a maliciously crafted Office document.

The drawbacks of relying on “known-known” indicators are well understood, and a number of different approaches have been proposed to offset them, for example proactive threat hunting, where a human analyst examines whatever security telemetry is available to uncover any emerging compromise. And to minimize threat actor dwell time and reduce the average response time, large organizations have also adopted cyber rapid response.

Cyber-rapid response and threat hunting are powerful when done right. But both require three things that many organizations have in short supply: expertise, time, and long-term historical data.

Retroactive post-hoc detection

A data breach is not a one-time event; it can unfold in many different ways. More importantly, you may be hacked a little or heavily: an attacker may have only gained a foothold on an unimportant system, or they may have infiltrated deeper into your networks and systems to install backdoors and obtain multiple privileged credentials, making them difficult to evict cleanly even once we discover them.

The fact that most IOCs are already obsolete when they become known means that the traditional approach of relying on future attack activity has always been fundamentally flawed. But we were stuck because we couldn’t collect, store and review enough historical data.


Detection of threats and threat activity is the foundation of all incident response and remains one of the most critical areas for impacting Mean Response Time (MTTR). But real-time detection is limited to a forward-looking view, even though most of the available data is historical in nature.

What we need is longer-term data retention and a way to sweep historical event data for IOCs and TTPs as they become known, repeated whenever new data or new indicators arrive. With this approach, you can search for these IOCs in the time window in which they were actually used. The earlier we can identify a threat and the further back we can trace its activity, the better. And this depends not only on a view of the future, but also on an understanding of past activity.
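To make the retroactive sweep concrete, here is an added example (not code from the article or from Securonix) that matches a constructed IOC feed against constructed historical proxy/DNS log lines, restricting each match to the indicator's first-seen/last-seen window and reporting the signal delay between the event and the indicator's publication date; all domains, IP addresses, hostnames and dates are hypothetical.

```python
from datetime import datetime, timedelta

# Constructed IOC feed (hypothetical values). Each indicator carries the window in
# which it was actually used by the actor and the date it became publicly known.
IOC_FEED = [
    {"type": "domain", "value": "updates-mail-portal.example",
     "first_seen": "2024-03-01", "last_seen": "2024-03-15", "published": "2024-03-30"},
    {"type": "ip", "value": "198.51.100.23",
     "first_seen": "2024-02-10", "last_seen": "2024-02-20", "published": "2024-04-02"},
]

# Constructed historical log lines: "<timestamp> <host> <destination>".
LOG_LINES = """\
2024-03-05T09:12:44 wks-17 updates-mail-portal.example
2024-03-20T11:02:10 wks-17 updates-mail-portal.example
2024-02-14T22:41:03 srv-db-2 198.51.100.23
2024-03-05T09:13:01 wks-17 cdn.example.org
""".splitlines()

def sweep(log_lines, ioc_feed, slack_days=3):
    """Match IOCs against retained events, but only inside each IOC's validity
    window (widened by slack_days), and record how many days the indicator was
    published after the event it would have detected."""
    hits = []
    for ioc in ioc_feed:
        start = datetime.fromisoformat(ioc["first_seen"]) - timedelta(days=slack_days)
        end = datetime.fromisoformat(ioc["last_seen"]) + timedelta(days=slack_days)
        published = datetime.fromisoformat(ioc["published"]).date()
        for line in log_lines:
            ts_text, host, destination = line.split()
            if destination != ioc["value"]:
                continue
            ts = datetime.fromisoformat(ts_text)
            if not (start <= ts <= end):
                continue  # outside the window: an anachronism, not evidence of this campaign
            hits.append({"host": host, "indicator": destination, "event_time": ts_text,
                         "signal_delay_days": (published - ts.date()).days})
    return sorted(hits, key=lambda h: h["event_time"])

if __name__ == "__main__":
    for hit in sweep(LOG_LINES, IOC_FEED):
        print(hit)
```

The 2024-03-20 contact with the same domain is deliberately left unmatched: it falls outside the window in which the indicator was in use, which is the anachronism problem the article describes.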

The opinions expressed in this article are the personal opinion of Oliver Rochford, Security Evangelist, Securonix.

The Banking & Finance Post is an initiative of Elets Technomedia Pvt Ltd, existing since 2003.