When we look at the current threat landscape, we see attackers turning initial compromises into full-blown breaches. They spend hours, even days, working to break into a system, and once inside they spend far longer moving laterally in search of sensitive resources, using a variety of techniques to stay undetected for long stretches. The result is sophisticated cyberattacks that pit security teams against the clock.
Attacker dwell time is long
The average time to identify and contain a breach is getting longer, not shorter. According to IBM's Cost of a Data Breach Report 2021, organizations took an average of 212 days to identify a breach and a further 75 days to contain it between May 2020 and March 2021, a total dwell time of 287 days. That is far too long, and it is a big part of why we see so many data breach victims. The longer attackers remain in the environment, the more damage they can do, including encrypting, corrupting, or stealing corporate data, most recently to hold it for ransom.
Cyberattacks are more sophisticated
Attackers have become far more sophisticated in their techniques, but not in the sense of building anything elaborate. They layer additional techniques onto methods that are already tried and true, and they make slight modifications to their malware so that it gets into systems more reliably. It is not new malware; it is the same malware delivered with new techniques. In fact, we see attacks from four or five years ago being repurposed today into new campaigns. One technique used to great effect is exploiting dwell time itself: attackers keep their actions low and slow, because individually small, widely spaced actions are extremely difficult to detect. Correlating that activity over weeks or months is very hard for a single analyst, and most tools are not built to do it either.
Cyberattacks span multiple clouds
As organizations migrate to cloud, multi-cloud, and poly-cloud environments, threat actors build multi-cloud attack campaigns to match. They spread their activity across the different cloud infrastructures a company uses, so that no single provider's logs show the whole picture, and treat that fragmentation as an advantage. Companies struggle to monitor and secure all of those environments consistently, and how hard that is depends on the underlying business model and which workloads run where.
And then there is IoT
Attackers are also taking advantage of gaps in IoT security, which here means any network-connected device that can be reached and switched on. That covers industrial control systems, critical infrastructure, and manufacturing systems. IoT can be tiny devices like a Fitbit or a video camera, but it extends to the field equipment a utility company uses to measure power or electricity usage.
For many of these devices, security is not built in. Their numbers are exploding, and security teams operating in a SOC need to know they are there. Analysts need to be able to inventory and characterize IoT devices and detect threats against them, because attackers use them as the initial compromise from which to break into the rest of the environment.
Rules and patterns can only detect known threats
Detecting these new techniques is very difficult for solutions that rely on known patterns. Many solutions can record and correlate information, but their ability to detect new threats out of the box is very limited. The key is being able to adapt to new threats automatically. You do not want to wait for your vendor to ship a new signature, pattern match, or model, because there is no guarantee they will, or of how long it will take. Meanwhile, attackers keep exploiting the gap with these new techniques and sophisticated cyberattacks.
It becomes a race against time. Without automation that detects early indicators of compromise and assembles them quickly, SOC teams end up waiting for more security events and more indicators to pile up before they can put the puzzle together and stop a breach. Prevention is harder than ever because most initial compromises do not come through vulnerabilities or gaps in external defenses. They come through human users who, tricked by clever phishing and social engineering, escort attackers through the front door.
Detecting new threats requires true machine learning
This is where genuine self-learning machine learning and AI become critical: continually analyzing current activity, behaviors, and controls, and automating changes to the environment to protect against new attacks and new variants. True machine learning is what allows emerging threats and never-before-seen variants to be detected out of the box. Risk-based user behavior detection and analytics are a requirement, helping security teams spot unusual commands being executed, unexpected external communications, leakage of credential data or financial information, and the like. Because self-learning models adapt to changes, anomalies, and unusual user activity as they appear, they let a SOC team automate functions, streamline tasks, and gain visibility into what is going on.
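To make the two points above concrete (that a known-pattern list misses anything not already on it, and that low-and-slow activity only shows up when anomalies are correlated over a long window), here is an added illustration. It is not Gurucul's code or a description of its product; the users, hosts, commands, timestamps, decay half-life and thresholds are all constructed for the example. A per-user baseline of hosts, commands and hours of day is learned from two weeks of routine activity, each later event is scored by how many of those features are new, and the scores feed a per-user risk total that decays slowly instead of being reset every 24 hours.

```python
"""Added illustration, not Gurucul's code: a known-bad signature list beside
a per-user behavioural baseline whose anomaly scores accumulate in a slowly
decaying risk total, so low-and-slow activity that never trips a single rule
still surfaces. Users, hosts, commands, timestamps and thresholds are all
constructed for the example."""
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2021, 5, 3)  # constructed start of the learning window

# Hypothetical signature list: tool names a rule-based product already knows.
KNOWN_BAD = ("mimikatz", "procdump", "lazagne")


def make_baseline_events():
    """Two weeks of routine activity for two users (constructed)."""
    events = []
    for day in range(14):
        for hour in (9, 12, 16):
            t = T0 + timedelta(days=day, hours=hour)
            events.append((t, "alice", "ws-alice", "outlook.exe"))
            events.append((t, "alice", "ws-alice", "chrome.exe"))
            events.append((t, "bob", "ws-bob", "excel.exe"))
    return events


# Constructed activity after the learning window. Each of alice's odd events
# has only two novel features and they are days apart; none alarms on its own.
NEW_EVENTS = [
    (T0 + timedelta(days=14, hours=12), "alice", "ws-alice", "chrome.exe"),
    (T0 + timedelta(days=17, hours=2), "alice", "ws-alice", "powershell.exe"),
    (T0 + timedelta(days=20, hours=12), "bob", "ws-bob", "excel.exe"),
    (T0 + timedelta(days=23, hours=16), "alice", "fileserver-01", "net.exe"),
    (T0 + timedelta(days=30, hours=23), "alice", "ws-alice", "rclone.exe"),
    (T0 + timedelta(days=38, hours=9), "alice", "dc-01", "powershell.exe"),
]


def signature_hits(events):
    """Rule/pattern detection: fires only for tools already on the list."""
    return [e for e in events if any(bad in e[3].lower() for bad in KNOWN_BAD)]


def build_baseline(events):
    """Per user: the hosts, commands and hours of day seen while learning."""
    base = defaultdict(lambda: {"hosts": set(), "cmds": set(), "hours": set()})
    for t, user, host, cmd in events:
        base[user]["hosts"].add(host)
        base[user]["cmds"].add(cmd)
        base[user]["hours"].add(t.hour)
    return base


def default_baseline():
    """Baseline learned from the constructed two-week window."""
    return build_baseline(make_baseline_events())


def novelty_score(base, event):
    """One point per feature this user never showed during the baseline."""
    t, user, host, cmd = event
    b = base[user]
    return int(host not in b["hosts"]) + int(cmd not in b["cmds"]) + int(t.hour not in b["hours"])


def per_event_alerts(base, events, threshold=3):
    """Alert on any single event whose novelty reaches the threshold."""
    return [e for e in events if novelty_score(base, e) >= threshold]


def max_window_score(base, events, user, window_days=1):
    """Best a short correlation window can do: largest summed novelty for a
    user inside any window of window_days."""
    pts = sorted((e[0], novelty_score(base, e)) for e in events if e[1] == user)
    best = 0
    for i, (start, _) in enumerate(pts):
        best = max(best, sum(s for t, s in pts[i:] if t - start <= timedelta(days=window_days)))
    return best


def accumulated_risk(base, events, half_life_days=14.0):
    """Long-window correlation: each anomaly adds its score to a per-user
    risk total that halves every half_life_days. Returns {user: peak risk}."""
    risk, last, peak = {}, {}, defaultdict(float)
    for event in sorted(events):
        t, user = event[0], event[1]
        if user in last:
            dt_days = (t - last[user]).total_seconds() / 86400
            risk[user] *= 0.5 ** (dt_days / half_life_days)
        else:
            risk[user] = 0.0
        risk[user] += novelty_score(base, event)
        last[user] = t
        peak[user] = max(peak[user], risk[user])
    return dict(peak)


if __name__ == "__main__":
    base = default_baseline()
    print("signature hits:", len(signature_hits(NEW_EVENTS)))  # 0
    print("single-event alerts:", len(per_event_alerts(base, NEW_EVENTS)))  # 0
    print("best 1-day window for alice:", max_window_score(base, NEW_EVENTS, "alice"))  # 2
    print("peak accumulated risk:", {u: round(r, 2) for u, r in accumulated_risk(base, NEW_EVENTS).items()})  # alice 5.0, bob 0.0
```

Run as a script, the signature list and the single-event rule both report nothing, and a one-day correlation window never sees more than a score of 2 for alice, yet her decaying risk total climbs past 4 by the fourth event and peaks near 5. The baseline is deliberately not updated from the new events, so the attacker's own activity cannot teach the model that PowerShell on a domain controller is normal for this user; a real deployment would instead re-learn on a schedule from activity an analyst has already cleared.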
Compromises are inevitable. We must improve security across the board so that the single compromise, which is all it takes to wreak havoc, is caught and responded to early and efficiently to prevent further damage. Gurucul can help.
The post Sophisticated Cyberattacks Pit Security Teams Against the Clock appeared first on Gurucul.
*** This is a Security Bloggers Network syndicated blog from Blog - Gurucul | Security Analytics | Machine Learning Models on Big Data, authored by Jane Grafton. Read the original post at: https://gurucul.com/blog/sophisticated-cyberattacks-pit-security-teams-against-the-clock