Successful cyberattacks have the potential to sink even the most powerful organizations, even those with an extensive cybersecurity strategy. While most attacks on corporations receive extensive media coverage and massive public attention, one of the deadliest characteristics of a successful cyberattack is its ultimate silence. With that in mind, how do you detect, and fight, a cyberattack?
When thinking about the detection of attacks, the most important principle for IT experts to keep in mind is not, in fact, to hunt for the latest malware or worm of the week. It is a common misconception to focus on the tools of the trade, the tools the cyberattackers use.
The people behind cyberattacks
The most important thing to remember is that there are people behind the attacks: organized people who have selected their tools very carefully. They don’t turn up with malware whose file hashes are already known, with artefacts that can be recognized in place, or with tools that share common identifying features – their QA labs have found ways around all of that.
Sam Curry, Chief Product Officer at Cybereason and Guest Lecturer on the Cybersecurity: Managing Risk in the Information Age online short course from Harvard’s Office of the Vice Provost for Advances in Learning (VPAL), in association with HarvardX, believes in order to detect a cyberattack, you need to look for identifying behaviours of the people behind the attack.
“What you want to be doing is looking through the behaviours, and saying: yes, I can stop the known bad, the things that are triggered by antimalware, but I’m actually looking for the unknowns. And I’ve got techniques, and I’ve got tools, and processes to find the human beings that are moving through the networks, rather than the tools.”
Unfortunately, Hollywood has done a huge disservice to the cybersecurity industry. Often a movie will feature someone sitting behind a laptop who starts typing, hits enter, and is done – as if that’s all there is to hacking. Curry believes it’s important to change your thinking and distinguish between an infrastructure breach and an information breach.
Infrastructure breaches vs information breaches
There is a gap between the two: one is inevitable, the other is a possibility. It’s a simple truth that people will invade your infrastructures, they will get into your systems. They might get in through some malware, or a compromised identity, and that’s not the end of the world.
It is the end of the world, though, if you treat it as a binary state, haven’t peeled the two apart, and don’t realise that it takes an adversary days, or even weeks, to traverse your networks and turn that foothold into something with huge consequences – an information breach.
Curry reminds us, “Simply getting in isn’t bad. That’s when the clock starts ticking and you have to find the people in your networks and prevent them from getting to know your network; taking control of it, and doing bad things.”
As an analogy, imagine somebody trying to sneak into a building.
They’ll find a way past the door, or into the garage, or they’ll deliver something. But it takes a long time for them to understand the internal layout of the building, where the treasures are kept, and to actually gain access to those things, use them and get them out.
Networks are far more complex. The analogy is probably better with a city: if you want to get into a city, you can probably get in, but finding where the bank vault is, being able to access it, and get things out takes time.
And it’s that development time where the defenders have a chance to catch the attackers.
How to catch cyberattackers
The adversaries targeting most organisations take their time to plan and stockpile their tools. When they do eventually turn up, they know what you’re using for defence. They know the static controls, the software you’re running, and the hardware you’re running. The things they bring and plant in the environment are specifically designed to get around those. It’s this calculated behaviour that makes them very hard to find.
The most important thing is, they’re humans. And humans, while they may not work at machine speeds, are creative. They’re innovative and they’re motivated, so as they hide and nestle in the environment, and try to find ways around you, the cat and mouse game begins.
As Curry says, “To win the game, it’s very important to start looking for the human behaviours and human trails in the environment, rather than the traditional way of looking for the tools they leave behind. That cat and mouse game is the game that you have to be equipped to win.”
“The sort of human behaviours we’re looking for are the things that deviate from what your users, or your admins, or even your testers do. There’s a progression from an initial infection to get higher privilege and move among systems. And, there are a few things that the adversaries will do. They need to make sure that if they get caught, they can come back.”
“So, they set up things called beacons to phone home. They also set up back doors, so they can come back, call it a plan B and a plan C. If they think you’re onto them, then they’ll go into a silent running mode, much like in submarine warfare. And they’ll come back with their plan Bs and Cs at a later point in time.”
Once the attackers feel like they can come back safely, the ultimate goal is obtaining the highest privilege – the assailants want the ability to act like a root user or administrator. This allows them to understand the network they’re in and identify where the controls they want are: it could be information, it could be a key function. And then they prepare for operational orders.
Usually, these orders are developed ahead of time, but sometimes they’re created on demand. The attackers have massive resources behind them, yet they leave tell-tale signs: unique trails in which processes are used in ways they aren’t normally used in your company, and accounts are used in ways they aren’t normally used.
By stitching together these little anomalies you can find things that, in the aggregate, stand out from the background noise. That’s the key to finding the bad behaviours. It’s understanding how adversaries operate when carrying out their military-like missions. Those missions can be found and stopped.
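As an added illustration of stitching small anomalies together into something that stands out from the noise, here is a short Python script written for this page (it is not code from the course, Cybereason or the author). It scores hosts by combining two of the behaviours described above: beacon-like connections that recur at a near-constant interval, and accounts or processes used in pairings a baseline never saw. The log format, the baseline sets, the weights and the thresholds are all assumptions, and every log line is constructed.

```python
"""Aggregate small behavioural anomalies into per-host scores.
Added illustration, not code from the article: the log format, baseline sets,
weights and thresholds are assumptions; all sample log lines are constructed."""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample events, one per line: "time host user process action target".
SAMPLE_LOG = """\
2024-05-01T09:00:00 ws-12 alice outlook.exe net mail.corp.example
2024-05-01T09:05:00 ws-12 alice chrome.exe net intranet.corp.example
2024-05-01T09:10:03 ws-12 alice svchost.exe net 203.0.113.7
2024-05-01T09:20:01 ws-12 alice svchost.exe net 203.0.113.7
2024-05-01T09:30:02 ws-12 alice svchost.exe net 203.0.113.7
2024-05-01T09:40:00 ws-12 alice svchost.exe net 203.0.113.7
2024-05-01T09:50:04 ws-12 alice svchost.exe net 203.0.113.7
2024-05-01T10:02:00 ws-12 svc-backup powershell.exe logon ws-12
2024-05-01T10:03:00 fs-01 alice explorer.exe logon fs-01
2024-05-01T09:00:00 ws-07 bob outlook.exe net mail.corp.example
2024-05-01T09:41:00 ws-07 bob chrome.exe net intranet.corp.example
"""

# Assumed baseline of normal (host, user) and (user, process) pairs; in practice
# this would be learned from a quiet historical window, not typed by hand.
BASELINE_HOST_USER = {("ws-12", "alice"), ("ws-07", "bob"), ("fs-01", "svc-backup")}
BASELINE_USER_PROC = {("alice", "outlook.exe"), ("alice", "chrome.exe"),
                      ("alice", "explorer.exe"), ("bob", "outlook.exe"),
                      ("bob", "chrome.exe"), ("svc-backup", "backup.exe")}


def parse_events(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, host, user, proc, action, target = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "host": host, "user": user,
                       "proc": proc, "action": action, "target": target})
    return events


def find_beacons(events, min_count=4, max_cv=0.2):
    """Flag (host, process, target) triples whose outbound connections recur at a
    near-constant interval: a low coefficient of variation of the inter-arrival
    times is the 'phone home' pattern the text describes. Returns [(key, period_s)]."""
    by_key = defaultdict(list)
    for e in events:
        if e["action"] == "net":
            by_key[(e["host"], e["proc"], e["target"])].append(e["ts"])
    beacons = []
    for key, times in by_key.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_cv:
            beacons.append((key, round(mean(gaps))))
    return beacons


def find_account_anomalies(events):
    """Flag accounts and processes used in pairings the baseline never saw.
    Each distinct anomaly is reported once, however often it repeats."""
    findings = set()
    for e in events:
        if (e["host"], e["user"]) not in BASELINE_HOST_USER:
            findings.add((e["host"], "new host/user pair", e["user"]))
        if (e["user"], e["proc"]) not in BASELINE_USER_PROC:
            findings.add((e["host"], "new user/process pair", f'{e["user"]}:{e["proc"]}'))
    return sorted(findings)


def score_hosts(events, weights=None):
    """Sum weighted anomaly counts per host, so several weak signals on one
    machine rise above isolated one-offs elsewhere. Weights are assumptions."""
    weights = weights or {"beacon": 3, "new host/user pair": 2, "new user/process pair": 1}
    scores = Counter()
    for (host, _proc, _target), _period in find_beacons(events):
        scores[host] += weights["beacon"]
    for host, kind, _detail in find_account_anomalies(events):
        scores[host] += weights[kind]
    return dict(scores)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for key, period in find_beacons(evs):
        print("beacon-like:", key, f"every ~{period}s")
    for host, score in sorted(score_hosts(evs).items(), key=lambda kv: -kv[1]):
        print(f"{host}: anomaly score {score}")
```

On the constructed sample, ws-12 accumulates a beacon-like connection, an unfamiliar user/process pair and an unfamiliar service account logging on, and so outscores fs-01, where a single new host/user pair would be easy to dismiss on its own. The point is the aggregation: none of these signals is conclusive alone, but a host that collects several of them is where an analyst should look first.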
Learn how to catch cyberattackers on the Harvard VPAL Cybersecurity: Managing Risk in the Information Age online short course. Detection of assailants is covered in Module 7: Incident response and accountability, where you’ll learn how to:
- Name preventative measures that need to be implemented prior to a cyberattack
- Identify the correct process to detect and contain a cyberattack
- Articulate the appropriate communication strategy following a cyberattack
- Analyse the roles of key actors in the response to a cyberattack
- Assess the damage inflicted by a cyberattack
- Decide on processes to eradicate an attack, and recover affected systems, networks, and data
- Propose an incident response plan to prepare an organization in the event of an attack
During the eight-week course from Harvard’s VPAL in association with HarvardX, you’ll learn how to protect your business from cyberattacks as you’re guided by cybersecurity experts such as Sam Curry, CPO of Cybereason; DJ Patil, Former U.S. Chief Data Scientist; Harold Moss, Sr. Director Strategy & Business Development at Akamai; and Eric Rosenbach, Course Convener and Co-Director of the Belfer Center for Science and International Affairs at Harvard Kennedy School.
Ready to learn how to protect your business from the threat of cyberattacks?
Register now for the Harvard VPAL Cybersecurity online short course.