Detecting cyber threats
This post is authored by Joe Faulhaber, Senior Consultant, ECG
In today’s cyber threat landscape, it’s not a question of if an attack will occur, but who will attack and when. To keep enterprise data safe against global threats that include attackers as technically sophisticated as any defender, enterprises need to have world-class cyber defenses. This requires strong execution of security fundamentals, in-depth knowledge of the enterprise environment, and working with experts to be ready to detect attacks when they occur.
World-class attackers, your enterprise
Protecting the modern enterprise is challenging because it is an incredibly dynamic problem. Configurations are in constant flux, hardware is being cycled, software is updating, workloads are moving to the cloud, and users are bringing devices in and out of the network. At the same time, opportunistic attacks are constantly hitting the environment, and well-funded, determined external attackers may be trying to steal valuable data from it as well. Even insiders can be threats, and what an attack looks like can change every day. Cybersecurity is an arms race, with attackers and defenders responding to each other constantly.
Detection in Depth
Protection in depth is the best enterprise defense, because defending only at the host, the network edge, or the cloud is not sufficient. Similarly, threats that cause damage or pose danger need to be detected in depth as well. When threats or attacks are detected, an appropriate, effective response is required. The three pillars of security, Protect, Detect, and Respond, are key to a secure enterprise.
Detection in depth means taking a layered approach to find threats all over the enterprise with redundant detection mechanisms, even where there are no protective defenses. It also means verifying the output of detective sensors to build trust in signals.
Some threats are not complicated to detect. Out-of-date software, missing or stale anti-malware protection, and misconfigured policies are all weaknesses that attackers exploit to turn an attempt into a successful attack. Finding and fixing them is easy, and doing so is among the fundamental requirements to stay secure.
Other threats are tougher to detect, such as attacks against network infrastructure or insider attacks, and detecting them usually depends on collecting numerous logs and analyzing them together. Software supply chain attacks can be particularly successful, especially when users go looking for software on the Internet on their own, and they require different detection methods. Knowing your environment well makes it much easier to tell when something is out of place or missing.
Even in a well-protected network, there will be successful attacks. Some of them are quite easy to identify: a new variant of an existing and common commodity malware that evades anti-malware detection is not that hard to find if you know where to look. Even if you are not familiar with an attack, being curious and knowledgeable enough to think "that's weird" is often the start of detecting something new. Another key to good detection and analysis is the knowledge and resources to understand the tactics, techniques, and procedures used in today's attacks. Even the biggest organizations need help to see the parts of attacks that happen beyond systems in their control.
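The ideas in this section, a baseline of what is normal for your environment, flagging what is out of place or missing, and verifying one sensor's signal against another before trusting it, can be shown end to end in a small script. The example below is added here to illustrate those points; it is not code from this post or from any Microsoft service. The hostnames, process names, addresses, timestamps and log format are all constructed for the example, and the 60-second corroboration window is an arbitrary assumption.

```python
"""Detection in depth over constructed logs: build a behavioural baseline
from a learning period, flag process activity and silent hosts that do not
match it, and promote an anomaly to an alert only when an independent
sensor (a web proxy log) corroborates it.

All log lines, hostnames, process names, addresses and timestamps below are
constructed for this example; the log format is an assumed 'timestamp
key=value ...' layout, not any product's real format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Learning period: process-creation events considered normal for the fleet.
BASELINE_PROCESS_LOG = """\
2017-03-01T08:01:02 host=ws01 parent=explorer.exe child=outlook.exe
2017-03-01T08:01:10 host=ws01 parent=explorer.exe child=winword.exe
2017-03-01T08:02:00 host=ws01 parent=services.exe child=svchost.exe
2017-03-01T08:03:00 host=ws02 parent=explorer.exe child=chrome.exe
2017-03-01T08:03:30 host=ws02 parent=services.exe child=svchost.exe
2017-03-01T08:04:00 host=ws03 parent=explorer.exe child=outlook.exe
"""

# Detection period: the same endpoint sensor one day later.
NEW_PROCESS_LOG = """\
2017-03-02T09:15:00 host=ws01 parent=explorer.exe child=outlook.exe
2017-03-02T09:15:42 host=ws01 parent=winword.exe child=powershell.exe
2017-03-02T09:15:43 host=ws01 parent=powershell.exe child=svchost.exe
2017-03-02T09:20:00 host=ws02 parent=explorer.exe child=chrome.exe
2017-03-02T09:30:00 host=ws02 parent=chrome.exe child=calc.exe
"""

# Independent sensor: web proxy log for the same detection period.
NEW_PROXY_LOG = """\
2017-03-02T09:15:44 host=ws01 dst=203.0.113.25 bytes=512
2017-03-02T09:20:05 host=ws02 dst=93.184.216.34 bytes=2048
"""


def parse_log(text):
    """Turn 'timestamp key=value ...' lines into dicts with a parsed 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        event = dict(f.split("=", 1) for f in fields)
        event["ts"] = datetime.fromisoformat(ts)
        events.append(event)
    return events


def build_baseline(events):
    """Normal (parent, child) process pairs per host from the learning period."""
    pairs = defaultdict(set)
    for e in events:
        pairs[e["host"]].add((e["parent"], e["child"]))
    return pairs


def find_anomalies(baseline, events):
    """Process pairs never seen on that host during the learning period."""
    return [e for e in events
            if (e["parent"], e["child"]) not in baseline.get(e["host"], set())]


def find_silent_hosts(baseline, events):
    """Hosts that reported during learning but are absent now: a sensor
    that has gone quiet is itself something 'missing' worth a look."""
    return sorted(set(baseline) - {e["host"] for e in events})


def corroborate(anomalies, proxy_events, window=timedelta(seconds=60)):
    """Mark an anomaly as corroborated only if an independent sensor saw the
    same host make an outbound connection within `window` of the event."""
    alerts = []
    for a in anomalies:
        hits = [p for p in proxy_events
                if p["host"] == a["host"] and abs(p["ts"] - a["ts"]) <= window]
        alerts.append({
            "host": a["host"],
            "process": f'{a["parent"]} -> {a["child"]}',
            "corroborated": bool(hits),
            "destinations": [p["dst"] for p in hits],
        })
    return alerts


def run():
    """Full pipeline over the constructed logs; returns (alerts, silent_hosts)."""
    baseline = build_baseline(parse_log(BASELINE_PROCESS_LOG))
    new_events = parse_log(NEW_PROCESS_LOG)
    alerts = corroborate(find_anomalies(baseline, new_events), parse_log(NEW_PROXY_LOG))
    return alerts, find_silent_hosts(baseline, new_events)


if __name__ == "__main__":
    alerts, silent = run()
    for alert in alerts:
        print(alert)
    print("silent hosts:", silent)
```

Run as written, the script raises three anomalies: the two on ws01 (Word spawning PowerShell, then PowerShell spawning a service host) are corroborated by an outbound connection from the same host two seconds later, while the chrome.exe to calc.exe pair on ws02 has no matching network activity and stays an uncorroborated observation for an analyst to triage. ws03, which reported during the learning period and not since, is listed as a silent host. In a real environment the baseline would be learned over weeks rather than one day and the corroborating sensor could be DNS, authentication or EDR telemetry, but the structure (baseline, deviation, independent confirmation) is the same.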
Determined Human Adversaries
The most dangerous attacks are targeted and perpetrated by determined human adversaries. These have been called "Advanced Persistent Threats" (APTs), though they may not be particularly advanced or even well targeted. They are especially perilous because they attack the enterprise, not an individual or a computer, and they are driven by humans who may have incredible determination and goals known only to the attackers. The adversary may come after what they think an enterprise has, not what it actually possesses.
Differentiating between a targeted attack and a random commodity attack can be quite difficult, since what works to compromise an organization does not depend on the attacker's motivations. An expected penetration test and a real attack can look the same, or completely different, when it comes to detection. Different attacks may use similar methods, and a seemingly random attack may turn out to be a determined adversary. This makes knowing previous adversary behavior incredibly important. The first encounter with a new threat can be very confusing, with time wasted chasing irrelevant details or false leads. This confusion is often compounded by the human impact of being targeted, which can carry the emotional weight of a physical attack.
In the worst case, a determined human adversary attacking your enterprise for the first time, it is essential to have help from those who have detected these types of threats before, and a response plan for dealing with the attacker.
Becoming World-Class
Detecting cyber threats can seem overwhelming when new threats are constantly making news and older threats are still capable of causing big problems. However, identifying threats becomes much easier by implementing protection and detection in depth. Executing the fundamentals of security daily, knowing what is normal for your enterprise environment, and having expert help in identifying the latest attack methods are key. Solid protection and rapid response capability are tied together by detection and intelligence, and the Microsoft Enterprise Threat Detection (ETD) service enables detection in depth with cybersecurity experts and global intelligence for your enterprise.
Read more at the Microsoft Enterprise Threat Detection blog.