Why understanding the lifecycle of a cyber attack is better than trying to stop it

There is universal acknowledgement that 97% of all network databases are already compromised in some way, and sophisticated attackers can hide for months or even years before being discovered.

In fact, evidence suggests that in the high-profile cyber attack on Sony, the intrusion had been occurring for more than a year before its discovery. According to Cisco's 2015 Midyear Security Report, hackers' methods are becoming increasingly advanced and agile as the financial incentives for these threats also continue to rise exponentially.

As more big businesses like Anthem, JP Morgan Chase, Home Depot, etc. are exposed and millions of consumers' private information compromised, it becomes abundantly clear that prevention as the enterprise's primary cyber security strategy is inherently flawed.

> See also: Sandboxing vs. heuristic-based scanning: a malware detection 101

According to a recent Gartner report titled, 'Malware Is Already Inside,' the enterprise needs to understand that perfect prevention is impossible. Instead of a security strategy primarily focused on prevention, Gartner advises organisations to balance their cyber security investments across the four stages of Gartner’s Adaptive Security Architecture: Predict, Prevent, Detect, Respond.

How that translates into a real-world security strategy is crucial for enterprises facing an increasingly hostile environment. An enterprise that wants to 'bullet-proof' its corporate data must take a more layered approach. To proactively identify malicious attacks and their targets, one must factor in all points of exposure by concentrating on detection in addition to prevention.

When prevention inevitably fails, detection becomes critical. With a repository of forensics data coupled with predictive capabilities – the holy grail of network security – it becomes a matter of course to identify a compromise, understand their target and anticipate their potential paths.

In other words, organisations will have the ability to stop an attack and remediate a system before serious damage occurs!

The steps to success

To arrive at a more holistic and layered approach to an organisation's security strategy where a risk assessment can lead to predictive analytics, the following components are crucial to have in place:

Make detection the core of your security strategy by leveraging predictive analytics and attack profiles against critical assets to determine the pathway of the adversary.

Create an eco-system that integrates the inside-out and the outside-in of threat profiles and potential attacks. In effect, this approach completes a security strategy built around prevention by adding detection to complete the picture.

Provide recommendations to support the risk and policy decision process for the security practitioner by helping to establish a reporting system and communication strategy between the IT and C-suite.

> See also: From prevention to detection: why businesses must shift their security focus

Segregate and store data moving through the network so that the multiple data pathways can be monitored and correlated separately, allowing for a more accurate analysis.

Develop a predictive approach by clustering behaviors along with their commonly used tools and tactics to categorize adversaries that may be targeting you into specific types.

Develop automatic recommendations to harden perimeter products to match adversary intent based on the forensic evidence of most common patterns of past attack attempts.

A portfolio stack that leverages detection as the core component of an enterprise security strategy is the needed tool to create an internal view of exactly how your company is being targeted. You gain the ability to create a predictive framework that can outpace the adversary by integrating automated detection with forensics and analytics.

By storing this data over long periods of time, network activity can be categorized between benign and potentially malicious, thus segregating the suspicious packets for more scrutiny.

Moving to an automated system allows you to deploy your human and technology resources more effectively to focus on the system’s current vulnerabilities – such as a porous area of the firewall – an alarmingly common case in today’s growing threat landscape with solutions that struggle to keep pace.

The technology is finally available to leverage big data in real-time to understand and find the adversaries who have penetrated the walls around your network. Such valuable data is correlated using proprietary algorithms to detect a foreign presence inside the enterprise perimeter—a presence that should not be there— who wants to compromise your assets.

Given that we know the rate of network compromise, we should focus resources on monitoring the inner network coffers and vaults that are likely the end goals of a targeted attack.

Understanding the lifecycle of an attack from surveillance to compromise can yield intelligence that will continue to make an enterprise's security system smarter and leaner.

However, this can only be achieved through real-time detection correlated with long term data stores. This combination is a powerful tool that enables you to walk in the footsteps of your attacker.

Sourced from Mark Edge, UK country manager, Brainloop

Avatar photo

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...

Related Topics

Cyber Attack