Behavioural attack detection: why a network breach isn't game over for your business

C-level briefing: LightCyber EVP Jason Matlof (pictured) and other cyber security experts talk known threats and firewall shortcomings.
For decades, cyber security has been built around the idea that once the attackers have breached your network or organisation, it’s game over. But what if it isn’t?
Most of the products offered by the cyber security industry have been designed with this idea in mind: keep the attackers out.
But as Jason Matlof, Executive Vice President at LightCyber, says, an attacker being inside the network is not game over.
“Over the lifecycle of the attack, when an analyst looks, the dwell time has been measured to be around 6 months,” he says.
This means that the cyber security industry has spent years simply focusing on the first few seconds or minutes of a much longer process.
“Once they get in they have to figure out how to get operational control. Where are the privileged accounts, the databases, the servers that they need to get to the ultimate objective?”
This ultimate objective could be patient or financial records, credit card databases or any other valuable information. The point is that the attacker, once inside the network, is still several steps away from achieving their goal.
Unsurprisingly, much discussion of cyber security fails to make this distinction. The focus is always on the breach, possibly because this is the most interesting phase from a technical perspective.
For LightCyber and some other vendors, though, the key is the next phase, in which the attacker has to do a whole series of things. First is the initial intrusion, followed by establishing a connection to a command-and-control server, reconnaissance, lateral movement across the network and finally exfiltration.
This means that the attacker serves up a feast of potential indicators to anyone watching.
It is this simple fact, combined with the inadequacy of firewalls, which has led to the birth of what is called behavioural attack detection.
The firewall is built around a constantly updated list of threats that it stops from entering the network. It works backwards from a known exploit, whether a file hash, a URL or a packet signature, to build protection against it into the gateways to the network.
But as Gerard Bauer, EMEA VP of Vectra Networks, says, the main threat is actually the ‘unknown unknowns’: the threats that have yet to be captured in the wild.
“We don’t know if they exist, we don’t have visibility into what they do, and there’s no way signatures can catch them,” he says.
It is this gap in the traditional firewall-style technologies that behavioural attack detection aims to fill; in fact, the vendors all stress that it fills a gap alongside those technologies rather than replacing them.
“We always say the prevention technologies are necessary but not robust enough to be sufficient,” says LightCyber’s Matlof.
So what is behavioural attack detection? The approach looks beyond the initial breach and tries to detect typical attacker behaviour within the network. It does this through what Matlof calls a ‘known good’ approach.
LightCyber deploys an appliance in the network and builds a behavioural profile of every machine and user account, giving a baseline of what is expected on the network.
“We look at where people typically go on the inside of the network. For example, an employee from one department goes to these domains, marketing goes to these domains.”
Deviations from the learned baseline are what point to the attacker.
“We’re looking for a machine doing things that the computer doesn’t normally do which are indicative of attack phases going on.”
“This user doesn’t typically scan the network, why is his machine doing that? The machine normally uses the user’s own credential, why is it being used to brute force other passwords? The machine is talking to a domain on the internet, which no-one else from the organisation has accessed, suggesting a command and control site.”
“The damage is not done until there’s some form of exfiltration. That is on the order of weeks or months to do.
“By changing the model you’re giving the defender the days and the weeks to stop them before the damage is done.”
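As an added example, not code from LightCyber or from the original article, the following Python sketch runs a toy version of the ‘known good’ approach over constructed events. It learns a per-host baseline of the external domains each machine resolves, the accounts it logs on with and how many internal machines it talks to per day, then flags the three behaviours Matlof lists: a machine scanning the network, a machine trying credentials other than its own, and a single host contacting a domain that nobody else in the organisation uses. Hostnames, domains, the event format and the thresholds are all assumptions. A small signature list is included to contrast with the known-bad model described earlier; the attacker's command-and-control domain is deliberately absent from it.

```python
"""Toy 'known good' baseline detector over constructed events (added example)."""
from collections import defaultdict

BASELINE_DAYS = range(1, 8)   # days 1-7 teach the per-host baseline
DETECT_DAY = 8                # day 8 is inspected for deviations

# Constructed signature list for the 'known bad' comparison. The attacker's
# fresh C2 domain below is not on it: an unknown unknown.
KNOWN_BAD_DOMAINS = {"evil-c2.example"}


def _baseline_events():
    """Constructed routine activity as (day, host, user, kind, target, ok).
    kind is 'dns' (external domain resolved), 'conn' (internal ip:port
    contacted) or 'auth' (account the host tried to log on as)."""
    ev = []
    for day in BASELINE_DAYS:
        ev += [(day, "ws-marketing", "alice", "dns", "cdn.marketing-tool.example", True),
               (day, "ws-marketing", "alice", "dns", "mail.example.com", True),
               (day, "ws-marketing", "alice", "conn", "10.0.0.5:445", True),
               (day, "ws-marketing", "alice", "auth", "alice", True),
               (day, "ws-finance", "bob", "dns", "erp.example.com", True),
               (day, "ws-finance", "bob", "dns", "mail.example.com", True),
               (day, "ws-finance", "bob", "conn", "10.0.0.7:1433", True),
               (day, "ws-finance", "bob", "auth", "bob", True)]
    return ev


def _detection_day_events():
    day = DETECT_DAY
    ev = [(day, "ws-marketing", "alice", "dns", "cdn.marketing-tool.example", True),
          (day, "ws-marketing", "alice", "conn", "10.0.0.5:445", True),
          (day, "ws-marketing", "alice", "auth", "alice", True),
          (day, "ws-finance", "bob", "dns", "erp.example.com", True),
          (day, "ws-finance", "bob", "conn", "10.0.0.7:1433", True),
          (day, "ws-finance", "bob", "auth", "bob", True)]
    # Benign deviation: both departments start using a newly adopted vendor.
    ev += [(day, "ws-marketing", "alice", "dns", "newvendor.example.net", True),
           (day, "ws-finance", "bob", "dns", "newvendor.example.net", True)]
    # Attacker activity from the compromised marketing workstation: an SMB
    # sweep, a password spray against other accounts, and a never-seen C2 domain.
    ev += [(day, "ws-marketing", "alice", "conn", f"10.0.0.{i}:445", False) for i in range(10, 40)]
    ev += [(day, "ws-marketing", "alice", "auth", a, False) for a in ("admin", "bob", "svc_backup", "root")]
    ev += [(day, "ws-marketing", "alice", "dns", "update-check.xyz-cloud.example", True)]
    return ev


SAMPLE_EVENTS = _baseline_events() + _detection_day_events()
EMPTY_PROFILE = {"domains": frozenset(), "accounts": frozenset(), "conn_max": 0}


def learn_baseline(events):
    """Per-host profile (domains, accounts used, max distinct internal targets
    in a day) plus the set of domains anyone in the organisation has used."""
    per_host = defaultdict(lambda: {"domains": set(), "accounts": set(), "conn_max": 0})
    org_domains, daily_conns = set(), defaultdict(set)
    for day, host, _user, kind, target, ok in events:
        if day not in BASELINE_DAYS:
            continue
        if kind == "dns":
            per_host[host]["domains"].add(target)
            org_domains.add(target)
        elif kind == "auth" and ok:
            per_host[host]["accounts"].add(target)
        elif kind == "conn":
            daily_conns[(host, day)].add(target)
    for (host, _day), targets in daily_conns.items():
        per_host[host]["conn_max"] = max(per_host[host]["conn_max"], len(targets))
    return dict(per_host), org_domains


def detect_deviations(events, per_host, org_domains, day=DETECT_DAY):
    """Flag internal scanning, use of credentials other than the host's own,
    and an external domain used by one host and new to the organisation."""
    conns, failed, domain_hosts = defaultdict(set), defaultdict(list), defaultdict(set)
    for d, host, _user, kind, target, ok in events:
        if d != day:
            continue
        if kind == "conn":
            conns[host].add(target)
        elif kind == "auth" and not ok:
            failed[host].append(target)
        elif kind == "dns":
            domain_hosts[target].add(host)
    findings = []
    for host, targets in conns.items():
        # Threshold is relative to the host's own history, with a floor so a
        # quiet host does not alert on a couple of extra connections.
        limit = max(5, 3 * per_host.get(host, EMPTY_PROFILE)["conn_max"])
        if len(targets) > limit:
            findings.append((host, "recon", f"{len(targets)} distinct internal targets, limit {limit}"))
    for host, accounts in failed.items():
        foreign = sorted({a for a in accounts if a not in per_host.get(host, EMPTY_PROFILE)["accounts"]})
        if len(foreign) >= 3:
            findings.append((host, "credential-abuse", "failed logons as " + ", ".join(foreign)))
    for domain, hosts in domain_hosts.items():
        # New to the whole organisation AND used by a single host; a domain
        # several hosts adopt at once (newvendor.example.net) is left alone.
        if domain not in org_domains and len(hosts) == 1:
            findings.append((next(iter(hosts)), "rare-external-domain", domain))
    return sorted(findings)


def signature_hits(events, day=DETECT_DAY):
    """The 'known bad' check on the same traffic: it can only match listed domains."""
    return sorted({(h, t) for d, h, _u, k, t, _ok in events
                   if d == day and k == "dns" and t in KNOWN_BAD_DOMAINS})


def run_example():
    per_host, org_domains = learn_baseline(SAMPLE_EVENTS)
    return detect_deviations(SAMPLE_EVENTS, per_host, org_domains), signature_hits(SAMPLE_EVENTS)


if __name__ == "__main__":
    behavioural, signature = run_example()
    print("signature hits:", signature)
    for host, rule, detail in behavioural:
        print(f"{host:14} {rule:22} {detail}")
```

On the constructed day-8 traffic the signature check returns nothing, while the baseline rules flag the marketing workstation three times and leave the shared new vendor domain alone. The thresholds are where the false-positive and false-negative trade-off lives: a machine with no baseline at all falls back to EMPTY_PROFILE and alerts easily, and the ‘only one host’ rule for new domains will miss an attacker who already controls two machines.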
More generally, known-good and whitelisting approaches are gathering momentum alongside traditional blacklisting.
Rob Sobers, Director at Varonis, says that “whitelists tend to be both easier to maintain and more effective at blocking dynamic attacks.”
He says that in application security specifically, it is “not terribly difficult to build a whitelist that specifies which applications are approved and safe to run.”
But known-good techniques are not perfect either. Giovanni Vigna, CTO and co-founder at Lastline, notes that “anomaly detection has been ridden by both false negatives (because malicious activity does not generate anomalies) and false positives (because benign activity generates anomalies).”
The key is that the known-good and known-bad approaches are perfectly compatible, and that some combination of the two deployed together will have the best chance of success.