Detection is Your Superpower
Detection is Your Superpower in the Fight Against Cybercrime

In today’s cybersecurity landscape, the threat of cybercrime is not limited to ransomware attacks. Sophisticated attackers are playing a long game, with dwell times (the time between initial intrusion and discovery) commonly reported at around 100 days, and in many cases much longer. These attackers are patient, persistent, and have the resources to continuously adapt their tactics to evade protections. 

The reality is that prevention alone is not enough to protect against these threats. The highest level of security maturity revolves around detection: proactively monitoring the network to spot intrusions in progress and cut them short before the attacker reaches their objective. As compliance frameworks continue to tighten up, effective detection is becoming a requirement rather than an option. However, we’ve found that our enterprise clients aren’t approaching detection merely as a “must do” requirement, but rather as a superpower that can take their cybersecurity to a whole new level. 

Protecting a network against an attacker means being on your game 100% of the time, while the attacker only needs to be right once to get in. With a fully realized detection capability, however, the tables are turned: once inside, it is the criminal who now has to avoid making any mistakes. All you need to do is watch and wait.

Is Your Network Protected?

Your network is critical infrastructure. You run your business on it. It’s your office, your data center, your cloud hosts, your users, your systems, your data. 

How well is your network protected? Are your cyberdefense systems mature? Can an attacker find a hole? They’ll keep trying until they succeed. This is their advantage. They can fail and fail again without much concern, and need only one moment when you’re off your guard, or one new or newly exploited vulnerability, like Log4Shell or the VMware ESXi OpenSLP flaw behind the ESXiArgs ransomware campaign, and they’re in. Fortunately, you have plenty of tools at your command to keep attackers from gaining the upper hand. There’s a lot that you can (and should) control.

You control the servers on your network, the operating systems, the patching, the access, the encryption, and the policies. 

You control the workloads you host in the cloud and your access to them. Even though you don’t control the cloud infrastructure, you have visibility into the controls the providers have in place. Under the shared responsibility model, the provider secures the underlying infrastructure and you remain responsible for everything you run on it: identities, configurations, data, and workloads. This has been getting better lately, with more security tooling available in the cloud and clearer acknowledgment from providers that the cloud still needs you to secure your part of it. 

You also control SaaS service configurations and authentication. Even though you don’t control the SaaS systems themselves, you have visibility into the controls the providers have in place and some responsibility for them. Expect that, with all the push toward secure access service edge (SASE), you’ll start seeing more SaaS providers giving you API access to those controls as well as better logging. 

You control your users in the office and, ideally, when remote. That doesn’t mean you can make them adhere to every policy, but you can enforce a great deal, even remotely. And you can get a lot of visibility into their activity. 

Finally, you control this whole hybrid network itself: the switches, the routers, Wi-Fi access points, virtual switches, virtual private clouds, site-to-site VPN tunnels, user VPN, segmentation, geo-fencing, DNS, DHCP, email, etc. All the points of ingress, egress, and lateral movement. 

You can put protections in place on all these systems: firewalls, email gateways, segmentation, access control, multi-factor authentication, data loss prevention, content filtering, endpoint protection, and cloud access security brokers (CASB). Every control you have on your hybrid network is a place to stop the attacker. 

This is awesome! This is your territory where you are in control. This is where you can block, protect, and thwart criminals. 

There’s just one problem: Hackers will still find a way in, because the network is connected to the Internet. And they can keep attacking and hiding because you don’t control this worldwide network that you use every day.

The Internet Leaves You Vulnerable

The Internet is too big to fully secure, and there are lots of targets. Frankly, if attackers have a target, they will find a way in. There are always systems and processes that can be exploited. The attack vectors are numerous: DDoS attacks, social engineering, email phishing (the most commonly used attack), malware, supply chain attacks, vulnerable code, malicious users, neglectful users, Trojans, and more. 

You can’t put any limits on the Internet, save for outbound and some inbound routing controls, and only if you’re big enough to request that from your ISP or to announce your own prefixes via the Border Gateway Protocol (BGP). And those routes can be hijacked by criminals and nation-state actors, too. 

The Internet is just way too big to police anyway. While there are controls for domains and email and, of course, TLS certificates for websites, the Internet is for the most part wide open. 

Restrictions aren’t desirable anyway, because they threaten privacy and the free trade of goods and ideas. The open Internet is a good thing, and we want to keep it that way while still making it more secure. There are things that can be done, but that’s a larger discussion about law enforcement and diplomacy.

An Attack Thwarted by Detection

This is the story of an attacker: a cybercriminal, or maybe someone who works for a government. Either way, they want to gain access to your systems, be they in your office, on a cloud hosting provider, or in a SaaS application.

They want into your systems because the information there can make them money or give them access to your vendors and clients. Regardless, you’re responsible for keeping them out and your network secure.

  1. Attacker scans find an exploit.
    First, they scan your network, or pick yours from a spray of scans their bots performed. Their IP addresses are obscured by a chain of jump-off points on compromised servers and VPNs. Then they find a set of ports opened by printers that were auto-configured at installation with wide network access, inadvertently reachable through the firewall. Or maybe they ran a set of stolen passwords against a mail account or some SaaS service and used that to deliver malware that gave them a back door. Email remains the most common vector of attack because it’s a big attack surface with lots of users all accepting connections. Either way, they work their way in. They look at what’s right around them to find the jewels or ways to entrench. They need time to work.

  2. Internal protections slow them down.
    There are tripwires all over. They look for ways to disable anti-malware. They use the software already present, because new software is a tripwire. They probe other devices on their local subnet, hoping the network tripwires only cover the core network. In cloud-hosted systems, they scan for known vulnerabilities. Most attackers exploit known vulnerabilities, and cloud-hosted workloads are full of them.

  3. But they find a payload.
    A database is found where the compromised credentials hold high privileges. User data, PII, client data, trade secrets, it’s all there. Now it’s time to pack it up and ship it off to some online storage.

  4. The cybersecurity team is watching.
    Not so fast! Your MDR team has been watching. That open printer port may have been an oversight, something that would eventually have been cleaned up, but even now that access was logged. Even better, it triggered an alert for inbound traffic that matched no published public service. Those scans across subnets, even when they fail, are logged and trigger alerts. Elevated privileges on a workstation, connections to uncommon destinations, a host that suddenly sends far more data than it receives, failed authentication attempts, data patterns matching account numbers, and servers being accessed from unknown sources all trip a wire. 

  5. The attack is stopped and the hole is plugged.
    The alarm goes off. The cybersecurity team now knows where to look and what to fix. Emergency averted!

Adding Detection to Protection

Today, there are cybercriminals: pirates, lots of them. They troll these waters, attacking at will, with very few restrictions. 

We can look at dark web chatter, file dumps, and the scans and attacks on our network ingress. We can even put honeypots out there to collect data about attacks and catalog what we learn and make it available to all as threat intelligence. 

But that’s not “control,” because the Internet is not your network. They will still get in, because all they have to do is keep trying, and they can keep trying as long as they don’t get caught. Can you stop them with more products alone? No. We need to catch them, not just assume we can block them. What we need is detection. Without detection, protection provides false confidence. 

Detection is about leveraging your one durable advantage over the cybercriminal. The very same asymmetry the attacker enjoys when attacking, needing to succeed only once out of many attempts, becomes your advantage once they’re inside. Every step they take needs to be perfect, because one false move will give them away. 

Every point is a detection point. Every single system on your network is a potential point of egress or lateral movement for an attacker, and therefore a tripwire that, if monitored correctly and correlated with other activity, can catch the bad actor fast. 

Every protection is a detection system. Every protection system, be it a firewall, endpoint protection, web filtering, or micro-segmentation control, is also a detection system. Even a record of what got blocked is highly valuable: it shows you what attackers are after, what tactics they employ, and what vulnerabilities they think you have, which is far more specific context than any external threat intelligence feed can offer. 

Attackers know this, and they are very careful not to get caught. The longer they can stay inside your network, the longer they can harvest valuable data and entrench themselves. The attackers who infiltrated SolarWinds, and through them several U.S. government agencies, were inside for over a year before discovery. GoDaddy reported a multi-year intrusion into its cPanel shared hosting environment, affecting tens of thousands of websites. Even ransomware attackers looking for a quick buck can’t act too fast; they need to make sure they’re on enough systems and backups before they detonate. That can take days or weeks, and the main reason they’re found faster than other attackers is that they’re found the hard way: by detonating their payload.

Make Detection Your Superpower!

Because attackers need time to do their work, they are at a disadvantage. They can’t afford to get caught. They’re counting on weaknesses so they can go undetected. They’re counting on inside systems being trusted and less scrutinized. But you can use your superpower to look for them and lock them out.

So where are we looking? Everywhere. Well, everywhere is hard to do and the investment can escalate, but consider that you control all those points on the network: the servers, the workstations, the routers and switches, the firewalls, cameras, and phones. They are all your eyes and ears. The way you configure them, the very same rules you employ for protection, can also be used for detection. Here is how it works. 

  1. Log Abnormalities. The magic starts with logging the activity where those narrow protection rules are applied. On a server, it’s things like a login attempt from an atypical IP address that got blocked by the host firewall or micro-segmentation agent; what counts as atypical is determined by profiling your servers during tuning or by maintaining an allowlist. On a network switch, it’s traffic generated between subnets that are supposed to be isolated. On a workstation, it’s a memory read blocked by anti-malware software. In all these cases the protections worked as designed, but they did more than that: they generated events that form a trail to follow to find an attacker. Every node, every protection system, every rule or policy, and every user is a source of power and an opportunity to turn the tables on the attacker.

  2. Collate and Analyze. For the superpower of detection to really work, you need to capture this data, and you need to capture network activity as a layer independent from the computers generating it, so it can be correlated with system data and acted upon. This starts with a log collector, but network traffic is packets and headers, not a system log, so network sensors (NIDS) also need to be in place. Host-based sensors complement the large mix of logs coming from authentication systems, EDR software, DLP software, firewalls, and other sources.

  3. Tune In and Alert. In modern detection architectures, the log collector feeds into a Security Information and Event Management (SIEM) system. The SIEM provides tools for alerting and reporting, but because attacks can be very sophisticated, you also need another layer of analysis that allows for threat hunting, tuning, and anomaly detection. Big data tools such as Elastic’s Kibana make large sets of security data manageable and allow the analyst to create tripwires derived from observed network behavior, catching even the most careful attackers.
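To make the three steps above concrete, here is a small correlation engine run over constructed sample events, following the scenario in “An Attack Thwarted by Detection”: a printer reachable from the Internet, a scan across the server subnet that the switch ACL blocks but logs, a burst of failed logins against the database, and a host that suddenly pushes far more data out than it pulls in. This is an added example, not onShore’s Panoptic code or any vendor’s product logic; the event schema, the network ranges, the published-service list and every threshold are assumptions chosen for the demonstration. The point it shows is that each rule fires on a single sensor’s records, while the correlation step (one host tripping several independent wires) is what turns a pile of low-priority events into a lead.

```python
"""Multi-source correlation over constructed sample events (added example, not onShore code)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# --- tuning knobs: all assumptions for this demo, not vendor defaults ---
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
PUBLIC_SERVICES = {("10.0.1.10", 443)}   # the only (host, port) meant to be reachable from the Internet
SCAN_MIN_TARGETS = 6                     # distinct host:port pairs probed by one source
AUTH_FAIL_MIN = 5                        # failed logins from one source
EGRESS_RATIO_MIN = 20.0                  # bytes sent to the Internet / bytes received from it, per host


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect(events):
    """Apply each tripwire independently, then group hits by host.

    Returns {host: sorted list of rule names}. A host listed under several rules
    is the correlation the article describes: independent sensors agreeing.
    """
    hits = defaultdict(set)
    targets = defaultdict(set)      # src -> {(dst, dport)} seen on any network-layer sensor
    auth_fail = defaultdict(int)    # src -> failed login count
    bytes_in = defaultdict(int)     # internal host -> bytes received from the Internet
    bytes_out = defaultdict(int)    # internal host -> bytes sent to the Internet

    for ev in events:
        if ev["sensor"] in ("host_fw", "switch_acl"):
            src, dst, dport = ev["src"], ev["dst"], ev["dport"]
            # Rule 1: inbound from the Internet to anything that is not a published service.
            # The printer port was allowed by an overly wide rule, but it still fails this check.
            if not is_internal(src) and is_internal(dst) and (dst, dport) not in PUBLIC_SERVICES:
                hits[dst].add("inbound_not_public_service")
                hits[src].add("inbound_not_public_service")
            # Rule 2 bookkeeping: every distinct target a source touches, allowed or denied.
            targets[src].add((dst, dport))
        elif ev["sensor"] == "auth":
            if ev["result"] == "fail":
                auth_fail[ev["src"]] += 1
        elif ev["sensor"] == "flow":
            # Flow records come from the network sensor, independent of the hosts involved,
            # so a compromised host cannot hide them by tampering with its own logs.
            if is_internal(ev["src"]) and not is_internal(ev["dst"]):
                bytes_out[ev["src"]] += ev["bytes"]
            elif not is_internal(ev["src"]) and is_internal(ev["dst"]):
                bytes_in[ev["dst"]] += ev["bytes"]

    for src, seen in targets.items():
        if len(seen) >= SCAN_MIN_TARGETS:
            hits[src].add("subnet_scan")            # Rule 2: many distinct targets from one source
    for src, count in auth_fail.items():
        if count >= AUTH_FAIL_MIN:
            hits[src].add("auth_failure_burst")     # Rule 3: password spraying / brute force
    for host, out in bytes_out.items():
        if out / max(bytes_in.get(host, 0), 1) >= EGRESS_RATIO_MIN:
            hits[host].add("egress_ratio_imbalance")  # Rule 4: producer/consumer ratio flipped

    return {host: sorted(rules) for host, rules in hits.items()}


def prioritise(hits):
    """Correlation step: a host that trips several independent wires is the lead to follow first."""
    ranked = sorted(hits.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(host, "high" if len(rules) >= 2 else "low", rules) for host, rules in ranked]


def sample_events():
    """Constructed sample events loosely following the article's scenario (not real logs)."""
    ev = [
        # ordinary visitor to the published web service: matches a public service rule, no alert
        {"sensor": "host_fw", "src": "198.51.100.4", "dst": "10.0.1.10", "dport": 443, "action": "allow"},
        # Internet source reaches a printer that was installed with wide-open access
        {"sensor": "host_fw", "src": "203.0.113.7", "dst": "10.0.5.23", "dport": 9100, "action": "allow"},
    ]
    # the foothold probes the server subnet; the switch ACL denies it but logs every attempt
    for i, port in enumerate((22, 445, 3389, 1433, 5432, 8080)):
        ev.append({"sensor": "switch_acl", "src": "10.0.5.23", "dst": f"10.0.2.{10 + i}",
                   "dport": port, "action": "deny"})
    # password spraying against the database host, ending in one success
    ev += [{"sensor": "auth", "src": "10.0.5.23", "dst": "10.0.2.14", "user": "svc_backup", "result": "fail"}
           for _ in range(5)]
    ev.append({"sensor": "auth", "src": "10.0.5.23", "dst": "10.0.2.14", "user": "svc_backup", "result": "success"})
    # flows: the printer receives a trickle of commands and ships 420 MB to the attacker's host,
    # while an ordinary workstation downloads far more than it uploads
    ev.append({"sensor": "flow", "src": "203.0.113.7", "dst": "10.0.5.23", "bytes": 50_000})
    ev.append({"sensor": "flow", "src": "10.0.5.23", "dst": "203.0.113.7", "bytes": 420_000_000})
    ev.append({"sensor": "flow", "src": "198.51.100.4", "dst": "10.0.7.40", "bytes": 50_000_000})
    ev.append({"sensor": "flow", "src": "10.0.7.40", "dst": "198.51.100.4", "bytes": 1_000_000})
    return ev


if __name__ == "__main__":
    for host, severity, rules in prioritise(detect(sample_events())):
        print(f"{severity:>4}  {host:<14} {', '.join(rules)}")
```

Run stand-alone, the script ranks 10.0.5.23 as high severity with all four rules, and the external scanner address as low with only the inbound rule; the ordinary web visitor and the workstation that merely downloads a lot never appear. Note that the egress rule only counts bytes that cross the Internet boundary, so staging data internally from the database to the printer does not mask the exfiltration; that boundary is where the network sensor, rather than the compromised host, holds the record.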


Managed Detection and Response

This process is known in the cybersecurity industry as Managed Detection and Response, or MDR. MDR is a service built on a platform of many tools used by analysts and engineers for detection. The addition of human beings watching and making sense of the firehose of data is what distinguishes MDR from a protection system: analyzing, identifying, and neutralizing threats instead of simply blocking them without yielding any intelligence. 

In onShore’s own Panoptic platform (meaning “all-seeing”), there is the Panoptic Sensor, which is deployed across points on the network and in the cloud, and the Panoptic SIEM, which utilizes Kibana for visualization and analysis as a default. Depending on the client, there may also be logging and intrusion detection agents installed on servers and workstations, network access controllers, network traffic aggregators, Endpoint Detection and Response (EDR) systems, data loss prevention systems, and further detection technologies. 

There’s more to detection than being your superpower against attackers, however. In addition to catching the crooks, you’re also creating and maintaining a large body of data for forensics. That can make a seven-figure difference in liability when you can demonstrate what data was or wasn’t exfiltrated in an attack. It’s no wonder that every major cybersecurity framework calls for detection and that government regulations are now catching up. Compliance with government and industry requirements is not only satisfied by an MDR service, it is also strengthened by a clear demonstration of working security functions. Many compliance violations are detected in the process as well. 

Every step of the way, with every threat thwarted, compliance checked off, audit data reviewed, violations detected, and anomalous behavior investigated, the network becomes tighter, stronger, and tougher for the attacker to get in and go undetected. 

Testing is also worth a brief mention in this context. MDR services thrive on data, but they’re at their best when given more than live network data alone. You should also include the not-quite-static data of network and system configurations. This can be generated by a vulnerability scan, run regularly or even continuously, to provide trending data and aid in vulnerability management. It’s a valuable set of data that establishes context and lets the analyst narrow the haystack. Penetration testing, where a hired attacker is asked to attempt a break-in, offers another important data point for the defenders and helps identify potential vulnerabilities before a real adversary does. 

Detection is Your Superpower

Detection is your superpower. Use it. Make every protection system, including your users, also a detection system. Feed that data into one place where it can be analyzed. Put an MDR process in place for ongoing analysis of the data, to find attackers early and tighten up every day. Work with government and industry to demonstrate strong security and compliance. Be ready, when you do get attacked, to respond quickly, informed by data that attests to the attacker’s methods and the impact. Be safe out there.