In the first decade of this millennium, we were dealing with simple worms, viruses, trojans and botnets. Basic reactive protection tools – like firewalls and anti-virus – were effective then, although falling gradually behind, buried by the volume of daily threats. Nowadays we see different malware. Threats are modular, persistent and armored. We have nation-state attacks on the rise and commercial companies, like Hacking Team, weaponizing exploits and creating military-grade spying tools.
The game has changed. In the early days, enforcement was prioritized over intelligence, and most customers wanted automatic blocking. Detection relied on hash sums or signatures, so it produced few false positives and it was safe to block anything it flagged outright. The changing attack landscape has inverted the protection triangle: companies now look to intelligence to manage most of their security risk, and to blocking to deal with a small portion of well-defined incidents.
In this new paradigm, instead of focusing on vulnerabilities and trying to keep attackers from getting in, we need to focus on the consequences of an attack: containing and preventing damage, and sharing intelligence to build an ecosystem for the best possible defense.
All security devices and applications must share actionable threat intelligence (ATI) across IT infrastructure, locations and organizational boundaries. With public cross-scanner tools available, sharing the hashes of malware is very often sufficient; there is no need to exchange gigabytes of malware files. But the intelligence must be actionable – correctly prioritized, filtered of false positives and ready to use.
We now hear of breaches almost every day and we've gotten desensitized to them. The average time to discover a breach in 2015 was 188 days, according to Trustwave. The status quo now is: Your enterprise will get breached sooner or later, so focus on early breach detection, forensics and incident response.
For most people, I estimate your password is already leaked and your credit card info is out there. So, here is what we, as security incident response professionals, should do. We ought to back up and give up the fights we can't win – like trying to prevent attacks by “block and forget,” using manually compiled indicators such as IP addresses and URLs, and relying on lists of badness such as Snort rules or YARA rules for detection.
Rather, we need to leverage advanced detection solutions to continuously monitor and detect, and then drive the enforcement mechanisms automatically. This is the essence of the secure ecosystem defense.
We should back up to a higher security ground and try to hold and defend it. We need to holistically examine the entire malware attack kill chain – every stage of it from the download to the data exfiltration – and use defense-in-depth techniques powered by machine learning. But the best detection, in my opinion, is neither driven by humans nor machines alone. It's a hybrid: human-supervised machine learning with additional heuristics defined by subject matter experts on top of mathematical models.
Finally, there is something to be said about context. Not all threats are the same, and even the same threat can mean different things depending on context. Context matters when prioritizing alerts in order to cut through alert fatigue, such as the overload of security alerts that was partly responsible for the Target breach.
So, the new age of security requires us to address the new threats through context, correlation, machine learning and actionable intelligence. I am adopting this new defense paradigm. So should you.
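As an added illustration of the two ideas above (shared hash indicators that must be made actionable, and context-driven alert prioritization), here is a small Python model of that pipeline. It is example code written for this article, not code from the author or from Cyphort, and the feed format, kill-chain stage weights, asset criticality values, hashes and events are all constructed assumptions rather than any real product's data. Raw feed rows from several sharing partners are normalized into one indicator per SHA-256 (malformed rows dropped, corroborating sources merged), hashes of known-good files are removed as a false-positive filter, and matches against observed file events are scored using feed confidence, corroboration, kill-chain stage and the criticality of the host involved.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set

HEX64 = re.compile(r"^[0-9a-f]{64}$")

# Assumed weights: later kill-chain stages put the attacker closer to damage, so they rank higher.
STAGE_WEIGHT = {"download": 1.0, "execution": 1.5, "lateral_movement": 2.0, "exfiltration": 3.0}


@dataclass
class Indicator:
    sha256: str
    confidence: int  # 0-100, the highest value any sharing source reported
    stage: str
    sources: Set[str] = field(default_factory=set)


def sample_hash(label: str) -> str:
    """Constructed sample hash (SHA-256 of a label); used only to build test data below."""
    return hashlib.sha256(label.encode()).hexdigest()


def normalize_feed(entries: Iterable[dict]) -> Dict[str, Indicator]:
    """Merge raw feed rows into one indicator per hash and drop rows that are not usable.

    Hashes are lowercased so the same file reported in different case collapses into one
    entry; a hash reported by several sources keeps the highest confidence, every source
    name, and the most advanced kill-chain stage any source associated with it."""
    merged: Dict[str, Indicator] = {}
    for row in entries:
        h = str(row.get("sha256", "")).strip().lower()
        if not HEX64.match(h):
            continue  # not a well-formed SHA-256: not actionable, so discard it
        conf = int(row.get("confidence", 0))
        stage = row.get("stage", "download")
        source = row.get("source", "unknown")
        ind = merged.get(h)
        if ind is None:
            merged[h] = Indicator(h, conf, stage, {source})
        else:
            ind.confidence = max(ind.confidence, conf)
            ind.sources.add(source)
            if STAGE_WEIGHT.get(stage, 0) > STAGE_WEIGHT.get(ind.stage, 0):
                ind.stage = stage
    return merged


def drop_known_good(indicators: Dict[str, Indicator], allowlist: Set[str]) -> Dict[str, Indicator]:
    """Remove hashes of known-benign files, a common false-positive source in shared feeds."""
    return {h: i for h, i in indicators.items() if h not in allowlist}


def alert_score(ind: Indicator, asset_criticality: float) -> float:
    """Context score: feed confidence, corroboration across sources, kill-chain stage, asset value."""
    corroboration = 1.0 + 0.25 * (len(ind.sources) - 1)  # each extra independent source adds 25%
    return ind.confidence * corroboration * STAGE_WEIGHT.get(ind.stage, 1.0) * asset_criticality


def prioritize(events: Iterable[dict], indicators: Dict[str, Indicator],
               asset_criticality: Dict[str, float], threshold: float = 50.0) -> List[dict]:
    """Match observed file hashes against the indicators; return alerts ranked by context score."""
    alerts = []
    for ev in events:
        ind = indicators.get(ev["sha256"].lower())
        if ind is None:
            continue  # nothing in the feed says this file is bad
        score = alert_score(ind, asset_criticality.get(ev["host"], 1.0))
        if score >= threshold:
            alerts.append({"host": ev["host"], "sha256": ind.sha256, "stage": ind.stage,
                           "score": round(score, 1), "sources": sorted(ind.sources)})
    return sorted(alerts, key=lambda a: a["score"], reverse=True)


# Constructed sample data: two malware hashes, one benign file, three sharing partners.
MALWARE_A = sample_hash("sample-dropper")
MALWARE_B = sample_hash("sample-exfil-tool")
BENIGN = sample_hash("sample-benign-updater")

FEED = [
    {"source": "partner_a", "sha256": MALWARE_A, "confidence": 70, "stage": "download"},
    {"source": "partner_b", "sha256": MALWARE_A.upper(), "confidence": 85, "stage": "download"},
    {"source": "partner_a", "sha256": MALWARE_B, "confidence": 60, "stage": "exfiltration"},
    {"source": "partner_c", "sha256": BENIGN, "confidence": 95, "stage": "download"},  # false positive
    {"source": "partner_c", "sha256": "not-a-hash", "confidence": 99, "stage": "download"},  # malformed
]
ALLOWLIST = {BENIGN}
ASSET_CRITICALITY = {"db-server-01": 3.0, "kiosk-07": 0.5}  # assumed per-host context
EVENTS = [
    {"host": "kiosk-07", "sha256": MALWARE_A},
    {"host": "db-server-01", "sha256": MALWARE_B},
    {"host": "db-server-01", "sha256": BENIGN},
    {"host": "kiosk-07", "sha256": sample_hash("unknown-file")},
]


def run_sample() -> List[dict]:
    """Run the whole pipeline over the constructed data and return the ranked alerts."""
    indicators = drop_known_good(normalize_feed(FEED), ALLOWLIST)
    return prioritize(EVENTS, indicators, ASSET_CRITICALITY)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Run as a script, the lower-confidence exfiltration-stage hash seen on the critical database server outranks the better-corroborated downloader seen on a low-value kiosk, the allowlisted benign file never becomes an alert, and the malformed feed row is silently discarded. The weights are deliberately simple; the point is that the same indicator produces different priorities depending on where and at which kill-chain stage it is observed.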
Nick Bilogorskiy is director of security research at Cyphort.