Each of the publicized breaches over the past 15 months has been followed by the same question: “How did these attackers go undetected for several weeks or months?” The 80 million Americans covered by Anthem, whose personally identifiable information (PII) was stolen, are now asking this very question.
Let me liken this attack to a recent experience in my own life. Finding a small pile of what looked like sawdust on the hardwood floor of our guest room was like the “oh-crap” moment a CXO experiences when a 3-letter agency informs them that their organization’s crown jewels have been discovered in Kazakhstan. “Oh crap, we have termites.” Just as Sony Entertainment called in the FBI and Anthem called in a forensics firm, we called the termite guy.
After the termite guy completed his inspection, I asked a series of questions, including “How did they get in? How far have they gone? What is the extent of the damage? What is the cost exposure? How do I get rid of them, and how can I be sure they are gone?” I bet these sound similar to the questions a CXO and CISO ask in their meeting with the FBI or a cyberforensics team.
This is when it hit me — cyberattackers are digital termites. Both quietly do damage over a long period and, most of the time, go completely undetected until irreparable damage has been done. The question I also asked the termite guy is one that CISOs should be asking: “What evidence can I look for to know if they are back, and how do I find it?”
Our termite guy explained how California termites are airborne and travel invisibly with the wind. They may have landed on our cedar shingles and entered through the outside. He tapped on the shingles and a small mound of sawdust-like stuff landed on a sheet of paper he held under them. That proved his hypothesis.
Well, this is helpful for me to look for signs that the termites have returned, but what about the CISO? What can he do to spot digital termites — cyber attackers — and see whether they are active in his network?
As I read coverage of the breaches at Anthem, Sony, JP Morgan Chase, and dozens of others, I realize that journalists write about these cyberattacks as though they were smash-and-grab jobs. In reality, they unfolded over weeks or months, just like the termites we discovered, which had been working for several months before we saw the first sign of them. Our termite guy talked about how they operate along a channel and spread laterally. His description reminded me of the command-and-control channel, reconnaissance and lateral spread of a modern cyberattack.
The point of initial incursion by the cyber thieves who stole records from Anthem or JP Morgan was likely not the computer holding the data they wanted to steal. After infecting that initial computer, the malware probably phoned home to a command-and-control server to say, “I am in,” and asked for instructions.
Like a paratrooper landed behind enemy lines, the infected machine would have begun quietly performing reconnaissance to learn the lay of the land and spreading laterally, infecting other machines and enlisting them in the attackers’ army, which operates as a community, just like a colony of termites. This spying and spreading continues in stealth mode for weeks or months until the attacker finds the key asset he wants to steal.
Just as we can’t see airborne termites and can’t stop them from getting through the porous exterior of a home, it is nearly impossible to see all approaching cyberattackers and keep them all out. However, just as there are signs that termites are active, there are signs that cyberattackers are actively operating in your network. The problem is that the security solutions most organizations employ today either try to prevent the attacker from entering or perform forensics after the “oh-crap” moment, when the crown jewels turn up in the wild. What’s missing are tools that find the active phase of an attack, during the weeks or months of spying and spreading before the stealing begins.
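To make the two “signs of activity” described above concrete, here is an added example that is not part of the original post and not Vectra’s code or method. It runs two simple heuristics over constructed NetFlow-style records (timestamp, source, destination, destination port): regular-interval “phone home” traffic from an internal host to one external address (beaconing), and one internal host opening SMB/RDP/WinRM sessions to many distinct internal peers (lateral spread). The sample traffic, the `10.` internal prefix, the port set and the thresholds are all assumptions chosen for illustration.

```python
"""Spotting the 'active phase' of an intrusion in connection logs.

Two signs of an attacker at work, as simple heuristics over constructed
NetFlow-style records (timestamp, src, dst, dst_port):

  1. Beaconing: an internal host 'phoning home' to the same external
     address at suspiciously regular intervals.
  2. Lateral spread: one internal host opening admin-protocol sessions
     (SMB, RDP, WinRM) to many distinct internal peers.

The records, prefixes and thresholds are illustrative assumptions, not
taken from any real incident or product.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample traffic (epoch seconds). Not real data.
_BEACON_JITTER = [0, 3, -2, 5, -4, 1, 2, -3, 4, 0, -1, 2]
FLOWS = []
# Compromised host beaconing to a C2 address every ~300 s (12 calls).
for i, j in enumerate(_BEACON_JITTER):
    FLOWS.append((1_700_000_000 + 300 * i + j, "10.0.1.23", "203.0.113.50", 443))
# Same host fanning out over SMB and RDP to seven internal peers.
for n in range(11, 17):
    FLOWS.append((1_700_003_600 + 10 * n, "10.0.1.23", f"10.0.2.{n}", 445))
FLOWS.append((1_700_003_900, "10.0.1.23", "10.0.2.17", 3389))
# Benign host: irregular web traffic and a single file-share connection.
for t in [0, 40, 900, 950, 3000, 3010, 7000, 7300]:
    FLOWS.append((1_700_000_000 + t, "10.0.1.40", "198.51.100.7", 443))
FLOWS.append((1_700_001_000, "10.0.1.40", "10.0.2.5", 445))

ADMIN_PORTS = {445, 3389, 5985, 5986}  # SMB, RDP, WinRM http/https (assumed set)


def interval_stats(timestamps):
    """Return (mean gap, coefficient of variation) for a series of
    connection times. A low CV means metronome-like timing."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    return m, (pstdev(gaps) / m if m else float("inf"))


def find_beacons(flows, min_connections=8, max_cv=0.2, internal_prefix="10."):
    """Flag (src, dst, port) where an internal host contacts one external
    destination at least min_connections times with CV <= max_cv."""
    by_peer = defaultdict(list)
    for ts, src, dst, port in flows:
        if src.startswith(internal_prefix) and not dst.startswith(internal_prefix):
            by_peer[(src, dst, port)].append(ts)
    hits = {}
    for key, times in by_peer.items():
        if len(times) < min_connections:
            continue
        m, cv = interval_stats(times)
        if cv <= max_cv:
            hits[key] = {"count": len(times), "mean_interval": m, "cv": cv}
    return hits


def find_lateral_spread(flows, min_peers=5, ports=ADMIN_PORTS, internal_prefix="10."):
    """Flag internal sources reaching >= min_peers distinct internal hosts on
    administrative ports; a workstation rarely does this on its own."""
    peers = defaultdict(set)
    for _, src, dst, port in flows:
        if port in ports and src.startswith(internal_prefix) and dst.startswith(internal_prefix):
            peers[src].add(dst)
    return {src: sorted(p) for src, p in peers.items() if len(p) >= min_peers}


if __name__ == "__main__":
    for key, info in find_beacons(FLOWS).items():
        print("beacon", key, info)
    for src, hosts in find_lateral_spread(FLOWS).items():
        print("lateral", src, len(hosts), "peers")
```

In this sample only 10.0.1.23 is flagged on both counts: its C2 calls have a coefficient of variation under 0.02, while the benign host’s eight web connections have a CV above 1 and its single file-share session never reaches the peer threshold. Real beacons add deliberate jitter and real networks have chatty monitoring agents, so thresholds like these need tuning per environment, but the point stands: the active phase leaves timing and fan-out patterns that perimeter prevention and post-breach forensics both miss.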
To detect the active phase of a cyberattack, there is a new category of security platforms called automated breach detection platforms. Vectra AI led this category with the release of the X-series platform in 2014. To learn more about how automated breach detection differs from traditional perimeter security solutions, read this white paper.
This article is originally published on Medium by Mike Banic, VP of Marketing at Vectra AI. When he is not battling termites at home, he joins the battle against cyberattacks in progress with cutting edge solutions from Vectra’s team.
Vectra® is the world leader in AI-powered network detection and response.