Home Depot, Target, JP Morgan, and Community Health Systems have all been victims of a network security breach, resulting in loss of customer’s personal data and millions of dollars in revenue. We ask ourselves “who will be next?” – because the assault on the digital economy has become an asymmetric war and businesses are on the losing side.
The first edition of "The Post Breach Industry Report" is an industry study using real-world data from enterprise networks, revealing what attackers do inside an organizations network once they evade perimeter defenses. The statistics are scary:
Cyber attacks are increasingly sophisticated and highly organized. And, they are successful despite $60 billion invested in cyber security annually worldwide. These defenses—plus the efforts of skilled information security professionals who are focused on protecting their organizations’ intellectual property, honoring customer trust and upholding the law—are not working. These events and actions are a grave reminder - "there is no such thing as perfect security."
Organizations are heavily investing in prevention centric technologies. Prevention centric security solutions like next-generation firewalls, and sandboxes only detect the initial exploit of an attack and identify some forms of command and control using reputation lists. Targeted attackers typically use exploits that are tweaked, that haven't been seen before or they gain access via a third party, à la Fazio Mechanical and Target. Next-gen firewalls and sandboxes will find opportunistic attacks like botnets, but they won’t find these targeted attackers.
So what happens after the attacker bypasses the defenses and moves into the heart of the corporate network? Or when an employee’s device is infected by an exploit while on a guest Wi-Fi network and they walk the exploit into the organization? Prevention is not enough.
Prevention-centric solutions must be complemented with robust real-time breach detection. Organizations need to detect what the attacker and their malware are doing, like the behaviors shown in the chart below.
Phases of Attacks Detected Inside Perimeter Defenses
The reconnaissance, lateral movement and exfiltration phases represent the activities of a targeted attacker who evaded the perimeter defenses. Having visibility into these behaviors enables security analysts to protect their network and data from in-progress attacks. It is even better when detections are correlated to the host under attack to tell a story about what the attacker is doing as in the table below.
The attack on the host with IP address 10.1.1.183 in one organization’s network transpired over 18 days. These detections showed what the attacker was doing and provided multiple opportunities to stop the attack.
Next-gen firewalls and sandboxes can provide a mountain of alerts, but you need actionable intelligence. It's time for security that thinks
Rather than relying on detecting known signatures, the Vectra X-series provides real-time insight into advanced persistent attacks through a combination of security research, data science and machine learning. The insight is fully automated with clear, intuitive reports so you can take decisive action immediately to stop an attack or mitigate its impact.
Attackers are already in your network, looking for an opportunity to steal high-value data or further their goals. The Post Breach Industry Report reveals what attackers do within a network once they evade perimeter defense.
Download the report today.
Jerish Parapurath is a cybersecurity and technical training consultant with 20 years of experience in network and cybersecurity, including 8 years of management experience in hiring, mentoring, leading, and team building.