Community Threat Analysis Uncovers Insider Attacks

By:
Mike Banic, VP of Marketing
December 10, 2014

Today, we announced the new Community Threat Analysis for the Vectra X-series, which puts your organization's key assets at the center of real-time investigations of insider and targeted attacks.

2014 has been the year of the breach, and as a result companies are increasing their investment in cyber security. However, most cyber security products focus exclusively on malware and external attacks, and are effectively blind to insider threats. At Vectra we believe that security should protect your most important assets regardless of whether the threat comes from an external attacker or a malicious insider. You don't get to choose your attacker, so why should your security solutions protect against only one type? Let's take a closer look at why stopping the insider threat is crucial, and what Vectra can do to help.

According to the most recent US State of Cybercrime Survey from the Computer Emergency Response Team (CERT) at Carnegie Mellon University, insider threat cases make up 28 percent of all cybercrime, and more than 33 percent of organizations reported an insider cyber attack in 2013. The result is an annual $2.9 trillion loss from employee fraud around the world, with $40 billion in losses from employee theft and fraud in the US in 2012 alone.

My colleague Oliver Brdiczka has written posts discussing why every organization needs to protect against insider threats, how insider incidents affect organizations, and the mistaken belief that "malicious insider" means only an Edward Snowden or a Bradley Manning.

Insider threats affect every organization. In the SpectorSoft Insider Threat Survey of 355 IT professionals, approximately 35 percent reported having experienced an insider attack, and an estimated 75 percent of all insider crimes go unnoticed. Worse, 61 percent said they could not deter such attacks and 59 percent were unable even to detect one, leaving them exposed to fraud, data breaches and intellectual-property theft.

Typically, insider attacks have been discovered only after intellectual property turns up in the wild, followed by a forensic investigation of assorted logs and databases that may never identify the culprit. This is because security tools have traditionally sat at the network perimeter, while an insider's traffic is internal, host to host, and never crosses the point where those tools look. Insiders already have privileges, so there is no initial exploit, no command-and-control communication, and likely no abnormal channel used for data exfiltration.

The new Community Threat Analysis, combined with Vectra's real-time cyber attack detections, delivers four capabilities for identifying and stopping insider attacks:

1) Actively monitors internal network traffic to identify the exploration and execution phases of an insider attack, in which the insider may be scanning machines for a port that enables stealthy communications or running a brute-force password attack against a server with a stolen username;

2) Dynamically builds communities from observed network traffic, using the number of connections between users and hosts as well as traffic volumes;

3) Lets security operations designate key assets, and automatically displays the proximity and potential impact of attack incidents – both insider and targeted – to the key assets within a community, as well as the progression of the attack; and

4) Shows changes in a user's or host's connections and community membership that may indicate an internal attack.

So how would this work? Consider Chuck, a systems administrator at a national retail chain who was recently passed over for a promotion that went to Mary, with whom he has a long-simmering feud. In retaliation, he steals Mary's account credentials and uses them to pull customer credit card numbers from secure internal systems, then sells them on an illegal online market. The theft of millions of cards is eventually discovered, and the retailer faces significant financial and reputational damage.

Community Threat Analysis can detect Chuck's activities as they happen. The detections on Chuck's host are cause for alarm because he is connecting directly to a key asset in a community he is not a member of. His host will also show attack detections for reconnaissance when he probes for stealthy communication ports, for lateral movement when he runs a brute-force password attack using Mary's login, and for accumulation of credit card data from the finance servers. In Community Threat Analysis, Chuck's host appears as a new member of the finance community, and the proximity and impact of the attack detections enable a real-time insider investigation rather than sifting through the debris of a disaster.
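The scenario above reduces to three mechanical checks: group hosts into communities from host-to-host flow summaries, flag a host that opens a new connection to a key asset outside its own community, and re-run the grouping on the next traffic window to see whether that host's community membership has shifted. The Python below is an added example written for this post, not Vectra's code; the page does not describe the grouping algorithm the X-series uses, so it substitutes a simple weighted label propagation, and the host names, connection counts and the `fin-srv-01` key-asset tag are constructed for illustration.

```python
"""Community-based insider detection over flow summaries (illustrative example, not Vectra's code)."""
from collections import defaultdict

# Constructed flow summaries for a baseline window: (src_host, dst_host, connection_count).
# Hosts and counts are made up; they are not captured traffic.
BASELINE_FLOWS = [
    ("mary-pc", "fin-srv-01", 120),
    ("acct-pc-02", "fin-srv-01", 95),
    ("acct-pc-03", "fin-srv-01", 80),
    ("mary-pc", "acct-pc-02", 10),
    ("chuck-pc", "it-jump-01", 140),
    ("it-pc-02", "it-jump-01", 90),
    ("it-pc-03", "it-jump-01", 85),
    ("chuck-pc", "it-pc-02", 15),
    ("it-jump-01", "fin-srv-01", 3),    # occasional admin access: part of the baseline
]

# The next window: the same normal traffic, plus Chuck opening hundreds of short
# sessions to the finance server (the volume a brute-force login attempt produces).
NEW_FLOWS = [
    ("mary-pc", "fin-srv-01", 110),
    ("acct-pc-02", "fin-srv-01", 90),
    ("acct-pc-03", "fin-srv-01", 85),
    ("mary-pc", "acct-pc-02", 8),
    ("chuck-pc", "it-jump-01", 130),
    ("it-pc-02", "it-jump-01", 95),
    ("it-pc-03", "it-jump-01", 80),
    ("chuck-pc", "it-pc-02", 12),
    ("it-jump-01", "fin-srv-01", 4),
    ("chuck-pc", "fin-srv-01", 600),
]

KEY_ASSETS = {"fin-srv-01"}   # assumption: operators tag this host as a key asset


def build_graph(flows):
    """Undirected weighted adjacency: graph[a][b] = total connections between a and b."""
    graph = defaultdict(lambda: defaultdict(int))
    for src, dst, count in flows:
        graph[src][dst] += count
        graph[dst][src] += count
    return graph


def label_propagation(graph, init=None, max_iter=50):
    """Weighted label propagation: each host adopts the label carrying the most
    connection weight among its neighbours (ties: lexically smallest label).
    Hosts are visited in sorted order, so the result is deterministic. Labels are
    seeded from `init` (a baseline) when given, otherwise from each host's own name."""
    labels = {h: (init or {}).get(h, h) for h in graph}
    for _ in range(max_iter):
        changed = False
        for host in sorted(graph):
            score = defaultdict(int)
            for nbr, weight in graph[host].items():
                score[labels[nbr]] += weight
            if not score:
                continue
            best = min(score.items(), key=lambda kv: (-kv[1], kv[0]))[0]
            if best != labels[host]:
                labels[host] = best
                changed = True
        if not changed:
            break
    return labels


def communities(labels):
    """Group hosts by label -> frozenset of members."""
    groups = defaultdict(set)
    for host, label in labels.items():
        groups[label].add(host)
    return {label: frozenset(members) for label, members in groups.items()}


def key_asset_alerts(baseline_flows, new_flows, key_assets):
    """Hosts that connect to a key asset which (a) was not a peer of theirs in the
    baseline and (b) sits in a community they are not a member of. Hosts unseen in
    the baseline have no community and are treated as outsiders."""
    base_graph = build_graph(baseline_flows)
    labels = label_propagation(base_graph)
    alerts = []
    for src, dst, count in new_flows:
        if dst not in key_assets or dst in base_graph.get(src, {}):
            continue                        # not a key asset, or an established peer
        if labels.get(src) != labels.get(dst):
            alerts.append({"host": src, "key_asset": dst, "connections": count,
                           "host_community": labels.get(src),
                           "asset_community": labels[dst]})
    return alerts


def membership_changes(baseline_flows, new_flows):
    """Re-run label propagation on the new window, seeded with the baseline
    communities, and report hosts whose community changed: {host: (old, new)}."""
    base_labels = label_propagation(build_graph(baseline_flows))
    new_labels = label_propagation(build_graph(new_flows), init=base_labels)
    return {h: (base_labels[h], new_labels[h])
            for h in new_labels if h in base_labels and base_labels[h] != new_labels[h]}


if __name__ == "__main__":
    for label, members in communities(label_propagation(build_graph(BASELINE_FLOWS))).items():
        print("community", label, sorted(members))
    print("key-asset alerts:", key_asset_alerts(BASELINE_FLOWS, NEW_FLOWS, KEY_ASSETS))
    print("membership changes:", membership_changes(BASELINE_FLOWS, NEW_FLOWS))
```

On the constructed baseline the propagation settles into a finance community (`fin-srv-01`, `mary-pc`, `acct-pc-02`, `acct-pc-03`) and an IT community (`it-jump-01`, `chuck-pc`, `it-pc-02`, `it-pc-03`). In the new window `chuck-pc` is the only host that raises a key-asset alert: `it-jump-01` also talks to `fin-srv-01` from outside the finance community, but that edge exists in the baseline and is suppressed. Seeding the re-run with the baseline labels is what lets `chuck-pc` move into the finance community without the whole IT community being dragged along; a cold start on the merged traffic would not give a stable answer.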

Watch this brief demo to see how Community Threat Analysis works.

To learn more about how Vectra detects insider threats, register to download this white paper.