Autonomous cyber defenses are the future: Richard Stiennon
Organizations must match the pace of increasingly automated cyber attacks, shutting them down before the damage escalates.
The future of cyber attacks will be pre-programmed autonomous tools that infect an organisation’s network, move to their targets, and steal or damage them in just minutes, according to Richard Stiennon, founder of industry analyst firm IT-Harvest.
This ebook, based on the latest ZDNet / TechRepublic special feature, explores how data center automation is powering new levels of agility and digital transformation.
Current incident response times are measured in hours, however, even in best-practice organisations. Stiennon says that as the cyber attackers become automated and autonomous, so must the cyber defenders.
Consider the NotPetya attack of June 2017, which subverted the automatic software update process of Ukrainian accounting software MEDoc to install malware instead, which then spread through the organisation.
NotPetya was a Russian operation targeted at Ukraine, but the damage spread globally through organisations such as container shipping giant Maersk.
“There was a single financial controller in Odessa who insisted that he needed a copy of MEDoc, and at Maersk the infection spread from that one initial seed of infection to all of their desktops in about 48 hours,” Stiennon said at a briefing organised by Cybereason in Sydney on Tuesday.
It took nine days to clean up the mess. Maersk said it cost them $300 million including lost revenue.
“What about when you’ve got about two and a half minutes when an attack can get in, do the lateral movement, find the resources it’s after, and exfiltrate them? That’s why we’re going to need autonomous responses as well,” Stiennon said.
That means autonomous security orchestration handling everything from detecting an intrusion as early as possible, deciding how to respond, identifying and isolating infected machines, and pushing out updates for firewall rulesets, network segmentation, and access controls.
“That’s a scary prospect for most us. Most of our processes we don’t trust that much, but we have to, to get to the point where we can trust that we can defend ourselves in that automatic way.”
So how do you convince management to cough up the money to build autonomy into security orchestration? Stiennon suggests doing what Lockheed Martin did in 2011, and use threat intelligence to help them understand the risk.
Lockheed Martin analysed the malicious activity at various stages of the cyber kill chain, and associated them with specific advanced persistent threat (APT) groups, without necessarily attributing those APTs to specific nation-state or criminal actors.
“The CISO weekly would report to her upper management, and they’d say look, these are the 14 active campaigns running against us, and this is where they got this week, and how we stopped them,” Stiennon said.
Most organisations don’t have the resources of Lockheed Martin, he said, but companies like Cybereason are starting to provide managed services to bring these capabilities to smaller organisations.
According to Charles Cote, Cybereason’s regional director for Asia, 80 percent of the current security spend is on prevention, and that has to change.
“As an organisation, we believe in prevention. Firewalls, IPS, anti-virus, you need that. But we also believe that that will fail,” Cote said.
“When you don’t have the ability to detect and mitigate immediately, collateral damage is expanded upon.”
MALWARE AND STOLEN DATA HIDDEN IN IMAGE FILES
Cybereason’s Nocturnus security research team has analysed attacks where elements of the cyber attack were embedded in image files using steganography.
Data was cryptographically encoded into the least-significant bits of the RGB colour values of images. Those images files, which looked normal, were then hosted on a legitimate domain. From there, they were downloaded into the target network by the remote access tool (RAT) already in place.
Downloading image files from a legitimate server didn’t trigger the security monitoring because there was nothing to indicate they might be malicious.
“We’re showing you a way to bypass traditional controls fairly easily… This overall is stealthy and very difficult to detect,” said principal security advisor Matthew Green.
The technique can be used to conceal any kind of data. This can include malware needed for the next stages of an attack, scripts to execute, or commands to reconfigure the attacker’s infrastructure that, for example, point to a new command and control server.
The Nocturnus team has also seen steganography used for data exfiltration. Stolen data was encoded into some five gigabytes of image files, which were then dropped into the organisation’s web directory. From there, the attackers could simply download them.
Last month Cybereason announced a partnership with UK semiconductor company Arm to develop layering protection, detection, and response into the Arm Pelion IoT Platform. The companies plan to protect one trillion connected devices by 2035.
Dr. Hans C. Mumm