From ransomware to the increasing weaponisation of data, today’s adversaries have more and more sophisticated resources to identify vulnerabilities within networks and discover new ways to bypass standard defences without getting caught. Advanced exploit tools are increasingly available for sale, making it easier for less talented attackers to carry out maximum impact with relative ease. This will pose a major threat to businesses and consumers alike, as everyday cyber criminals capitalise on myriad new and morphing intrusion tools.
In a joint study with Cambridge University, Lloyd's insurance found that the growing risk of cyber attacks leaves the Australian economy exposed to a potential US $16 billion in damage over the next decade. Furthermore, cybercrime has become the number one economic crime in Australia, with reports finding that Australians are now experiencing a significantly higher rate of economic crime than the rest of the globe.
As cyber threats continue to grow in sophistication and attack techniques evolve to become faster, stealthier and more successful than ever, so too must security and defence strategies to combat these massive risks.
Reactive defence is no defence at all
Our industry has long focused on signatures and indicators of compromise (IoC) which we know are extremely reactive and fragile by nature. Whilst there has been much debate around whether signatures are dead, they still have their place in dealing with typical malware and when using IoCs to hunt for intrusions within your organisation.
We all accept that the number of threats has exploded over the last few years, to the point that developing signatures one by one for each attack is an endless and frivolous task. From a protection standpoint, we need to pivot to leverage the power of machine learning and importantly, use indicators of attack (IoA).
An IoA highlights the need to change focus from what already happened within your network to looking at potential issues as they happen – that crucial shift away from purely reactive.
The benefit of an IoA is that it represents a proactive stance, it is an early warning sign that an attack may be underway. This includes code execution, persistence, stealth, command control and lateral movement within a network. An IoA should enable you to prevent the attack at its early stages, before it becomes a significant incident.
Looking ahead to Indicators of Attack
A classic example of an IoA is how we deal with ransomware. To look for IoAs is to break down and analyse an attack into the series of actions that the ransomware creator must conduct in order to succeed. What’s more, an IoA helps us distinguish the malicious from benign.
But what happens if an adversary does not use malware? What if they use a stolen credential, or start to live off the land and create backdoors, escalate privileges, move laterally? It’s impossible for signature-based technology to effectively deal with these types of challenges.
For example, a malware-free backdoor that abuses Windows’ “sticky keys” feature allows an attacker to revisit a compromised system at will and with system privileges. It is also quiet since it avoids any custom malware and even avoids user log-in activity. An IoA that targets this aspect of attacker tradecraft has a lifespan of years, whereas most traditional IoCs have typical lifespan of hours, days, or at best, weeks. As a true IoA, behavioural detection of sticky keys works in entirely malware-free attacks.
A defining moment for threat prevention
As the term IoA becomes more widespread and common across the security industry, there are cases where the definition is applied differently depending on who is talking and their own implementation. For example, one new description of an IoA is that it is nothing more than contextually relevant IoC.
Let’s be very clear: an IoA is not a rehashed application of an IoC. Unlike IoAs, IoCs do not deal with velocity of attacks, they can’t handle emerging threats, and they do not work with intrusions that do not use malware.
Collecting multiple IoCs, trying to add context and sending them to a SIEM for analysis at some point also does not warrant renaming to IoA. An IoA should be used to identify intent, to discover an attack that is currently unfolding in the environment, and most importantly, to provide opportunity to block this attack proactively, as it is happening.
Don’t focus on stopping malware, stop the breach
If there’s one thing to learn about where cybersecurity is headed it’s that an effective strategy focuses on stopping the breach, not just stopping malware. Today’s attackers have the time and resources to identify vulnerabilities within networks and discover multiple ways to bypass traditional technologies and defences, making a more modern approach to security a business imperative. IoCs still have their uses and their place, but they need to be augmented with the more advanced, proactive techniques that stem from IoAs.
Article by Michael Sentonas, vice president of Technology Strategy, CrowdStrike.