Why the biggest cyber-attacks go undetected
We've all seen this movie or TV scene: A hacker sits in a shadowy room busily typing on his keyboard. The camera slowly pans around him, and within a few clicks — voilà! — the protagonist has deployed a cyber-attack into the highly secured target he was trying to penetrate. 'I'm in', he says.
This may make for great TV, but the reality of data breaches is not as exciting. In fact, the biggest and most damaging attacks don't happen in minutes. Rather, they include multiple steps that unfold over months.
They aren't executed in a few clicks, but through a long process of exploration and exploitation. According to IBM's Cost of a Data Breach Report, the average time to detect and contain a cyber-attack is 287 days. That's over nine months!
If a data breach is made of so many individual steps, why aren't the steps detected and the malicious exploit immediately identified? The answer is that they are detected, but the main problem of cloud security today is not detection. It's correlation.
Tracing the steps
Data breaches and cyber-attacks are not singular events. They are an ongoing process with multiple steps.
The first step is usually infiltration, during which an attacker gains a foothold in the network. Infiltration can happen in many ways: targeted credential theft, exploitation of vulnerable web applications, third-party credential theft, malware, and more.
The next step is usually reconnaissance. This is where attackers try to understand what the network architecture is, what access they have via stolen credentials, and where sensitive data is stored.
Compare this to thieves breaking into a house in the middle of the night. The first thing they do is check the house's layout and determine where the valuables are being kept.
Once attackers are done with basic reconnaissance, usually they will attempt lateral expansion in the network. They move within the network into a higher tier with better access, perform privilege escalation to gain permissions with wider access, acquire sensitive data, and finally exfiltrate it outside the network.
These steps take weeks or months to progress. Attackers perform them through a painstaking trial-and-error process as they strive to identify sensitive resources and expand within the network.
Usually, in the case of a cyber-attack, we hear only of the first and last steps – infiltration into the network and data exfiltration. But during the steps in between, there is a whole world of activity that often goes unnoticed.
The importance of correlation
Modern security systems detect a lot; they probably detect too much. According to a study by IT security firm Bricata, the average security operations centre receives over 10,000 alerts each day from an ever-growing array of monitoring and detection products.
Despite these massive numbers of alerts, there are several reasons why malicious activity still goes undetected:
Too many logs
When you have too many logs, it's impossible to know which alerts matter, and which do not. Identifying a malicious event in a sea of false positives is like trying to find a needle in a haystack.
Low-risk alerts
While many events are detected, most of these are medium- and low-risk alerts that are not worth investigating.
Lack of context
Looking at an individual activity in isolation, it's impossible to tell whether that activity is legitimate or not. That administrator logging on in the middle of the night — is it because he is sleepless, or did someone steal his user credentials?
Is that DevOps engineer invoking an API call she has never used before because she is working on something new or a hacker trying something shady? Without context, it is impossible to tell.
Duration of time
Going back to our original point — data breaches take a long time to unfold. This means that the alerts related to one breach will be raised over an extended period. When events are detected in sequence, it is easy to tell they are related. But what happens when they are detected months apart?
Given these realities, it is unrealistic to expect security managers to connect a random event to another event they spotted weeks or months ago. The answer is to use automated tools that detect individual events and correlate them into a logical sequence that shows how they are related.
Cyber-attacks occur over extended periods. The bigger, more complex the network, the more time the attack will take. Over such a drawn-out period, it is impossible to keep track of individual events and connect them manually.
Rather, organisations need automated tools that will track separate activities over long periods and alert IT to the aggregate threat of the event sequence.
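As an added illustration of the correlation the article calls for (example code written for this page, not taken from the article or from any product it mentions), the Python below groups constructed sample alerts by principal, keeps only alerts that fall inside one long time window, and reports a principal only when its individually low-risk alerts advance through several attack stages in kill-chain order. The alert type names, the stage mapping and the sample data are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample alerts (not real data): timestamp, principal, alert type, severity.
# Each is low or medium severity on its own, so a per-alert severity filter would drop it.
SAMPLE_ALERTS = [
    ("2024-01-03T02:14:00", "alice", "login_unusual_hour", "low"),
    ("2024-01-20T09:30:00", "alice", "iam_list_users_first_use", "low"),
    ("2024-02-11T11:05:00", "alice", "assume_role_new_target", "medium"),
    ("2024-03-02T15:40:00", "alice", "policy_attached_admin", "medium"),
    ("2024-04-15T22:10:00", "alice", "s3_bulk_download", "medium"),
    ("2024-01-05T10:00:00", "bob", "login_unusual_hour", "low"),
    ("2024-02-28T16:20:00", "bob", "iam_list_users_first_use", "low"),
]
# Assumed mapping from (hypothetical) alert type to the attack stage it hints at.
STAGE_OF = {
    "login_unusual_hour": "infiltration",
    "iam_list_users_first_use": "reconnaissance",
    "assume_role_new_target": "lateral_movement",
    "policy_attached_admin": "privilege_escalation",
    "s3_bulk_download": "exfiltration",
}
STAGE_ORDER = ["infiltration", "reconnaissance", "lateral_movement",
               "privilege_escalation", "exfiltration"]

def correlate(alerts, window_days=287, min_stages=3):
    """Return {principal: [stages]} for principals whose alerts, inside one window,
    advance through at least `min_stages` distinct stages in kill-chain order."""
    window = timedelta(days=window_days)
    by_principal = defaultdict(list)
    for ts, principal, kind, _severity in alerts:
        by_principal[principal].append((datetime.fromisoformat(ts), kind))
    findings = {}
    for principal, events in by_principal.items():
        events.sort()  # chronological; months may separate neighbouring alerts
        best = []
        for i, (start, _) in enumerate(events):  # slide the window start over each alert
            chain, reached = [], -1
            for ts, kind in events[i:]:
                if ts - start > window:
                    break
                stage = STAGE_OF.get(kind)
                if stage is None:
                    continue  # unmapped alert type: ignore rather than crash
                idx = STAGE_ORDER.index(stage)
                if idx > reached:  # count only forward progress through the chain
                    chain.append(stage)
                    reached = idx
            best = max(best, chain, key=len)
        if len(best) >= min_stages:
            findings[principal] = best
    return findings
```

With the default 287-day window "alice" is reported with all five stages while "bob", whose two alerts never progress past reconnaissance, is not; shrinking the window to 30 days breaks alice's chain apart and nothing is reported, which is exactly the failure mode the article describes.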