January 12, 2016
Antivirus and antimalware software have long been the standard protective measure used by network security specialists to detect and thwart attackers. Unfortunately, there are some problems with this method, both from the hacker's standpoint and from the administrator's standpoint. While antivirus software is exceptionally good at detecting and blocking known malware, brand new threats that have not yet been identified by antivirus software developers aren't generally recognized and tend to slip through undetected and unabated.
|Networking administrators are faced with growing numbers of users and devices. They need a way to detect intruders even without the presence of tell-tale malware.|
Legitimate Tools Replace Malware for Gaining Network Access
From the hacker's standpoint, it makes no sense to develop and depend on a tool that has a very short lifespan. Just like the developer of legitimate software, the hacker has to get enough bang for the buck to make their efforts worthwhile. That means that the more sophisticated and serious hackers are abandoning the concept of malware altogether. Hence, antivirus and antimalware software can no longer be depended on to detect and stop those incoming threats.
Instead of the nasty little virus, Trojan, or worm, today's advanced hackers are using legitimate tools that antivirus software treats as just more benign applications running harmlessly on the network. Hackers use remote management applications and scripting engines to do the same things they once relied on malware for: get in and steal a user's credentials, crack passwords, dump password hashes, and then use remote desktop tools to jump from one system to the next, spreading their thievery and mayhem. Most hackers understand that their attack will eventually be caught and stopped; they simply want to use the tools that let them get by with more mischief for longer periods of time.
Accounts with higher level access should be monitored more stringently than average users, but a baseline for normal behavior should be established across the network.
Protecting the New Malware-Less Attack
How can business IT departments identify and protect against these new "legitimized" attacks? First, they have to stop depending on antimalware and antivirus protection. Those tools are crutches that can lull network administrators into a false sense of security: because the antivirus software hasn't signaled an attack, everything must be okay.
Instead, security should involve rigorous and intelligent network performance monitoring: establish a baseline of what counts as normal network activity, then set alerts that fire when those norms are exceeded, which could signify an attack.
The longer you can take to establish baselines, the better your new detection system for legitimized attacks will be. You want to include several weeks or months of monitoring so that you establish a good baseline for normal workdays, nights and weekends, and even what network activity looks like during a holiday. The network performance monitoring solution should look for anomalies like a flurry of invalid password attempts or unusual activity involving highly sensitive and/or rarely accessed files and folders. The higher the privilege of the account and the more critical the assets involved in the anomaly, the lower the alerting threshold should be. In other words, don't let it slip your awareness if an admin-level account shows 3 incorrect password attempts, even if your threshold for an average user account is 5 or 6.
|If you don't have any users who should be accessing data from the other side of the world at 4 a.m., even one attempt at access under these circumstances should throw up a red flag.|
What Makes a Good Network Monitoring Solution to Protect Against Hackers?
Here are the factors that should figure into setting baselines and thresholds for alerting IT about anomalies:
- Where the attempted access originates. A lower threshold should be established for high-risk areas. If you have no interests in high-risk regions, a threshold of one is recommended.
- How many times the anomaly occurs. Does it look like a frustrated user or something more sinister?
- The timing of the anomaly. If it occurs in the middle of the night, when few if any users should be attempting to access the network, that's more suspicious than a larger threshold breach in the middle of the day.
- The duration of the anomaly. Do the attempts at access exceed what you'd expect to see from a user who simply forgot their password?
- The source of the anomaly. Is this a high-level user with access to top-secret stuff? Is it an advanced user that shouldn't be the type to forget or mis-enter their password multiple times?
- The pattern of the anomaly. A user will generally go directly for whatever they came to do. An attacker will move systematically through the network in ways that a normal user would have no cause to.
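As an added illustration (not code from the article), here is a small Python scorer that applies the factors above to a constructed authentication log: the role-specific failure thresholds of 3 for admin accounts and 5 for average users, a threshold of one for any access from a region where the business has no users, and off-hours access by a privileged account. The policy values, the log format and the account names are assumptions for the example.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
# Policy values are assumptions for this example: the article's 3 (admin) and 5 (user)
# failure thresholds, a threshold of one outside the allowed regions, and a business-hours window.
FAILED_LOGIN_THRESHOLD = {"admin": 3, "user": 5}
ALLOWED_REGIONS = {"US", "CA"}
BUSINESS_HOURS = range(7, 20)          # 07:00-19:59 local time

@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    account: str
    role: str        # "admin" or "user"
    region: str      # country code of the source address
    success: bool

def parse_line(line: str) -> AuthEvent:
    # Constructed log format: "<ISO timestamp> <account> <role> <region> OK|FAIL"
    ts, account, role, region, result = line.split()
    return AuthEvent(datetime.fromisoformat(ts), account, role, region, result == "OK")

def evaluate(events):
    """Return sorted (account, reason) alerts for events that breach the baseline."""
    alerts, failures = set(), Counter()
    for e in events:
        if e.region not in ALLOWED_REGIONS:          # threshold of one: any attempt alerts
            alerts.add((e.account, f"access from region {e.region} outside the allowed set"))
        if e.role == "admin" and e.ts.hour not in BUSINESS_HOURS:
            alerts.add((e.account, f"admin access at {e.ts:%H:%M}"))
        if not e.success:
            failures[e.account] += 1
            if failures[e.account] == FAILED_LOGIN_THRESHOLD[e.role]:   # alert once, at the role's limit
                alerts.add((e.account, f"{failures[e.account]} failed logins (role {e.role})"))
    return sorted(alerts)

def alerts_for_log(text: str):
    return evaluate(parse_line(line) for line in text.splitlines() if line.strip())

# Constructed sample: bob stays below the user threshold, alice reaches the admin
# threshold, and a privileged account logs in from placeholder region XX at 4 a.m.
SAMPLE_LOG = """\
2016-01-12T09:01:00 bob user US FAIL
2016-01-12T09:01:20 bob user US FAIL
2016-01-12T09:01:40 bob user US FAIL
2016-01-12T14:10:00 alice admin US FAIL
2016-01-12T14:10:05 alice admin US FAIL
2016-01-12T14:10:10 alice admin US FAIL
2016-01-12T04:00:00 svc_backup admin XX OK
"""
```

Running `alerts_for_log(SAMPLE_LOG)` yields no alert for bob, one for alice, and two for svc_backup, which is the ordering of concern the article argues for.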
Clearly, the landscape of network security is shifting, and your CIO and tech teams need to be prepared. For more great ideas see CIO Brief to learn about network performance, security, trends, technologies, and more.