In the world of information, the pursuit of security is a race without a finish line. New threats are born and evolve on a daily basis. The moment we let our defences remain static they become obsolete.
Over in Waterstons’ technology labs we’ve been testing out a new defence against cyber threats. I thought it was worth sharing as it represents a new approach to network security, and gives an interesting insight into what the future could hold.
How we detect cyber threats
Let’s talk about how we typically detect cyber threats. At the most basic level you probably have some sort of logging enabled on your network devices. Whether anyone pays attention to it or not is another matter, but in theory if someone watches those logs they may be able to spot some anomalous behaviour that indicates an attack. Maybe. Probably not.
To improve our detection capabilities we often deploy Intrusion Detection Systems (IDS). The job of the IDS is to watch traffic on our network and look out for behaviour that matches known attack profiles. A port scan, for example, might not register on individual devices as anything to worry about, but someone attempting to connect to every address on your network in turn would get the attention of an IDS. As a network grows, you’ll probably have to deploy more IDS devices to cover different segments. On a moderately large network what you end up with is a bunch of different devices, each observing a different part of the picture. Interpreting the data from any one device is like guessing the picture on a jigsaw from just one piece. Ultimately someone has to spend time putting the jigsaw together for it to make sense.
To make sense of the data on larger networks we might deploy a Security Information and Event Management system (SIEM). This aggregates the collective input of our various logging and IDS systems and compares them to gain an understanding of the big picture. Instead of dealing with a torrent of spurious alerts we task our SIEM with filtering out the noise and providing useful information.
Assume you’ve already been hacked
Despite this complex arrangement of event detection and correlation, most security experts advocate an 'assume breach' mind-set. In other words, even if your fancy detection systems think you’re sitting pretty, you should assume that someone’s already broken in.
That’s not just paranoia. It’s realistic. The Ponemon Institute conducts research on information security. In one report they found that 90% of US companies had been hacked in the last 12 months, and in another that half of all US adults had been hacked in the last 12 months. If you still think you’re OK, then consider that Mandiant found the median time between a network being breached and the breach being discovered was 243 days. That’s nearly a year of someone rummaging through your data undetected! Not only that, but in two thirds of cases the only reason the breach was discovered was because an external party spotted it. That’s not exactly reputation enhancing… So even if all your monitoring systems tell you you’re clean, someone could be helping themselves to your data and you don’t even know it.
So how does this happen? How do attackers manage to evade our detection systems so successfully? The answer appears to be quite simple. According to Verizon, 76% of attacks involve compromised user credentials. Think about that – if the attacker has a valid username and password then they can log in just like everyone else. There’s no need to 'break in'.
Consider a burglar alarm in your home. You set it, you lock your door, you hope that if anyone tries to break in it’ll make a racket and alert someone. That’s fine if the burglar kicks in your window, but what if the burglar has a set of front door keys and knows the alarm code? In that case the alarm is useless. Worse even than useless if it’s providing a false sense of security.
A new way of thinking
So what’s the solution? Well, consider if instead of just looking for an entry/disarm sequence, we collected information from your burglar alarm’s sensors over a period of time. What if we analysed this information and noticed that on a weekday you typically come home between 5:30pm and 6:00pm, go first to your room to get changed, then enter the kitchen to cook dinner, and then go to the table to eat. That’s your normal behaviour profile. If then the alarm’s sensors detected someone arriving at 2pm on Wednesday, and making repeated trips between the living room and the back door we could identify this as abnormal behaviour. Regardless of whether they entered the correct alarm code we might want to send an alert to your phone just to check it’s really you.
An Israeli cyber security start-up called Aorato had the idea to do something similar with an information network. They figured that if they captured every single piece of authentication traffic that occurred on a network they would have enough data to build up a 'profile' for the behaviour of every user and device on the network. Even on a small network that’s a huge amount of data, and interpreting it is not something that any poor human brain could cope with. Fortunately Aorato’s expertise lay in machine learning – a field which forms part of artificial intelligence research (and one of the 4 requirements to pass a Turing test). They set about developing an algorithm that could analyse the data and learn the behaviours of each user in an organisation.
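The profiling idea described above, as an added example that is not Aorato's or Microsoft's code: a plain frequency count stands in for the machine learning, and the event fields, host names and 4-hour time buckets are assumptions made for illustration. Every event here is a successful logon with valid credentials.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed history: (timestamp, user, source host, resource), one working week.
HISTORY = [(f"2015-03-{d:02d}T{t}", "alice", "WS-ALICE", res)
           for d in range(2, 7)
           for t, res in (("09:05:00", "mail"), ("14:20:00", "fileserver"))]

def features(ts, host, resource):
    """Reduce one authentication event to the traits we profile."""
    t = datetime.fromisoformat(ts)
    day = "weekend" if t.weekday() >= 5 else "weekday"
    return {"daypart": (day, t.hour // 4),  # six 4-hour buckets per day
            "host": host, "resource": resource}

def build_profiles(history):
    """Count how often each user shows each trait value."""
    profiles = defaultdict(lambda: defaultdict(Counter))
    for ts, user, host, resource in history:
        for name, value in features(ts, host, resource).items():
            profiles[user][name][value] += 1
    return profiles

def unusual_traits(profiles, event, min_seen=1):
    """Return the traits of a successful logon that the user's profile has not seen."""
    ts, user, host, resource = event
    if user not in profiles:
        return ["user"]  # no baseline at all for this account
    profile = profiles[user]
    return [name for name, value in features(ts, host, resource).items()
            if profile[name][value] < min_seen]

if __name__ == "__main__":
    profiles = build_profiles(HISTORY)
    for ev in [("2015-03-09T09:10:00", "alice", "WS-ALICE", "mail"),
               ("2015-03-11T02:14:00", "alice", "WS-KIOSK", "finance-db")]:
        print(ev, "->", unusual_traits(profiles, ev) or "matches profile")
```

The second event carries valid credentials, yet every profiled trait (time of day, source host, resource) is new for the account, which is the signal a signature-based IDS never sees.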
The advantages of machine learning in cyber security should be easily apparent. In a constantly changing arena, a defence which learns and evolves can maintain its effectiveness against a mutating threat landscape.
Whatever they were doing, it caught the eye of a software company in Redmond, and the resulting output of this machine learning software is taking form in Microsoft Advanced Threat Analytics. This embryonic system takes a completely different approach to detecting attacks. The theory is that an attacker may be able to evade IDS and SIEM systems by cleverly hiding their tracks, or (more likely) bypass surveillance using valid credentials. What they can’t do, however, is accurately mimic your behaviour once they’re in.
It’s an interesting concept, if a little disconcerting that a server somewhere on your network knows your habits better than you do!
Information is power
As the process happens to ingest a goldmine of authentication information, Microsoft/Aorato have also fed it a catalogue of security research to identify tricks that may bypass other detection systems. For example, if it observes a computer accessing information using a valid security ticket, but the same ticket was previously observed being issued to a different machine, MS ATA is able to alert that the ticket has been stolen, and record the information it has been used to access. If you’ve invested in SIEM, MS ATA will happily ingest the correlated security event information from your SIEM system to expand its own visibility across your security landscape. The more information it collects, the richer its detection capabilities.
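The stolen-ticket check described above, sketched as an added example (not MS ATA's implementation): it assumes a hypothetical event feed in which every ticket carries a stable `ticket_id` and each event records the machine involved. The sample events are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AuthEvent:
    ts: str            # ISO 8601 timestamp
    kind: str          # "issued" or "used"
    ticket_id: str     # hypothetical stable identifier for one ticket
    user: str
    host: str          # machine the ticket was issued to / presented from
    resource: str = "" # what the ticket was used to access

# Constructed sample feed.
EVENTS = [
    AuthEvent("2015-03-11T09:00:00", "issued", "T1", "alice", "WS-ALICE"),
    AuthEvent("2015-03-11T09:01:00", "used", "T1", "alice", "WS-ALICE", "fileserver"),
    AuthEvent("2015-03-11T09:05:00", "issued", "T2", "bob", "WS-BOB"),
    AuthEvent("2015-03-11T11:30:00", "used", "T2", "bob", "WS-KIOSK", "hr-share"),
    AuthEvent("2015-03-11T11:32:00", "used", "T2", "bob", "WS-KIOSK", "finance-db"),
    AuthEvent("2015-03-11T11:40:00", "used", "T3", "carol", "WS-CAROL", "mail"),
]

def find_reused_tickets(events):
    """Map (ticket_id, foreign host) -> details for tickets used off their issuing machine."""
    issued_to = {}  # ticket_id -> host that first received the ticket
    alerts = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "issued":
            issued_to.setdefault(ev.ticket_id, ev.host)
            continue
        origin = issued_to.get(ev.ticket_id)
        if origin is None or origin == ev.host:
            continue  # issuance never observed (no evidence), or expected host
        alert = alerts.setdefault((ev.ticket_id, ev.host),
                                  {"user": ev.user, "issued_to": origin, "resources": []})
        alert["resources"].append(ev.resource)  # record what was accessed
    return alerts

if __name__ == "__main__":
    for (ticket, host), info in find_reused_tickets(EVENTS).items():
        print(f"ticket {ticket} for {info['user']} issued to {info['issued_to']} "
              f"but used from {host}: {info['resources']}")
```

Ticket T3 is skipped rather than flagged because its issuance was never observed, which is why the approach depends on capturing all authentication traffic.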
The future of cyber defence
Microsoft’s Advanced Threat Analytics product is still being developed, and has a number of practical hurdles to overcome. If the technology manages to live up to its potential though it could change the way we detect cyber threats. Rather than relying on static events and known threat patterns, we could put the job in the hands of a near-omniscient (as far as your network goes) machine that learns your habits and notices when they change.
As we creep further forwards in artificial intelligence research, the cyber security landscape is going to change. We’re a long way from Skynet taking over, but advancements in fields such as machine learning are opening up new possibilities. Security is an area that can reap obvious benefits from these technologies as they mature. The other side of the coin is that once the technologies are out there, you can also be sure they’ll be used against you. It’s an arms race after all, and there is no finish line in sight.