
Behavioural attack detection: Why a cyber breach isn’t game over for your business

C-level briefing: LightCyber EVP Jason Matlof and other cyber security experts talk known threats and firewall shortcomings.

By Alexander Sword

For decades, cyber security has been built around the idea that once the attackers have breached your network or organisation, it’s game over. But what if it isn’t?

Mostly the products offered by the cyber security industry have been designed with this idea in mind: keep the attackers out.

However, as Jason Matlof, Executive Vice President at LightCyber, says, an attacker being inside the network isn’t game over.

“Over the lifecycle of the attack, when an analyst looks, the dwell time has been measured to be around 6 months,” he says.

This means that the cyber security industry has spent years simply focusing on the first few seconds or minutes of a much longer process.

“Once they get in they have to figure out how to get operational control. Where are the privileged accounts, the databases, the servers that they need to get to the ultimate objective?”

This ultimate objective could be patient or financial records, credit card databases or any other valuable information. The point is that the attacker, once inside the network, is still several steps away from achieving their goal.


Unsurprisingly, much discussion of cyber security fails to make this distinction. The focus is always on the breach, possibly because this is the most interesting phase from a technical perspective.

For LightCyber and some other vendors, though, the key is what comes after the breach, when the attacker has to do a great deal of work. The attack lifecycle starts with the initial intrusion, followed by communication with a command-and-control server, reconnaissance, lateral movement across the network and finally exfiltration.

This means that the attacker serves up a feast of potential indicators to anyone watching.

It is this simple fact, combined with the inadequacy of firewalls, which has led to the birth of what is called behavioural attack detection.

The firewall is built around a constantly updated list of threats that it blocks from entering the network. It works backwards from the known exploit, whether files, URLs or packet signatures, to build protection against it into the gateways to the network.

But as Gerard Bauer, EMEA VP of Vectra Networks, says, the main threat is actually the ‘unknown unknowns’: the threats that have yet to be captured in the wild.

“We don’t know if they exist, we don’t have visibility into what they do, and there’s no way signatures can catch them,” he says.

It is this gap in the traditional firewall-style technologies that behavioural attack detection aims to fill; in fact, the vendors all stress that it is filling a gap, not replacing the firewall.

“We always say the prevention technologies are necessary but not robust enough to be sufficient,” says LightCyber’s Matlof.

So what is behavioural attack detection? The approach looks beyond the initial breach and tries to detect typical attacker behaviour within the network. It does this through what Matlof calls a ‘known good’ approach.

LightCyber deploys an appliance in the network and creates a behavioural profile of all the machines and user accounts to create a baseline of what’s expected on the network.

“We look at where people typically go on the inside of the network. For example, an employee from one department goes to these domains, marketing goes to these domains.”

The anomalies from the learned baseline are what indicate the attacker.

“We’re looking for a machine doing things that the computer doesn’t normally do which are indicative of attack phases going on.”

“This user doesn’t typically scan the network, why is his machine doing that? The machine normally uses the user’s own credential, why is it being used to brute force other passwords? The machine is talking to a domain on the internet, which no-one else from the organisation has accessed, suggesting a command and control site.”

“The damage is not done until there’s some form of exfiltration. That is on the order of weeks or months to do.

“By changing the model you’re giving the defender the days and the weeks to stop them before the damage is done.”
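As an added illustration of the ‘known good’ approach described above (example code written for this article, not LightCyber’s product or method): a profile is learned from a period of assumed-clean events, and later events are flagged when a machine touches many internal hosts it never used to, uses a credential other than its usual one, or contacts an external domain no one in the organisation has visited. All hostnames, users and domains are constructed sample data.

```python
from collections import defaultdict

# Constructed sample events, not real telemetry: (host, user, kind, target).
# kind is "smb" (internal file-share connection), "auth" (credential used)
# or "web" (external domain contacted).
BASELINE = [
    ("ws-mkt-01", "alice", "web", "cdn.example-marketing.test"),
    ("ws-mkt-01", "alice", "smb", "fileserver-mkt"),
    ("ws-mkt-01", "alice", "auth", "alice"),
    ("ws-fin-02", "bob", "web", "portal.example-finance.test"),
    ("ws-fin-02", "bob", "smb", "fileserver-fin"),
    ("ws-fin-02", "bob", "auth", "bob"),
]

# Later activity from the marketing workstation: one normal request, then
# a foreign credential, a domain nobody else uses, and six new internal peers.
OBSERVED = [
    ("ws-mkt-01", "alice", "web", "cdn.example-marketing.test"),
    ("ws-mkt-01", "alice", "auth", "svc-backup"),
    ("ws-mkt-01", "alice", "web", "update-check.example-c2.test"),
] + [("ws-mkt-01", "alice", "smb", f"10.0.5.{n}") for n in range(1, 7)]


def learn_baseline(events):
    """Build the 'known good' profile: per-host targets per kind, plus the
    set of external domains anyone in the organisation has contacted."""
    profile, org_domains = {}, set()
    for host, _user, kind, target in events:
        profile.setdefault(host, {}).setdefault(kind, set()).add(target)
        if kind == "web":
            org_domains.add(target)
    return profile, org_domains


def detect(events, profile, org_domains, scan_threshold=5):
    """Return (host, alert_type, detail) tuples for deviations from baseline."""
    alerts, new_peers = [], defaultdict(set)
    for host, _user, kind, target in events:
        known = profile.get(host, {}).get(kind, set())
        if kind == "smb" and target not in known:
            new_peers[host].add(target)          # counted, not alerted, per host
        elif kind == "auth" and target not in known:
            alerts.append((host, "credential_misuse", target))
        elif kind == "web" and target not in org_domains:
            alerts.append((host, "rare_external_domain", target))
    for host, peers in new_peers.items():        # many new peers looks like a scan
        if len(peers) >= scan_threshold:
            alerts.append((host, "internal_scan", f"{len(peers)} new internal hosts"))
    return alerts


def run_demo():
    profile, org_domains = learn_baseline(BASELINE)
    return detect(OBSERVED, profile, org_domains)
```

The baseline period must itself be trusted: events from an already-compromised machine are learned as normal, which is the false-negative case Lastline’s Vigna raises below.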

As a general principle, known good and whitelisting approaches are gathering momentum alongside traditional blacklisting.

Rob Sobers, Director at Varonis, says that “whitelists tend to be both easier to maintain and more effective at blocking dynamic attacks.”

He says that in application security specifically, it is “not terribly difficult to build a whitelist that specifies which applications are approved and safe to run.”

But known good techniques are not perfect either. Giovanni Vigna, CTO and co-founder at Lastline, notes that “anomaly detection has been ridden by both false negatives (because malicious activity does not generate anomalies) and false positives (because benign activity generates anomalies).”

The key is that the known good and known bad approaches are perfectly compatible, and that some combination of the two deployed together will have the best chance of success.
