The nature of today’s cyber attacks may look very familiar from an historical perspective but they differ in some significant ways, according to Ross Brewer, Vice President and Managing Director of LogRhythm. “The volume, velocity and impact is higher than it’s ever been,” he told CBR TV.
Whether it's criminal gangs, governments or individuals attempting to hack into networks, each is taking a “methodical approach” to how they exfiltrate data, Brewer said.
Typically, the threat lifecycle will follow a similar pattern, the first stage of which is reconnaissance. At this stage, the criminal will seek to understand as much about the target individual and company as possible. This might mean trawling social media footprints, looking for vulnerabilities across internet-facing infrastructure or, brazenly, calling people up and tempting them to share passwords.
After reconnaissance comes the initial compromise, explained Brewer. This might be a phishing email, for example, or a more targeted spear phishing attack. Once an email or attachment is opened, this triggers malware which in turn gives the attacker “command and control”. This allows the attacker to issue further instructions, take over an individual machine or move laterally, looking to access other assets or gain more credentials that let the criminal move deeper into an organisation.
“And once they’ve identified the systems where the crown jewels sit then [the criminal will] look to extract, corrupt or destroy that data – or hold that data to ransom.”
If that’s the nature of the threat, how should organisations approach security to combat it? “Think about automating the detection of threats at those embryonic states – at the compromise stage or even the reconnaissance stage,” Brewer advised. Organisations need to reduce their mean time to detect and their mean time to respond to an attack. “The sooner in the cycle you can detect the threat the less damage can be done.”
From an operational point of view, Brewer said it was important to avoid what he called “swivel chair analysis”, namely using multiple security technologies – independently and in sequence – to look at different aspects of the threat. “The data set is often duplicated, in different formats and it doesn’t flow from one platform to the next,” said Brewer. Instead, organisations should use a “single pane of glass” approach, “a single threat lifecycle platform that automates a lot of the capabilities, reduces the time to detection and makes them more effective in their response.”
Artificial intelligence will play an increasing role in helping manage organisational security. “Automation is key,” said Brewer. “If you think about the data set and how large it is, it’s not humanly possible to get across it all. It doesn’t matter how many analysts an organisation has – and, in fact, there’s a massive shortage of analysts globally. So the next opportunity we have is through machine analytics – using AI, deep learning, machine learning.”
Ross Brewer was talking to CBR TV. The interview took place on 5 September 2017 in central London.