This November marks the 130th anniversary of ‘A Study in Scarlet’, the very first novel to feature Sherlock Holmes. Written in just three weeks by a 27-year-old Sir Arthur Conan Doyle, the book marked the debut appearance of the most famous fictional detective ever conceived. Anyone who’s read a Sherlock Holmes novel knows that the cases are rarely straightforward, but Holmes is always able to use his guile and intuition to solve them, often with the help of his trusted sidekick, Dr John Watson.
Modern day cyber security requires much of the same guile and intuition that Holmes needed. However, while Holmes rarely had to focus on more than one threat at a time, today’s cyber security professionals face thousands of them every day, and some are much more dangerous than others.
Let’s look at the typical day of a security analyst. Alerts arrive constantly, and the slew of false positives that is part and parcel of the modern security environment makes up most of them. Occasionally, one of these might be a real threat, but the vast majority are little more than distractions and red herrings. By contrast, false negatives – i.e. where everything seems fine, but in reality, a real threat is lurking – are the real adversaries of the security analyst. After all, as Sherlock would say, there’s nothing more deceptive than an obvious fact.
For example, a “Moriarty-esque” cyber-criminal might be able to use stolen employee credentials to create multiple fake admin accounts and spread malicious activity across them. To the untrained eye, the logs for each individual account may seem fine. It’s only when all of the accounts are linked together that the real picture begins to emerge. With so many of the breaches that make the global news headlines, it often seems like someone should have spotted the threat long before it caused major damage, but hindsight is a wonderful thing. In reality, it takes a truly skilled eye and the latest technology to detect a real threat as it’s forming amidst the fog of uncertainty created by so many false positives and false negatives.
Below are three real-life cases that didn’t necessitate a pipe or deerstalker hat, but did require fast, effective detective work to solve. In each case, it wasn’t clear at the time whether there was a genuine incident unfolding, or if it was just a set of coincidences and/or false positives:
1) The Case of the Faceless Phishermen
In this first example, multiple employees at a particular organisation received phishing emails that directed them to a fake Outlook Web Access (OWA) website. Once at the site, they were asked to enter their credentials in order to log in and manage their email. However, their credentials were then stolen by hackers, who used them to access the employees’ genuine Outlook accounts and send spear-phishing emails to large groups of non-employees (i.e. addresses at yahoo.com, gmail.com, etc.). Since the emails were from known email addresses, the victims had little reason to doubt their legitimacy. Furthermore, the firm’s Security Information & Event Management (SIEM) system was unable to detect this type of attack, so all looked well. But through detailed security analysis, the organisation’s security team was able to expose the faceless phishermen for what they really were.
2) The Case of the Sheep in Wolf’s Clothing
In this example, the behavioural analytics system at a large e-commerce firm detected a user attempting to access a server fifty times per minute. Initially, the firm’s security analysts suspected some form of malware attack was in progress, attempting to move laterally around the network. However, further detailed analysis showed that it was actually a system administrator testing new deployment scripts. A red herring.
3) The Case of the Phantom Employee
In the final example, an HR specialist within the company was accessing a variety of employee files sitting on multiple fileshares. During the same day, a database admin (DBA) backed up a payroll database containing sensitive employee information such as social security numbers, dates of birth, addresses, etc. Initial analysis didn’t highlight a threat, since it was an HR employee managing HR files, and a DBA managing databases: no red flags.
However, further investigation and the discovery of additional clues revealed a different picture. The DBA account had been used from the HR employee’s machine: she had remotely accessed the payroll database using this DBA account. Detailed analytics showed that she had never accessed the database before, she’d never used that credential before, nor had anyone else in HR accessed that database directly before. Suddenly the situation began to look very different.
In reality, the employee’s credentials had been stolen via malware before she went on holiday and the activity was actually a hacker using her domain account to access the network and a stolen DBA credential to access the database.
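The clues that unmasked the phantom employee are all "never seen before" pairings: user and database, credential and machine, department and database. The following is an added example, not code from the original post, of how that correlation can be expressed against access logs; the event fields, the department names and the two-clue alert threshold are assumptions, and the log data is constructed.

```python
from collections import defaultdict

# Constructed 30-day baseline of access events (not real data). Each event is
# (user, department, host, credential, resource).
BASELINE = [
    ("alice", "HR", "HR-WS-12", "alice", "hr-fileshare"),
    ("bob", "HR", "HR-WS-07", "bob", "hr-fileshare"),
    ("dave", "DBA", "DBA-WS-01", "dave", "payroll-db"),
    ("dave", "DBA", "DBA-WS-01", "svc_dba", "payroll-db"),
] * 3  # repeated so each pairing counts as well established

# The day under investigation, also constructed: the HR user's workstation
# reaches the payroll database with the DBA service credential.
TODAY = [
    ("alice", "HR", "HR-WS-12", "alice", "hr-fileshare"),
    ("dave", "DBA", "DBA-WS-01", "svc_dba", "payroll-db"),
    ("alice", "HR", "HR-WS-12", "svc_dba", "payroll-db"),
]


def build_baseline(events):
    """Index which pairings across the dimensions have been seen before."""
    seen = defaultdict(set)
    for user, dept, host, cred, resource in events:
        seen["user->resource"].add((user, resource))
        seen["cred->host"].add((cred, host))
        seen["dept->resource"].add((dept, resource))
        seen["user->cred"].add((user, cred))
    return seen


def novelty_flags(event, seen):
    """Return the list of 'never seen before' clues for one event."""
    user, dept, host, cred, resource = event
    checks = {
        "user never touched resource": (user, resource) not in seen["user->resource"],
        "credential never used from host": (cred, host) not in seen["cred->host"],
        "nobody in dept ever touched resource": (dept, resource) not in seen["dept->resource"],
        "user never used credential": (user, cred) not in seen["user->cred"],
    }
    return [name for name, hit in checks.items() if hit]


def investigate(today, baseline, min_clues=2):
    """Flag events that stack at least min_clues novel pairings.

    One novelty on its own is a routine first-time event (a likely red
    herring); several on the same access is the phantom-employee pattern.
    """
    seen = build_baseline(baseline)
    return [(ev, novelty_flags(ev, seen)) for ev in today
            if len(novelty_flags(ev, seen)) >= min_clues]
```

Each dimension alone would have read as "an HR employee managing HR files" or "a DBA managing databases"; it is the combination of first-time pairings on a single access that surfaces the incident.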
When companies begin uncovering the events that comprise an incident, they often discount the reality they are facing. “This can’t happen, because we use two-factor authentication”. “This isn’t a problem, because I’m sure the DBA had a good reason for backing up those records”. “This shouldn’t happen, because we encrypt our data”. However, as Sherlock Holmes once said, when you have excluded the impossible, whatever remains, however improbable, must be the truth.
In today’s business environment, cyber security professionals have their work cut out for them. They know there are hundreds of adversaries out there, but with so many red herrings causing unwanted distractions, it can be extremely difficult to spot the real threats. Even Sherlock Holmes would have struggled if faced with solving hundreds of cases simultaneously. Fortunately, where Holmes had Dr Watson to assist on particularly tough cases, cyber security professionals can use technology to join the dots, IF their organisation has invested wisely.