The Reason Why the Biggest Cyberattacks Happen Slowly
Most movies and TV shows about hackers show them breaking into a target within a matter of minutes. In reality, the biggest, most damaging (and most lucrative) attacks are rarely pulled off overnight. They begin with reconnaissance to map the network and observe user behaviour, looking for a seemingly insignificant security hole that can be exploited to gain unauthorized access. That access then opens the floodgates to compromising vast quantities of data over an extended period, sometimes many months or even years.
According to IBM's Cost of a Data Breach Report, the average time it takes to detect and contain a cyberattack is 280 days. That's over 9 months! And the time to detect and contain a breach caused by a malicious attack is even longer: 315 days.
A Breach is Not an Event, it’s a Process
The most important thing to understand about cyberattacks is that they are a continuous process made up of multiple steps.
The first step is usually infiltration, the step by which the attacker gains a foothold in the target's network. Infiltration can happen in several ways: targeted credential theft, web application exploitation, third-party credential theft, and more. But this is only the first step, and many more follow.
Attackers will usually scope out their target first by carrying out reconnaissance. Reconnaissance is essentially exploring the network architecture, investigating what access their stolen credentials give them, and finding out where sensitive data is stored. By analogy, a thief posing as a friend of the homeowner would have to act this way, since they risk being recognized if they don't take precautions.
Merchants are at risk from many different types of attacks, so how do you protect your business from getting attacked online?
Once cyber-criminals have finished their research and reconnaissance of an enterprise, they usually start moving laterally within the network in search of better access, and then cause disruption by stealing money or valuable information.
These steps often take weeks or months to complete, and they're performed gradually through trial and error. Attackers can be very meticulous in their efforts to identify sensitive resources.
In the case of a cyberattack, we usually only hear about the first and last steps, the infiltration into the network and the data exfiltration, but there's a whole world of activity in between them.
Your Problem Isn’t Detection. It’s Correlation
If a data breach is made up of so many individual steps, how is it that these steps are not detected and immediately identified as malicious? The answer is that they are detected, but correlating them is very difficult, especially when dealing with cloud security breaches.
Modern security systems do not detect too little; if anything, they detect too much. According to a study by the IT security firm Bricata, the average SOC receives over 10,000 alerts each day from an ever-growing array of monitoring and detection products.
However, despite these massive numbers of alerts, there are a number of reasons why malicious activity still goes undetected:
• Too many logs: with an excessive number of logs, it's difficult to tell which alerts matter and which don't. Spotting a malicious event in a sea of false positives is like looking for a needle in a haystack.
• Low-risk alerts: while many events are detected, most of them are medium- and low-risk alerts that are not worth investigating.
• Lack of context: looking at a single activity in isolation, it's difficult to tell whether or not that activity is legitimate. That administrator signing on in the middle of the night: is it because he is restless, or did somebody steal his credentials? That DevOps engineer invoking an API call she has never used before: is it because she is working on something new, or is it an attacker trying something out? Without context, it is difficult to tell.
• Stretching over time: returning to our original point, data breaches take a long time to unfold. This means that the alerts related to one breach will be detected over a drawn-out period. When events are detected in succession, it is easy to tell that they are connected. But what happens when they are detected months apart?
Given these realities, it is not reasonable to expect security managers to connect a random event to another event they saw weeks or months ago. Far more efficient are automated tools that identify not only the root causes of events but also how they relate to one another, providing a much more comprehensive picture of what is happening within a given environment.
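To make the correlation argument concrete, here is a small added example (written for this page, not code from the original post or from any product it alludes to). It takes a handful of constructed alerts, each of them low or medium severity and each easy to dismiss on its own, groups them by the user or service they concern, and looks for alerts whose stages advance in the order the post describes (infiltration, reconnaissance, lateral movement, exfiltration) within a time window. The stage labels on the alerts, the entity names and the timestamps are all assumptions made for the example. Running the same alerts through a 7-day window and a 365-day window shows the "stretching over time" problem directly: the short window finds nothing, the long window reconstructs the whole chain.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Attack stages in the order the article describes them. The stage label on
# each alert is an assumption of this example; in practice it would come from
# the detection rule that fired.
STAGE_ORDER = ["infiltration", "reconnaissance", "lateral_movement", "exfiltration"]

# Constructed sample alerts, not real telemetry. Every one of them is low or
# medium severity and would likely be closed on its own.
ALERTS = [
    {"ts": "2023-01-10T03:12:00", "entity": "admin-jdoe", "stage": "infiltration",
     "severity": "low", "desc": "interactive logon outside working hours"},
    {"ts": "2023-02-01T10:00:00", "entity": "devops-asmith", "stage": "reconnaissance",
     "severity": "low", "desc": "called a cloud API never used by this principal"},
    {"ts": "2023-01-12T09:40:00", "entity": "admin-jdoe", "stage": "reconnaissance",
     "severity": "low", "desc": "enumerated group membership on 40 hosts"},
    {"ts": "2023-02-03T01:00:00", "entity": "svc-backup", "stage": "exfiltration",
     "severity": "medium", "desc": "large outbound copy to backup target"},
    {"ts": "2023-03-02T14:05:00", "entity": "admin-jdoe", "stage": "lateral_movement",
     "severity": "medium", "desc": "first-ever remote session to file server"},
    {"ts": "2023-06-21T22:30:00", "entity": "admin-jdoe", "stage": "exfiltration",
     "severity": "medium", "desc": "outbound transfer 40x the 30-day average"},
]


def _ts(alert):
    return datetime.fromisoformat(alert["ts"])


def correlate(alerts, window_days, min_stages=3):
    """Group alerts by entity and look for a chain of alerts whose stages
    advance through STAGE_ORDER within window_days of the chain's first alert.
    Returns one incident per entity whose best chain covers at least
    min_stages distinct stages."""
    by_entity = defaultdict(list)
    for alert in alerts:
        by_entity[alert["entity"]].append(alert)

    incidents = []
    for entity, events in by_entity.items():
        events.sort(key=_ts)
        best = []
        # Try every alert as the start of a chain so that the window slides
        # rather than being anchored to the entity's earliest alert.
        for i, start in enumerate(events):
            chain = [start]
            deadline = _ts(start) + timedelta(days=window_days)
            for later in events[i + 1:]:
                if _ts(later) > deadline:
                    break  # events are sorted, so nothing further can qualify
                if STAGE_ORDER.index(later["stage"]) > STAGE_ORDER.index(chain[-1]["stage"]):
                    chain.append(later)
            if len(chain) > len(best):
                best = chain
        if len(best) >= min_stages:
            dwell = _ts(best[-1]) - _ts(best[0])
            incidents.append({
                "entity": entity,
                "stages": [a["stage"] for a in best],
                "dwell_days": dwell.days,
                # The chain itself is the evidence: the incident is rated high
                # because the stages line up, not because any one alert was.
                "severity": "high",
                "alerts": best,
            })
    return incidents


if __name__ == "__main__":
    for window in (7, 365):
        found = correlate(ALERTS, window_days=window)
        print(f"window={window:>3} days -> {len(found)} incident(s)")
        for inc in found:
            print(f"  {inc['entity']}: {' -> '.join(inc['stages'])} over {inc['dwell_days']} days")
            for a in inc["alerts"]:
                print(f"    {a['ts']}  [{a['severity']:6}] {a['desc']}")
```

Two design points are worth noting. The window slides from every alert, so an entity's earliest noise does not pin the window to the wrong start. And the incident's severity is derived from the shape of the chain rather than from the highest individual alert, which is exactly the gap the post describes: each event here is "medium" at best, but the correlated sequence, spanning about five months for one account, is the story a SOC actually needs to see.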
Attacks are Slow, so Defend Fast
Cyberattacks are a long and drawn-out process. It's impossible to know the timeline of an attack in advance; it could take years to uncover its full extent and magnitude, and by then it is already too late. The key is to be proactive, so that you are aware of threats before they become malware nightmares. Automated tools fuse data from multiple sources over long periods of time, so they can visually present the pattern of cyber events leading up to an attack, which helps businesses monitor their network pre-emptively.
Conclusion: