Micro Focus is now part of OpenText. Learn more >

You are here

You are here

How to track the attacks that matter to your organization

Johannes Ullrich Dean of Research, SANS Technology Institute

Each year at the RSA Conference I sit on the SANS panel discussion about the most dangerous new attack techniques. The most common questions people ask are how to stay up to date, and how to find out which attacks matter in their specific environment.

In intrusion detection, every network is different. An attack that matters to me may be of no consequence to you. It is no surprise that hardware and software inventories are front and center when it comes to critical controls—you need to know your network.

But where do you go from there? Here's how to get started, and how to make sure you're tracking what's most important to your organization. 

Start with your logs

My logs are the first thing I look at each day. Because I'm part of the SANS Internet Storm Center, I have an advantage: I receive logs from a large number of organizations and honeypots. But the process should be the same for you.

The questions you want to answer are: What's new, and what is different today? This usually doesn't require the use of a large, expensive product, but it helps to have a convenient and efficient means to create custom reports for your logs that highlight differences.

It is the one-offs, the anomalies, that I am interested in. As an analyst, the number of events I am working each day is irrelevant. My metric for success is "what did I learn from the events I analyzed today?"

Traditional intrusion detection and prevention methods rely on monitoring network and system logs for anomalies. But in complex enterprise networks, it can be exceedingly difficult to define “normal.” Even if the security team has been somewhat successful in defining “normal” at one point in time, constant change will make it difficult to maintain this baseline.

Deception techniques, which use software to manage a large number of decoys that provide highly actionable alerts with a low false positive rate, can help in solving this problem.

These techniques are quickly establishing themselves in the enterprise as a way to cut through the clutter of events by delivering actionable alerts. Traditionally, intrusion detection and prevention methods have relied on monitoring network and system logs for anomalies.

A skilled analyst may be able to detect indicators of intrusions early, and then direct incident response to limit the impact. However, networks are often too complex and dynamic for you to define anomalies well and to extract actionable events from logs collected enterprise-wide.

[ Special Coverage: RSA Conference 2019 ]

Why honeypots won't work in the enterprise

Researchers have long used honeypots to learn more about attacks, and these are still one of the most effective sources to learn about new attacks in our research. There have been several attempts to transfer this concept to enterprise networks. But honeypots have not delivered the same value to enterprise networks that they have to researchers. 

Why don't honeypots don't work as well in enterprises? Researchers often look for broad new trends. We try to measure the "background radiation" caused by large-scale Internet intrusions. We hardly ever look at singular events. And if we do, we use them as a sample of a larger trend and as a representative of a new wave of attacks.

Enterprise networks, on the other hand, are often concerned with singular attacks and events that are targeting specific, unique components in the organization's network.

Traditional honeypots have an inherent collection bias to attract simple and automated intrusion attempts, as they are often seen as part of larger attack waves. In an enterprise, honeypots have not been able to scale to provide ubiquitous coverage.

[Honeypots] suffer from the same problem as other technologies: Networks are too complex and diverse for you to adequately cover them with decoys that are diverse enough.

Deception works

Instead, the concept of "deception" has been used for a more data-centric approach to building decoys. Rather than attempting to mirror complete production systems, deception adds markers to critical data stores, providing sensitive sensors to detect and alert on intrusions. These deception techniques are great resources to identify new intrusion techniques in your own network.

To protect a network from intrusions, a classic honeypot creates copies of entire database servers and related infrastructure to entrap attackers. This approach is costly, and unless the attacker chooses to attack the decoy systems, the technique will be ineffective.

Most sophisticated attackers will be able to detect and, in some cases, evade these decoys. Even if they are configured just like the live system, their workload will differ and they usually hold different data than the live system. This doesn't matter for researchers looking for large-scale intrusions but will be an issue for organizations looking for targeted attacks.

Modern deception techniques, on the other hand, instrument production systems to detect intrusions better. Combined with the ability of sophisticated consoles to deploy detection decoys efficiently, and to collect the data and integrate it with other sensors, deception techniques have shown great promise and are becoming a standard "due diligence" technique to prevent attacks.

Don't get blindsided: Know what's coming next

Traditional intrusion detection systems can easily become dated, so learning about up-and-coming new attacks is critical. Too often, analysts focus on yesterday's attack that they learned about in a class.

Excessive dwell times for attackers allow them to use new attack techniques undetected until defensive techniques catch up with them months—or even years—later. A skilled analyst lets automated systems take care of older attacks and focuses on finding what the next new attacks are that the organization needs to worry about.

For more on the most dangerous new attack techniques, drop in on the SANS discussion on March 7 at 11:55 AM at the RSA Conference, which takes place March 4-8 in San Francisco.

Keep learning

Read more articles about: SecurityInformation Security