It drains resources and pulls teams away from the more important priorities.

This methodology also allows security teams to focus on malware that really is a threat – not
every bit of redundant malware floating around that’s inert or inactive. It’s a bit like learning to
live with slugs in your garden.

You can probably deal with them if they are not doing any damage. But if there are flesh-eating
ones, you might want to get some slug bait.

However, understanding what constitutes suspicious activity is no mean feat. It takes a great
deal of expertise and understanding to codify and implement. But it is possible. To do so, you
need to get inside the head of the attacker and understand their motives and intent.

Broadly speaking, there are only a handful of things that a hacker is trying to do: steal
credentials, extract funds, undertake reconnaissance, shut something down (such as critical
infrastructure) or embarrass someone.

To achieve any one of these, there are many different tactical pieces of malware, which change
and become ever harder to identify over time. But regardless of the malware being used, there
is a process that often looks very similar.

If you can understand the intent and the process that goes with it, you can spot suspicious
activity that is indicative of the intent and stop the attacker in their tracks. The example of
malware connecting directly to an IP address is just one of many.

Organizations need to work with experts to identify these processes and the types of traffic they
create. They need to keep up with the cyber criminals and how they operate once they are
inside a network.

They need to constantly extend the breadth of detectable behaviour patterns and identify the
cause and spread of attacks to power remedial action. Of course, this is a huge investment for
an in-house team, which is where security vendors can step in.

In conclusion, while still important, perimeter security is increasingly losing its ability to protect.
Building bigger and better walls will stop a proportion of attackers, but it is increasingly
expensive with diminishing returns.

The real effort needs to be turned to the grounds within those walls, that is, the network itself.
Doing so will take bravery, but if we do not, organizations run the risk of disaster and security
professionals will have lost the battle. And probably their jobs.




74 Cyber Warnings E-Magazine – April 2017 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
