Tech Insight: What You Should Know About Detecting A Targeted Attack

Published: 22/11/2024   Category: security

Logging events and running a SIEM are key, but so is properly training your first line of defense, the end user



With recent targeted attacks like that against HBGary, we've seen firsthand how no one is safe from a data breach -- not even a well-known security company. What's fascinating about targeted attacks is that the details are rarely made public, and when they are, the lessons learned typically cover the vulnerabilities and prevention, with little to no focus on detection.
On nearly every breach case I've worked, there has been evidence in the Windows Event logs, Apache logs, or the intrusion detection system (IDS) that, had someone been monitoring them, would have alerted staff to an attack.
Verizon's 2010 Data Breach Investigations Report parallels my experience: It states that 87 percent of victims had evidence of the breach in their log files, yet missed it.
Incredible statistic, right? Now step back and ask yourself if your company would be part of that 87 percent if an attack took place this weekend. Are you prepared to survive a targeted attack, or better yet, ready to detect it as it happens?
The challenge of detecting a targeted attack is that it can come from anywhere. The first attempt may be a probe of your Internet-facing servers to see what vulnerabilities affect your Web and mail servers.
If that doesn't turn up anything interesting, then the next attempt might be a spear-phishing attack against the soft, chewy center of your company -- its people. Detecting attacks that target human assets is often nearly impossible without regular training and awareness. You can't install Snort on your CEO and CFO.
Detecting a socially engineered attack requires both technical controls and user awareness and training, backed by policies. The external probes would go unnoticed by users, but an IDS, a Web application firewall, and possibly rules monitoring the Web server logs would flag the activity as malicious. On the other hand, mail security solutions would likely miss a well-crafted spear phish, while trained users could identify the message and forward it to the security team for analysis.
On the technical side, logging needs to be enabled, and monitoring of those logs needs to take place so that early detection can occur. Open-source log monitoring and commercial SIEM solutions can help by identifying patterns indicative of an attack that an analyst can then investigate further.
Say that the external probe includes a brief brute-force attack against a website's form-based authentication, or SQL injection attempts. A log monitoring system should alert the security team, where an entry-level analyst investigates and escalates to a senior team member if the event needs further attention. Analysis will confirm whether the attack was successful and whether a rule needs to be placed on the firewall to block the attack source.
The key is to have logging enabled *before* an attack occurs. However, even if monitoring isn't performed in real time, it's important to have logs because they provide a forensic trail if an attack is discovered later. And with the ever-decreasing cost of drive storage, that shouldn't be a complaint anymore.
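To make the scenario above concrete, here is the kind of rule a log monitoring system would run over Web server logs to surface exactly those two probes: repeated failed POSTs to a login form from one source, and SQL injection indicators in request URIs. This is an added example, not code from the original article or from any product it mentions. The log lines are constructed, the login endpoint `/login`, the threshold of five failures in two minutes, and the assumption that the application answers a failed login with HTTP 401 are all illustrative choices, and the SQL injection patterns are deliberately crude (a real deployment would tune them to cut false positives).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Apache/nginx "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Crude SQL injection indicators, applied to the URL-decoded path and query string.
SQLI_PATTERNS = [
    re.compile(p, re.IGNORECASE) for p in (
        r"'\s*(or|and)\s+[\w']+\s*=\s*[\w']+",   # ' OR 1=1 style tautologies
        r"union\s+(all\s+)?select",               # UNION SELECT data extraction
        r";\s*(drop|insert|update|delete)\s",     # stacked queries
        r"(sleep|benchmark|waitfor)\s*\(",        # time-based blind probes
        r"--\s*$|/\*.*\*/",                       # comment terminators
    )
]

LOGIN_PATH = "/login"             # assumption: the form-based auth endpoint
BRUTE_THRESHOLD = 5               # failed logins per source inside the window
BRUTE_WINDOW = timedelta(minutes=2)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["decoded_path"] = unquote_plus(rec["path"])   # decode before matching
    return rec


def detect(lines):
    """Return a list of alert dicts for SQLi probes and login brute force."""
    alerts = []
    failures = defaultdict(list)   # source IP -> timestamps of recent failed logins
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for pat in SQLI_PATTERNS:
            if pat.search(rec["decoded_path"]):
                alerts.append({"type": "sqli", "ip": rec["ip"], "time": rec["time"],
                               "request": rec["decoded_path"], "status": rec["status"]})
                break
        # Assumption: a failed login is a POST to LOGIN_PATH answered with 401/403.
        if (rec["method"] == "POST" and rec["decoded_path"].startswith(LOGIN_PATH)
                and rec["status"] in (401, 403)):
            window = failures[rec["ip"]]
            window.append(rec["time"])
            # keep only failures inside the sliding window
            window[:] = [t for t in window if rec["time"] - t <= BRUTE_WINDOW]
            if len(window) >= BRUTE_THRESHOLD:
                alerts.append({"type": "brute_force", "ip": rec["ip"],
                               "time": rec["time"], "count": len(window)})
                window.clear()   # one alert per burst of BRUTE_THRESHOLD failures
    return alerts


# Constructed sample log: an SQLi probe from one host, a login brute force from another,
# and one legitimate successful login that must not alert.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Feb/2011:03:14:01 +0000] "GET /products.php?id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Feb/2011:03:14:02 +0000] "GET /products.php?id=1%27%20OR%201%3D1-- HTTP/1.1" 500 312 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Feb/2011:03:14:03 +0000] "GET /products.php?id=1%20UNION%20SELECT%20user,password%20FROM%20users HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Feb/2011:03:20:00 +0000] "POST /login HTTP/1.1" 401 220 "-" "curl/7.19"
198.51.100.23 - - [12/Feb/2011:03:20:01 +0000] "POST /login HTTP/1.1" 401 220 "-" "curl/7.19"
198.51.100.23 - - [12/Feb/2011:03:20:02 +0000] "POST /login HTTP/1.1" 401 220 "-" "curl/7.19"
198.51.100.23 - - [12/Feb/2011:03:20:03 +0000] "POST /login HTTP/1.1" 401 220 "-" "curl/7.19"
198.51.100.23 - - [12/Feb/2011:03:20:04 +0000] "POST /login HTTP/1.1" 401 220 "-" "curl/7.19"
198.51.100.23 - - [12/Feb/2011:03:20:05 +0000] "POST /login HTTP/1.1" 401 220 "-" "curl/7.19"
192.0.2.5 - - [12/Feb/2011:03:21:10 +0000] "POST /login HTTP/1.1" 302 0 "https://example.test/login" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Each alert carries the source IP and timestamp, which is what the analyst needs to confirm whether the request succeeded (the 200 returned for the UNION SELECT line is the one to look at first) and to decide whether a firewall rule for that source is warranted.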
Good communication among the security team and an incident tracking system are also crucial in large environments to help spot trends. An attack against a server or two at one location may seem insignificant until you find that the same attack occurred at two other locations, or that the source of the attack was also identified sending malware through the mail server.
And, of course, there's the people side, where detection gets infinitely more difficult. Many security professionals will tell you that user awareness and training is simply useless. My advice to the security professionals is to stop trying to do the training themselves and hire someone who specializes in training and awareness.
There are many professionals out there whose specialty is developing effective awareness programs and training personnel on complex topics like computer security. Work with those professionals to create information fliers, posters, e-mails, etc., that communicate to the users in your organization the threats they will face through e-mail, online, and on the phone. Users rarely realize that attackers can pick up the phone and use it for a social engineering attack. Instead, they're stuck in the mindset that attacks will always be computer-based.
A key area of focus for awareness and training is the detection of the different threats and how they should be communicated to the security team. Users are often the first line of detection with spear-phishing and client-side attacks -- they just have to know what to look for. And when they do identify something suspicious, it should be put into the incident tracking system to help correlate it with other potentially related issues.
Logging everything or buying a SIEM certainly isn't a panacea, but both of these approaches do help. Just don't forget that the detection of targeted attacks takes more than technical controls.
Have a comment on this story? Please click Add Your Comment below. If you'd like to contact Dark Reading's editors directly, send us a message.
