Intelligent cyber security solutions
Threat
Today’s synergistic corporate infrastructure, along with the federation of its information, is building an agile and cohesive environment. However, it also introduces new challenges in protecting information assets from getting into an adversary’s hands. According to an article in Forbes [1], cyber crime costs are projected to hit $2 trillion by 2019, with projected cyber attack losses of at least $9.7 billion in 2020 [2]. With recent attacks on Equifax, Kaspersky, SonicWall, Deloitte, and Whole Foods, it is just a matter of time before these projections turn into reality.
Identifying cyber threats is particularly challenging. First, attackers collaborate across geographic locations, making it difficult to trace the attacking source. Second, attack complexity and payloads are evolving rapidly, making it slow to monitor and prevent many vulnerabilities and their consequences in synergistic cyber networks. Third, advanced persistent threats (APTs) are implanted across multiple stages, making it troublesome to pick real-time incidents out of normal network traffic. Last but not least, it is extremely hard to manage the volume, velocity, and complexity of the data generated by the myriad of security tools. It can easily take months of effort for even the most experienced security experts to comb through this massive amount of data and find the needle in the haystack.
In order to build an intelligent and proactive security program, security evangelists and thought leaders must invest some time in the following:
1. Build an attacker’s portfolio
2. Behavior analysis
3. Deeper learning and feedback loop
Building Attacker’s Portfolio - Know your adversary!
Asset Discovery
In order to build a resourceful and content-driven security team, security thought leaders should identify the critical assets the team is protecting. If you are protecting The Wall against White Walkers then you will need a Sworn Brother of the Night’s Watch to protect it (a GOT reference :)). However, if you only have public data classification and an adversary may not have any monetary gain, then you can avoid heavy investment in an information security organization by focusing on automating defences against hacktivists, script-kiddies or pranksters.
[1] https://www.forbes.com/sites/stevemorgan/2016/01/17/cyber-crime-costs-projected-to-reach-2-trillion-by-2019/#63c9e44b3a91
[2] https://www.bloomberg.com/news/articles/2017-07-18/global-cyber-attack-could-cost-121-4-billion-lloyd-s-estimates
Challenges • 1
Cyber Adversary Profiling
Once asset discovery is performed, characterizing the cyber adversary and building a relevant attack profile is next in line. Over the past decade, information security evangelists have done a splendid job in building templates and databases of various cyber adversaries. But it comes with a disclaimer: it is not one size fits all. Based on the data assets and where they lie in the infrastructure, you start building access controls around them.
Image Reference - https://blog.illusivenetworks.com/cyber-attackers-evolution-4-profiles
Cyber Kill Chain
Lockheed Martin coined the term Cyber Kill Chain [3], and it has been widely adopted in the security community to describe the stages of a cyber attack. The intrusion-centric model focuses on seven steps:
1. Reconnaissance, information gathering
2. Weaponization, use of known exploits or create new ones
3. Delivery, plant the malicious payload on target machines
4. Exploitation, execute the exploit
5. Installation, install malware
6. Command and Control, create a C&C channel to operate the attack remotely
7. Actions on objectives, perform the steps to achieve the actual goals
Below is an example of one such cyber kill chain
[3] https://www.darkreading.com/attacks-breaches/deconstructing-the-cyber-kill-chain/a/d-id/1317542?
Behavioral Analysis
The common thread across various forms of threats is deviation in an asset’s or user’s behavior. Security evangelists need to map behavioral patterns to the cyber adversary characterization. Such deviation can indicate fraudulent or malicious activity, which is important in detecting these attackers. The behavior of users, devices, system accounts, and privileged accounts should be monitored to reveal anomalies.
Deeper Learning And Feedback Loop
Next in line is implementing systematic solutions using the most advanced statistical and deep learning techniques to detect and prevent threats in real time. Each attack tree is implemented to cover a certain stage along the cyber kill chain. Once such an attack tree is matched, an automated alerting process must be triggered and the first layer of incident responders must be engaged for review. Responders can then triage the various trigger sources and decide on appropriate actions, like blocking the corresponding web traffic, removing the responsible extensions, or acting on the suspicious segment. After a few iterations one can build supervised security threat models to tune the overall detection rate.
In practice, malicious applications, licitly or illicitly, leave characteristic signatures in their network traffic logs. An artificial neural network can trace these traffic patterns and generate alerts that are potentially tied to different phases of the threat.
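As an added illustration of how individual detections can be tied to kill-chain stages and escalated once an entity has progressed along the chain (this is example code written for this page, not the paper’s attack trees): a small correlator that tags constructed detection events with a stage and alerts when one host hits several stages, in chain order, inside a sliding window. The detection names, their mapping to stages, the event format and the sample events are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# The seven Lockheed Martin kill-chain stages, in order.
STAGES = ["reconnaissance", "weaponization", "delivery", "exploitation",
          "installation", "command_and_control", "actions_on_objectives"]

# Hypothetical detection names -> stage. Weaponization happens on the
# attacker's side, so no sensor in this example maps to it.
DETECTION_TO_STAGE = {
    "port_scan": "reconnaissance",
    "phishing_attachment": "delivery",
    "exploit_signature": "exploitation",
    "new_service_installed": "installation",
    "beacon_periodic": "command_and_control",
    "bulk_outbound_transfer": "actions_on_objectives",
}

# Constructed sample events: "<ISO timestamp> <host> <detection>".
SAMPLE_EVENTS = [
    "2024-03-01T08:00:00 ws-17 port_scan",
    "2024-03-01T09:15:00 ws-17 phishing_attachment",
    "2024-03-01T09:20:00 ws-17 exploit_signature",
    "2024-03-01T11:40:00 ws-17 beacon_periodic",
    "2024-03-01T08:05:00 ws-42 port_scan",
    "2024-03-03T10:00:00 ws-42 beacon_periodic",    # two days later: outside a 24h window
    "2024-03-01T12:00:00 db-01 port_scan",
    "2024-03-01T12:30:00 db-01 unknown_detection",  # unmapped detection, ignored
]

def parse_event(line):
    ts, host, detection = line.split()
    return datetime.fromisoformat(ts), host, detection

def correlate(lines, window=timedelta(hours=24), min_stages=3):
    """Return {host: [stage, ...]} for every host that advanced through at
    least `min_stages` distinct kill-chain stages, in chain order, within
    one window. Repeated or out-of-order stages are not counted as progress."""
    by_host = defaultdict(list)
    for line in lines:
        ts, host, detection = parse_event(line)
        stage = DETECTION_TO_STAGE.get(detection)
        if stage is not None:
            by_host[host].append((ts, STAGES.index(stage)))

    alerts = {}
    for host, events in by_host.items():
        events.sort()
        for i, (t0, _) in enumerate(events):        # try each event as the window start
            progress = []
            for ts, idx in events[i:]:
                if ts - t0 > window:
                    break
                if not progress or idx > progress[-1]:
                    progress.append(idx)
            if len(progress) >= min_stages:
                alerts[host] = [STAGES[j] for j in progress]
                break
    return alerts

if __name__ == "__main__":
    for host, chain in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {' -> '.join(chain)}")
```

With the sample data only ws-17 alerts under the default 24-hour window; widening the window to a week and lowering the bar to two stages also catches ws-42, which is the trade-off a responder tunes between catching slow APT-style progressions and drowning in coincidental pairs.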
To identify lateral movement in net-flow data, we build a graph model using the PageRank algorithm to measure the ingress/egress fluctuations of endpoints across subnets. In this model the PageRank score of each node is driven by its net-flow counts with other nodes, so a drastic score change for a node reflects the impact of its neighbors and suggests possible propagation of suspicious actions.
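A worked version of that graph approach, added here as example code (not the paper’s implementation): weighted PageRank by power iteration over constructed NetFlow-style records for a baseline window and a current window, with nodes flagged when their score jumps by a factor. PageRank on the forward graph rewards hosts that receive flows; running it on the reversed graph rewards hosts that fan out, which is what a laterally moving host looks like, so both directions are scored. The host names, flow counts and the 2x threshold are assumptions.

```python
from collections import defaultdict

# Constructed NetFlow-style records: (src, dst, flow_count). In the current
# window ws-07 suddenly starts talking to many internal hosts.
BASELINE = [
    ("ws-01", "fs-01", 120), ("ws-02", "fs-01", 110), ("ws-03", "fs-01", 95),
    ("ws-07", "fs-01", 100), ("ws-01", "mail-01", 40), ("ws-02", "mail-01", 38),
    ("ws-03", "mail-01", 41), ("ws-07", "mail-01", 39), ("fs-01", "db-01", 30),
]
CURRENT = BASELINE + [
    ("ws-07", "ws-01", 60), ("ws-07", "ws-02", 55), ("ws-07", "ws-03", 58),
    ("ws-07", "db-01", 70), ("ws-07", "fs-02", 65),
]

def pagerank(flows, damping=0.85, iterations=100):
    """Weighted PageRank by power iteration; edge weight = flow count.
    Mass of dangling nodes (no outbound flows) is spread uniformly."""
    nodes, out_weight, inbound = set(), defaultdict(float), defaultdict(list)
    for src, dst, w in flows:
        nodes.update((src, dst))
        out_weight[src] += w
        inbound[dst].append((src, w))
    n = len(nodes)
    rank = {v: 1.0 / n for v in nodes}
    for _ in range(iterations):
        dangling = sum(r for v, r in rank.items() if out_weight[v] == 0)
        rank = {
            v: (1 - damping) / n
               + damping * (sum(rank[s] * w / out_weight[s] for s, w in inbound[v])
                            + dangling / n)
            for v in nodes
        }
    return rank

def reverse(flows):
    return [(dst, src, w) for src, dst, w in flows]

def flag_changes(baseline_flows, current_flows, threshold=2.0):
    """Nodes whose current score is >= threshold x baseline (new nodes: inf)."""
    base, cur = pagerank(baseline_flows), pagerank(current_flows)
    flagged = {}
    for v, score in cur.items():
        ratio = score / base[v] if v in base else float("inf")
        if ratio >= threshold:
            flagged[v] = round(ratio, 2)
    return flagged

def lateral_movement_candidates(baseline_flows, current_flows, threshold=2.0):
    """'receivers' come from the forward graph (sudden inbound attention),
    'spreaders' from the reversed graph (sudden fan-out, the lateral mover)."""
    return {
        "receivers": flag_changes(baseline_flows, current_flows, threshold),
        "spreaders": flag_changes(reverse(baseline_flows), reverse(current_flows), threshold),
    }

if __name__ == "__main__":
    for kind, hits in lateral_movement_candidates(BASELINE, CURRENT).items():
        print(kind, hits)
```

On this data the forward graph only notices the brand-new host fs-02, while the reversed graph flags ws-07 at roughly three times its baseline score; a practitioner would compare both, and would also keep the baseline window long enough (weeks, not hours) that routine scanners and backup servers do not trip the threshold every day.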
Network intrusion detection is the vital mechanism where an attacker’s trace should be identifiable. Finding malicious activity on the Visa network depends on human intervention to properly code and configure the detectors. We create profiles of user behavior based on different network-activity features, such as egress, ingress, and data volume sent or received. The rareness of different access patterns, such as protocol or port, is also taken into consideration to determine deviation from a user’s normal behavior. Profiles are also created based on employee roles. Deviation of a user’s activity is determined from both the user’s own profile and the profile of the user’s peer group. We use a historical knowledge base and a histogram approach to determine anomalies for this net-flow UBA based model.
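The histogram and peer-group idea above, as an added example that is not the paper’s code: per-user and per-role port histograms give a surprisal (-log p) for each new flow, a volume z-score is computed from the user’s own history, and the risk takes the lower of the own and peer surprisal so that a port that is new to the user but routine for their role scores lower than one nobody in the role uses. Users, roles, ports, byte counts and the threshold are constructed for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed flow summaries: (user, role, dst_port, bytes_out).
HISTORY = (
    [("alice", "engineer", 443, 2_000 + 100 * i) for i in range(30)]
    + [("alice", "engineer", 22, 500)] * 10
    + [("bob", "engineer", 443, 1_800)] * 30
    + [("bob", "engineer", 22, 450)] * 10
    + [("bob", "engineer", 8443, 900)] * 10
    + [("carol", "finance", 443, 3_000)] * 30
    + [("carol", "finance", 445, 1_500)] * 10
)

class Profiles:
    """Per-user and per-role port histograms plus per-user byte statistics."""
    def __init__(self, history):
        self.user_ports = defaultdict(Counter)
        self.role_ports = defaultdict(Counter)
        self.user_bytes = defaultdict(list)
        self.user_role = {}
        for user, role, port, nbytes in history:
            self.user_ports[user][port] += 1
            self.role_ports[role][port] += 1
            self.user_bytes[user].append(nbytes)
            self.user_role[user] = role
        self.all_ports = {p for c in self.user_ports.values() for p in c}

    def rareness(self, counter, port):
        """Surprisal -log p(port) with add-one smoothing over every port ever
        seen, so an unseen port is rare but not infinitely so."""
        total = sum(counter.values()) + len(self.all_ports) + 1
        return -math.log((counter[port] + 1) / total)

    def volume_z(self, user, nbytes):
        xs = self.user_bytes[user]
        mean = sum(xs) / len(xs)
        var = sum((x - mean) ** 2 for x in xs) / len(xs)
        return (nbytes - mean) / math.sqrt(var) if var > 0 else 0.0

    def score(self, user, port, nbytes):
        own = self.rareness(self.user_ports[user], port)
        peer = self.rareness(self.role_ports[self.user_role[user]], port)
        z = self.volume_z(user, nbytes)
        # A port unusual for the user but normal for peers is a new task, not an
        # intrusion: take the smaller surprisal. Upload spikes add on top.
        return {"own": round(own, 2), "peer": round(peer, 2), "volume_z": round(z, 2),
                "risk": round(min(own, peer) + max(z, 0.0), 2)}

def flag(profiles, flow, threshold=3.5):
    """Return (is_anomalous, score breakdown) for one (user, role, port, bytes) flow."""
    user, _, port, nbytes = flow
    s = profiles.score(user, port, nbytes)
    return s["risk"] >= threshold, s

if __name__ == "__main__":
    p = Profiles(HISTORY)
    for flow in [("carol", "finance", 22, 3_000), ("alice", "engineer", 8443, 3_000),
                 ("alice", "engineer", 445, 2_700), ("alice", "engineer", 443, 50_000)]:
        print(flow, flag(p, flow))
```

Note the two contrasting cases: alice on 8443 is unusual for her but common for engineers (bob uses it), so it stays below the threshold, while alice on 445 is rare for her and for every engineer and is flagged; alice sending 50 000 bytes on her usual port is flagged purely on volume, the signal that matters for exfiltration.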
We also profile network behavior at the level of different network entities, i.e. VMSN servers, shared scanners, printers, etc. Using a time series model we learn the normal network traffic pattern over time from historical data and determine the risk of a network flow in sliding-window fashion. Using different combinations of features, we determine reconnaissance, port scanning, privilege escalation, lateral movement and data exfiltration from network activity.
One very common attack scenario these days is Distributed Denial of Service (DDoS). Excessive Domain Name System (DNS) requests are widely used to instigate a DDoS attack. Applying natural language processing and machine learning techniques, we are able to determine the legitimacy of the requested domains and whether the requests are coming from attackers or not. The distribution of the number of requests in a sliding time window is investigated to identify attack scenarios. We also determine the probability that a requested domain was generated randomly by malware, using a deep neural network LSTM-based method.
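An added example (not the paper’s LSTM model) of the two DNS checks described: a per-source sliding-window query counter for flood detection, and a character-bigram language model trained on a constructed list of benign domain labels as a simple stand-in for the deep model, combined with character entropy to score how random a queried label looks. The training list, thresholds and sample queries are assumptions; a real deployment would train on a large benign list such as a top-sites ranking.

```python
import math
from collections import Counter, defaultdict, deque

# Constructed benign second-level labels used to train the stand-in model.
BENIGN = ["google", "microsoft", "amazon", "facebook", "wikipedia", "github",
          "cloudflare", "salesforce", "netflix", "office", "windowsupdate",
          "apple", "twitter", "linkedin", "youtube", "dropbox", "adobe",
          "mozilla", "akamai", "oracle"]
VOCAB = len("abcdefghijklmnopqrstuvwxyz0123456789-") + 2   # + start/end markers

class BigramModel:
    """Character-bigram model with add-one smoothing; a lightweight stand-in
    for the paper's LSTM classifier of malware-generated domains."""
    def __init__(self, words):
        self.bigrams, self.firsts = Counter(), Counter()
        for w in words:
            padded = "^" + w.lower() + "$"
            for a, b in zip(padded, padded[1:]):
                self.bigrams[(a, b)] += 1
                self.firsts[a] += 1

    def mean_surprisal(self, label):
        """Average -log p(next char | char); high for random-looking labels."""
        padded = "^" + label.lower() + "$"
        total = 0.0
        for a, b in zip(padded, padded[1:]):
            total -= math.log((self.bigrams[(a, b)] + 1) / (self.firsts[a] + VOCAB))
        return total / (len(padded) - 1)

def second_level_label(qname):
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def char_entropy(label):
    counts = Counter(label)
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())

def dga_score(model, qname):
    label = second_level_label(qname)
    return model.mean_surprisal(label), char_entropy(label)

def looks_generated(model, qname, surprisal_min=3.4, entropy_min=3.0):
    """Flag a label only when it is both unlike benign names and high-entropy."""
    surprisal, entropy = dga_score(model, qname)
    return surprisal >= surprisal_min and entropy >= entropy_min

def dns_flooders(queries, window_s=10.0, max_per_window=20):
    """queries: (ts_seconds, src_ip, qname). Returns sources that issued more
    than max_per_window queries inside any window_s-second sliding window."""
    recent, flooders = defaultdict(deque), set()
    for ts, src, _ in sorted(queries):
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window_s:
            q.popleft()
        if len(q) > max_per_window:
            flooders.add(src)
    return flooders

# Constructed query log: one source bursts 25 queries in five seconds.
SAMPLE_QUERIES = (
    [(i * 0.2, "10.0.0.5", "xkq7zp2vbw.example") for i in range(25)]
    + [(i * 2.0, "10.0.0.9", "cdn.google.com") for i in range(5)]
)

if __name__ == "__main__":
    model = BigramModel(BENIGN)
    for name in ["google.com", "intel.com", "xkq7zp2vbw.example"]:
        print(name, [round(x, 2) for x in dga_score(model, name)], looks_generated(model, name))
    print("flooders:", dns_flooders(SAMPLE_QUERIES))
```

Requiring both signals matters: with a training list this small an unseen but legitimate name like intel.com gets a fairly high surprisal, and only its low character entropy keeps it from being flagged. The flood counter deliberately ignores the query name, since a DNS amplification or random-subdomain flood is visible in the rate alone.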
Port and protocol access patterns are profiled from network flow data. Using ML classification algorithms such as KNN and SVM, we determine, for a new network flow, the probability of it being unknown or malicious compared to legitimate flows. We apply clustering techniques to firewall data to determine outliers for further investigation and to verify that the firewalls function as intended.
We investigate a user’s escalation in privileges based on that user’s historical access patterns and the access pattern of the critical group escalated into. We also use different decision-tree based approaches to determine the sequence of events that led to the escalation.
Some models at VSA follow specific rules by which the threat level of an attack is determined. Specific scoring mechanisms depending on various factors are outlined. When the event activity score exceeds a threshold value, an alert is generated and validated by security specialists. With their feedback, the model keeps tuning itself over time. This is where self-learning comes into the picture.
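A minimal version of that threshold-and-feedback loop, added here as example code rather than the paper’s models: a handful of hypothetical rules with weights, an alert threshold, and an update that moves the weights of the rules that fired whenever an analyst verdict contradicts the model. The rules, weights, events and step size are assumptions.

```python
# Hypothetical scoring rules; each returns True when it fires on an event.
RULES = {
    "rare_port_for_user": lambda e: e["dst_port"] not in e["usual_ports"],
    "off_hours":          lambda e: e["hour"] < 6 or e["hour"] >= 22,
    "new_destination":    lambda e: not e["dst_seen_before"],
    "large_upload":       lambda e: e["bytes_out"] > 50_000_000,
}

class FeedbackScorer:
    """Weighted rule scoring with an alert threshold. Analyst verdicts on
    events the model got wrong move the weights of the rules that fired."""
    def __init__(self, weights, threshold=1.0, step=0.1):
        self.weights = dict(weights)
        self.threshold = threshold
        self.step = step

    def fired(self, event):
        return [name for name, rule in RULES.items() if rule(event)]

    def score(self, event):
        return round(sum(self.weights[name] for name in self.fired(event)), 4)

    def alerts(self, event):
        return self.score(event) >= self.threshold

    def feedback(self, event, malicious):
        """Raise weights after a missed attack, lower them after a false positive;
        a correct verdict leaves the model untouched."""
        if self.alerts(event) == malicious:
            return self.weights
        delta = self.step if malicious else -self.step
        for name in self.fired(event):
            self.weights[name] = max(0.0, round(self.weights[name] + delta, 4))
        return self.weights

# Constructed events: a nightly backup to a new host, and a real exfiltration.
BACKUP_JOB = {"dst_port": 443, "usual_ports": {443, 22}, "hour": 2,
              "dst_seen_before": False, "bytes_out": 10_000_000}
EXFIL = {"dst_port": 8443, "usual_ports": {443, 22}, "hour": 23,
         "dst_seen_before": True, "bytes_out": 2_000_000}

if __name__ == "__main__":
    scorer = FeedbackScorer({name: 0.5 for name in RULES})
    print("backup alerts:", scorer.alerts(BACKUP_JOB))
    scorer.feedback(BACKUP_JOB, malicious=False)      # analyst: benign
    print("exfil alerts after tuning:", scorer.alerts(EXFIL))
    scorer.feedback(EXFIL, malicious=True)            # analyst: missed attack
    print("weights:", scorer.weights)
```

Two properties worth keeping in any real version of this: the update only runs on disagreements, so a flood of confirmed true positives cannot inflate every weight, and weights are floored at zero, so an analyst dismissing one noisy rule cannot turn it into a negative that masks other signals.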
Future Prospect
As the sophistication and technology of cyber attacks continue to evolve, we foresee the following trends becoming priorities for next-generation cyber security solutions in the coming years.
We will implement more intelligent deep learning models to understand cyber intelligence reports and take their up-to-date scenarios into consideration. The model shall have self-learning and evolving capabilities to extract the most critical information from the intelligence. Ideally it can automatically update its own design and decision logic to adapt to real practice.
We will also extend our protection measures to address today’s rapidly growing attack surface. This moves beyond the network endpoints to involve applications, databases, cloud environments, the Internet of Things (IoT), etc.
We will continue to provide high detection rates with low computational overhead.