Newer Security Technology Goes on the Offensive
For two decades, network security has implemented age-old perimeter defense mechanisms in an attempt to secure valuable assets. While the tactic of protection, detection and infection has had varying degrees of success, it’s never approached an impenetrable fortress. Perimeter defense technologies will always be the mainstay of any security operation center, but new offensive tactics that go directly after the attacker are starting to emerge. Instead of detecting threats that have already breached the security perimeter, newer technologies are seeking threats at the source through identity analytics, deception and public data mining.
Attacking the threat at the source enables an early warning system that reveals the identities of threat actors before they breach the perimeter defenses. These identities could be a domain name, website, URL, network address, email address, or any piece of metadata that can be associated with an identity. If a perimeter defense system gains access to these identities in near real time, it is armed with enough information to thwart any downstream attack.
The simple act of a threat actor attempting to disguise its actions can itself be valuable information. For example, the Tor network routes traffic through a web of relay servers to disguise the threat actor's original identity by way of a series of hops. This approach has two downfalls for the attacker. First, the Tor network is an open system whose relay identities can be discovered, and the packet flow of a multi-hop path has very different characteristics from a single-hop connection. Second, both the relay identities and the flow information can be discovered in real time, and they provide important information about potential attackers. That is, a user trying to gain access to one of your assets inside your perimeter is disguising their identity, but the actions they take in order to do so can reveal the very thing they are trying to hide.
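As an added illustration of the first point (relay identities are public), not code from the article or from IBM, the following Python matches web-server access-log entries against a snippet in the format of Tor's published exit list, so a defender can see which requests arrived through a known exit. The relay fingerprints, exit addresses and log lines are constructed samples.

```python
import re
from collections import Counter

# Constructed sample in the format of Tor's public bulk exit list; fingerprints and IPs are made up.
EXIT_LIST = """\
ExitNode ABCDEF0123456789ABCDEF0123456789ABCDEF01
Published 2024-01-01 00:00:00
LastStatus 2024-01-01 01:00:00
ExitAddress 198.51.100.7 2024-01-01 01:00:00
ExitNode 0123456789ABCDEF0123456789ABCDEF01234567
Published 2024-01-01 00:00:00
LastStatus 2024-01-01 01:00:00
ExitAddress 203.0.113.20 2024-01-01 01:00:00
ExitAddress 203.0.113.21 2024-01-01 01:00:00
"""

def parse_exit_list(text):
    """Map each published exit address to the fingerprint of its relay."""
    exits, current = {}, None
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] == "ExitNode":
            current = parts[1]
        elif parts and parts[0] == "ExitAddress" and current:
            exits[parts[1]] = current
    return exits

# Constructed access-log lines (combined log format) using documentation IP ranges only.
ACCESS_LOG = """\
203.0.113.20 - - [01/Jan/2024:01:05:00 +0000] "GET /login HTTP/1.1" 200 512
192.0.2.55 - - [01/Jan/2024:01:05:03 +0000] "GET / HTTP/1.1" 200 1024
203.0.113.21 - - [01/Jan/2024:01:05:09 +0000] "POST /login HTTP/1.1" 401 128
198.51.100.7 - - [01/Jan/2024:01:06:00 +0000] "GET /admin HTTP/1.1" 403 64
"""
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def flag_tor_requests(log_text, exits):
    """Return the requests whose client IP is a known Tor exit, with the relay behind it."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group(1) in exits:
            ip, ts, method, path, status = m.groups()
            hits.append({"ip": ip, "time": ts, "relay": exits[ip],
                         "method": method, "path": path, "status": int(status)})
    return hits

def requests_per_relay(hits):
    """Aggregate flagged requests by relay, since one relay may publish several exit IPs."""
    return Counter(h["relay"] for h in hits)
```

In production the exit list would be refreshed on a schedule rather than embedded, and a hit is a signal to correlate with other events, not proof of malice on its own.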
Companies that deploy deception technologies at the perimeter of customers' networks, to fool attackers into thinking they have found a vulnerable system, are also beginning to emerge. This differs from a honeypot in that the decoy disguises itself inside the customer's network. The decoy has to be realistic enough to attract the attacker, and it has to remain viable long enough to collect the attacker's identity. Think of this as an easily opened door with a poor lock inside your house: if a stranger opens it just because the lock is weak, they are probably not trustworthy and should be watched carefully. In the same way, when an attacker enters a decoy, it can record the attacker's identity and continue to log the attacker's methods and additional identities, such as command-and-control (C2) servers and exfiltration locations.
A team of researchers from Princeton University and the University of California developed PREDATOR, a data-at-rest technology that attempts to quantify the risk associated with a domain at the time of registration. Using machine learning combined with the correlation of registration and identity data, they were able to distinguish malicious intent from benign intent in new registrations. This type of offensive warfare detects malicious intent at the genesis of the threat.
IBM is embracing this new generation of offensive technology and is aggressively implementing tactics that focus on the threat actors outside the defenses. IBM actively scans newly observed phishing sites. These scans collect information on how each site was constructed and compare those construction elements to new websites in order to discover hijacked sites or new phishing sites, since attackers reuse elements from shared phishing kits to construct new or duplicate sites. IBM thereby identifies phishing sites earlier in their genesis while gathering valuable information about the content and construction of these sites for future analytics.
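To show what comparing "construction elements" can look like, here is an added Python example (my own illustration, not IBM's scanner) that fingerprints a page by the resources and form targets it references, keeping only paths so the same kit on a new host still matches, and scores a candidate page against a known kit with Jaccard similarity. The HTML samples and the 0.6 threshold are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class ResourceExtractor(HTMLParser):
    """Collect a page's construction elements: scripts, stylesheets, images and form targets."""
    ATTRS = {"script": "src", "link": "href", "img": "src", "form": "action"}

    def __init__(self):
        super().__init__()
        self.elements = set()

    def handle_starttag(self, tag, attrs):
        want = self.ATTRS.get(tag)
        for name, value in attrs:
            if want and name == want and value:
                # Drop scheme and host: a kit redeployed on a hijacked site keeps its paths.
                self.elements.add(f"{tag}:{urlsplit(value).path.lstrip('/')}")

def fingerprint(html):
    parser = ResourceExtractor()
    parser.feed(html)
    return parser.elements

def similarity(a, b):
    """Jaccard similarity of two element sets (0.0 when both are empty)."""
    return len(a & b) / len(a | b) if (a | b) else 0.0

def classify(html, kit_fp, threshold=0.6):
    """Return (score, flagged) for a candidate page against a known kit fingerprint."""
    score = similarity(fingerprint(html), kit_fp)
    return score, score >= threshold

# Constructed samples: a reference kit, the same kit on another host, and an unrelated page.
KIT_SAMPLE = """<html><head><link rel="stylesheet" href="css/bank.css">
<script src="js/login.js"></script></head><body><img src="img/logo.png">
<form action="post.php" method="post"><input name="user"></form></body></html>"""
CANDIDATE = """<html><head><link rel="stylesheet" href="https://hijacked.example/css/bank.css">
<script src="https://hijacked.example/js/login.js"></script></head><body>
<img src="/img/logo.png"><img src="/img/favicon.ico">
<form action="/post.php" method="post"><input name="user"></form></body></html>"""
BENIGN = """<html><head><link rel="stylesheet" href="/static/site.css">
<script src="/static/app.js"></script></head><body><img src="/assets/logo.png">
<form action="/session" method="post"></form></body></html>"""
```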
IBM’s QRadar Network Insights product is implementing technology, built on proprietary packet inspection developed by the Watson security research labs, that discovers when flows are trying to disguise themselves. This information is used in conjunction with QRadar log data to identify malicious intent while the intruder is accessing the network. Network Insights can also identify malicious websites in real time using globally observed domains, enabling IBM to scan and quantify a website before further attacks.
IBM’s Watson research is heavily invested in these new offensive technologies, which enable an early warning system that identifies malicious intent at the genesis of a threat, before larger-scale attacks. These technologies and tactics are not as transparent as other products, because disclosing the specific methodologies would help attackers disguise their intent. IBM is a leading researcher in this area and is actively deploying offensive functionality into security products such as QRadar, QRadar Network Insights and X-Force Exchange.