What is Multi-layered Threat Detection and Mitigation?
How the cyber threat landscape looks depends on your perspective, and that perspective is defined by the type of network you are protecting. Targeted cyber-attacks use a growing catalogue of clever tactics and innovative attack vectors that are reshaping corporate and governmental security strategies while wreaking havoc in consumer markets. Remaining secure in 2019 depends on many factors, but ultimately the defenders who see the most success will be those able to identify and mitigate threats at a more granular level. The constant and ever-increasing number of cyber-attacks facing organisations requires security analysts and forensic specialists to detect, analyse and block threats in near real time.
To protect networks adequately, defenders need tools and techniques that provide multi-layered threat detection and agile, automated mitigation in real time to remediate security incidents, and that speed up the collection and analysis of incident-related information for accurate forensic investigation. This is easy to map out at a corporate level but much harder to implement in practice.
So how should defenders approach real-time threat detection and mitigation? The fundamental starting point should always be network visibility. The ability to see and understand network traffic is crucial to a defender's ability to block an attack, and the most efficient and effective way to get it is to collect flow data such as NetFlow, IPFIX or sFlow from probes, switches, routers and other network infrastructure. Unsampled export (NetFlow or IPFIX with no sampling configured) is preferable for security use, since a sampled feed, and sFlow is packet-sampled by design, can miss the short or low-volume flows that matter in an investigation. This rule applies whether your network runs at 1GbE or 400GbE: network visibility is about creating a stable platform for your security infrastructure, such as intrusion detection systems, analysis tools and SIEMs, to work from.
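To make the flow-visibility point concrete, here is an added example (not code from the original article or from Telesoft) that parses a NetFlow v5 export datagram with the standard library, reads the header's sampling interval so a sampled feed is not mistaken for an unsampled one, and runs a simple fan-in check over the records to flag a destination and port being hit from many sources. The flow records and the `build_v5_datagram` packer are constructed for the example; the `SAMPLE_FLOWS` addresses are documentation ranges and are not real traffic.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

# NetFlow v5 wire layout, network byte order (Cisco v5 export format).
V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48 bytes per flow


def parse_netflow_v5(datagram: bytes):
    """Return (sampling_interval, flows) from one v5 export datagram.

    sampling_interval == 0 means every packet was counted, i.e. the
    unsampled data the text recommends for security use."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("truncated NetFlow header")
    version, count, _up, _secs, _nsecs, _seq, _etype, _eid, sampling = \
        V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("header record count exceeds datagram length")
    interval = sampling & 0x3FFF  # low 14 bits; top 2 bits are the sampling mode
    flows = []
    for i in range(count):
        r = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": str(IPv4Address(r[0])), "dst": str(IPv4Address(r[1])),
            "packets": r[5], "bytes": r[6],
            "sport": r[9], "dport": r[10], "proto": r[13],
        })
    return interval, flows


def fan_in_alerts(flows, min_sources=3):
    """Flag (dst, proto, dport) targets fed by at least min_sources distinct sources,
    a cheap first signal for floods and amplification traffic."""
    sources = defaultdict(set)
    for f in flows:
        sources[(f["dst"], f["proto"], f["dport"])].add(f["src"])
    return sorted(
        (dst, proto, dport, len(srcs))
        for (dst, proto, dport), srcs in sources.items()
        if len(srcs) >= min_sources
    )


def build_v5_datagram(flows, sampling_interval=0):
    """Pack (src, dst, sport, dport, proto, packets, bytes) tuples into a v5
    datagram. Constructed test input; a real collector reads this from UDP."""
    records = b"".join(
        V5_RECORD.pack(IPv4Address(s).packed, IPv4Address(d).packed, b"\0" * 4,
                       1, 2, pk, by, 0, 0, sp, dp, 0, 0, pr, 0, 0, 0, 0, 0, 0)
        for s, d, sp, dp, pr, pk, by in flows)
    header = V5_HEADER.pack(5, len(flows), 0, 0, 0, 0, 0, 0, sampling_interval)
    return header + records


# Constructed sample: four external sources plus one internal host query
# the same resolver on UDP/53, and one unrelated HTTPS flow.
SAMPLE_FLOWS = [
    ("203.0.113.7",  "192.0.2.10",    40000, 53,  17, 900, 57600),
    ("203.0.113.9",  "192.0.2.10",    40001, 53,  17, 880, 56320),
    ("203.0.113.44", "192.0.2.10",    40002, 53,  17, 910, 58240),
    ("203.0.113.80", "192.0.2.10",    40003, 53,  17, 895, 57280),
    ("10.1.1.5",     "192.0.2.10",    51000, 53,  17,   1,    72),
    ("10.1.1.6",     "198.51.100.20", 51001, 443,  6,  12,  9000),
]

if __name__ == "__main__":
    interval, flows = parse_netflow_v5(build_v5_datagram(SAMPLE_FLOWS))
    print("sampling interval:", interval)
    for dst, proto, dport, n in fan_in_alerts(flows):
        print(f"fan-in: {n} sources -> {dst} proto={proto} port={dport}")
```

The sampling check matters in practice: when the exporter reports a non-zero interval, packet and byte counts are estimates and low-volume flows may be absent entirely, which is exactly why the text prefers unsampled export for security work.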
Another important weapon in a defender's toolkit is cyber threat intelligence: this accumulated data gives valuable context and relevance to large volumes of data, enabling agile and improved detection of advanced threats. The UK's National Cyber Security Centre (NCSC) categorises four types of threat intelligence: tactical, technical, operational and strategic. Together these four segments provide a clear view of the threat landscape, from attacker methodologies, tools and tactics (tactical), to indicators of specific malware (technical), to details of a specific incoming attack (operational), to high-level information on changing risks (strategic).
Threat intelligence platforms built on this intelligence have become a critical security tool, using global security intelligence to detect malicious activity inside a network: known and previously unseen threats such as protocol and application misuse, data exfiltration, DDoS attacks, malware and crimeware, botnet activity, and network misuse or contamination. Defenders should look for tools that consolidate threat intelligence from multiple sources, automate the identification and containment of new attacks, provide security analytics, and integrate with other security tools.
A smart cyber security strategy combines network visibility and threat intelligence with the ability to block potential security incidents and risks as they happen; ideally this is automated to reduce resource requirements and to free the investigation workflow for post-attack analysis. The question is how you go from alert to triage to fix. Triage, sorting alerts by relevance, is made difficult by the vast number of alerts a network can generate; add false positives and alerts that are not grouped together, and it becomes hard to get real value from them, with the risk that important incidents are missed.
One way around this is to use tools such as Telesoft's TDAC, which can categorise and group network infrastructure by IP address, service, application, or physical or logical attribute, creating silos or entity sets of network information and alerts. Defenders can use entity sets to prioritise and automate the response to incidents and to gain contextual insight about an alert, accelerating the reaction time of a threat intelligence platform. This enables rapid correlation of indicators of compromise (IOCs) with context such as vulnerability scores, attack density and destination IP.
Smart alert triage using entity sets lets defenders identify a priority alert and keep key infrastructure running in the face of an attack. In most organisations a computer emergency response team (CERT) is responsible for this; automating some of the activity lets it focus resources elsewhere. One way to do this is to deploy next-generation security tools that use BGP Flow Specification (BGP Flowspec, RFC 5575). Border Gateway Protocol (BGP) is the routing protocol internet routers use to talk to each other, and Flowspec is an extension of it that distributes flow specification filters to those routers. When a threat is identified, the entity set or infrastructure inputs a rule to block, rate-limit or redirect traffic related to the threat by its source, destination, protocol, ports and a number of other characteristics. The malicious traffic is systematically and temporarily filtered off the network at every router that accepts the rule, including upstream peers that honour Flowspec, blocking threats before they have time to fully form or scale and affect users.