23rd March, 2021
A defining feature of today’s cyberattacks is the speed at which they unfold: even minutes after one has been initiated, returning to the stable pre-infection state becomes a major challenge. The longer this continues, the harder that challenge becomes, and there eventually comes a point past which the task of containment turns, belatedly, into one of recovery.
The topical example of this is ransomware, which uses a single successful compromise as a bridgehead from which to spread and replicate across as many systems as possible over hours, days, and even weeks as a way of upping the extortion demand. The only way to stop ransomware is to stop it quickly.
Nevertheless, while the clock is still ticking, there is hope. The longer an infection takes to spread, the more opportunity defenders have to notice the traffic patterns and anomalies it generates and react to them in real time before it spreads further. It’s easier said than done of course, which is why a large part of the modern cybersecurity industry competes to solve the detection and security management problem, including in Telesoft’s case through its 400GBPS FlowProbe, 100G Intrusion Detection, and Telesoft Data Analytics Capability (TDAC) analysis system with forensics.
CHALLENGES OF SIEM THREAT DETECTION
This should be straightforward – define what is anomalous and issue an appropriate alert when it is detected. However, as threats have grown more complex and varied, detection has become less and less about spotting the anomalous so much as correlating multiple events, some of which might be anomalous, many of which might not.
Every one of these events will be connected to a specific alert, often hidden amidst a greater number of probable false alarms. This is the world that today’s SOC teams work in, one in which sifting and prioritising genuine signals from false trails in their security information and event management (SIEM) systems becomes a huge challenge. And it’s a challenge that demands comprehensive security tools and even better management. Worse, somehow this must be done in real time, all day, every day.
Threat actors understand this, exploiting the likelihood that even if an alert is generated in a SIEM system, the balance of probability is that it won’t be investigated or understood often enough to keep them out.
ENTITY SETS AND AUTOMATED THREAT MANAGEMENT
A concept Telesoft’s TDAC uses to impose order on alerts in high-throughput networks is to process them through something called entity sets, groupings of network resources which make it possible to monitor them by context. Essential for hyper-scale networks, these are logical asset categories, for example, groups of IP addresses (IPv4 or IPv6), specific services, protocols, applications, or physical assets. In the communications service provider (CSP) context, they can also be entire subnets of customers, grouped by type (for example, healthcare), or a specific customer.
They can also be used to understand specific types of equipment such as IoT or smart city infrastructure, groups of web servers, or groupings of equipment used by critical national infrastructure. While it’s true that all network management groups resources in some way, in TDAC using entity sets offers the potential not simply to break a network down into logical sub-units but to use this to optimise the workflow of threat detection.
Importantly, a member can be part of more than one entity set at the same time, effectively giving defenders a way of analysing the same resource from different perspectives. Entity sets can be manually provisioned by CSPs, or auto-provisioned based on the traffic data captured in the TDAC, for example, protocols (FTP, SSH, HTTPS) that might be connected to suspicious traffic.
Within these groupings, the TDAC captures patterns of traffic, noticing small differences that indicate specific types of threat. But the real power of entity sets is that they allow defenders to automate their incident response before a human operator has set eyes on a problem. How this works depends on the context. The simplest response is to block groups of IP addresses through a firewall to isolate them from the further spread of an infection, or from their command & control. Alternatively, a second process might do the same for a specific domain, or simply aggregate logs so that a human SOC admin can quickly appraise them.
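The overlapping-membership and per-set automated response described above, as an added illustration (not Telesoft’s code): entity sets are modelled as address and protocol predicates, one flow can fall into several sets, and each set carries its own alert threshold and response action. The set names, thresholds, addresses and flow records are all constructed for this example.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass
class EntitySet:
    """A logical grouping of network resources; empty criteria act as wildcards."""
    name: str
    networks: tuple = ()                 # source networks the member may fall in
    protocols: frozenset = frozenset()   # application protocols of interest
    response: str = "aggregate_logs"     # automated action once the set trips
    threshold: int = 2                   # alerting flows needed to trip the set

    def contains(self, flow):
        in_net = (not self.networks or
                  any(ipaddress.ip_address(flow["src"]) in n for n in self.networks))
        in_proto = not self.protocols or flow["proto"] in self.protocols
        return in_net and in_proto


# Constructed sets: a healthcare customer subnet and a protocol-based set (hypothetical names)
ENTITY_SETS = [
    EntitySet("healthcare-customers", networks=(ipaddress.ip_network("10.20.0.0/16"),),
              response="firewall_block", threshold=2),
    EntitySet("remote-access-protocols", protocols=frozenset({"FTP", "SSH"}),
              response="aggregate_logs", threshold=3),
]


def memberships(flow):
    """Every entity set a flow belongs to; a resource can sit in several sets at once."""
    return [s.name for s in ENTITY_SETS if s.contains(flow)]


def plan_responses(flows):
    """Count alerting flows per set and return the action for each set over its threshold."""
    alerts = Counter()
    for flow in flows:
        if flow["alert"]:
            for name in memberships(flow):
                alerts[name] += 1
    return {s.name: s.response for s in ENTITY_SETS if alerts[s.name] >= s.threshold}


# Constructed flow records: source address, protocol, and whether a detector raised an alert
SAMPLE_FLOWS = [
    {"src": "10.20.5.7", "proto": "SSH", "alert": True},
    {"src": "10.20.9.1", "proto": "HTTPS", "alert": True},
    {"src": "192.0.2.44", "proto": "FTP", "alert": True},
    {"src": "10.20.5.8", "proto": "HTTPS", "alert": False},
]

if __name__ == "__main__":
    print(memberships(SAMPLE_FLOWS[0]))  # first flow is in both sets
    print(plan_responses(SAMPLE_FLOWS))  # only the healthcare set reaches its threshold
```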
One issue with an automated threat response is the worry of blocking legitimate traffic, with unpredictable and unwanted side effects. A good example of this is DDoS mitigation that solves the immediate problem by sending traffic from certain destination addresses into a black hole. This stops the DDoS at the expense of stopping everything, creating its own denial-of-service.
A way around this is to exploit the properties of protocols such as Border Gateway Protocol (BGP) Flowspec, through which routers offer greater granularity when managing traffic. The available match criteria include destination and source addresses, IP protocol, source/destination ports, TCP flags, ICMP type, packet length, and differentiated services code point (DSCP) priority, which allows defenders to filter the offending traffic without needing to block everything. This, too, can become part of automated routines.
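The contrast between a destination black hole and a granular Flowspec-style filter, as an added example that is not from the original article: a rule is a set of match criteria over the fields the text lists (address prefixes, protocol, ports, TCP flags, ICMP type, length, DSCP), and `collateral()` counts how much legitimate traffic each rule drops alongside the flood. This is a simplified model of Flowspec matching, not the BGP NLRI encoding; the addresses and packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class FlowspecRule:
    """Flowspec-style match criteria; any field left as None is a wildcard."""
    dst: Optional[str] = None             # destination prefix
    src: Optional[str] = None             # source prefix
    proto: Optional[str] = None           # IP protocol
    dport: Optional[int] = None
    sport: Optional[int] = None
    tcp_flags: Optional[frozenset] = None  # flags that must all be set
    icmp_type: Optional[int] = None
    min_len: Optional[int] = None         # packet length lower bound
    dscp: Optional[int] = None

    def matches(self, pkt):
        return all([
            self.dst is None or ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst),
            self.src is None or ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src),
            self.proto is None or pkt["proto"] == self.proto,
            self.dport is None or pkt.get("dport") == self.dport,
            self.sport is None or pkt.get("sport") == self.sport,
            self.tcp_flags is None or self.tcp_flags <= pkt.get("tcp_flags", frozenset()),
            self.icmp_type is None or pkt.get("icmp_type") == self.icmp_type,
            self.min_len is None or pkt["length"] >= self.min_len,
            self.dscp is None or pkt.get("dscp") == self.dscp,
        ])


def collateral(rule, packets):
    """Return (flood packets dropped, legitimate packets dropped) for a rule."""
    dropped = [p for p in packets if rule.matches(p)]
    return (sum(p["flood"] for p in dropped), sum(not p["flood"] for p in dropped))


# Constructed traffic to one victim: large UDP packets from many sources on one port, plus normal HTTPS
VICTIM = "198.51.100.10"
PACKETS = [{"dst": VICTIM, "src": f"203.0.113.{i}", "proto": "udp", "sport": 123,
            "dport": 40000 + i, "length": 1400, "flood": True} for i in range(5)]
PACKETS += [{"dst": VICTIM, "src": "192.0.2.30", "proto": "tcp", "sport": 51000, "dport": 443,
             "tcp_flags": frozenset({"ACK"}), "length": 120, "flood": False},
            {"dst": VICTIM, "src": "192.0.2.31", "proto": "tcp", "sport": 51001, "dport": 443,
             "tcp_flags": frozenset({"ACK", "PSH"}), "length": 900, "flood": False}]

BLACKHOLE = FlowspecRule(dst=VICTIM + "/32")  # drops everything to the destination
GRANULAR = FlowspecRule(dst=VICTIM + "/32", proto="udp", sport=123, min_len=1000)  # drops only the flood

if __name__ == "__main__":
    print("blackhole", collateral(BLACKHOLE, PACKETS))  # legitimate HTTPS is lost too
    print("granular", collateral(GRANULAR, PACKETS))    # flood stopped, HTTPS untouched
```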
SOAR AUTOMATION IN AUTOMATED INCIDENT RESPONSE
The use of automation in cybersecurity is logical, with the growing use of Security Orchestration, Automation and Response (SOAR) seen as the next staging post after SIEM threat detection towards ever greater levels of automated incident response. In principle, this removes human error and allows certain security responses to be turned into a menu of routines that intercept malicious actions before humans have time to react.
At some point, the underlying machine learning elements of SOAR threat analysis could encourage even more automation, in a cycle that pushes the job of human operators to a higher and higher level. Likewise, it has been hypothesised that attackers will start doing the same, probing networks with ever more complex and unpredictable attack patterns designed to mislead this layer of defensive AI.
MACHINE LEARNING AND CYBER SECURITY
The demands of this perhaps predict that, just as the era of network security gave way to the current one of cybersecurity, so it might eventually give way to one of semi-autonomous cybersecurity. This would be a world in which machines make more decisions because, without that speed of reaction, cybersecurity starts to fail.
We are some way from this yet, but it’s at least possible to imagine future networks, supported by far more machine decision-making, presenting analysts with more relevant activity to focus on.