Iconic filmmaker John Carpenter once said this about horror flicks: “There are two different stories in horror: internal and external. In external horror films, the evil comes from the outside, the other tribe, this thing in the darkness that we don’t understand. Internal is the human heart.”
Similarly, there are two main cybersecurity horror stories – external attacks and insider threats. Like clichéd horror movies where teenagers are stalked by maniacal killers, or families are haunted by unwelcome ghosts and spectres, most organisations are under continuous attack from fearsome cyber threats in one form or another.
Companies need to beware of both external cyberattacks and insider threats. Like a classic horror film, both threats come with their own elements of mystery, suspense and fear. Fortunately, it is possible to defend against each type of attack vector using a similar cybersecurity strategy. More on that later. First, let’s set the scene of the current security landscape.
Ghosts Float Through the Walls
In the past, IT focused on hardening the network perimeter against outsiders. The idea was that if you stop the villains from getting in, then nothing bad happens. It was the classic fortress-based approach to keeping the zombie hordes at bay. But there was a fatal flaw. Many organisations fixated on perimeter security gave implicit trust to anyone already on the inside. Needless to say, this approach triggered a number of horrific data breaches and paved the way for the zero trust movement.
Of course, companies should continue protecting the perimeter and defending against known threats, as they’ve always done. Known cyber threats represent an omen of doom looming over every organisation. But today’s enterprises must go further and watch for those unpredictable threats that spook you when you least expect it.
Like subgenres of the horror film industry, there are classifications for different types of cyber threats. Let’s look at four of the most frightening cybersecurity horror stories, some originating from the outside and others coming from within.
To conjure up their nefarious schemes, cyber criminals need access. Methods for gaining access vary, but one of the most common tactics is account compromise – hijacking an account that already has the right access.
Like the horror flick “Paranormal Activity” where an evil entity possesses the main character, a compromised account is taken over by an attacker for their own wicked purposes. This means the intruder can get into any of the systems and applications which that compromised account has access to, and no one will know anything is amiss.
How does account compromise happen? Usually it involves password guessing, malware, malvertisements or keystroke logging. It can also happen through Pass-the-Hash attacks and brute force password hacks. But targeted spear phishing is still probably the most prevalent technique for compromising accounts.
Account compromise attacks are difficult to uncover because, from a detection standpoint, they resemble an insider threat. Conventional whitelist/blacklist-style security solutions are ineffective at stopping account compromise, because to these solutions the account appears legitimate. So, what’s the holy water that can be sprinkled on the account compromise nemesis? Behaviour-based security analytics.
With behaviour analytics, it’s possible to spot these “possessed” accounts based on anomalous behaviour patterns. Such abnormal activity can include unusual access to high-risk or sensitive assets, a lot of access requests in a short amount of time, activity originating from dormant accounts, and more. Anomalies identified as inconsistent with a user or peer’s normal activities trigger an alert allowing SOC teams to intervene.
The Shadow Lurker
Privileged access abuse is an attack vector that overlaps with account compromise. First the antagonist breaches perimeter security through one of many ways. Once inside, they seek SSH keys, passwords, certificates, Kerberos tickets, and similar assets. Their goal is to steal the credentials that let them elevate their access, gain unrestricted movement on the network, and anonymously steal data at will. Because cyber geists use automated hacking tools, this entire process can occur surprisingly quickly.
But, like the patient predator stalking his victims in a teenage slasher film, the attackers usually bide their time. They’ll quietly monitor activity and then use the information they gather to expand their control of the network. According to Ponemon, hackers lurk like ghostly apparitions on the network for an average of 206 days before being discovered. That’s a lot of time for any malicious entity to prowl around.
Many skilled cybercriminals have an arsenal of automated tools they can continuously hurl at unsuspecting targets. Such witchcraft puts immense pressure on cybersecurity teams to fight sophisticated cyberattacks that they’ve never seen before, often using a Frankenstein-like amalgamation of various security products.
And it’s not just outsiders who should be feared. There’s also an element of insider threat. IT personnel typically have anonymous access on the network through shared privileged accounts, with passwords that rarely if ever change. This gives unsavoury individuals the opportunity to snoop out and take confidential data without anyone being aware. So what can you do to cull these phantasms in your midst?
Identity analytics technology can discover who has privileged access with entitlements that may have escalated after provisioning, or exist within applications and unstructured data. This enables IT security leaders to manage, monitor and control privileged access with optimal effectiveness.
And with user and entity behaviour analytics (UEBA) it’s possible to automatically analyse data to reveal suspicious activities – access to inappropriate files, systems and applications being reached from new locations or new devices, and even stranger things that could indicate risky behaviour.
The Threat Came from Within
Like the horror scene where the threatening phone call is traced back to the house in which the victim resides, sometimes the threat comes from within. While an organisation usually faces more external cyberattacks, they should be just as concerned with insider threats. An angry employee who already has access to company files could turn psycho and secretly leak documents to competitors, or sabotage systems because he is peeved at his employer.
There is no shortage of tales of insider threat horror. Consider Terry Childs – the City of San Francisco employee who held the city hostage for two weeks while sitting in a jail cell. Or the world’s most infamous NSA contractor – Edward Snowden. And then there’s Anthony Levandowski, an engineer at an Alphabet subsidiary who is accused of downloading company files about self-driving car technology and taking them with him to a competitor (Uber). It shows that, like Jack Nicholson’s demented character in the isolated Overlook Hotel, sometimes even reliable, trusted people can turn.
Malicious insiders are ominous because it’s challenging to detect them before they inflict horror. They’re not as obvious as a creepy clown or a freak in a hockey mask. An insider threat could be anyone – an employee, a third-party contractor. Unlike the previously described attack vectors, insiders don’t have to bother with breaking in and secretly searching out valuable data. They’re already on the inside and know where that priceless data exists.
Without an insider threat detection solution, it can seem impossible to decipher whether an employee is performing his regular work activities or is involved in something more sinister. Complicating the matter, it’s not just the creepy characters who are a concern. There’s also the accidental insider to fear. A normally effective, loyal employee could still succumb to a carefully crafted phishing email or social engineering campaign. In a sense, every employee is a possible insider threat suspect.
So, is there a silver bullet that can neutralise the threat? Not with conventional cybersecurity tools. However, security analytics technology can combine different data sources across an organisation and link behaviours from multiple feeds to a single identity. Then, machine learning can identify risky behaviour and deliver insights with as much context as possible. This tactic – providing a correlated, risk-prioritised view for security teams to respond to – is one of the keys to handling the insider threat.
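A toy version of the approach described here and in the account compromise section above, added as an illustration (this is example code, not Gurucul’s product): it links the account names seen in two feeds to a single identity, scores the three anomaly indicators the post names (unusual access to sensitive assets, a burst of requests in a short window, activity from a dormant account) and returns a risk-prioritised list. Every account name, asset path, threshold and event below is constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed data: feed-specific account names that resolve to one identity.
IDENTITY_MAP = {"jdoe": "jane.doe", "DOMAIN\\jdoe": "jane.doe",
                "svc_legacy": "svc_legacy", "DOMAIN\\svc_legacy": "svc_legacy"}
SENSITIVE_ASSETS = {"\\\\fs01\\finance", "\\\\fs01\\hr"}
# Constructed baseline: assets each identity normally touches and when it was last active.
BASELINE = {"jane.doe": {"assets": {"\\\\fs01\\marketing"}, "last_seen": datetime(2023, 10, 30)},
            "svc_legacy": {"assets": {"\\\\fs01\\backup"}, "last_seen": datetime(2023, 6, 1)}}
# Constructed events from two feeds: (timestamp, feed, account, resource).
EVENTS = [(datetime(2023, 10, 31, 2, 0, s), "fileserver", "DOMAIN\\jdoe", "\\\\fs01\\finance")
          for s in range(0, 50, 2)]                      # 25 reads in 50 seconds
EVENTS += [(datetime(2023, 10, 31, 2, 5), "vpn", "jdoe", "vpn-gw01"),
           (datetime(2023, 10, 31, 3, 0), "fileserver", "DOMAIN\\svc_legacy", "\\\\fs01\\backup")]
def link_identity(account):
    """Collapse the account names seen in different feeds onto a single identity."""
    return IDENTITY_MAP.get(account, account)
def score_identities(events, baseline, burst_window=60, burst_threshold=20, dormant_days=90):
    """Return {identity: (risk_score, reasons)} from the three indicators in the post."""
    by_identity = defaultdict(list)
    for ts, feed, account, resource in events:
        by_identity[link_identity(account)].append((ts, feed, resource))
    results = {}
    for ident, evs in by_identity.items():
        evs.sort()
        score, reasons = 0, []
        profile = baseline.get(ident, {"assets": set(), "last_seen": None})
        # 1. Sensitive asset the identity has no history of touching.
        unusual = {r for _, _, r in evs if r in SENSITIVE_ASSETS and r not in profile["assets"]}
        if unusual:
            score += 40
            reasons.append(f"sensitive assets outside baseline: {sorted(unusual)}")
        # 2. Burst: more than burst_threshold requests inside any burst_window seconds.
        times = [ts for ts, _, _ in evs]
        for i, start in enumerate(times):
            n = sum(1 for t in times[i:] if t - start <= timedelta(seconds=burst_window))
            if n > burst_threshold:
                score += 30
                reasons.append(f"{n} requests within {burst_window}s")
                break
        # 3. Activity from an account that has been dormant longer than dormant_days.
        if profile["last_seen"] and evs[0][0] - profile["last_seen"] > timedelta(days=dormant_days):
            score += 30
            reasons.append("activity from dormant account")
        results[ident] = (score, reasons)
    return results
def prioritised(events, baseline):
    """Risk-prioritised queue for the SOC: (score, identity, reasons), highest first."""
    return sorted(((s, i, r) for i, (s, r) in score_identities(events, baseline).items()), reverse=True)
```

In the constructed data, jane.doe scores 70 (sensitive asset outside her baseline plus a burst of 25 reads) and svc_legacy scores 30 (dormant for over 90 days), so the analyst sees jane.doe first.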
There are a number of reasons why someone might launch a cyberattack. Perhaps it’s to conduct espionage. Maybe it’s to inflict damage. But the most common reason is simple theft – stealing valuable information that can profit the attacker. Today, data is the gold inside the vault at most organisations. It’s the final destination of the cybersecurity kill chain.
So, whatever the tactic used – account compromise, privileged access abuse or the others – it usually boils down to protecting the data that criminals seek. DLP and SIEM tools were once the preferred solutions for blocking access to data. But SIEM and DLP solutions became ineffective because their rules-based nature means they block only known threats. Additionally, they generate so many alerts that a human analyst would need a sixth sense to decipher the real threats.
Preventing data exfiltration starts with security teams knowing who is in their environment, what they have access to and what they are doing. Many organisations operate in an eerie, gray area of unknown risk. Addressing this scary problem requires an accurate and timely measurement of the risks that lurk like monsters in those darkened areas.
We need a solution that intervenes before data is exfiltrated. But how can that be done? In the aforementioned cyberattack thrillers, there was one common factor – aberrant behaviour. Behaviour is a leading threat indicator, as we like to say.
Some horror movie buffs say you can predict which characters will live and which will die, based on some particular patterns of behaviour. Similarly, if you can spot behaviour that’s outside the range of normal activities on a network, it is possible to detect and predict activities associated with sabotage, misuse and data theft. It takes a combination of the right data sources, machine learning and data science to pinpoint the aberrant activities indicative of malicious actions.
Gurucul’s behaviour-based security analytics can bring SIEM, DLP, PAM, IAM and network monitoring solutions into a unified analytics platform. The platform combines context-aware alerts and automated security against those things that go bump in the night in today’s enterprises.
Ready to exorcise your security demons? Request a demo to see how we can resolve your cybersecurity horror stories.