Not every hacker is created equal. You have the professional criminal, the whiz kid hacker, and the teenager who found a hacking tool online and attacked your company “for lulz”. Each type has their own tools, techniques, and levels of experience. In order to be secure, your company needs to be able to identify and block them all.
One of the big differences between different attackers is the noisiness of their attacks. Some attackers take a brute force approach to testing for vulnerabilities, trying every possible attack until something works (think shotgun). Others take a more targeted approach, doing their research before trying anything in the hope of slipping in unnoticed (think sniper).
Unlike hackers, who only need to find and exploit one vulnerability in a network’s defenses, network defenders need to find and protect them all. To accomplish this, you need to understand the challenges of detecting each type of attack and the tools you should be using, like a web application firewall(WAF).
“Spray and pray” attacks
Some attackers take the quantity over quality approach to finding vulnerabilities and attack vectors. Instead of crafting a spear phishing email designed to get a single large payoff, they send a less targeted one to as many people as possible, counting on getting many small payoffs from the portion of the recipients that fall for it. Brute force password attacks, where hackers try a large number of passwords for an account, has proven to be effective as well, even compromising accounts of members of the British Parliament in 2017.
The same approach is common in web application vulnerability scanning as well. Some hackers will make thousands of attempts to hack a web app, hoping that just one will get by. Most attempts will fail and they’re extremely noisy, but the sheer number of known vulnerabilities is common software and poor organizational patching processes means that one will probably get in, and that is all the hacker needs.
With this type of attack, detection is not the issue. Brute force attacks light up a network defender’s dashboard. The main challenge isn’t picking out the malicious traffic from the benign but identifying successful versus unsuccessful attacks. While protecting against a DDoS attack, defenders are much more likely to miss something subtler.
While large, imprecise attacks are a very visible threat to an organization’s cyber security, they are rarely as dangerous as subtler, more targeted attacks. By investing the necessary time in reconnaissance and low-visibility information activities, an attacker can learn the probable vulnerabilities within the target network before taking action, greatly decreasing their visibility and probability of detection.
This is the attack methodology of most Advanced Persistent Threats (APTs). These skilled hackers and hacking groups gain access to a target network and often maintain it for significant periods of time before taking action. This type of patient attack allows them to identify valuable data and methods for exfiltrating it in a way that is less visible to the network defender. As a result, the average time that an attacker was present on an enterprise’s network without being detected was 101 days in 2017. With this sort of access to the network, the attacker has the ability to plant a variety of persistence mechanisms, making them very difficult to remove.
With this type of attack, detection is the real challenge. An attacker with knowledge of how the network normally operates and with no time pressure can develop attacks that can blend with the normal traffic on the network.
This attack traffic has few indicators that can be used to differentiate it from normal traffic and it takes significant time on behalf of the network defender to analyze the traffic and identify that it is malicious. With the sheer volume of traffic experienced by the standard enterprise network, this kind of in-depth analysis is infeasible, and many attacks slip by under the radar until something detectable (like a breach) occurs.
Achieving comprehensive network protection
In order to fully protect a network, it is necessary to identify and defend against both brute force and targeted attacks. Doing so at scale is difficult or impossible for a human defender due to the sheer amount of data to search through. While automated tools are coming to the rescue, different tools can be better for different use cases.
For brute force attacks, traditional tools like firewalls, intrusion prevention systems, and anti-Distributed Denial of Service (DDoS) systems are an effective first line of defense. By blocking most attacks at the perimeter, they reduce the load on the analyst and enable more careful analysis of the traffic that is let through.
Identification of more subtle attacks requires more sophisticated detection software. These attackers take the time to research their targets and craft their traffic to blend into the background, so only subtle clues exist to identify malicious traffic. Some next-generation network defense tools have begun providing advanced functionality to help with identifying these threats. For example, tools with correlated attack validation perform an in-depth of incoming and outgoing traffic, looking for anomalies. Rather than alerting on any anomaly (and creating false positives), they aggregate these detections, ensuring that the most prominent alerts on an analyst’s dashboard are those most likely to be malicious.
Finding the hacker
There are all sorts of hackers out there and what works for detecting one will completely miss another. Many tools are adept at detecting one type of attacker or the other; however, it is a careful balance between missed and false detections. To minimize the risk of compromise, it’s important to choose and configure the right tools to protect your network perimeter. When choosing a network defense tools, make sure that they’re capable of detecting both the obvious and the subtle attacks.