Mainstream media have repeatedly described the threat landscape as constantly evolving, that attacks are becoming more sophisticated and the people behind these are more equipped. This assertion, though certainly true, elicits questions on how sophisticated these targeted attacks are, how a digital insider stays hidden, and how to mitigate these threats.
By now, we are all aware that traditional defences are no longer effective in addressing these threats. In fact, based on a Trend Micro research, over 90 per cent of enterprise networks contain malware with one new threat created every second. Enterprises are also besieged by other challenges such as:
- Increasing cloud-based IT environments hounded by the increase use of employee-owned mobile devices in the workplace.
- Availability of cybercrime tools on the Internet, in turn making the accessible to any potential attacker.
- Cyber attacks initiated by organized crime gangs are also becoming more sophisticated and precise than ever before.
The big problem, however, is not just that a digital intruder will attempt to control the network, but that it will propagate, exfiltrate data and maintain its activities hidden. Its ability to evade detection, ultimately, is what makes these targeted attacks more problematic.
Digital Insiders: One Step Ahead of IT Admins
Digital insiders are aware on how IT administrators would respond to a possible data breach. Typically, they scout for possible exploitable vulnerabilities and signs of communication with an unknown IP address. To circumvent their efforts, attackers may patch vulnerabilities. This serves another purpose: patching vulnerabilities prevents other hackers to piggy back on their efforts.
Digital insiders also moves their communication and control inside the ecosystem and impose a ‘sleep cycle’ to avoid easily detectable communication. They may attempt to reach out to an outside IP address once in a while such as with the recent Ixeshe campaign. In the case of the recent Flashback Mac malware, the bad guys may use specialized technique that prevents security researchers from doing malware analysis.
Thwarting Digital Insiders
This is a new breed of sophisticated threats that require an advanced persistent response from organizations. To gain an upper hand, firms must be able to spot the unwanted intruder and constantly foil their efforts through:
- Correlating and associating cybercrime activities in the wild with what is happening on an enterprise’ network using big data analytics. This enables organizations to spot possible correlations between the two and giving them the needed information to create a concrete action plan.
- Multi-level rule-based event correlation such as featured in Trend Micro’s Deep Discovery. Given that these guys are experts in keeping their activities hidden, this is a useful tool to identify any dubious activity inside an organization’s network and point out possible threat actors and monitor their activities.
In other words, this may require organization to increase their awareness of the activities on their networks and the ability to correlate events to thwart the digital insider’s malicious activities.
Read the full report How to Thwart the Digital Insider – an Advanced Persistent Response to Targeted Attacks.