Eddie Schwartz, Executive VP of Cyber Services, DarkMatter, outlines why we need to turn the tables on cyber thieves.
The “common cold” runs amok through our offices, schools and gyms. Even though we can send human beings to live in outer space for months at a time, and have shrunk incredibly powerful computers to fit in our pockets, we’ve still not conquered the all too common cold.
That’s because not only are there hundreds of different cold viruses attacking our bodies, but they also are constantly mutating into different ones, so our immune system doesn’t have the antibodies to recognise and defend against whatever new viral strain is making its rounds this winter. Does that sound familiar?
Unfortunately, the “virus” metaphor for cyber security threats keeps proving to be exactly the right comparison, particularly as evolving and increasingly sophisticated threats take their cue from nature to bypass today’s most advanced cyber security technologies.
We don’t want to wait for our networks and systems to fall sick before we find a solution. There is too much at stake to lag behind the threats we face. After all, today’s threats long ago blew past any notion that we can be safe by building walls or moats around our assets and infrastructure.
We must be one step ahead. We must deploy robust, agile and evolving immune systems to keep our networks and other assets safe. We should employ cyber security products and services such as advanced managed security services that include threat information feeds, both off-the-shelf and bespoke network and endpoint security solutions, and other specialised cyber security services that can recognise potential threats before and while they are happening.
But we must also do more. Our immune system is constantly and proactively scanning the body for anything foreign that doesn’t belong and so could pose a threat. Then it takes immediate action to eliminate that threat. That, fundamentally, is what “threat hunting” does in cyber security.
The immune system understands what’s foreign to the body and what’s not. It also keeps a registry of every harmful virus and bacterium it has previously encountered and looks out for these.
This “registry” consists of antibodies previously developed in response to a specific viral or bacterial threat. If that virus enters the body again, the immune system recognises it as foreign and harmful and immediately attacks it before it can replicate and make us ill.
Where this breaks down is when the body is invaded by a new (cold) virus it has never seen before. The immune system doesn’t immediately “recognise” the virus, and this gives it a chance to grow – think “dwell time” in cyber security parlance – and, at least temporarily, it overwhelms our immune response. The result: we become sick.
In cyber security, we create databases of known malicious software. We study their “signatures” and use these to programme antivirus, endpoint security and other software to monitor for, isolate and remove this malevolent software.
As already noted, however, today’s advanced threats can be polymorphic, so signature-based detection engines won’t work on their own. They use code obfuscation techniques and encryption at the execution layer and the network transport layer to slip past detection. The most sophisticated malware is able to identify and disable security software.
But to address the increasing polymorphism of malware, signature-based anti-malware solutions should be combined with behaviour-defined identification. This adds information by inspecting network flows and packet captures for operations that shouldn’t be happening.
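To make the distinction between the two approaches concrete, here is an added illustration, not code from the article or from DarkMatter. It runs a signature check and a simple behaviour check (beaconing, i.e. repeated connections to the same destination at near-regular intervals) over a handful of constructed flow records. All hosts, hashes, payloads and timings are made up; the point is that the polymorphic host changes its bytes every run and so never matches the signature database, while its regular call-home pattern is still visible in the flow data.

```python
"""
Added example (not from the original article): a toy comparison of
signature-based detection with behaviour-based detection over constructed
network-flow records. All hosts, hashes and flows below are made up.
"""
import hashlib
import statistics
from collections import defaultdict

# Constructed "known-bad" signature database: hashes of payloads seen before.
KNOWN_BAD_HASHES = {
    hashlib.sha256(b"ORIGINAL-IMPLANT-PAYLOAD-v1").hexdigest(),
}

# Constructed flow records: (timestamp_seconds, src, dst, dst_port, bytes_out, payload).
# 10.0.0.7 re-runs a previously catalogued payload (signature hit).
# 10.0.0.5 runs a polymorphic variant: same behaviour, different bytes every run.
# 10.0.0.12 is ordinary browsing: irregular timing, several destinations.
FLOWS = [
    (0,   "10.0.0.7",  "203.0.113.9",  443,  900,  b"ORIGINAL-IMPLANT-PAYLOAD-v1"),
    (60,  "10.0.0.5",  "198.51.100.4", 8443, 512,  b"VARIANT-xk2"),
    (120, "10.0.0.5",  "198.51.100.4", 8443, 514,  b"VARIANT-q91"),
    (180, "10.0.0.5",  "198.51.100.4", 8443, 511,  b"VARIANT-mm0"),
    (241, "10.0.0.5",  "198.51.100.4", 8443, 513,  b"VARIANT-zz7"),
    (300, "10.0.0.5",  "198.51.100.4", 8443, 512,  b"VARIANT-a1b"),
    (5,   "10.0.0.12", "192.0.2.10",   443,  3000, b"GET /index"),
    (97,  "10.0.0.12", "192.0.2.11",   443,  1200, b"GET /news"),
    (333, "10.0.0.12", "192.0.2.10",   443,  4100, b"GET /img"),
]


def signature_detect(flows, bad_hashes=KNOWN_BAD_HASHES):
    """Flag any source whose payload hash appears in the signature database."""
    return {src for _, src, _, _, _, payload in flows
            if hashlib.sha256(payload).hexdigest() in bad_hashes}


def beacon_detect(flows, min_events=4, max_jitter_ratio=0.1):
    """Flag sources that contact the same destination:port at near-regular
    intervals: at least min_events connections whose inter-arrival spread
    (population std dev) is within max_jitter_ratio of the mean interval."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, _, _ in flows:
        by_pair[(src, dst, port)].append(ts)

    flagged = set()
    for (src, _dst, _port), times in by_pair.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap > 0 and statistics.pstdev(gaps) <= max_jitter_ratio * mean_gap:
            flagged.add(src)
    return flagged


def detect(flows):
    """Run both detectors side by side, as the text recommends combining them."""
    return {
        "signature": signature_detect(flows),
        "behaviour": beacon_detect(flows),
    }


if __name__ == "__main__":
    for method, hosts in detect(FLOWS).items():
        print(f"{method}: {sorted(hosts)}")
```

On this data the signature check catches only 10.0.0.7, whose bytes match the catalogue, and the beaconing check catches only 10.0.0.5, whose five connections arrive about sixty seconds apart with almost no jitter. Neither detector alone sees both hosts, which is the case for layering them. A real deployment would work from flow exports or packet captures rather than an inline list, and would tune the thresholds to the environment's normal traffic.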
However, there is one problem: the body’s much-valued immunity generally only comes after you’ve been attacked by a virus and been made ill.
That model won’t work for cyber security. We have to constantly assess and create our immunities before a new threat arises.