Author: Robert Knake
You Already Have the Data You Need to Find Advanced Persistent Threats in Your Network.
When I worked in government, I helped set up the Cyber Response Group (CRG), a mechanism for the federal government to pool intelligence and information on cybersecurity incidents and coordinate the federal response. As part of that effort, I saw how the government was able to use intelligence and law-enforcement capabilities to determine who was behind any given cyber incident. In each case, they were able to conclusively determine which of the many Advanced Persistent Threat (APT) actors were involved.
Case in point: the 2014 indictments of five People's Liberation Army officers for cyber espionage. In that incident, U.S. cybersecurity professionals were able to track down the actual individuals behind a sophisticated, state-sponsored attack, leading to the “first-ever charges filed against known state actors for hacking.” When you are able to unmask the attacker down to name, rank, and serial number, and put their face on a wanted poster, any argument that “attribution is impossible” in cyberspace goes out the window.
Advances in cybersecurity incident response capabilities and digital forensics make this level of attribution possible. Working backwards from a breach, incident responders can reconstruct the entire course of events, moving back along the cyber kill chain to the initial compromise. If the government can do it, so can corporations. So why do so many SOC teams fail to identify attacks sooner, or to put in place protective measures that stop bad outcomes?
In many organizations, it is only after a string of missed opportunities that a simple truth is recognized: if you have the data you need to enable forensics post-incident, you also have the data you need to detect an adversary before they achieve their objective. In short, you should assume your network is compromised, and you should always be hunting inside it for signs of an intruder.
This reality has led to an ongoing convergence between incident response and threat hunting. Threat hunting is, after all, just digital forensics before you experience an incident. To that end, organizations like SANS have begun to converge their training on these subjects and view threat hunting simply as the most advanced form of incident response.
Those gifted in the dark arts of threat hunting command huge salaries and almost godlike status within the cybersecurity community. They are tough to find, expensive to hire, and difficult to keep. Therefore, anything that can improve efficiency, or provide greater access to threat-hunting capabilities, will be of enormous value to every industry. This is where Versive™ comes into the picture.
After I left government, what excited me most about going to work for Versive was the ability to bring threat hunting to companies that would never be able to stand up their own 24/7 SOC operations, much less employ a dedicated team of threat hunters.
Using sophisticated artificial intelligence, Versive automates the process of threat hunting inside networks. While most compromise assessments look for known Indicators of Compromise (IOCs), or use manual techniques to identify novel threats, the Versive Security Engine uses machine learning on standard data sources from across the business to recognize connected systems, learn “normal” behavior for your unique environment, and identify suspicious behavior. By connecting suspicious behaviors across the network and over time, the engine visualizes the progress of a threat in context, with an extremely high degree of confidence.
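The approach described above, learning what is "normal" for each system from the data you already collect, flagging deviations, and then linking those deviations across time into a single picture of an intrusion, can be illustrated with a small hunt over ordinary connection logs. The following is an added example written for this post; it is not Versive's code and makes no claim about how the Versive Security Engine works internally. The log format (timestamp, host, user, destination, bytes out), the host names, the stage names and the thresholds are all constructed for illustration.

```python
"""Baseline-and-correlate hunt over existing connection logs.

Added example (not Versive's code). Learns per-host "normal" from a
training window, scores later events against it, then links the flagged
events for each host in time order so a progression (unusual login ->
novel internal connection -> large outbound transfer) is reported as
one chain rather than three unrelated alerts.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample log (not real traffic): ts,host,user,dst,bytes_out.
# Everything before HUNT_START is the training window; 2019-03-06 is hunted.
SAMPLE_LOG = """\
2019-03-01T09:02:00,ws-017,alice,10.0.0.5,1400
2019-03-01T09:10:00,ws-017,alice,mail.example.net,2100
2019-03-02T09:05:00,ws-017,alice,10.0.0.5,1350
2019-03-02T14:00:00,ws-017,alice,mail.example.net,1900
2019-03-03T09:01:00,ws-017,alice,10.0.0.5,1500
2019-03-04T09:03:00,ws-017,alice,mail.example.net,2200
2019-03-05T09:00:00,ws-017,alice,10.0.0.5,1450
2019-03-01T09:00:00,ws-042,bob,10.0.0.5,1300
2019-03-02T09:00:00,ws-042,bob,mail.example.net,2000
2019-03-03T09:00:00,ws-042,bob,10.0.0.5,1250
2019-03-04T09:00:00,ws-042,bob,mail.example.net,2050
2019-03-05T09:00:00,ws-042,bob,10.0.0.5,1400
2019-03-06T02:15:00,ws-017,svc-backup,10.0.0.5,1300
2019-03-06T02:40:00,ws-017,svc-backup,10.0.0.77,900
2019-03-06T03:05:00,ws-017,svc-backup,203.0.113.9,48000000
2019-03-06T09:00:00,ws-042,bob,mail.example.net,2100
"""
HUNT_START = datetime(2019, 3, 6)
# Hypothetical stage names, ordered the way an intrusion typically progresses.
STAGES = ("unusual_login", "novel_internal_connection", "large_outbound_transfer")


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    dst: str
    bytes_out: int


@dataclass
class Baseline:
    users: set = field(default_factory=set)
    dsts: set = field(default_factory=set)
    volumes: list = field(default_factory=list)

    def volume_ceiling(self):
        """Mean + 3 standard deviations of bytes_out (3x the single sample if only one)."""
        if len(self.volumes) < 2:
            return 3 * self.volumes[0]
        return mean(self.volumes) + 3 * pstdev(self.volumes)


def parse_log(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, dst, nbytes = line.split(",")
        events.append(Event(datetime.fromisoformat(ts), host, user, dst, int(nbytes)))
    return sorted(events, key=lambda e: e.ts)


def learn_baseline(events, cutoff):
    """Per-host set of seen users/destinations and outbound volumes before cutoff."""
    baselines = defaultdict(Baseline)
    for e in events:
        if e.ts < cutoff:
            b = baselines[e.host]
            b.users.add(e.user)
            b.dsts.add(e.dst)
            b.volumes.append(e.bytes_out)
    return baselines


def is_internal(dst):
    return dst.startswith("10.")  # constructed convention for this sample


def score_events(events, baselines, cutoff):
    """Return (event, stage) pairs for events at/after cutoff that deviate from baseline."""
    findings = []
    for e in events:
        if e.ts < cutoff or e.host not in baselines:
            continue
        b = baselines[e.host]
        if e.user not in b.users:
            findings.append((e, "unusual_login"))
        if is_internal(e.dst) and e.dst not in b.dsts:
            findings.append((e, "novel_internal_connection"))
        if not is_internal(e.dst) and e.bytes_out > b.volume_ceiling():
            findings.append((e, "large_outbound_transfer"))
    return findings


def correlate(findings, window=timedelta(hours=24)):
    """Link a host's findings into a chain when 2+ stages occur in order within window."""
    first_seen = defaultdict(dict)  # host -> stage -> first timestamp
    for e, stage in findings:
        first_seen[e.host].setdefault(stage, e.ts)
    chains = {}
    for host, stages in first_seen.items():
        present = [s for s in STAGES if s in stages]
        times = [stages[s] for s in present]
        if len(times) >= 2 and times == sorted(times) and times[-1] - times[0] <= window:
            chains[host] = present
    return chains


def hunt(log_text, cutoff=HUNT_START):
    events = parse_log(log_text)
    return correlate(score_events(events, learn_baseline(events, cutoff), cutoff))


if __name__ == "__main__":
    for host, stages in hunt(SAMPLE_LOG).items():
        print(host, "->", " -> ".join(stages))
```

Run stand-alone, it reports a single chain for ws-017 (a never-seen account logging in at 02:15, then reaching an internal host the workstation has never talked to, then pushing far more data to an external address than its baseline allows), while ws-042's ordinary morning traffic produces nothing. None of the three indicators is a known IOC; each is only suspicious relative to that host's own history, and it is the ordering in time that turns them into something an analyst would act on. The same log records would be exactly what a forensics team pulled after the fact.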
Versive does not replace the need for threat hunters. Rather, it enables threat hunting teams to be much more effective, and makes the skill set needed to establish a threat hunting operation more accessible, so that lower-level SOC analysts can take on and be highly successful in the role.
If you are reading this, advanced adversaries are probably targeting your network or are already inside it. Once they succeed in exfiltrating data or locking up your systems with ransomware, your forensics team is going to figure out how they did it. You already have the data they will need; it is sitting there, waiting for them. Why not use it now to hunt in your network and find them, and avoid the inevitable Monday morning quarterbacking when you realize you had every opportunity to avoid becoming the latest victim of a data breach?