2020-02-13

Is Your Business Immune to the Next Gen Cyberattacks?

By Susan Hu


Introduction

Earlier this month, four members of the Chinese military were charged with hacking into the computer networks of the Equifax credit reporting agency and stealing the sensitive personal information of 145 million Americans. According to an earlier report, Equifax was to pay at least $700M in a data breach settlement.

How did an attack of such a large scale go undetected for so long?

According to a 2019 report by Forrester Consulting, 80% of companies experienced a cybersecurity incident in the past year. Even more interesting, 69% of organizations don't believe the threats they're seeing can be blocked by their anti-virus software (Ponemon Institute's Cost of Data Breach Study).

As technology advances, cybersecurity is becoming a big concern for individuals and businesses, which begs the question: is your organization immune to the next gen cyberattacks?

Different stages of a typical cyberthreat

Let's take a look at how a cyberattack typically happens.

Take the Equifax breach as an example. On May 13, 2017, an attacker used SQL to query Equifax's backend database (based on Apache Struts, which had known vulnerabilities), got the database schema and stole some sample data. The attacker then uploaded a shell script to Equifax's web server, collected login credentials, ran about 9,000 SQL commands, stored the data in multiple documents and compressed them. The hacker then used 34 machines in 20 countries to get into Equifax. Very cleverly, they left no trace and cleaned the logs daily. They used Equifax's existing encryption mechanism to query and send commands, and deleted directories after the data was sent out. Over time, the sensitive data of tens of millions of Americans was stolen this way.

This was a very typical cyberattack that can be broken down into different stages. It's usually a gradual process from the initial infection to the moment where massive data extraction occurs. During each stage, different data sources are compromised, allowing hackers incrementally greater access to private information. As the hackers became more cautious, they also started to clear their traces as they went, making the security breach even more difficult to detect.

Figure: An example of cyberattack stages as well as the data sources needed for analytics to detect the attack. (Source: Arubanetworks.com)

So how do we detect the next gen cyberattack? What's the future of cybersecurity?

Most of the cybersecurity systems available now focus only on a single event or attack, making it impossible to detect and prevent advanced persistent threats (APTs) or threats that have already broken in and reside in the system. As hackers become more sophisticated in their methods, it is essential to implement long-term monitoring and real-time analysis.

To be able to detect and catch the new type of cyberattack, it is important to take all activities within an organization into account and analyze user behavior to detect any unknown vulnerabilities.

A deep learning model combined with Bayesian networks can help analyze causality and model uncertainty. Using recurring historical data as a baseline to predict the likelihood of potential attacks, it is important to compare each entity's activity against its own history (an individual behavior-based model), against a peer behavior model, a graph-based database and identified security rules, and to combine the results into an aggregate risk assessment.
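The comparisons described above (a user against their own history, against peers and against a fixed rule, combined into one aggregate risk) can be sketched as follows. This is an added example, not Graphen's code: it substitutes a plain standard-deviation score for the Bayesian and deep learning models the article mentions, and the users, volumes, weights and thresholds are constructed assumptions.

```python
from statistics import mean, pstdev

# Constructed sample data: megabytes each user emailed to external addresses per day.
HISTORY = {
    "alice": [12, 15, 11, 14, 13, 12, 16],
    "bob":   [10, 9, 12, 11, 10, 13, 11],
    "carol": [14, 13, 15, 12, 16, 14, 13],
    "dave":  [11],                      # new hire: too little history for a self baseline
}
PEERS = {"alice": "sales", "bob": "sales", "carol": "sales", "dave": "sales"}
TODAY = {"alice": 14, "bob": 480, "carol": 15, "dave": 12}
MIN_DAYS = 5          # assumed minimum history before trusting a self baseline
RULE_LIMIT_MB = 100   # assumed fixed security rule

def deviation(value, baseline, cap=10.0):
    """Upward deviation from the baseline in standard deviations, scaled to 0..1."""
    sd = max(pstdev(baseline), 1.0)     # floor keeps flat baselines from dividing by ~0
    z = (value - mean(baseline)) / sd
    return min(max(z, 0.0), cap) / cap

def self_score(user):
    hist = HISTORY[user]
    return deviation(TODAY[user], hist) if len(hist) >= MIN_DAYS else None

def peer_score(user):
    pool = [v for u, days in HISTORY.items()
            if u != user and PEERS[u] == PEERS[user] for v in days]
    return deviation(TODAY[user], pool)

def risk(user):
    """Aggregate risk in 0..1 from self baseline, peer baseline and the fixed rule."""
    s, p = self_score(user), peer_score(user)
    rule = 1.0 if TODAY[user] > RULE_LIMIT_MB else 0.0
    if s is None:                       # no self baseline yet: lean on the peer group
        return round(0.8 * p + 0.2 * rule, 3)
    return round(0.4 * s + 0.4 * p + 0.2 * rule, 3)

def ranked():
    """Users ordered from highest to lowest aggregate risk."""
    return sorted(TODAY, key=risk, reverse=True)

if __name__ == "__main__":
    for user in ranked():
        print(f"{user:6} risk={risk(user):.3f}")
```

A single rule on volume would also flag bob here; the self and peer terms matter for deviations that stay under the fixed limit but are still unusual for that user or group.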

Graphen's Alice Security: CyberImmune and SecureAI Database

Take Graphen's CyberImmune product as an example. It is a user behavior analytics-based cybersecurity monitoring system that detects insider threats. Built upon SIEM (Security Information and Event Management), CyberImmune gathers all relevant and available information about users, devices, applications and networks, detecting anomalies at various levels. It provides an aggregate risk assessment to predict the cybersecurity risks of all entities within the organization.

The solution provides advanced capabilities to detect threats that have already entered and reside in the organization. It detects them through both contextual analysis and human behavior reasoning, breaking free from the limitations of existing anti-threat applications and event management systems. It also reduces false positives. The advanced AI solution automatically analyzes entities and activities and ranks the real-time risk of each entity in context. Terabyte-scale, long-term monitoring and automatic detection report and predict APTs including, but not limited to, espionage, sabotage, fraud, etc.

Utilizing various data sources, data processing, analysis, and anomaly alerts, CyberImmune defends an organization against next gen cyberattacks. Compared to rule-based systems, CyberImmune has the following advantages:

  • Protection against advanced persistent threats
  • Identification of previously unknown anomalies
  • Evolution via auto adaptive learning
  • Detection of insider threats

It has advanced features in Event Detection, Prediction, and Visualization.

Like the immune system inside the human body, CyberImmune defends against abnormal behaviors through autonomous learning. Built with advanced AI technology, the CyberImmune system is already deployed by one of the top three banks in China as its internal cybersecurity solution.

Use cases

According to a recent survey from Verizon, 34% of data breaches involved internal actors.

Many of the advanced cyberattacks can be prevented and detected with next gen AI cybersecurity systems such as CyberImmune.

Here are ten possible use cases:

  1. Stealing Login Credentials: An employee steals usernames and passwords from co-workers and emails them to an outside party.
  2. Exfiltration Prior to Termination: An employee is leaving the company and decides to take all of their emails and files with them.
  3. Masquerading: One user is masquerading as another on an unattended workstation.
  4. Bona Fides: An employee prints a bona fides package and takes it to a foreign embassy.
  5. Hiding Undue Affluence: An employee possesses undue affluence because of ongoing espionage activity.
  6. Exfiltration of Sensitive Data Using Screenshots: An employee steals proprietary/sensitive documents by taking screenshots of specific pages, recursively encrypting the files, and emailing them to a webmail address.
  7. Exfil with Complex Steganography: An employee uses steganography to hide data in an image file, then uploads that file to a website.
  8. Anomalous Encryption: A subject wishes to pass sensitive company information to a foreign government in exchange for that government setting him up with his own business in the foreign country. Subject researches monitoring capabilities regarding encryption. Subject exfiltrates sensitive documents by encrypting them with the key and emails the key to an accomplice/handler by including it as an email signature…
  9. Insider Startup: Three co-conspirators collude to steal company IP. They coordinate the synchronized theft of proprietary information before leaving the company.
  10. Circumventing SIEM: A user circumvents SIEM monitoring to commit a crime.

Conclusion

Standing at the beginning of 2020, cyberattacks are becoming more and more intelligent and persistent. As traditional anti-virus software and legacy cybersecurity methods are no longer effective at detecting such attacks, you and your organization need an intelligent system that learns and adapts to the newer threats from within and without the organization.

How are you protecting your organization from the next-gen cyber-attacks?


If you want to learn more about effective cybersecurity, Graphen's Alice Security and how it can protect your organization, please reach out to me at susanhu@graphen.ai.
