The inner workings of a targeted attack

Vectra Networks' X-Series of appliances combine advanced analytics with AI to identify threats in real time.

If recent IT intrusions, attacks and data thefts have taught us anything, it must be that both security technology and those operating those solutions have come up short in identifying and remediating threats. Obviously, IT security managers are trying to stay one step ahead of the sophisticated attacks that are targeting today's networks. However, trends show that their efforts are sometimes coming up short, with disastrous results.

Enter Vectra Networks, a San Jose based startup that just came out of stealth mode and has introduced their X-Series of appliances, which combine advanced analytics with artificial intelligence to identify threats in real time, and empower administrators with the ability to do something about those attacks before any damage is done. However, Vectra's approach to targeted threats proves to a treasure trove of educational information, even to those who do not adopt the company's products.

Case in point is how Vectra identifies potential attacks using heuristics and AI to create relationships between activities, events, users and systems attached to the network. Simply put, the company has put processing horsepower behind identifying suspicious events in a context that matches how many attacks progress today. To truly appreciate the technology that Vectra has developed, one has to understand how attacks and intrusions escalate on today's networks.

While it could take a thick tome to explain the attack process fully, the basic ideology can be broken down into a few critical steps, which are most commonly used by attackers today, especially those that are promoting targeted attacks.

  • Initial Exploit: Often defined as the first attempt to "break into" a network, where an attacker tries to leverage a weakness in a given entry point, usually predicated by a software design flaw on an unpatched system. Internal attackers do not always need to leverage any type of attack vector that would occur from outside the network perimeter.
  • Internal Recon: Once through the network perimeter protection schemes, attackers start a process called reconnaissance, which can employ a number of techniques to discover the assets on the network. Internal recon delivers information on systems, applications and so forth, helping attackers to build a sense of the network landscape.
  • Lateral Movement: Here, the attack spreads across internal network resources, using automated technologies or brute force mechanisms to attack the identified assets and attempt to infiltrate those systems.
  • Acquire Data: After infiltrating internal systems, techniques are used to gather data deemed as valuable. That data could be intellectual property, customer information, or anything else that has a tangible value.
  • Exfiltration of Data: Here, the data that has been identified and collected is then processed in such a fashion to deliver it to an external resource using techniques that hide the activity, such as tunnels via HTTP that deliver data files to external storage services.

Obviously much more activity and many additional subtasks can be incorporated into an attack that steals information, yet the process stills adds up to the basics of infiltrate, reconnaissance, identify and then acquire.

While one may assume that it should be easy to uncover any of the above mentioned events, the truth of the matter comes down to how those events are hidden within the typical noise of network traffic and each event is separated by time, method and activity. That makes it incredibly difficult to identify an attack in progress and proactively do something about it.

Yet, knowledge is a powerful ally and IT security professionals looking at behaviors on a network may be able to detect an attack in progress, simply by correlating activity with context during traffic audits. For example, if suspicious activity occurs, someone needs to look at the context of that activity - especially if that activity was preceded by a change in user roles. Case in point would be a user recently assigned backup chores, which would drive an increase in network traffic and file access. Under normal circumstances, that would trigger a potential security event - however, when placed in context, the activity can be attributed to SOP. The key here is that context must be included in any evaluation of network events.

While it is possible to do some of those chores manually, IT security professionals would be wise to invest their time into deploying technologies that automate the process of contextual traffic analysis, as opposed to manually delving through logs and notices. At least that is what Vectra hopes will happen.