Getting Past Partial Attack Detection

There’s an old joke that goes, “What’s worse than discovering a worm in your apple? Discovering half a worm in your apple…” Security Operations (SecOps) has more than its fair share of half-eaten worms, and that’s a big problem. A SecOps team discovers an infected endpoint, for example, and remediates the problem. However, they’ve only caught part of the broader infection. The undetected half of the attack can continue on its mission of destruction without anyone being the wiser.


SecBi, a provider of AI-driven autonomous investigation technology, has seen this phenomenon up close many times. Gilad Peleg, CEO of SecBi, described an encounter with a partially detected attack at a global company with more than 200,000 employees. “We deployed our unsupervised machine learning to do its usual analysis of cluster behavior,” he said. “Pretty quickly, we saw something really interesting. There was a malware attack affecting ten endpoints. However, the company’s SOC had only spotted the infection on seven of them. They had quarantines on those seven, but the other three were still running the malware, free from interference.”


How can a big company with a highly sophisticated SOC miss something like this? “Easily,” explained Peleg. “Attackers have gotten so good at hiding themselves, you have to rethink your approach to detection.” The SecBi method is to run what is essentially an automated investigation using machine learning. “Unsupervised ML, configured the right way, can see patterns of network communication in cluster analysis. The trick is to specifically avoid rules and deliberately not look for signatures. Assume you will see any known threats. That’s basic. Instead, you have to watch carefully for extremely subtle hints that an attack is in progress. The cluster analysis will reveal signals that are often easy to miss.”
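The idea behind the ten-versus-seven story can be shown in miniature. The following is an added example written for this article, not SecBi’s code and not a description of its product: endpoints are grouped purely by how similar their outbound communication profiles are (no signatures, no rules about what the destinations are), and only afterwards are the existing quarantine decisions laid over the clusters. Hosts that sit in the same cluster as already-quarantined machines but were never quarantined themselves are the “other three.” The flow records, host names and addresses are constructed sample data, and the Jaccard similarity with a single-linkage threshold is an assumption chosen for readability, not the method the interview describes.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample flows (not real traffic): (source host, destination IP, destination port).
# Hosts h01..h10 share the same beaconing destinations; only h01..h07 were quarantined.
# Hosts b01..b03 only show ordinary web traffic.
BEACON = [("198.51.100.7", 8443), ("198.51.100.9", 8443), ("203.0.113.50", 53)]
WEB = [("203.0.113.20", 443), ("203.0.113.21", 443), ("203.0.113.22", 80)]

SAMPLE_FLOWS = []
for i in range(1, 11):
    host = f"h{i:02d}"
    # h03 missed one beacon destination, so the infected profiles are similar, not identical
    dests = BEACON if i != 3 else BEACON[:2]
    for dst, port in dests + WEB[:1]:
        SAMPLE_FLOWS.append((host, dst, port))
for i in range(1, 4):
    for dst, port in WEB:
        SAMPLE_FLOWS.append((f"b{i:02d}", dst, port))

# The SOC's existing quarantine list: seven of the ten infected hosts (constructed).
QUARANTINED = {f"h{i:02d}" for i in range(1, 8)}


def build_profiles(flows):
    """Map each source host to the set of (destination, port) pairs it contacted."""
    profiles = defaultdict(set)
    for src, dst, port in flows:
        profiles[src].add((dst, port))
    return {host: frozenset(dests) for host, dests in profiles.items()}


def jaccard(a, b):
    """Similarity of two destination sets: |a & b| / |a | b| (1.0 for two empty sets)."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def cluster_hosts(profiles, threshold=0.5):
    """Single-linkage clustering via union-find: two hosts are linked when their
    profile similarity reaches the threshold; linked hosts end up in one cluster."""
    parent = {host: host for host in profiles}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b in combinations(profiles, 2):
        if jaccard(profiles[a], profiles[b]) >= threshold:
            parent[find(a)] = find(b)

    groups = defaultdict(set)
    for host in profiles:
        groups[find(host)].add(host)
    return [frozenset(g) for g in groups.values()]


def find_missed_hosts(clusters, quarantined):
    """Hosts that cluster with at least one quarantined host but were not quarantined."""
    missed = set()
    for cluster in clusters:
        if cluster & quarantined:
            missed |= cluster - quarantined
    return sorted(missed)


def analyze(flows=SAMPLE_FLOWS, quarantined=QUARANTINED, threshold=0.5):
    """Full pipeline: profiles -> clusters -> hosts the quarantine missed."""
    clusters = cluster_hosts(build_profiles(flows), threshold)
    return find_missed_hosts(clusters, quarantined)


if __name__ == "__main__":
    for cluster in cluster_hosts(build_profiles(SAMPLE_FLOWS)):
        print(sorted(cluster))
    print("quarantine missed:", analyze())  # -> ['h08', 'h09', 'h10']
```

Two points carry over to a real deployment. First, the clustering step never consults the quarantine list, so the same cluster would have formed even if the SOC had quarantined nothing; the list is only used afterwards to ask which cluster members were left out. Second, the threshold decides how much a host may deviate (here h03 still joins with a similarity of 0.75), and setting it too low merges unrelated hosts into one cluster, which is the false-alarm side of the trade-off the article goes on to discuss.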

Of course, after that comes the next big question: “Now what?” Detection is one critical but limited step in cyber defense. SecBi is taking on this challenge by offering automated response features. “Our tool can instantly block a machine that’s suspected of being compromised,” Peleg explained. “In our experience, it’s better to shut the door on a possible attacker and worry about opening it later, when we truly understand what’s going on. If it’s a false alarm, too bad… But, if we’re right, and we’ve caught a previously undetected attack in progress, everyone’s a lot better off if we block it on an automated basis.”

Photo Credit: kevin dooley Flickr via Compfight cc