Sophisticated, targeted cyberattacks such as ransomware have become one of the biggest threats to modern society and to businesses. Attackers routinely exploit weaknesses in the traditional, static, rule-based defence technologies that are usually deployed at the network perimeter. Once past it, the malware they deploy breaches the corporate intranet and lies dormant for a period of time while it locates high-value targets inside the network (such as database servers); it then tries to gain access to those servers and ultimately steals valuable data, or disrupts normal business operations and demands a ransom.
Traditional, static, rule-based defence technologies deployed at the network perimeter have proven ineffective at detecting and preventing today's complex APT attacks, because the attacker can usually avoid the perimeter altogether, for example via BYOD devices, social media networks or private Wi-Fi networks. Comprehensive technologies, products and solutions for post-breach threat detection and prevention are therefore crucial: they protect critical information from being leaked or stolen after a breach has already occurred.
A Server Breach Detection System (sBDS) applies user behaviour analytics (UBA) and network traffic analysis (NTA), built on big-data analysis and machine-learning models, to detect the lateral movement of threats after they have breached the intranet, protecting critical servers and host machines from further compromise. Once a threat is detected, the sBDS platform performs comprehensive threat hunting and provides security administrators with detailed threat information, reconstructing the likely attack kill chain from the observed attack behaviour.
Such a solution gives security administrators comprehensive visibility through different views of the overall network security posture, including views of critical assets, risky hosts and threat events. Deep threat intelligence and comprehensive attack visibility are vital for administrators to understand the nature of an attack, adopt effective mitigations, break the attack chain and abort the attacker's mission.
The sBDS platform is typically deployed inside the corporate intranet, close to the critical servers and host machines it protects. It continuously monitors for post-breach threat activity such as lateral movement, internal scanning and data exfiltration. It monitors network traffic between critical servers, between servers and host machines, and between those servers and hosts and the internet.
Using multiple threat detection engines, combining traditional signature-based detection with large-scale threat intelligence data modelling and user behaviour analytics modelling, the sBDS platform is designed to detect unknown or 0-day attacks and to protect high-value, critical servers and their sensitive data from leakage or theft. Together with its deep threat-hunting and visibility capabilities, sBDS gives security administrators an effective means to detect Indicator of Compromise (IOC) events, reconstruct the attack kill chain and gain extensive visibility into threat intelligence analysis and mitigations.
Core Threat Detection Technologies
This new generation of multi-phased, server-centric, intranet-focused, post-breach detection and prevention technology is leading the industry in technology advancements.
- Advanced Threat Detection (ATD) The Advanced Threat Detection (ATD) engine analyses millions of known HTTP-based malware samples, with regular updates, and extracts the common characteristics of each malware family for further analysis. Using unsupervised machine-learning algorithms and mathematical modelling, the common features of each of the thousands of malware families are fed into a clustering model that is loaded onto the device. The model is also regularly updated from the cloud.
- When suspected malware is detected, the packet is inspected further: the relevant features are extracted and run through the model, which returns a predicted result with a specific confidence level. The verdict is delivered together with forensic evidence, threat intelligence and a proposed action, shown on the threat details pages in iCenter.
- Abnormal Behaviour Detection (ABD) The sBDS platform's abnormal behaviour detection engine monitors and learns the normal behaviour of the servers and host machines in the protected internal network. It extracts behavioural features to build a mathematical model, then uses this model of normal behaviour to detect abnormal activity by any host. For example, a potentially compromised internal host starts sending a large volume of SMTP traffic, exceeding the threshold for normal SMTP activity in the learned model. This may indicate that an attacker has gained unauthorized access to the mail server and is using it to send large amounts of spam, which can result in data loss and/or a server crash.
- Network Traffic Analytics (NTA) The sBDS platform's network traffic analytics engine provides server-centric protection and visibility. It continuously monitors and collects metadata about traffic between internal servers, between internal servers and internal hosts, and between internal servers or hosts and the internet.
- Server-centric network traffic analysis starts with a configurable learning period. During the learning phase, traffic baselines are created for the configured servers, subnet hosts and external networks: hourly baselines for traffic from server machines, and daily, weekly and monthly baselines for traffic from host machines or external networks to servers or to other hosts. As a result, meaningful traffic thresholds for these servers and hosts are also established.
- When the learning period ends, the engine automatically switches to detection mode, and traffic is checked against the hourly, daily, weekly and monthly baselines. When traffic exceeds a threshold, an alert is generated that displays the corresponding traffic data.
- Server traffic monitoring can be viewed as traffic topology graphs. Lines with arrows indicate the traffic direction: red lines mark abnormal traffic and green lines normal traffic.
- Threat Intelligence Correlation Pluggable Engines (PEs) use Indicators of Compromise (IOCs) as building blocks and correlate them with other threat events according to defined rules, across both time and network location. PEs can effectively uncover the underlying relationships between multiple threat events, surface attacks in progress, improve detection accuracy and reduce false positives.
- Deception Technology The local deception engine is configured in a deception zone with an IP address taken from the unused ("dark") addresses within the subnet, and various hidden TCP services are configured on that decoy address. Typically, after malware breaches an internal network, it tries to locate high-value targets by scanning the network or by accessing critical servers with elevated privileges. Because no legitimate host has a reason to contact the decoy, any connection to it triggers an alert, and the threat event is identified with a high confidence level and high severity level.
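The learn-then-detect cycle behind the ABD and NTA engines (learning period, per-hour baselines, thresholds, detection mode) is easier to reason about in code. The block below is an added example written for this page, not Hillstone's implementation: the flow records are constructed, the baseline key (source host, destination port, hour of day), the mean plus three standard deviations threshold and the two-times-mean floor are all assumptions made here. It also handles the case the list above does not spell out: a flow pattern that never appeared during learning, which has no baseline to compare against and is reported in its own right.

```python
"""Learn-then-detect traffic baselines, as an added illustration of the ABD and
NTA engines described above. Not Hillstone code; the flow records, the
(src, dst port, hour-of-day) keying and the mean + k*sigma threshold are
assumptions made for this example."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

K_SIGMA = 3.0    # assumption: flag a total above mean + 3 standard deviations ...
MIN_RATIO = 2.0  # ... that is also at least double the learned mean (guards
                 # against near-zero sigma turning tiny fluctuations into alerts)


def _flow(ts, src, dst, dport, nbytes):
    """Flow metadata record (constructed; stands in for NetFlow/IPFIX-style data)."""
    return {"ts": ts, "src": src, "dst": dst, "dport": dport, "bytes": nbytes}


def _bucket(flow):
    """Hourly baseline key: (source host, destination port, hour-of-day), plus the day."""
    ts = datetime.fromisoformat(flow["ts"])
    return (flow["src"], flow["dport"], ts.hour), ts.date()


def _daily_totals(flows):
    """Bytes per bucket per calendar day."""
    totals = defaultdict(lambda: defaultdict(int))
    for f in flows:
        key, day = _bucket(f)
        totals[key][day] += f["bytes"]
    return totals


def learn_baselines(flows):
    """Learning phase: one threshold per bucket from the distribution of daily totals."""
    baselines = {}
    for key, per_day in _daily_totals(flows).items():
        totals = list(per_day.values())
        mu, sigma = mean(totals), pstdev(totals)
        baselines[key] = {
            "mean": mu,
            "threshold": max(mu + K_SIGMA * sigma, MIN_RATIO * mu),
            "days": len(totals),
        }
    return baselines


def detect(flows, baselines):
    """Detection phase: aggregate the new window the same way and compare.

    A bucket with no learned baseline is reported too: a host talking to a port
    it never used during learning is itself a lateral-movement signal."""
    alerts = []
    for key, per_day in _daily_totals(flows).items():
        base = baselines.get(key)
        for day, total in sorted(per_day.items()):
            if base is None:
                alerts.append({"key": key, "day": str(day), "bytes": total,
                               "ratio": None, "reason": "no baseline for this flow pattern"})
            elif total > base["threshold"]:
                alerts.append({"key": key, "day": str(day), "bytes": total,
                               "ratio": total / base["mean"],
                               "reason": "exceeds learned threshold %d" % base["threshold"]})
    return alerts


# Constructed learning window: the mail server 10.0.0.25 relays to an upstream
# MTA at 09:00 every day for a week, four flows an hour, volume drifting slightly.
LEARNING_FLOWS = [
    _flow(f"2024-03-{day:02d}T09:{minute:02d}:00", "10.0.0.25", "203.0.113.10", 25,
          200_000 + 10_000 * day)
    for day in range(1, 8) for minute in (5, 20, 35, 50)
]

# Constructed detection window: on day 8 the mail server pushes 6 MB in the same
# hour (the spam scenario above); day 9 is back to normal; and a workstation
# touches SMB on the mail server, a pattern never seen during learning.
DETECTION_FLOWS = [
    _flow(f"2024-03-08T09:{minute:02d}:00", "10.0.0.25", "203.0.113.10", 25, 1_500_000)
    for minute in (5, 20, 35, 50)
] + [
    _flow(f"2024-03-09T09:{minute:02d}:00", "10.0.0.25", "203.0.113.10", 25, 250_000)
    for minute in (5, 20, 35, 50)
] + [_flow("2024-03-08T09:41:00", "10.0.0.101", "10.0.0.25", 445, 5_000)]

if __name__ == "__main__":
    model = learn_baselines(LEARNING_FLOWS)
    for alert in detect(DETECTION_FLOWS, model):
        print(alert)
```

Running it produces two alerts: the mail server's day-8 SMTP volume at 6.25 times its learned mean, and the workstation's SMB flow to the mail server with no baseline at all. The day-9 traffic stays under the threshold and is silent. The floor of twice the mean matters in practice: a week of near-identical totals gives a standard deviation close to zero, and without the floor a few per cent of normal drift would page the on-call engineer.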
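The correlation step the Pluggable Engines perform, turning isolated IOC events into one finding and dropping the ones that never chain together, is shown below as an added example for this page; it is not Hillstone's rule engine. The kill-chain stage list, the 24-hour window, the two-stage minimum and the raw events themselves are constructed assumptions. It covers the time dimension of the correlation described above; correlation across hosts (the "space" dimension) would be a second rule of the same shape keyed on the IOC value instead of the host.

```python
"""Rule-based correlation of IOC events into a kill-chain finding, as an added
illustration of the Pluggable Engines described above. Not Hillstone code;
the stage list, the 24-hour window and the two-stage minimum are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: kill-chain order the rule expects to see on one compromised host.
STAGES = ["internal_scan", "deception_hit", "privilege_escalation", "exfiltration"]
WINDOW = timedelta(hours=24)   # assumption: time span the rule correlates over
MIN_STAGES = 2                 # assumption: a single stage alone stays a raw event


def correlate(events, window=WINDOW, min_stages=MIN_STAGES):
    """Group raw IOC events by host, then slide a window over each host's timeline.

    A window containing at least `min_stages` distinct chain stages is promoted
    to one correlated finding; isolated events (a lone scan, or two stages too
    far apart) are not, which is what cuts the false positives."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append({**e, "t": datetime.fromisoformat(e["ts"])})

    findings = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["t"])
        i = 0
        while i < len(evs):
            start = evs[i]["t"]
            in_window = [e for e in evs[i:] if e["t"] - start <= window]
            seen = {e["ioc"] for e in in_window if e["ioc"] in STAGES}
            if len(seen) >= min_stages:
                chain = [s for s in STAGES if s in seen]
                findings.append({
                    "host": host,
                    "chain": chain,
                    "first_seen": in_window[0]["ts"],
                    "last_seen": in_window[-1]["ts"],
                    # confidence grows with the fraction of the chain observed
                    "confidence": len(chain) / len(STAGES),
                    "evidence": [e["detail"] for e in in_window],
                })
                i += len(in_window)   # consume the window; do not re-alert on it
            else:
                i += 1
    return findings


def _event(ts, host, ioc, detail):
    """Raw IOC event as the detection engines might emit it (constructed)."""
    return {"ts": ts, "host": host, "ioc": ioc, "detail": detail}


# Constructed raw events.
RAW_EVENTS = [
    # 10.0.0.101: the full progression inside one night
    _event("2024-03-08T02:10:00", "10.0.0.101", "internal_scan", "SYN scan 10.0.0.0/24 tcp/445"),
    _event("2024-03-08T02:12:30", "10.0.0.101", "deception_hit", "connect to decoy 10.0.0.250:445"),
    _event("2024-03-08T03:00:00", "10.0.0.101", "privilege_escalation", "admin logon to 10.0.0.25"),
    _event("2024-03-08T09:30:00", "10.0.0.101", "exfiltration", "6 MB tcp/25 to 203.0.113.10"),
    # 10.0.0.77: the vulnerability scanner, scan only
    _event("2024-03-08T01:00:00", "10.0.0.77", "internal_scan", "scheduled scan 10.0.0.0/24"),
    # 10.0.0.55: two stages, but three days apart, so outside the window
    _event("2024-03-05T10:00:00", "10.0.0.55", "internal_scan", "SYN scan tcp/22"),
    _event("2024-03-08T10:00:00", "10.0.0.55", "exfiltration", "large upload to 198.51.100.7"),
]

if __name__ == "__main__":
    for finding in correlate(RAW_EVENTS):
        print(finding)
```

Only 10.0.0.101 is promoted to a finding, with all four stages, a confidence of 1.0 and the evidence list an analyst needs to rebuild the kill chain. The scheduled scanner and the host whose two events fall outside the window stay as raw events, which is the false-positive reduction the text refers to. Tightening the window to 30 minutes still produces a finding for 10.0.0.101, but only for the scan and decoy hit, at half the confidence.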
Today's advanced, targeted and persistent threats and their variants bring new challenges to the modern cyber security defence landscape. Traditional security mechanisms are no longer effective against these new breeds of threat. sBDS provides accurate and effective threat detection, powerful threat-hunting capabilities, threat intelligence analysis and comprehensive threat visibility to take on the most challenging cyber security tasks.
Francis Teo, South East Asia Regional Director, Hillstone Networks