In the online game of cat and mouse, cybercriminals always seem to be one step ahead. But how can that paradigm be reversed? How can we anticipate and detect tomorrow's (and today's) cyberattacks in order to provide better protection? Here are some clues to solving the puzzle.
Cybersecurity professionals are constantly on a knife edge, walking a line between present and future, reaction and anticipation. Increasingly innovative cyber-criminals are anticipating the protection techniques being implemented by cybersecurity solutions, and sometimes manage to outwit even the most effective systems. We take a deep dive into strong and weak signals to identify how to detect tomorrow's cyberattacks today.
Cyberattacks: a constantly-evolving threat
In terms of attack sophistication, cybercriminals have always demonstrated an ability to develop new strategies to access their final targets. You already know about phishing, a spoofing technique that distracts users to steal personal information, for example; spear-phishing, a phishing attack combined with social engineering; polymorphism, the ability to fool antivirus software with a series of contradictory fingerprints; and the now-classic ransomware, with its threefold extortion model. You may have heard of fileless malware: attacks that run only in the memory of information systems. And now you’ll need to be alert to threats such as the “browser-in-the-browser” attack, which creates a fake pop-up window designed to trick users into providing as much personal data as possible.
It has to be said that corporate attack surfaces have been growing steadily in recent years. With the widespread adoption of cloud and mobile devices (whether connected or not), the development of APIs without consideration of security issues, IT-OT convergence in industry, and now hybrid and multi-cloud environments, the cybersecurity world is seeing a progressive intermingling of information systems. The result: new security breaches every day. Cybersecurity professionals spend “considerable time auditing systems and products”, confirms Arnaud Pilon, head of the incident response team at Synacktiv. The aim of this constant watchfulness is to “detect new vulnerabilities while, on the flip side of the coin, having the ability to come up with new modes of detection”; in the largest companies, the result is the creation of entire Cyber Threat Intelligence (CTI) teams. But not all have the luxury of benefiting from it… “Our work consists of unpicking sequences of events,” Arnaud adds. “In particular, the presence of a bad actor in the systems is investigated by running detection scenarios.”
Strong and weak signals: a difficult analysis
This research is based on the analysis of weak and strong signals. More difficult to spot are weak signals such as a lateral shift in the information system or the presence of obfuscation in a file, pointing to the possibility of a cyberattack, which must be confirmed by careful cross-checking of the data. Strong signals, however, are a reliable indicator of the threat, in the form of “malicious code markers or patterns, i.e. operating modes already identified as malicious,” Arnaud explains.
In fact, an almost infinite set of logs is generated by companies’ various surveillance devices, from the galaxy of endpoint protection solutions on the one hand to their network equivalents on the other. To analyse all this data, companies are systematically using centralised systems such as SIEM (Security Information & Event Management). The SOC (Security Operation Center) teams then dissect all this data to identify strong and weak signals of cyberattacks. And to help them, some SIEM solutions are capable of machine learning and behavioural analysis to identify suspicious activities, compile contextual reports and even quarantine certain endpoints. However, effectiveness can vary greatly depending on the type of attack, and there is a greater or lesser risk of false positives. “Machine learning or advanced statistics systems work for specific use cases, such as phishing, but this method cannot be applied universally,” adds Arnaud. This requires additional human intervention, especially to investigate weaker signals such as unusual behaviour.
However, this method has its limitations. All analysts are familiar with the feeling of engaging in an endless task every day when faced with the ever-increasing volume of logs to process. Overwork, fatigue, reduced efficiency and, by analogy, increased false positive rates are additional problems for a profession that already has its work cut out. To optimise resources and prioritise activities, Security Orchestration, Automation and Response (SOAR) platforms now provide a triage capability and automated security actions to support analysis teams.
How can we anticipate tomorrow's cyberattacks today?
In this online cat-and-mouse game, cybercriminals are continually seeking to overcome technology and target the blind spots in the detection and protection arsenal. This means that anticipating tomorrow's threats is not only a question of relying on tools and algorithms, but also of developing a control and protection methodology that adapts to the working environment. The equation includes a mix of constant auditing, fine-tuning and understanding of the data, and internal sharing based on the principles of collective intelligence. On the downstream side, the consistent combination of knowledge of the attacker, threat hunting and systematic use of SOCs forms a solid foundation.
Cybersecurity must also be proactive. For example, by using Cyber Threat Hunting – the active search for as yet unknown threats and behaviours – to constantly seek out the operating methods of the future. Publishers require a Cyber Threat Intelligence team in order to continuously adjust their protection engines and rules and be able to provide their customers with real-time data flows to protect against identified threats. Using tactics, techniques and procedures (TTPs), indicators of attack (IoAs) and indicators of compromise (IoCs) from similar cyberattacks, these teams can independently identify areas of compromise or new malware, uninfluenced by alerts triggered by the SOC. However, recruiting “hunters” is not an easy task in these times of tight labour markets, and is a luxury that most companies cannot afford.
An even bigger problem in the industrial world: do hunter profiles with knowledge of IT and OT environments really exist on the market? Because IT/OT convergence and the emergence of Industry 5.0, which puts the human being back at the centre of the factory, accentuate the areas of risk in production environments. The former facilitates the lateral movement of ransomware from one environment to another, while the latter further increases individuals’ dependence on their computer environments. So the systematic application of compliance audits of production machines and security audits of IT and OT infrastructures need to ensure that networks are segmented and that good cybersecurity practices are being applied. Another approach is the increase in the number of detection probes in IT and OT environments, which should make it possible to provide SOC analysts with indicators of attacks. Before it can be used, such data must be correlated, contextualised and shared in the form of a CTI stream, with the aim of capitalising on knowledge of the attacker and its modus operandi. To be effective, this work must be carried out by all players in the same sector. How? In the future, CTI analysts will require the ability to acquire specific knowledge of industrial environments. This requires an understanding of how an operational network functions, its components (different from those of an IT network), its particular challenges (such as the focus on system availability), and also the security solutions used. This is no simple task, as it involves working with existing equipment, some of which was developed several decades ago. “If CTI analysts have no understanding of the communications being exchanged on the industrial network, and therefore no understanding of how the industrial protocols work, they will not be able to analyse them and identify legitimate or suspicious behaviour,” confirms Vincent Nicaise, Stormshield's head of ecosystem and industrial partnerships. “Such knowledge should, for example, make it possible for traditional IT probes to detect PLCs and identify the firmware version in place, and then perform updates.” In efforts to address these issues, IoT probes offering such analytical insight and the creation of cross-functional teams of cybersecurity and IoT experts are an important way forward. While waiting for these two approaches to become a reality, a combination of detection and protection tools remains the best solution for ensuring the security of industrial infrastructures.
Finally, for the most critical environments, so-called disconnected security (which prevents any computer intrusion from the outside) is a radical solution. The infrastructures do not communicate with the Internet, and are therefore updated by the IT teams only manually, and on a case-by-case basis. But even in such remote environments, the Stuxnet episode demonstrated that direct attacks on machines can happen.
Moreover, in an environment in which attacks take on a variety of forms, with multiple points of entry, human beings remain a central link in the chain. In the future, analysts will be required to deal with the emergence of technologies that facilitate spoofing, such as “deepfakes” for video, faces and even voices. Or text augmentation, which generates thousands of emails with the same message but with different nuances in the text – a technique that can circumvent detection signatures. In the future, we will certainly need to tighten up identification methods to ensure that the person we are talking to is a real person, and the right one! The Uber company was recently targeted by a hacker who simply asked one of the company's employees for access via a chat window. When dealing with social engineering practices of this type, what happens “between the chair and the keyboard” is becoming more relevant than ever.
