Beyond traditional threat detection
There is a widening gap between the sophistication of cyber attacks and the traditional methods employed by many organizations to detect and neutralize these threats. The industry is at a critical juncture, requiring a shift from outdated paradigms to innovative approaches that can effectively combat evolving threats. The opportunity lies in recognizing and addressing this gap in thinking.
The Industry’s Struggle with Detection
Currently, organizations are predominantly focused on three main strategies for threat detection: deploying firewalls, leveraging Endpoint Detection and Response (EDR) systems, and utilizing deterministic decision-making tools. Firewalls and EDRs are designed to identify and block malicious software by relying on known signatures and patterns of attack. Deterministic tools, on the other hand, aim to differentiate harmful activities from benign ones by analyzing data and making binary decisions about what constitutes a threat.
However, this traditional approach is proving increasingly inadequate in the face of sophisticated tactics like “living off the land” (LotL) attacks. LotL attacks are particularly challenging because they use legitimate tools and processes within a target’s environment to conduct malicious activities, thereby evading traditional detection mechanisms. There is no malware to flag, no signatures used to detect, and no obvious indicators of compromise for traditional tools to catch. This is where the crux of the problem lies: the existing tools are not equipped to handle such nuanced and covert threats.
Technical Director for EMEA at Corelight.
The Gap in Industry Thinking
The main gap in the industry’s approach to cyber is the reliance on deterministic tools that are inherently limited in dealing with advanced persistent threats (APTs) and LotL techniques. Companies often believe that their current arsenal of cybersecurity tools is sufficient, failing to realize that these tools were not designed to counter the subtle and sophisticated methods used by modern attackers.
One significant oversight is the lack of temporal awareness in threat detection. Companies tend to think in terms of detecting threats based on current activities (using TTPs—tools, techniques, and procedures) but fail to consider the historical context of an attack. This short-sightedness is problematic because sophisticated attackers can dwell in a network for extended periods, waiting for the right moment to strike. Without the ability to look back in time and analyze past activities, organizations can misidentify long-term intrusions that have already infiltrated their systems.
Embracing a New Approach
To bridge this gap, a new way forward involves three key shifts in thinking:
1. Adopting Retrospective Analysis: Organizations must incorporate solutions that enable retrospective analysis, allowing them to look back in time and investigate past activities for signs of an undetected intrusion. This approach requires retaining and analyzing historical data in huge volumes, which can reveal patterns and anomalies that are not apparent in real-time analysis.
2. Leveraging Behavioral Analytics: Instead of relying solely on deterministic tools, companies should adopt behavioral analytics that can detect deviations from normal behavior. This involves creating baseline profiles of typical activities and identifying outliers that could indicate a security breach. Behavioral analytics, which can flag, for example, an IP camera that starts exfiltrating files, are particularly effective in spotting LotL attacks, where traditional signature-based detection fails.
3. Learning from Elite Defenders: The practices of elite defenders such as top-tier financial institutions and government agencies provide valuable insights. These organizations do not rely on traditional methods alone but use advanced threat-hunting techniques and continuous monitoring to stay ahead of attackers. Companies should take cues from these progressive approaches and integrate them into their own cybersecurity strategies.
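The two shifts above (retaining history, then baselining each host and flagging outliers) are illustrated below with an added example that is not from the article or from Corelight. It uses constructed per-day outbound byte counts in the spirit of a Zeek/Corelight conn.log summary; the host addresses, volumes and the hypothetical `find_outliers` / `retrospective_scan` helpers are all assumptions for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample (not real log data): (day, source host, outbound bytes per day).
# 10.0.5.20 is an IP camera that normally sends ~50 KB/day, then 820 MB on 05-06.
DAILY_OUTBOUND = [
    ("2024-05-01", "10.0.5.20", 48_000), ("2024-05-02", "10.0.5.20", 51_000),
    ("2024-05-03", "10.0.5.20", 50_000), ("2024-05-04", "10.0.5.20", 47_500),
    ("2024-05-05", "10.0.5.20", 49_000), ("2024-05-06", "10.0.5.20", 820_000_000),
    ("2024-05-01", "10.0.1.10", 2_100_000), ("2024-05-02", "10.0.1.10", 1_900_000),
    ("2024-05-03", "10.0.1.10", 2_400_000), ("2024-05-04", "10.0.1.10", 2_000_000),
    ("2024-05-05", "10.0.1.10", 2_250_000), ("2024-05-06", "10.0.1.10", 2_300_000),
]

def baseline(history):
    """Robust per-host baseline: median and median absolute deviation (MAD)."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    return med, mad

def find_outliers(records, observe_day, k=10.0, min_floor=0.05):
    """Flag hosts whose outbound volume on observe_day deviates from their own
    history. Days before observe_day form the baseline; only observe_day is scored.
    The MAD is floored at min_floor * median so a very stable host does not
    flag on trivial jitter."""
    per_host = defaultdict(list)
    current = {}
    for day, host, nbytes in records:
        if day == observe_day:
            current[host] = nbytes
        elif day < observe_day:
            per_host[host].append(nbytes)
    flagged = []
    for host, nbytes in current.items():
        hist = per_host.get(host, [])
        if len(hist) < 3:
            continue  # too little retained history to baseline this host
        med, mad = baseline(hist)
        mad = max(mad, med * min_floor)
        score = (nbytes - med) / mad if mad else 0.0
        if score > k:
            flagged.append((host, nbytes, round(score, 1)))
    return flagged

def retrospective_scan(records, k=10.0):
    """Re-score every retained day, so an intrusion missed in real time still
    surfaces when the stored history is examined later."""
    days = sorted({day for day, _, _ in records})
    hits = {d: find_outliers(records, d, k) for d in days}
    return {d: f for d, f in hits.items() if f}
```

The camera is invisible to signature-based tools (its traffic is legitimate protocol use), but its own baseline makes the jump in outbound volume an obvious outlier.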
Moving ahead
In conversations with customers, the “aha” moment often comes when they realize the limitations of their current tools and understand the importance of historical data in detecting sophisticated threats. By illustrating real-world examples, such as the prolonged dwell times of attackers in high-profile breaches, cybersecurity professionals can underscore the necessity of adopting a more comprehensive and proactive approach.
Ultimately, bridging the cybersecurity gap requires acknowledging that the traditional tools and methods are no longer sufficient. Embracing retrospective analysis, behavioral analytics, and learning from elite defenders will equip organizations to detect and neutralize even the most sophisticated threats. By closing this gap in thinking, companies can enhance their security posture and better protect their critical assets in an increasingly complex threat landscape.
This article was produced as part of TechRadarPro’s Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro