Many companies use a security technique, Anomaly Detection, that relies on non-characteristic online activities to trigger an intrusion alert. The non-characteristic activity, or anomaly, is when a user does something different than usual.
In this post, we will explain how an experienced threat actor can easily and repeatedly avoid being caught by Anomaly Detection security systems.
What’s an Anomaly?
There are many variations of an anomaly as the term applies to IT networks. Examples include:
- A legitimate user’s credentials are used in an attempt to log on from a different location than is usual, such as an employee working while on vacation.
- Someone attempts to log on using a machine that is new to the network, such as an employee with a new personal computer, or smartphone.
- An authenticated user requests access to resources that have never been accessed before or are not authorized for those credentials
- An authenticated user sends files that are exceptionally larger, or possibly executable files that are atypical for that user.
Anomaly Detection – How It Works
PayPal uses a 2FA system that has been shown to be vulnerable. Anomaly detection tools compare the current online activity with a historical pattern of that user’s activity profile. If any aspect of the current activity is anomalous to the profile data, an intrusion alert is triggered. Many security companies tout their anomaly-based security solution as a complete, end-to-end solution that can detect any threat, any malicious activity.
There is a serious flaw in that reasoning.
Anomaly Detection can work well against inexperienced, would-be intruders. Inexperienced attackers typically will not progress so far as to get authenticated on the network. Should they be successful in gaining access, they likely will stumble into the anomaly detection because they have not done their homework.
It will not work so well against experienced threat actors.
Anomaly Detection – Why It Fails
Experienced hackers perform like professionals. They know about anomaly detection as well as the many other security methods that are deployed. For example, sophisticated hackers will pose as a legitimate network security company so they can perform tests and analysis on security tools. Being prepared in advance is characteristic of professional attackers that enables them to evade detection.
They research the target company and do reconnaissance on as many of the employees as they can identify. They are especially interested in employees with high access privileges to corporate resources. Facebook, Twitter, and other social media platforms are frequently a rich resource for personal information. Smart threat actors know that many people reuse their passwords. They also know that many personal accounts have compromised credentials that continue to be in use. Phishing and Malware exploits are common techniques for acquiring user credentials.
When the attack begins; the smart threat actor has already acquired:
- A clear understanding of the best attack vector to use against the target company based on researching the security system’s weaknesses
- A well-researched profile of a high priority employee(s)
- Authenticated credentials that provide unrestricted access to corporate resources
With these assets in hand, the attacker proceeds without performing any anomalous behaviors that could be detected. All activity simply appears to be an employee doing their job. Think of it as a burglar entering a home using the owner’s keys, with a complete floor plan, a schematic of the security system and the knowledge of how to avoid or defeat each security device.
Working undetected, hackers freely explore corporate resources; helping themselves to the valuables. Because the security system does not detect an intrusion, the hackers are free to pillage for as long as they like. In a 2015 threat report by Mandiant, the median time that threat actors were present on a target’s network before detection was 205 days. Obviously, they were very successful in avoiding the anomaly detection system.
Anomaly Detection – Bulked Up and Ripped
Anomaly Detection is a good technique to include in your security arsenal. But it is not muscular enough to do the job as the sole method for intrusion alerts. The first step in achieving a stronger security system requires companies to put more effort into securing the keys (user credentials) that access their networks. It is not always possible to manage your users’ behaviors, especially away from work. It is definitely possible, though, to know when your user’s credentials have been compromised and take proactive steps to prevent the damage this may cause.
Anomaly Detection coupled with a Credentials Monitoring Service such as offered by VeriClouds, creates a purpose-built, more powerful security solution.
VeriClouds was founded by Rui Wang and Stan Bounev in 2014 to resolve the authentication security issues in Cloud Services. Information Security is not just a business opportunity. It is a calling, a passion, even an obsession. Rui and Stan joined forces to create ways to make the world more secure by making it safer to do business online. Rui has a Ph.D. in Cyber Security, and Stan is a successful entrepreneur with over 14 years of corporate and startup experience in the banking and technology industries.