A new report from McAfee, now part of Intel Security, reveals that a majority of companies lack confidence in their ability to detect targeted attacks in a timely manner.
Moreover, companies that are best prepared to handle targeted attacks are taking time to investigate high volumes of events, contributing to a sense of urgency and organizational focus on creative approaches to earlier detection and more effective mitigation.
The report underlines the importance of real-time, multi-variable analysis of subtle attack activity and factor time as well as threat intelligence in to risk scoring and incident response priorities.
Nearly 74 percent of respondents indicated that targeted attacks are a primary concern for their organizations. Further 58 percent of organizations investigated 10 or more attacks last year.
Only 24 percent of companies are confident in their ability to detect an attack within minutes, and just under half said it would take days, weeks, or even months before they noticed suspicious behavior.
Meanwhile 78 percent of those able to detect attacks in minutes had a proactive, real-time Security Information and Event Management (SIEM) system.
Half of the companies surveyed indicated that they have adequate tools and technologies to deliver faster incident response, but often critical indicators are not isolated from the mass of alerts generated, placing a burden on IT teams to sift through threat data.
Intel Security report revealed the top eight most common attack activities that successful organizations track to detect and deflect targeted attacks. They include the following:
- Internal hosts communicating with known bad destinations or to a foreign country where organizations don’t conduct business.
- Internal hosts communicating to external hosts using non-standard ports or protocol/port mismatches, such as sending command shells (SSH) rather than HTTP traffic over port 80, the default web port.
- Publically accessible or demilitarized zone (DMZ) hosts communicating to internal hosts. This allows leapfrogging from the outside to the inside and back, permitting data exfiltration and remote access to assets. It neutralizes the value of the DMZ.
- Off-hour malware detection. Alerts that occur outside standard business operating hours (at night or on weekends) could signal a compromised host.
- Network scans by internal hosts communicating with multiple hosts in a short time frame, which could reveal an attacker moving laterally within the network. Perimeter network defenses, such as firewall and IPS, are seldom configured to monitor traffic on the internal network (but could be).
- Multiple alarm events from a single host or duplicate events across multiple machines in the same subnet over a 24-hour period, such as repeated authentication failures.
- After being cleaned, a system is re-infected with malware within five minutes—repeated reinfections signal the presence of a rootkit or persistent compromise.
- A user account trying to login to multiple resources within a few minutes from/to different regions—a sign that the user’s credentials have been stolen or that a user is up to mischief.
“Real-time, intelligence-aware, SIEM technologies minimize time to detection to proactively prevent breaches based on contextualization of indicators during analysis and automated policy-driven responses,” said Ryan Allphin, senior vice president and general manager, Security Management at Intel Security.
“With the power to accelerate their ability to detect, respond to, and learn from events, organizations can dramatically shift their security posture from that of the hunted, to the hunter,” Allphin added.