Use Cases

Detecting and mitigating advanced cyber attackers

Advanced cyber attackers and malicious insiders regularly circumvent IT protection measures and breach highly sensitive data. Such breaches often take place over several months – the current average detection time for a data breach is nearly 200 days – and happen in plain sight, hidden in millions of regular activities caused by the web browsing of employees. For example, 20 GB of data was stolen this way during a cyberattack against the Swiss defense company RUAG, which remained undetected for more than a year. The attackers used a hidden HTTP(S)-based command and control (C&C) channel to exfiltrate the data from RUAG’s network.

During such an attack, the attacker often controls the infected client remotely to discover valuable data and to infect further clients and servers within the corporate network. Since these attacks are executed against relatively few organizations at once, they are often not detected by traditional anti-virus systems and blacklists.

ExeonTrace features a number of network traffic analyzers to identify such attacker activities. For example, ExeonTrace’s machine learning analyzes every HTTP(S) request in a multi-dimensional feature space in order to identify suspicious connection patterns. Detection is not limited to HTTP(S)-based attacks: other hidden attacks can be found by ExeonTrace as well.
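To illustrate the kind of per-connection features that separate a hidden HTTP(S) C&C channel from ordinary browsing, here is an added example (not ExeonTrace's code, and not a description of its actual models). It parses a constructed proxy-log sample, builds three features per client/destination pair (request count, regularity of inter-request gaps, ratio of bytes sent to bytes received) and flags pairs that look like periodic beaconing with outbound-heavy traffic; the log format and the thresholds are assumptions for the example.

```python
"""Beaconing/exfiltration heuristics over HTTP proxy log lines (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: timestamp, client IP, destination host, bytes sent, bytes received.
# 10.1.2.7 contacts one host exactly every 60 s with a fixed outbound size and tiny replies,
# which is the beacon-plus-exfiltration shape this example is built to surface.
SAMPLE_LOG = """\
2023-04-01T09:00:00 10.1.2.3 cdn.example-news.test 412 15320
2023-04-01T09:00:00 10.1.2.7 api.updates-host.test 4096 210
2023-04-01T09:00:07 10.1.2.3 cdn.example-news.test 398 22817
2023-04-01T09:01:00 10.1.2.7 api.updates-host.test 4096 205
2023-04-01T09:02:00 10.1.2.7 api.updates-host.test 4096 212
2023-04-01T09:02:41 10.1.2.3 www.example-news.test 505 9810
2023-04-01T09:03:00 10.1.2.7 api.updates-host.test 4096 208
2023-04-01T09:04:00 10.1.2.7 api.updates-host.test 4096 211
2023-04-01T09:05:00 10.1.2.7 api.updates-host.test 4096 209
"""

def parse(log):
    """Group requests by (client, destination host)."""
    flows = defaultdict(list)
    for line in log.splitlines():
        ts, src, host, out_b, in_b = line.split()
        flows[(src, host)].append((datetime.fromisoformat(ts), int(out_b), int(in_b)))
    return flows

def features(events):
    """Request count, coefficient of variation of inter-request gaps, and out/in byte ratio."""
    events.sort()
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
    out_total = sum(e[1] for e in events)
    in_total = sum(e[2] for e in events)
    # A low coefficient of variation means near-constant timing (beacon-like); None if too few gaps.
    cv = pstdev(gaps) / mean(gaps) if len(gaps) > 1 and mean(gaps) > 0 else None
    return {"count": len(events), "gap_cv": cv, "out_in_ratio": out_total / max(in_total, 1)}

def suspicious(log, min_count=5, max_cv=0.2, min_ratio=5.0):
    """Return flows that are frequent, regularly timed and outbound-heavy (assumed thresholds)."""
    hits = {}
    for key, events in parse(log).items():
        f = features(events)
        if (f["count"] >= min_count and f["gap_cv"] is not None
                and f["gap_cv"] <= max_cv and f["out_in_ratio"] >= min_ratio):
            hits[key] = f
    return hits
```

Real channels add jitter and vary payload sizes, so in practice these features feed a model alongside many others rather than fixed cut-offs.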

Visibility into network activities for the detection of shadow IT services

Every day, thousands of new web services go online. Consequently, the blacklists used by secure web gateways to block access to shadow IT services typically lag behind, and access to web services that pose major privacy and security risks is not blocked.

ExeonTrace’s machine learning and data flow analysis detects such services not on the basis of static blacklists, but on the basis of their behavior. That is, ExeonTrace provides visibility into the use of shadow IT services that are not yet listed by blacklists. Corresponding scenarios include sharing corporate data via cloud services, data transfer via unauthorized webmail services, or employees uploading corporate documents to online utility platforms such as PDF document converters.

Identification of unauthorized, outdated and misconfigured internal devices

Unauthorized devices that are connected to the internal network pose a major risk, as these devices could easily be used by attackers to attack a corporate network or critical infrastructure from the inside. An infamous example is the case of a casino that was hacked through an Internet-of-Things (IoT) thermometer in its lobby aquarium.

Similarly, outdated internal devices, such as legacy Windows XP systems or outdated browser plug-ins, pose a high risk for the corporate network because exploits to infect such devices are often publicly available. Infecting such a device likewise allows an attacker to hit the corporate network from the inside. Misconfigured devices are not necessarily a security risk, but they can cause a lot of load in a network due to millions of failed activities.

ExeonTrace’s clustering approaches can identify these potential risks.