Again and again, we read about hacking incidents where attackers can spy on a company, an authority or a ministry and remain unnoticed for months without affecting the systems.
Imagine the following scenario:
A company has been infiltrated but knows nothing about it. Sensitive data flows into the hands of cybercriminals; either intellectual property (industrial espionage) or personal data used for criminal activities such as credit card fraud through identity theft.
If the infiltration is noticed and becomes public, it is already too late for the company concerned. the costs of rescuing the systems and eliminating the defects are performed by data protection law penalties and the reputation damage of the company's image toward their customers, suppliers and other business partners.
Why do attacks take place undercover?
- Targets of the attackers are e.g. the targeted spying for a later attack,
- the collection of valuable information (e.g. for later sale) or
- (industrial) espionage.
So we are not dealing with quick and obvious blackmail by data encryption or a compromise of the systems, which means an immediate loss of work and data. At least not yet.
How do you recognise the intruder if he is already in the system, but remains stagnant?
Let's take a step back. Did the controls fail before?
Experts largely agree that despite protective measures such as firewalls, anti-virus protection, application or interface controls, 100% protection is not possible. Malware and attack methods are simply evolving rapidly and people are falling into (increasingly sophisticated) traps.
Furthermore, not all attacks are carried out by explicit malware. So-called Living-off-the-Land (LotL) methods largely make use of what is already present in the environment. There is no need to develop malicious files from scratch. Rather, they exploit entry points that already exist in IT systems.
This tactic can achieve several things: First, they often bypass traditional protection systems - virus scanners do not raise an alarm when software appears to be secure. In this way, they allow cybercriminals to infiltrate IT systems unobtrusively and thus often unnoticed. Even if an infiltration case is detected, under these circumstances it is much more difficult to identify where the attack comes from. Many traditional cyber security solutions are not able to detect dangerous behaviour when performed with tools that are considered legitimate.
But how do you track something down that you don't know is in your own system?
The analysis of behaviour and the search for abnormalities are particularly relevant in this context. Endpoints (end devices such as PCs, laptops, mobile devices) must be continuously monitored.
Events on the end devices and in the system should be analysed to identify traces of hackers, determine employee misconduct and detect security gaps.
With the help of definable rules, security managers should be able to set up which events can be reacted to with which behaviour, e.g. by defensive behaviour such as shutting down processes. This relieves the burden on IT departments, which are often deployed on many fronts.
Endpoint Detection & Response solutions (or EDR for short) are available to those responsible for analysing and reacting to these events.
What are the features of an EDR solution?
Detection and containment security incidents, not just file-based malware.
Security incident investigation and threat detection.
Provision of response options for recovery after a security incident.
Prediction of potential security breaches
e.g. the current security status of an endpoint is displayed and advice is given on how to avoid threats.
Details about the function of such solutions can be found in the next blog post.