There’s a universal truth regarding every cyber attack: attack behavior never appears normal. This seemingly simple fact holds true whether the attack was executed by a first-timer or perpetrated by a nation-state and is crucial to preventing future information security breaches like Anthem’s.
The future of IT security is technology that consistently and accurately identifies behaviors that aren’t normal. By employing a behavioral analysis approach, organizations will no longer be behind the power curve of the endless stream of new and morphed exploits to which they find themselves vulnerable every day.
The question then becomes how abnormal behavior can be accurately detected. The process requires monitoring, analyzing and applying machine learning to accurately identify the abnormal behaviors indicative of an attack at the outset. Accuracy is paramount, to avoid wasting valuable resources chasing false alarms.
Let’s examine how an abnormal-behavior approach could have been applied in the context of the recent Anthem breach to gain valuable insights. While details are still emerging, we already know the attackers were able to pose as administrative insiders to access Anthem’s databases. Could the attackers’ activities have been identified before all 80 million records were breached?
To answer that, it’s important to understand how the Anthem attack was eventually discovered. It has been widely reported that “suspicious activity of an administrator” tipped them off. An individual at Anthem recognized abnormal behavior and began to investigate. It was at that point that Anthem uncovered one of the largest Personally Identifiable Information (PII) data breaches in history.
This abnormal behavior went unnoticed for many months. The attackers’ activities were opaque to Anthem’s defenses and security staff, yet it turns out the activities were not stealthy; there just weren’t tools in place to monitor or analyze database traffic to identify the abnormal behaviors.
From the reports that have emerged, the Anthem attackers implemented a “backdoor” process on a database client to exfiltrate the records from Anthem’s databases. Using compromised administrative logins and passwords, the attackers submitted database queries remotely to leak the PII records.
Intelligent continuous monitoring and behavioral analysis technology would have been able to detect the Anthem attack very early. If the system the attackers used to access the database had never accessed the database previously, technologies from DB Networks would have immediately issued an alert for abnormal behavior. On the other hand, if the compromised system were previously known to the database, then behavioral analysis could be easily employed to identify abnormal activities and volumes of database queries. These abnormal activities are indicative of an attack in progress. DB Networks DBN-6300, Vectra Networks X-series Platform, Aorato (recently acquired by Microsoft) and McAfee’s Network Threat Behavior Analysis are examples of products in market today that utilize machine learning and behavioral analysis to identify abnormal activity.
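The two checks described above, a client host that has never accessed the database before and an hourly query volume far above an account’s baseline, as an added example that is not the article’s or DB Networks’ code; the log format, the constructed log lines, the hourly window and the three-standard-deviation threshold are all assumptions.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Assumed log format (constructed for this example): "<epoch> user=<account> client=<host> rows=<n>"
LINE_RE = re.compile(r"^(\d+) user=(\S+) client=(\S+) rows=(\d+)$")
WINDOW = 3600  # aggregate returned-row volume per account per hour
# Constructed data: a normal history to learn from, then live traffic in which the admin
# account appears from a host the database has never seen and pulls an unusual volume
BASELINE_LOG = """
100 user=dba_admin client=ops-host-1 rows=120
900 user=dba_admin client=ops-host-1 rows=80
3700 user=dba_admin client=ops-host-2 rows=180
7300 user=dba_admin client=ops-host-1 rows=220
"""
LIVE_LOG = """
10900 user=dba_admin client=ops-host-1 rows=150
11500 user=dba_admin client=unknown-host-7 rows=3000
"""

def parse(log):
    """Parse lines into (ts, user, client, rows); malformed lines are skipped."""
    matches = (LINE_RE.match(l.strip()) for l in log.strip().splitlines())
    return [(int(m[1]), m[2], m[3], int(m[4])) for m in matches if m]

def build_baseline(events):
    """Learn each account's known client hosts and its mean/stddev hourly row volume."""
    known, volume = defaultdict(set), defaultdict(lambda: defaultdict(int))
    for ts, user, client, rows in events:
        known[user].add(client)
        volume[user][ts // WINDOW] += rows
    stats = {u: (mean(v.values()), pstdev(v.values())) for u, v in volume.items()}
    return known, stats

def detect(events, known, stats, sigma=3.0):
    """Alert once per never-seen (account, host) pair and once per hour whose volume exceeds mean + sigma*stddev."""
    alerts, new_pairs, flagged = [], set(), set()
    volume = defaultdict(lambda: defaultdict(int))
    for ts, user, client, rows in events:
        if client not in known.get(user, set()) and (user, client) not in new_pairs:
            new_pairs.add((user, client))
            alerts.append(("new_client", user, client, ts))
        bucket = ts // WINDOW
        volume[user][bucket] += rows
        mu, sd = stats.get(user, (0.0, 0.0))  # unknown account: any volume is abnormal
        if volume[user][bucket] > mu + sigma * max(sd, 1.0) and (user, bucket) not in flagged:
            flagged.add((user, bucket))
            alerts.append(("volume", user, client, ts))
    return alerts

def run_demo():
    return detect(parse(LIVE_LOG), *build_baseline(parse(BASELINE_LOG)))
```

On the constructed data the first live line is normal (known host, 150 rows against a baseline near 200 per hour); the second raises both a new-client alert and a volume alert.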
Through behavioral analysis the Anthem attack would have been identified in its earliest stages, when it could have been contained with minimal or no loss of records. As a result of the Anthem breach, another large financial services company simulated the Anthem breach and tested the ability of DB Networks’ behavioral analysis technology to detect it. As expected, behavioral analysis detected the installation of “backdoor” malware the moment it began to communicate, in addition to the unusually large volume of administrator traffic to the database.
The Anthem breach is yet another in a series of wake-up calls regarding the complex and, at times, overwhelming problems with cyber security. It’s time to break away from business as usual and remember the universal truth: identify abnormal behavior.
This article was written by Frontline from Forbes and was legally licensed through the NewsCred publisher network.