
Thinkst debuts 'agentless detection'

By Kirsten Doyle, ITWeb contributor.
Johannesburg, 11 Jan 2016
Azhar Desai from Thinkst.

Many security professionals today subscribe to the axiom that networks are already compromised, and that guaranteed prevention is so costly that the expense cannot reasonably be justified.

This has shifted the focus of IT security from prevention to detection and remediation, says Azhar Desai, researcher at Thinkst. "In this paradigm, reducing the time window between compromise and subsequent detection becomes a battle defenders can fight, perhaps win, even with small budgets."

Desai will be presenting on 'Agentless detection' at the ITWeb Security Summit 2017 to be held from 17 to 19 May at Vodaworld in Midrand.

He says detection usually takes the form either of single-purpose monitors such as network intrusion detection systems (IDS), AV, FireEye and the like, or of agent-based software that implements a mix of signature and anomaly detection on end-user workstations. "Both of these are complex and usually require a concerted effort to integrate into the network."

He says this is no longer necessary: Thinkst has developed an agentless open source tool, called 'CanaryTokens', which picks up signals that attackers may be present without needing any central monitors.

"The focus is solely on detecting a network compromise after a breach has occurred. In contrast to AV or IDS which have painted themselves into the corner of promising to defend against all attacks, our approach is limited to detecting actions which carry a high chance of being malicious. The beauty of our approach is that it is administrators who decide what those actions are, since they have the best understanding of their environment."

He explains that following the initial breach, a typical attacker finds themselves in an unfamiliar environment and needs to reconnoitre the network. Attackers often lurk for many weeks on internal networks, leaving a broad window for detection. As they explore the network, they access files, browse mailboxes, trawl databases and so on.

"During this time the defender has many opportunities to detect someone trawling through the network with tiny, well-placed alerting tripwires, which would even snag insiders rummaging in places they shouldn't be," Desai adds. "The trick here is that the tripwires are not software, but data, accessed in ways that let it self-alert. The talk will cover easily deployed techniques for clear alerts of compromise."

During his presentation, Desai will discuss the techniques employed by this new tool. "The actual techniques take diverse forms - anything from dropping a PDF file that alerts when opened, to JavaScript that tells you when your Web site has been cloned. We'll show how to construct a CanaryToken that lets you know if an attacker is rummaging through a SQL Server database, or hide a file in a source code repository that reports when it's been opened."
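To make the pattern Desai describes concrete, here is an added illustration written for this article; it is not Thinkst's code and not how the CanaryTokens service is built. It models the three parts every token shares: an unguessable identifier embedded in planted data (a URL for a document, a JavaScript beacon for a page that might be cloned), a callback that the data triggers when touched, and a registry that maps a hit back to the administrator's own note of where the token was planted. The callback host canary.example, the /cb/ path, the combined-format access log and every log line are constructed for the example.

```python
"""Model of a self-alerting token: a random id is embedded in data planted
where only an intruder (or a rummaging insider) would look; the first access
calls back, and the callback server maps the id to the admin's memo."""
import re
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Assumed callback host for the example; in practice a server you control.
CANARY_HOST = "canary.example"

# Apache/nginx "combined" access-log format, as seen on the callback server.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
TOKEN_PATH_RE = re.compile(r"^/cb/(?P<id>[0-9a-f]{32})$")


@dataclass
class Token:
    token_id: str
    memo: str   # admin's note: where it was planted and what a hit means
    kind: str   # e.g. "pdf", "js-clone", "repo-file"


@dataclass
class Alert:
    memo: str
    kind: str
    source_ip: str
    timestamp: str
    user_agent: str
    extra: Dict[str, List[str]]   # query parameters the token reported


class Registry:
    def __init__(self) -> None:
        self._tokens: Dict[str, Token] = {}

    def create(self, memo: str, kind: str) -> Token:
        # 128 random bits: a hit cannot be a guess, so it means the planted
        # data was touched (or an id someone saw is being replayed).
        tok = Token(secrets.token_hex(16), memo, kind)
        self._tokens[tok.token_id] = tok
        return tok

    def callback_url(self, tok: Token) -> str:
        # The embedded artefact: a remote resource in a PDF, an image link in
        # a document, a "forgotten" config URL in a repository, and so on.
        return f"https://{CANARY_HOST}/cb/{tok.token_id}"

    def clone_detector_js(self, tok: Token, real_host: str) -> str:
        # Snippet for your own page: a copy served from any other host beacons
        # back with the hostname it is running on.
        url = self.callback_url(tok)
        return (
            f"if (location.hostname !== '{real_host}') {{ "
            f"new Image().src = '{url}?host=' + "
            f"encodeURIComponent(location.hostname); }}"
        )

    def alert_from_log(self, line: str) -> Optional[Alert]:
        m = LOG_RE.match(line.strip())
        if not m:
            return None                  # not a log line we understand
        parts = urlsplit(m["target"])
        p = TOKEN_PATH_RE.match(parts.path)
        if not p:
            return None                  # ordinary traffic, not a callback
        tok = self._tokens.get(p["id"])
        if tok is None:
            return None                  # well-formed but never issued: scanner noise
        return Alert(tok.memo, tok.kind, m["ip"], m["ts"], m["ua"],
                     parse_qs(parts.query))

    def alerts_from_log(self, lines: List[str]) -> List[Alert]:
        return [a for a in (self.alert_from_log(ln) for ln in lines) if a]


def demo() -> List[Alert]:
    reg = Registry()
    pdf = reg.create("'Q4 salaries.pdf' on the finance file share", "pdf")
    clone = reg.create("clone detector on https://www.example.com/login", "js-clone")
    bogus = "0" * 32
    # Constructed callback-server log: a PDF opened from an internal host, a
    # normal page request, a cloned login page reporting its host, and a hit
    # on an id that was never issued.
    log = [
        f'10.0.5.23 - - [11/Jan/2016:09:14:02 +0200] "GET /cb/{pdf.token_id} HTTP/1.1" 200 43 "-" "Acrobat/15.0"',
        f'10.0.5.23 - - [11/Jan/2016:09:15:10 +0200] "GET /index.html HTTP/1.1" 200 512 "-" "curl/7.47"',
        f'198.51.100.7 - - [11/Jan/2016:09:20:31 +0200] "GET /cb/{clone.token_id}?host=login-example.com HTTP/1.1" 200 43 "-" "Mozilla/5.0"',
        f'203.0.113.9 - - [11/Jan/2016:09:21:00 +0200] "GET /cb/{bogus} HTTP/1.1" 404 0 "-" "masscan/1.0"',
    ]
    return reg.alerts_from_log(log)


if __name__ == "__main__":
    for a in demo():
        print(f"{a.timestamp} {a.kind:9} from {a.source_ip}: {a.memo} {a.extra or ''}")
```

The memo is the whole point of the design: the id itself carries no meaning, so a leaked token only tells an attacker that a callback host exists, while the server side turns one hit into "someone on 10.0.5.23 opened the salaries PDF on the finance share". Unknown ids are dropped rather than alerted on, so Internet scanners probing the callback host do not generate noise.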

He says the possibilities are extremely varied. "Importantly, these aren't agents needing costly deployments to fleets of machines. These are once-off, simple deployments into well-chosen locations. This means that the Tokens are deployed into your production environment, as opposed to having a separate monitoring infrastructure. We see the Tokens as a complementary approach, rather than a replacement, filling in the gaps of other detection mechanisms."

Desai describes CanaryTokens as a technique specifically for detection. "What constitutes a breach is fairly broad, however. If you use a Gmail account, it's easy to embed a CanaryToken in an e-mail with the subject 'Passwords', and get notified if anyone opens the e-mail. A breach in that case indicates your mail account was compromised, rather than an attacker landing on your corporate network."

The power of CanaryTokens is that they're a building block, he concludes. "We're constantly finding new places we can embed them."
