Vodacom talks cyber hunting
When it comes to SA's cyber crime landscape, the country - and Africa at large - is very much on par with other developed countries.
This is according to Vodacom's chief technology security officer, Vernon Fryer, who will speak at ITWeb Security Summit 2015 at the end of May.
Fryer says the company has detected a significant increase in distributed denial of service (DDoS) attacks against Nigeria, Tanzania, Zambia and Kenya over the past 18 months.
"South Africa is very much the same as Nigeria; we are detecting an increase in botnet traffic and digital ransomware is more mature. Most of the malicious threats are coming from Russia via the US."
Information security and cyber threats are no longer about firewalls and anti-virus, Fryer says, but rather the ability to "visualise the global landscape using multiple sources of information to detect, predict and hunt the malicious threats".
"Hunting," explains Fryer, consists of spending a lot of time searching for something that is elusive by nature.
"To locate entrenched threats, your hunt needs to be dynamic and adaptable. Plus, you need to be able to easily pivot from one dataset to the next to evaluate the full context of the attacker's digital footprints. This might include moving from operating system events to netflow data and then to application logs."
Hunting toolsets need to be able to support this kind of nimble data exploration, he adds. "Once you've identified an item of interest, you'll also need to be able to quickly identify the entire context associated with that item, including its relationships to other entities on your network, its historical activity, how it correlates with threat intelligence, or how it relates to non-technical data, like social media information.
"These datasets make for productive hunting, but may be more than your security information and event management can handle." Fryer says, given that advanced attacks can often evade observation for weeks or months, Vodacom often sees organisations that want to store all this data for a year or more.
Far from being an automated process, hunting is driven by questions and hypotheses, says Fryer. "One question might be 'is data exfiltration happening?'" He adds: "A starting hypothesis might be: 'If there is data exfiltration happening, it is most likely going on through this part of the network'.
"So, you may want to check to see whether there is any exfiltration going through that subnet, and then you might try to figure out what protocols the attacker would use and what that activity would look like in the logs."
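The hunt Fryer outlines, as an added example that is not part of the article or any Vodacom tooling: start from the hypothesis "exfiltration is leaving through this subnet", test it against constructed netflow records, then pivot the flagged hosts into constructed host logs for context. Thresholds and the 10.20.0.0/16 subnet are assumptions for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed netflow records: (src_ip, dst_ip, proto, dst_port, bytes_out)
FLOWS = [
    ("10.20.5.14", "10.20.1.2", "tcp", 445, 120_000),       # internal file share
    ("10.20.5.14", "203.0.113.7", "tcp", 443, 48_000_000),  # large outbound HTTPS
    ("10.20.5.14", "203.0.113.7", "tcp", 443, 52_000_000),
    ("10.20.7.9", "198.51.100.5", "udp", 53, 9_500_000),    # DNS at megabyte scale
    ("10.20.7.9", "198.51.100.5", "udp", 53, 8_200_000),
    ("10.20.9.3", "203.0.113.20", "tcp", 443, 400_000),     # ordinary browsing
]

# Constructed host log lines: the second dataset we pivot into once a host is flagged.
HOST_LOGS = [
    "10.20.5.14 user=jdoe process=uploader.exe path=/finance",
    "10.20.7.9 user=svc_backup process=powershell.exe",
    "10.20.9.3 user=amee process=chrome.exe",
]

# Hypothesis thresholds (assumed for this example; tune against your own baseline)
EXFIL_BYTES = 50_000_000   # total outbound bytes per src->dst pair
DNS_BYTES = 1_000_000      # DNS should not carry megabytes in one direction

def hunt_exfiltration(flows, subnet_cidr):
    """Return {src_ip: reason} for subnet hosts whose outbound flows fit the hypothesis."""
    subnet = ipaddress.ip_network(subnet_cidr)
    totals, protos = defaultdict(int), {}
    for src, dst, proto, port, nbytes in flows:
        internal_src = ipaddress.ip_address(src) in subnet
        internal_dst = ipaddress.ip_address(dst) in subnet
        if not internal_src or internal_dst:
            continue  # only internal -> external flows matter for this hypothesis
        totals[(src, dst)] += nbytes
        protos[(src, dst)] = (proto, port)
    hits = {}
    for (src, dst), nbytes in totals.items():
        proto, port = protos[(src, dst)]
        if proto == "udp" and port == 53 and nbytes > DNS_BYTES:
            hits[src] = f"{nbytes} bytes over DNS to {dst}"
        elif nbytes > EXFIL_BYTES:
            hits[src] = f"{nbytes} bytes to {dst} on {proto}/{port}"
    return hits

def pivot_to_host_logs(hits, logs):
    """Pivot from flagged hosts into host logs to recover user and process context."""
    return {src: [line for line in logs if line.startswith(src + " ")] for src in hits}
```

Running `pivot_to_host_logs(hunt_exfiltration(FLOWS, "10.20.0.0/16"), HOST_LOGS)` yields the two flagged hosts with their user and process lines, which is the context needed to decide whether the hypothesis held.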
And finally, he says, knowing the lay of the land and where attackers may hide is a key element of hunting.