The Unconventional Guide to Cyber Threat Intelligence
Darktrace_WhitePaper_Needle_final
1. Finding a needle in a haystack:
The continuous approach to cyber defence
WHITE PAPER
2. 2
Executive Summary
The innumerable different ways and forms in which a potential cyber threat may present itself makes the task of foiling
cyber-attackers extremely difficult, and all the more so, given the sheer noise and complexity of today’s computer
networks.
How do you find a needle in a haystack, when the haystack is growing incrementally every day? And how do you define
the needle? With millions of versions of sophisticated malware circulating, thousands of users accessing data, hundreds
of supply chain companies and partners walking in and out of your digital premises every day, knowing what to look for
is not obvious.
Indeed, we are faced with the challenge of finding the needle – the first signs of a compromise or a breach – without really
knowing how to characterise it. We know it is there, but we don’t know where it is, how it is behaving or what its objective
is. This unknowable nature requires a detection approach that is radically different to traditional methods, which may
spot behaviours that have been strictly defined in advance, but are incapable of spotting fast-moving, intelligent and
human-driven threats.
The old, rules-based security stack has inevitably led many companies to spend far too much time chasing after pre-
identified threat vectors, in a continual game of catch-up. No sooner is one vulnerability patched than another one raises
its ugly head, and resources are invested in reactive damage control. The reality is that it is nearly impossible to second-
guess how a cyber-attack will start and finish, at the more advanced (and most dangerous) end of the threat spectrum,
as ongoing cyber-attacks continue to demonstrate.
Our inherent vulnerability to sophisticated attackers today requires a company-wide response, uniting all business units
in a continual process of informed investigation and action, based on evolving evidence of the real potential threats that
an organisation faces at any one time.
The state of cyber-attacks today requires us to go beyond simply finding the needle in the haystack, and get a grasp on all
the unknowable yet ‘strange’ things that are happening beneath the surface of our busy organisations. Companies must
consider cyber security as an on-going process of self-evaluation and informed actions - not as a state of perfection to
be achieved and maintained.
The threats that exist today to your company’s reputation, financials and operations must be kept in constant check to
stop them spiralling out of control and into the headlines. To do this, it is critical to separate out the threats that we can
live with, from the ones that have the potential to inflict existential harm. So a real challenge at the heart of our imperative
for ‘good cyber security’ is one of discovery – of knowing, ahead of time, about the threats that you are going to really
care about.
A continuous approach to cyber security accepts that ongoing cyber threat is an inevitable part of doing business. But
it can be managed by continually assessing your digital landscape for emerging risks and taking remedial action when
necessary. A constantly vigilant approach is only useful, however, if you have the technology and means to be able to parse
the haystack intelligently and at speed. Applying a self-learning methodology to filtering and prioritising the informational
leads that exist within each organisation, companies are empowered to find all forms of inconspicuous threats hiding in
the haystack – and dealing with them in a way appropriate to their specific environment, before they become a problem.
3. White Paper
3
Block them… or clean up afterwards
A large part of the security market today is centred
around the function of blocking threat from the outset.
Anti-virus, firewalls and signature-based tools try to stop
the bad guy getting in. The heyday of such preventative
solutions has now passed, as cyber-attackers continue
to demonstrate their capability of getting round these
perimeter controls.
Guarding the perimeter is a necessary and a valid
defence against many threats, but it is only the first
step in any organisation’s modern security strategy.
Most corporate networks are compromised already to
some degree, with threats that have sidestepped rule-
based controls at the door.
The other major component of traditional defence
consists of reacting to a breach or attack, through
incident event management. Skilled cyber practitioners
with experience of how cyber-attacks work are
mobilised in the wake of an attack, and perform high-
value investigation work, deconstructing the attack,
understanding methods used and sharing their insights
with the wider community for threat intelligence feeds
and rule updates.
Mind the gap and investigate
Blocking tools and clean-up services are important
parts to any security strategy, but a conspicuous gap
exists between these two functions of prevention (of
infiltration) on the one hand, and reaction (to breaches
and attacks) on the other. This gap spans from the point
of network infiltration, to the point of data exfiltration
or damage done. This critical window of opportunity,
where the threat is propagated and does its most
high-value work, is a no man’s land in terms of cyber
defence.
Our collective failure to detect in-progress attacks is
evident. The average time it takes to detect a malicious
cyber-crime is 170 days, while attacks involving
malicious insiders with access to the network take an
average of 259 days to uncover. The planning and
execution of cyber-attacks is happening within the
network, without anyone being aware until far too late.
Given this deficiency, efforts are now focused on
shifting the emphasis from the prevention mechanisms
that have failed to live up to all their promises, and
onto ‘continuous monitoring’ or ‘situational awareness’.
A constantly evolving environment
There are two moving components that challenge
us as information security professionals: the digital
environment that we strive to protect, and the threats
that jeopardise this goal.
The inside of our organisations are rarely pretty.
The modern enterprise must be open to the world,
and hyper-connected to customers, supply chain
and partners, as well as to their own employees or
contractors. The sheer volume of data being passed
around amongst these parties and to the outside
world has made for extremely noisy and complex
environments. Added to this, technology is constantly
being revised and replaced, people come and go, and
network architectures are in constant flux.
This increasing connectivity has allowed us to be
efficient and competitive, but has also made the
network a dark and unknowable place for many.
The theory of the network architecture is typically
undermined by the reality of what is actually going on
– a large haystack has been created over time, tweaked
and changed by different operators and has become
difficult to navigate and easy to get lost in.
Threat actors take advantage of this complexity in order
to hide within your systems. Threats are often changing
as fast, and often faster, than your own environment,
driven by a combination of skilled humans and smart
tools. While many lower-level threats may be stopped
on entry, the reality is that an ‘advanced threat’ or
someone with a degree of knowledge and skill, is able
to bypass these perimeter blockers, and infiltrate the
network with relative ease.
Such threats with real potential to do damage
are constantly adapting themselves – the most
sophisticated attackers learn how to navigate your
environment, understand where interesting data
resides, and tailor their methods accordingly. A human
attacker has a whole range of creative tactics at their
disposal, and only needs to be lucky once.
A constantly-changing environment coupled with
constantly-changing threats has rendered traditional
security solutions inefficient. Guarding the gate has
not stopped the recent major attacks against large
media companies, banks, airlines, retailers etc., instead
propelling them directly into rushed and reactive
incident event management, and damage control. We
cannot find the needle, because we don’t know how to
effectively explore the haystack.
4. 4
Ultimately this means acquiring a good understanding
of what is going on inside our organisations (not just
on the border), in order to assess and prevent specific
events or behaviours that may be ‘of concern’ to us.
Amongst all that hay, what looks like it might be a
needle?
Embracing uncertainty must be central within this
goal of gaining visibility and finding abnormalities.
Businesses and threats move too fast for us to pre-
define beyond doubt what ‘dangerous’ looks like, and
abnormality presents itself in a thousand different
forms. The key characteristic that we can be fairly sure
of is that the so-called ‘threat’ will not be the same as
anything else surrounding it. There is a delta of change,
however subtle, which makes the behaviour of a would-
be attacker stick out as ‘weird’, in contrast to everything
else.
Anomaly Spotlight: Advanced Persistent Attack
Darktracedetectedanomalousbehavioronthenetwork
of a large mobile network provider, with over tens of
thousands of employees and many million subscribers,
which indicated a targeted spear-phish attack on the
server. This type of compromise is prevalent on servers
where the crux of customers’ sensitive data is found,
such as resalable information or billing references.
Telephone providers hold large numbers of extremely
confidential information about location and personal
details, so a breach to their systems has the potential to
cause major reputational damage and loss of integrity.
The goal of this advanced attack however was arguably
more complex than merely acquiring customers’
financial information. The objective would have been
to survey specific customers of the mobile phone
provider in detail. The hackers were attempting to
extract data in a repeatable process in order to track
people’s phone calls, the time and place that calls were
being made, and possibly even the current location of
the mobile device.
Darktrace successfully averted a crisis for this
organization by alerting their security analysts of the
anomalous behavior before any sensitive information
was lost. By catching this threat early, Darktrace
ensured that the established reputation and economy
of the business remained safe.
Intelligence agencies the world over face a challenge
that is comparable in many ways to the cyber security
challenge that businesses are today grappling
with. Tasked with protecting national security, and
concentrating on specific areas of threats deemed to
be of greatest importance, an intelligence agency relies
entirely on intelligence – strands of information from
a variety of difference sources and of differing quality
or reliability. This intelligence points them to areas and
actions that could be considered ‘strange’ – a crime
report, a sighting of someone in an unusual place, an
overheard conversation that contains certain terms, or
an unexpected purchase of certain chemicals.
These snippets of information, or ‘leads’, are monitored
and correlated, allowing agents to piece together a
compelling picture that helps them decide where
to focus their efforts and dedicate resources. Some
snippets will not amount to much on their own, others
will combine to provide critical intelligence that feeds
a deeper investigation. The process of sifting through
and parsing segments of information is a continual
process, which is constantly informing and re-informing
how their time is spent and where to look.
Digital environments – whether a corporate network
or industrial computer system – are similarly full with
different snippets of information, which are necessarily
of varying degrees of interest to the security officer,
depending on his or her business goals and risk
appetite. Some leads may be straightforward policy
breaches, others are behaviours that could be
considered suspicious in some way.
This mass of leads must be looked at and sorted, in
order to form patterns and draw conclusions that
may in turn inform appropriate courses of actions.
Intelligence agencies employ leading cyber analysts
to perform this skilled task, people who apply their
experience of threat patterns and technical know-how
to investigate and determine the strength of differing
pieces of intelligence, based on the available evidence.
For companies tasked with the same challenge,
employing large teams of skilled cyber analysts is rarely
either possible or justifiable. The volume of data and
speed of its travel around the network and across the
wider internet necessitates technology to do the heavy
lifting. New technological advances in cyber security
are capable of intelligently making sense of all this
information, providing a comprehensible oversight
of an organisation’s activities and directly pointing
people to where the problem is. This frees people up
to focus on taking action appropriate to their specific
5. White Paper
5
set of circumstances and empowers them to change
the course of threats, mitigating risky situations before
they need to call in the incident response team.
Automated cyber intelligence
Automation of the filtering process is then therefore
indispensable, if we are to understand where to
spend our time and how to bring about a meaningful
reduction to the risk our enterprises face. Automated
Lead Intelligence is the technology process by which
individual snippets of information are monitored,
correlated and pieced together, to form strong
anomalies that require investigation.
A requirement of this process is technology that can see
the entirety of your network – down to which machine
is talking to which, what files are being accessed by
who, how much data is being transferred, etc. – and
performs advanced analysis on that data in real time.
This smart analysis must be capable of working out
the organisation’s ‘pattern of life’ and, critically, revising
its assessment of normality continually, based on the
evolving evidence that it sees. This perpetual evaluation
cycle allows for the dynamic prioritisation of potential
threats, which may escalate or diminish in seriousness
dependent on the behaviours manifested.
Self-learning, ‘immune system’ technologies are
performing this fundamental function of adaptive,
intelligent monitoring of highly-complex data
environments. Using advanced machine learning and
mathematical techniques, this school of technology
is capable of understanding ‘normality’ and surfacing
statistically anomalous events that are worthy of an
organisation’s investigation.
Knowing if, where and when to take action, and selecting
the appropriate level of intervention or surveillance is
an age-old problem for intelligence agencies – and will
never be a perfect system. But all good decision-making
is dependent on good intelligence. By automating
lead intelligence, companies are empowered with the
visibility of their specific threat landscape that lets
them take action against developing anomalies.
6. 6
Interoperability: an integrated security
stack
With various different security products readily
available, deciphering the marketplace can be a
daunting task. At the forefront of a good security
procurement strategy must be the effective integration
of different components together to deliver a cohesive
model of prevention, investigation and response.
Immune system defensive technology fills the widest
gap in the security stack today, because it sits at the
heart of the organisation, where all the interesting
behaviours happen and where small changes to the
‘norm’ can point to the beginning stages of an attack
lifecycle. Even the most advanced attackers cannot
ultimately hide from the wire – they must move, take
action, change something. The Enterprise Immune
System picks up immediately on those small deltas of
change, amid all the day-to-day noise of the network.
It is critical too that immune system technology is
designed to integrate with the full range of other
traditional security tools, such as log readers, endpoint
security products and anti-virus, allowing the value
that these other solutions may deliver to be enhanced.
The interoperability of the Enterprise Immune System
means that it becomes a central hub of intelligence
that complements other parts of the security
infrastructure, bringing together all forms of leads to
better understand potential threats and help inform
security practitioners.
Anomaly Spotlight: Insider Threat
Through an oversight in the security lockdown, an employee of a large retail company found that they were
able to read all of their colleagues’ emails. Had they immediately reported this mistake, there would not have
been a problem. However, Darktrace detected that the employee proceeded to access company emails in
the same way from their laptop and read all their CEO’s private messages on two separate occasions. In a
surreptitious attempt to remain concealed, the employee then accessed the CEO’s emails on two further
occasions from two separate devices.
As a result of the complete network visibility that Darktrace provides, the company were alerted to this
anomalous behavior and were able to pin point exactly where the inadvertent breach first took place and
each subsequent location, enabling them to identify the employee and take action. In this case, what started
as an accidental oversight, turned into an insider exploiting their own organization with the potential to gain
and take advantage of sensitive information.
Joining the dots
Effective cyber security is ultimately about good people,
technology and process.
Technology is critical to automate lead intelligence,
analysing at speed the vast swathes of data that flow
through the organisation all the time. It does the heavy
lifting, getting through all the noise and distractions of
an organisation’s systems and producing actionable
intelligence about genuine network anomalies.
Empowered by technology, people can focus on the
high-value job of investigating specific events and
taking key decisions, based on their unique knowledge
of their business environment and risk appetite. This
investigative role requires an analytical mind and
technical skill set.
Processes must support the goal of preventing
intrusions where possible, but also fundamentally
enable the perpetual monitoring and reassessment
of the inside of the network, as part of an integrated
continuous approach.
7. White Paper
7
Conclusion
As cyber security is now firmly on the company board’s agenda, we have seen its status escalate and begin to affect all
business units. ‘Cyber’ is no longer simply an IT issue, but a consideration for all parts of the business that interact with
the lifeblood of the organisation – its data.
Boards further recognise that cyber security is not a topic that can be addressed once and for all. Processes must be
implemented so the business is continually assessing the threats that it faces, and readjusting its assumptions, in order
to proactively address issues as they arise, at any moment.
Recent data breaches that have affected major corporations, across the complete range of industry sectors – from energy
to media, transportation to banking, healthcare to legal – demonstrate that investment in traditional, security controls
is not sufficient to protect them, because they fail to adapt to an ever-evolving environment. The advanced persistent
attacker will always find a way in – not to mention the people that are already on the inside.
Today’s leading enterprises view cyber security as a mainstay in their risk management agendas. In order to convert this
attention to a meaningful reduction in risk, companies need to consider whether they have the right technology that
can intelligently monitor the organisation’s activity on a continual basis – without disrupting the business or IT functions.
Critically, this capability must be sensitive to the most dynamic and wily of attackers – ones that do not come up in any
‘threat intelligence’ feed, ones that breach network borders, ones that bypass endpoint controls.
Threats that you do not know exist must nevertheless be found. This is only possible by moving on from rules, and
embracing a continuous and more subtle approach that blends self-learning machine learning with skilled people and
good process. Doing this, we give ourselves the best possible advantage in the perpetual battle against the sharp end of
the cyber-threat spectrum.