Defense in Depth - Predicting Attacks

Thursday, December 10, 2009 by Pam Casale

Simply identifying and responding to attacks may no longer be adequate to protect information assets. Real-time monitoring beats after-the-fact forensic analysis, and actually predicting attacks would beat both. We think that predictive capabilities might be part of the future of SIEM (security information and event management) solutions. We asked Warren Axelrod, an industry speaker and author, what his experience has been with predicting attacks.

From the desk of Warren Axelrod: A while ago I read a whitepaper, “Defense in Depth Strategy Optimizes Security”. It was published by Intel and written by one of their employees at the time, Matthew Rosenquist. Mr. Rosenquist describes the multi-layer approach that Intel takes to security and includes prediction. He states that “prediction capabilities include analyzing emerging threats as well as classifying likely threat agents and their methods.” Whether or not this capability ever becomes commercially available, I believe that attempting to predict attacks will give us an advantage over the bad guys.

I recall a presentation several years ago by Ed Amoroso, CSO at AT&T, in which Ed demonstrated how creators of viruses regularly test out their “products” in advance of a major launch. After all, isn’t that the usual way new products are launched? Ed showed that, for a particular virus attacking through a specific port, you might see sporadic increased activity against the port weeks or even months ahead of the attack. If you collect the data as AT&T does, you can look back to see how this activity might have occurred, but it takes more expertise to anticipate an attack and protect against it going forward. I believe that AT&T has used such a capability to protect clients and themselves from impending attacks.

In my own experience, I discovered some relatively low-level securities account hijacking and pump-and-dump activity months in advance of a major attack of this nature. For those not in financial services, a pump-and-dump exploit is one in which fraudsters buy a substantial inventory of low-priced, thinly-traded “penny stocks.” They then increase the price of the stock through some illegal manipulative activity or other, at which point they divest themselves of their stock holdings at a large profit. While I saw the pattern early, management wasn’t ready to accept this as a red flag for this type of attack on a large scale. Unfortunately, tens of millions of dollars were subsequently lost to this scheme.

These two examples convinced me that it is indeed possible to predict an attack if you’re able to connect the dots fast enough. Maybe Intellitactics is considering giving their SIEM customers the tools to predict impending attacks.
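The kind of signal Ed Amoroso's presentation describes above, sporadic increases in activity against one port weeks before the attack itself, can be surfaced from ordinary connection logs with a trailing baseline per port. The following is an added example written for this page; it is not code from the post, from AT&T or from Intellitactics. Its log format (`YYYY-MM-DD src_ip dst_port`), the 14-day window and the threshold factor are assumptions, and the log it scans is constructed inline.

```python
"""Spot sporadic pre-attack probing of a port, as a leading indicator.

Added example for this page, not code from the post, AT&T or Intellitactics.
It reads per-connection log lines of the form "YYYY-MM-DD src_ip dst_port",
counts connections per destination port per day, builds a trailing robust
baseline for each port and flags days that stand well above it. The log
below is constructed: steady background traffic plus three probe bursts
against 445/tcp, weeks apart.
"""
from collections import Counter, defaultdict
from datetime import date, timedelta
from statistics import median


def build_sample_log():
    """Constructed sample log: 60 days starting 2009-09-01."""
    lines = []
    start = date(2009, 9, 1)
    for i in range(60):
        day = (start + timedelta(days=i)).isoformat()
        for n in range(20):                      # steady web traffic
            lines.append(f"{day} 10.0.0.{n + 1} 80")
        for n in range(3):                       # quiet background on 445
            lines.append(f"{day} 10.0.0.{n + 1} 445")
        if i in (20, 34, 52):                    # sporadic probe bursts
            for n in range(40):
                lines.append(f"{day} 203.0.113.{n + 1} 445")
    return lines


def daily_port_counts(lines):
    """Map destination port -> Counter(day -> number of connections)."""
    counts = defaultdict(Counter)
    for line in lines:
        day, _src, port = line.split()
        counts[int(port)][day] += 1
    return counts


def flag_port_anomalies(day_counts, window=14, k=5.0):
    """Return [(day, count, threshold)] for days above the trailing baseline.

    The baseline for a day is the median of the previous `window` days plus
    k times their median absolute deviation. Median and MAD are robust, so
    an earlier burst inside the window does not inflate the threshold and
    hide the next one.
    """
    days = sorted(day_counts)                    # ISO dates sort in order
    flagged = []
    for idx in range(window, len(days)):
        history = [day_counts[d] for d in days[idx - window:idx]]
        med = median(history)
        mad = median(abs(h - med) for h in history)
        threshold = med + k * max(mad, 1.0)      # floor avoids a zero-width band
        day = days[idx]
        if day_counts[day] > threshold:
            flagged.append((day, day_counts[day], threshold))
    return flagged


def scan(lines, window=14, k=5.0):
    """Port -> flagged (day, count, threshold) list; ports with no hits omitted."""
    result = {}
    for port, day_counts in daily_port_counts(lines).items():
        hits = flag_port_anomalies(day_counts, window, k)
        if hits:
            result[port] = hits
    return result


def lead_time_days(flagged):
    """Days from the first flagged burst to the last one (the warning window)."""
    first = date.fromisoformat(flagged[0][0])
    last = date.fromisoformat(flagged[-1][0])
    return (last - first).days


if __name__ == "__main__":
    for port, hits in scan(build_sample_log()).items():
        print(f"port {port}: {len(hits)} anomalous days, "
              f"{lead_time_days(hits)} days from first to last")
        for day, count, threshold in hits:
            print(f"  {day}: {count} connections (baseline {threshold:.1f})")
```

Run stand-alone, it prints the three flagged days for port 445 and the 32-day span between the first and last burst; port 80, whose count never leaves its baseline, produces nothing. Against real firewall or flow logs the window and factor would be tuned on historical data so that seasonal traffic does not trip the detector, and the flagged ports would then be the ones to harden before the launch the bursts precede.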