![Lead Image © Kurhan, 123RF.com](/var/ezflow_site/storage/images/archive/2015/27/detecting-intruders-with-suricata/123rf34693451_binoculars-searching-man_kurhan.png/112951-1-eng-US/123RF34693451_Binoculars-Searching-Man_Kurhan.png_medium.png)
Lead Image © Kurhan, 123RF.com
Detecting intruders with Suricata
Finder
In the past, network attackers were much like purse grabbers or "smash and grab" muggers: They would find something they wanted, grab the goods, and run. Today's Advanced Persistent Threats (APTs) are much more insidious and dangerous. Instead of smashing and grabbing, attackers can find a way to steal your identity and hang around for a long period of time (see the box titled "Dwell Time"). To thwart this type of long-term attacker, you need a different, more methodical approach.
Dwell Time
Most organizations are already at the 80% threshold in regard to security. Getting to 90% and above requires hard work and smart allocation of resources. A custom framework is part of the solution. In addition, you need to be aware of the attacker lifecycle:
1. Initial attack: The attacker is able to gain access to the system.
2. Lateral movement: The attacker moves from one system to the next, usually by exploiting unsecured systems or trust relationships between systems.
3. Exfiltration: The attacker moves data from the internal network to a remote network.
The key to arresting the hacker lifecycle is to reduce the dwell time – the time between the initial attack and detection. One security professional I know told me that his daily goal is to reduce dwell time from 14 days to 3 days.
The concept of dwell time contradicts the philosophy embodied in many traditional security metrics. Many people still feel the most important thing is to focus on the number of vulnerabilities found and solved. However, a single attacker only needs one vulnerability to get in; the dwell time on the network is often a much better indicator of the severity of the attack and the insecurity of the network. The key to reducing dwell time and creating a truly resilient defense is deceptively simple: Protect the data where it resides.
Focus on pathways
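The box argues that dwell time, not the vulnerability count, is the metric worth tracking. As an added example (not code from the article or from the Suricata project), the following Python script computes dwell time for a set of constructed incident records, reports the median, and checks how many incidents were detected within a goal such as the 3-day target mentioned above. The incident IDs and timestamps are made up for illustration; the `goal_days` parameter is an assumption, not an article value.

```python
from datetime import datetime
from statistics import median

# Constructed sample incidents (not from the article): when the attacker
# first gained access (initial attack) and when defenders detected it.
INCIDENTS = [
    {"id": "INC-001", "initial_attack": "2015-03-01T08:15:00", "detected": "2015-03-02T11:00:00"},
    {"id": "INC-002", "initial_attack": "2015-03-03T22:40:00", "detected": "2015-03-20T09:30:00"},
    {"id": "INC-003", "initial_attack": "2015-03-10T13:05:00", "detected": "2015-03-12T13:05:00"},
    {"id": "INC-004", "initial_attack": "2015-03-15T02:00:00", "detected": "2015-03-29T02:00:00"},
]


def dwell_time(incident):
    """Dwell time = detection timestamp minus initial-attack timestamp.

    Returns a datetime.timedelta. A detection that precedes the initial
    attack is a data-entry error, so it is rejected rather than reported
    as a negative dwell time.
    """
    start = datetime.fromisoformat(incident["initial_attack"])
    end = datetime.fromisoformat(incident["detected"])
    if end < start:
        raise ValueError(f"{incident['id']}: detection precedes initial attack")
    return end - start


def dwell_report(incidents, goal_days=3):
    """Summarise dwell times across incidents.

    goal_days is a hypothetical target (the article quotes a 3-day goal).
    Returns per-incident dwell time in days, the median, the IDs that met
    the goal, and the percentage that met it.
    """
    days = {i["id"]: dwell_time(i).total_seconds() / 86400 for i in incidents}
    within_goal = sorted(k for k, d in days.items() if d <= goal_days)
    return {
        "dwell_days": days,
        "median_days": median(days.values()),
        "within_goal": within_goal,
        "pct_within_goal": 100.0 * len(within_goal) / len(days),
    }


if __name__ == "__main__":
    report = dwell_report(INCIDENTS, goal_days=3)
    for inc_id, d in report["dwell_days"].items():
        print(f"{inc_id}: {d:.2f} days")
    print(f"median dwell time: {report['median_days']:.2f} days")
    print(f"within goal: {report['pct_within_goal']:.0f}% ({', '.join(report['within_goal'])})")
```

Tracking the median (and the share of incidents meeting the goal) rather than the mean keeps one long-undetected intrusion from masking whether the typical detection is getting faster.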