Free Newsletter
Register for our Free Newsletters
Access Control
Deutsche Zone (German Zone)
Education, Training and Professional Services
Government Programmes
Guarding, Equipment and Enforcement
Industrial Computing Security
IT Security
Physical Security
View All
Other Carouselweb publications
Carousel Web
Defense File
New Materials
Pro Health Zone
Pro Manufacturing Zone
Pro Security Zone
Web Lec
Editor's Blog and Industry Comments

Sniffing out attackers from within

10 January, 2017
Jonathan Newell met LightCyber to discuss how cyber attacks can still be thwarted even when intruder detection methods have failed

With so many products on the market to prevent intrusion, detect malware and keep the doors into your IT domain tightly closed and barricaded, it isn't as easy as it once was to gain access to sensitive data and user accounts. For a long time, constructing these barricades has been one of the main focuses of the IT security industry with less thought being given to intruders that may already be on the network and indeed may have been for a long time.

No perimeter defence is infallible and intruders are persistent, not giving up at the first hurdle that they come across. Once they're inside the perimeter, it can be a long time before they're detected and during that time they can wreak havoc.

To discuss ways of overcoming this and adding extra layers of security to detect and eliminate the intruder within, I met LightCyber in central London for pre-Christmas lunch and a demonstration of their behavioural attack detection platform.

Intrusion inevitability

The premise on which the system is based is that intrusions will take place and without behavioural detection software, there's little that can be done to detect what's going on within the network once an intruder has gained access. Such intrusions could occur from countless sources. With an increasingly mobile workforce, being tempted to connect through an insecure network whilst on the hoof is a common way of gaining access through a compromised device.

The "Bad4all" Wi-Fi hot spot set up by LightCyber in our meeting room wasn't quite the benevolent gesture to provide connectivity on the move that it first seemed. Releasing the dormant hacker that's within all IT security company's technical staff, LightCyber's cyber ace Peter Nguyen invited me to connect so he could show how easy it is to use widely available tools to hack a computer and record everything that's typed on it.

The goal isn't just to gain access to an endpoint, but to use this to siphon off user credentials to valuable networks. Once retrieved, the hacker has the same privileges as the user that's been hacked. The hacker can log onto the network as that user and has immunity to any perimeter security measures that are in place.

Legitimate data access

In this example, using legitimate credentials to access a network, other protective measures are also compromised. An example is encryption. Most important data is encrypted and some (such as credit card numbers) must be hashed and accessing this data at rest is extremely difficult. Accessing such tables as an authorised user through password control decrypts it.

Currently, the dwell time between a hacker gaining access to a network and being detected is five months, according to LightCyber. During that 5 months, the damage that could potentially be caused is incalculable.

Behaviour is the key

To overcome this problem, LightCyber concentrates on the detection of behavioural anomalies within the network rather than trying to protect the boundaries. Strange behaviour patterns can be demonstrated by users or endpoints and can include Internet of Things (IoT) endpoints.

All elements of a network have expected behaviour patterns. For example, a shop floor machine tool in a factory may send small packets of data across the network to a computer with machine monitoring software, connections to other devices would be abnormal. A user in the accounts department wouldn't normally be expected to download large quantities of data from the engineering design department.

The LightCyber software learns such expected behaviour patterns and adds it to the information it has about behaviours that are always considered abnormal, whatever the network. During a period of 2-3 weeks from first installation, the software builds a comprehensive profile of network behavioural expectations and can then reliably raise alerts when something abnormal occurs on the network.

Typically, on a network of at least 250 endpoints, LightCyber will raise approximately 1 alert for every 1000 endpoints, a considerably more managable number than the 100s or 1000s of alerts raised by systems that trigger based on other parameters such a spam link detectors.

The behaviour of things

The ability of LightCyber to apply its behavioural detection technology to machines as well as office systems puts it firmly into the frame for securing the Industrial Internet of Things (IIoT), a nebulous collection of connected devices that could number billions and cover such critical applications as traffic management, energy generation and healthcare.

Whatever the application, whether industrial or otherwise, behavioural detection technology can sort out the benign from the malicious and could have a significant effect on securing billions of devices.

Read LightCyber's 2016 Cyber Weapons Report

Jonathan Newell is a broadcast and technical journalist specialising in security systems and transport safety. He contributes to a range of titles in the technical press. He shares his time between the UK and Kazakhstan

Bookmark and Share