Automating the hunt for cyber attackers
In this podcast recorded at Black Hat USA 2017, Mike Banic, Vice President, Marketing, and Chris Morales, Head of Security Analytics at Vectra Networks, talk about the use of artificial intelligence to perform non-stop, automated threat hunting with always-learning behavioral models to find hidden and unknown attackers before they do damage.
Here’s a transcript of the podcast for your convenience.
Hi, this is Mike Banic with Vectra Networks, and I’m here with Chris Morales, Head of Security Analytics.
Chris, before you joined Vectra, you were an analyst at NSS Labs. That last role must have afforded you a pretty broad view of the security market. Why did you choose to join Vectra?
A lot of people know NSS Labs for testing security efficacy, but we didn’t just test how effective tools were, we also looked at usability. We gained a lot of very hands-on experience, and even further, we didn’t just do product testing. I spent a lot of my time personally developing security processes and architecture for clients around our consulting services. That experience taught me that a hundred percent prevention wasn’t realistic and we need to focus on resilience. The way I define resilience is that you basically just need to assume the breach, and you need to focus on reducing the impact.
I learned that time is everything. For this reason, my research focused heavily on two areas: security architecture designed to reduce the attack surface and slow the attackers, and also, more importantly, threat hunting and incident response processes that were designed around how you make the analyst faster at finding threats and faster at being able to respond. It’s very important in security in this day and age to be able to slow down an attacker and to speed up the defender. It’s a race.
You recently authored a white paper titled, “Automating the SOC with AI.” Can you share some of the impetus for writing it?
One of the key reasons I did, to answer your earlier question about why I came to Vectra, is that I found out and I learned that processes written around Vectra were faster and more efficient than anything I was able to write myself without Vectra, with existing technology. So I was compelled to come here, and that led to the white paper around automating the SOC with AI.
Having learned again about cyber resilience, organizations’ need to survive attacks, I also realized it’s crazy to believe that we can stop every attack, and we do have to assume the breach to reduce the impact. I’ve said that before, and again, this is a philosophy; with this thought in mind, what I notice is that security operations needs to focus on three key areas: detection, response and prediction.
Prevention becomes a function of operations, of IT operations, and is not something that a smart security analyst should be focusing their time on. They need to think about the attacks that are already in. What that means specifically is analysts need to continuously hunt for attackers already on the inside; they need to be able to respond to these threats, and specifically threats that can cause real damage, not media threats, not different things they solve, but threats that are focused on them, that are targeted, and that are going to hurt the organization.
Finally, an organization needs to be equipped to learn from these attacks, and this doesn’t get done enough. They need to understand what their actual attack surface is and what their real exposure is; they need to know the kind of attacks that are targeting their industry; if it’s healthcare or education it could be different. They need to combine all this knowledge and they need to predict what kind of attack can happen next, and prediction becomes very important.
In short, they need to know where the exposure is on their network to an attacker, they need to know what the motives of the attackers are, and they need to know where they need to focus their time and energy.
Doing all the above is not easy; it’s not even humanly possible. Trying to do it quickly is borderline crazy, and what I’ve learned is that enterprises have three choices here. They can either hire lots of highly skilled people: a good SOC, I’ve learned, needs at least ten, ten to fifteen, I’ve seen them up to twenty, to work, and we’re talking about really smart people. They’re hard to find. There are over a million open jobs right now, by the way. The second option is they can provide some level of automation and artificial intelligence to augment the existing analysts they already have to be more effective, so they can take a smaller group and do more, and do it faster. Or option three, unfortunately, is to give up, and that happens a lot.
I clearly believe the correct and most achievable option here is to augment with artificial intelligence, which is again why I am with Vectra, and this white paper on automating the SOC covers those bases. It was written based on real-world experience we had with existing Vectra clients where we have achieved highly functional and very successful security operations.
So with respect to detection, can you be specific about the role of AI?
Detection is easily the most obvious spot or area to start with AI, and probably the most important. Threat hunting is already hard, and threat hunting 24/7 is unrealistic, I said that before, and current detection methods focus on finding malware at the perimeter. They’re trying to stop things coming in, but they’re not spending a lot of time looking for the guy who’s already there.
Threat hunting requires an understanding of how attacks really work, how attackers really do things, and what attacks look like, which is beyond malware. Often malware is not part of that. Threat hunting also requires innate knowledge of the organizational environment itself: things such as who administers what servers, where workstations are; there are a lot of factors in that. Threat hunting also needs to consider the entire attack surface – from users to data center, to IoT, to cloud environments. This is a really big ask for humans. No matter how good they are, this is a lot to ask from a person. Machines, however, are very good at this tedious type of work. Machines are also very good at remembering things they learned when given the correct direction on what they should be learning.
What Vectra does is combine the intelligence of a team of security researchers with decades of combined experience in attacking networks with the intelligence of a team of data scientists with decades of experience in developing machine learning algorithms. By working together, they can teach the machine not just what is different on the network, which, by the way, I don’t know when being different became bad, you know. Steve Jobs used to tell people “Be different”; now we tell people difference is bad. But instead of focusing on being different, we focus on what an attacker really does and what attack behaviors are. The machine is able to watch the network 24/7 and alert the analysts not just when something happens, but when that thing is something they should really care about – like someone stealing data or ransomware targeted at the company – as it happens, not after it happens.
There are a lot of people who are talking about AI-washing by vendors today; do you have data that substantiates the claims that Vectra makes?
Absolutely, and for us, that’s easy. What I’ve learned is that any company that has real data scientists must therefore have real data; it’s just the nature of data scientists. And so a lot of people, when they have a machine learning algorithm to improve their detection, they don’t really have a lot of data behind that; they’re just trying to prove their intention.
We try to focus on improving the analysts themselves, and I would say personally, one of the best parts for me working at Vectra in my current role as head of security analytics is that I get to analyze this data on attacker behaviors across multiple industries on a regular basis. I get to see hundreds of deployments with millions of hosts, and here’s what we’ve learned from this data.
We’ve learned that across every thousand IP addresses within an organization, you’re going to see around 841 security events, and security events are every type of anomaly; there’s every type of little thing, there are all kinds of things to care about. Of those security events, we find that we can distill those down to about 65 detections, and this is per thousand addresses. Of those 65 detections, we find that gets down to 29 hosts that actually had something happen with multiple behaviors on it, and most importantly, we find that for every thousand hosts there are 5 hosts that are considered critical or high risk that really matter. This is why we need to focus on their time.
From this analysis, are you finding that there are conclusions that are specific to different vertical industries?
Absolutely. So while we see that attackers have access to the same tools, the motives and attack surface for every industry are not the same. Examples here: healthcare has doctors saving lives, we all hear that; they also have patient records; they also have a very large exposed attack surface for medical devices, because doctors save lives, they can’t lock things down. Huge IoT there, and health records are worth a lot. So what’s interesting is ransomware seems to be rampant here. They’re continuous, every day.
We see very controlled environments within financial services as a different example, where they have high levels of maturity for response. They’ve spent a lot of time around this, they’ve thought about money, very strong teams. But even in those areas with that very mature response, we’ve seen a large influx in attacks against IoT, like exposed IP video cameras in the bank hosting botnets, or even ATMs trying to do things out of sequence. Like, people don’t think about what an attack surface is.
Higher education, that’s a tough one. They have to contend with large student environments which they not only need to protect, but which very well might be ground zero. We often find the hackers are coming from universities. They also have large research environments with a lot of interesting intellectual property. The very same students that are designing things in our future are also the same ones that could be the problem, or, if not the problem, they’re bringing it in. Every university we’ve ever looked at has large botnets in the student body. Higher education has to build gaps between administrator systems and the students, where their response is segmenting the two, sometimes in air gaps.
We see interesting things in these open environments. I really like getting data from universities – like students downloading legitimate free AV from China that wants to port all your data back to China. It’s interesting, but it’s also concerning when you have research that shouldn’t be leaving the country.
Vectra doesn’t sit in line in traffic, which means it’s not able to block things that are malicious. Can you illustrate how Vectra can help SOC personnel respond to things you detect?
I mentioned earlier, the problem with responding to an attack is that the response varies depending on the organization and the attack. Security operations might and should have dozens of playbooks catering to every imaginable scenario. I like to picture them as fire drills; you need action plans. This idea that you have malware and an AV will block it is very outdated and it’s not realistic, but what it means is that you might need network access controls in one scenario, or it might be acceptable to block a single process in another.
Vectra has taken this into account and it understands this, and we develop our AI to provide outputs through industry-standard APIs that you can use anywhere. It allows for integrating Vectra AI intelligence into whatever response methods are appropriate. To further this, Vectra also fully supports automation orchestration platforms such as Demisto and Phantom. It’s very important for interoperability between tools; they’re designed to be best of breed, so they can focus on doing what they do best and we can all work together.
With partnerships being pretty critical, can you give people an example of the range of partners that are supported today?
Yeah. On the endpoint, we’re looking at endpoint detection and response tools such as Carbon Black, Tanium, and CrowdStrike. They focus heavily on isolating hosts, killing processes. For network access controls, we partner with Cisco and ForeScout to isolate entire devices off the network. Even with firewalls, we partner with Cisco, Palo Alto, Juniper.
A lot of focus there is around blocking the initial command and control, exfiltration tunnels, ways people are trying to get data. And then lastly, our client base, they all have SIEMs, and we partner with all the big ones: ArcSight, QRadar and Splunk. SIEMs provide a really good operational point and a really good starting point for threat or forensic investigations.
So the notion of AI and prediction to me sounds a little bit sci-fi; can you make this a little bit real for average folks?
You know, one thing to tell people is that with AI, they think of general AI, which is like Terminator, a self-thinking machine, but what we’re really doing here is focused AI. This is an AI that’s been trained to understand attacks, and attack behaviors specifically. So what we realize is that while we’re looking for attack behaviors, we’re starting to see things that create risk on a network, such as applications that have SQL injection built in and the application’s behaving badly, or administrators doing things they shouldn’t.
You start to see the exposure and you start to see hidden threats that others missed; you start to see things like, “Okay, well this guy was using SolarWinds off the Wi-Fi network, he’s an admin, or he’s using RDP from home because he wants to work from home, and he’s backdoored your whole VPN.” You start to see these exposures where you’re like, “Wow, I’ve just exposed my network and it’s open, and there are real-time vulnerabilities.” As we start to get into predictive analytics, we can start to learn these behaviors in the network, that these guys shouldn’t do that and should do that, and start reporting. It’s not an attack, but it’s not something that should be happening, and you know it could lead to an attack.
Oh yeah, so I have a question for you actually, Mike. You know, here at Black Hat, we’ve got some big billboards up over the Hollywood Boulevard, and I saw them in the airport as well, and everywhere I walk. Vectra’s introduced Cognito; can you tell us more about this guy?
Yes. So here at Black Hat, we’ve introduced a new brand for our software. It actually came from customer input. We had customers saying things like “With Vectra software I’m actually able to reduce threat investigations from many hours to minutes.” I mean, people say, “I’m able to use Vectra software to enable an intern to do the job of a tier one analyst that I can’t even find in the marketplace to hire,” and we’ve had customers like Pinterest tell reporters, “I’m actually using Vectra as head count augmentation.”
All this gave us an idea. It’s like, well, if our product is actually serving to fill an important gap, enabling people to do their job better, why don’t we actually market it that way? And so we created this personality, Cognito, and it’s ever present on the Las Vegas Strip and in our booth. If anybody’s here at Black Hat, seek us out and find a T-shirt, or reach out to your sales team; that’s a way to learn more about Vectra and Cognito, and how AI can actually help automate security operations.