There are three words to explain why IT professionals need a dose of healthy paranoia: Advanced. Persistent. Threat.
The term "advanced persistent threat" was coined in 2006 to differentiate such attacks from hacktivists and opportunistic attacks. Advanced persistent threats bypass or thwart traditional IT security tools such as IPS/IDS and firewalls by using approved ports, stolen credentials, and even stolen private keys. These attacks take months, even years, and therefore are usually attributed to state-sponsored organizations or well-organized criminal groups intent on stealing valuable data.
Advanced persistent threats have grabbed significant attention in recent weeks. Consider the following headlines:
- JPMorgan Hackers Came In the Front Door -- in June. Two Months of Mayhem – Bloomberg: "With sophisticated tools, the intruders reached deep into the bank's infrastructure, silently siphoning off gigabytes of information, including customer-account data, until mid-August."
- U.S. Hospital Breach Biggest Yet to Exploit Heartbleed Bug: Expert – Reuters: "The hackers used stolen credentials to log into the network posing as employees, Kennedy said. Once in, they hacked their way into a database and stole millions of social security numbers and other records, he said."
- U.S. Finds 'Backoff' Hacker Tool Is Widespread – New York Times: "The hackers use those footholds to crawl through corporate networks until they gain access to the in-store cash register systems. From there, criminals collect payment card data off the cash register systems and send it back to their servers abroad."
How Wire Data Analytics Can Help

In response to this relatively new threat, IT organizations should no longer concentrate their defenses only at the perimeter of the network. Instead, in addition to traditional perimeter defenses, IT professionals need to be able to identify abnormal and suspicious behavior inside the perimeter, even if it looks like it is coming from an approved user. In other words, a little more paranoia is needed in enterprise IT, especially if your organization deals in data that would be valuable to state-sponsored or criminal groups.
ExtraHop equips security-conscious IT teams with the context and visibility they need to understand what is abnormal and suspicious behavior. As Solutions Architect John Smith wrote earlier, ExtraHop works as a CCTV for your datacenter that helps to spot data exfiltration. Vincent Yesue, another member of the Solutions Architecture team, wrote a separate post about how to create rule sets to define and alert on abnormal activity using ExtraHop.
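The "spot what is abnormal, even on an approved port from an approved host" idea can be shown concretely with a small baseline-and-deviation detector. The following is an added example, not ExtraHop's code; it assumes per-hour flow summaries of the form (hour, client, server, server_port, bytes_out) have already been produced from wire data, and all records in it are constructed sample data. It learns each client's normal hourly outbound volume and set of destinations over a baseline window, then flags an hour in which a client sends far more than its own norm, contacts a server it has never used, or has no history at all:

```python
"""Baseline-and-deviation detection over wire-data-style flow summaries.

Added example (not ExtraHop's code). Assumes per-hour flow summaries of the
form (hour, client, server, server_port, bytes_out); the records below are
constructed sample data.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows. Everything rides the approved port 443, so a
# port- or firewall-based rule sees nothing unusual. Hours 0-5 form the
# baseline; hour 6 is a normal hour; in hour 7 host 10.0.1.7 pushes ~42 MB
# to an external server it has never contacted, and 10.0.1.99 appears with
# no history at all.
FLOW_RECORDS = [
    # hour, client,      server,          port, bytes_out
    (0, "10.0.1.7",  "203.0.113.10",  443,  1_200_000),
    (1, "10.0.1.7",  "203.0.113.10",  443,  1_050_000),
    (2, "10.0.1.7",  "203.0.113.10",  443,  1_300_000),
    (3, "10.0.1.7",  "203.0.113.10",  443,    980_000),
    (4, "10.0.1.7",  "203.0.113.10",  443,  1_150_000),
    (5, "10.0.1.7",  "203.0.113.10",  443,  1_220_000),
    (6, "10.0.1.7",  "203.0.113.10",  443,  1_100_000),
    (7, "10.0.1.7",  "203.0.113.10",  443,  1_000_000),
    (7, "10.0.1.7",  "198.51.100.77", 443, 42_000_000),
    (0, "10.0.1.8",  "203.0.113.25",  443,    800_000),
    (1, "10.0.1.8",  "203.0.113.25",  443,    850_000),
    (2, "10.0.1.8",  "203.0.113.25",  443,    790_000),
    (3, "10.0.1.8",  "203.0.113.25",  443,    830_000),
    (4, "10.0.1.8",  "203.0.113.25",  443,    810_000),
    (5, "10.0.1.8",  "203.0.113.25",  443,    820_000),
    (6, "10.0.1.8",  "203.0.113.25",  443,    815_000),
    (7, "10.0.1.8",  "203.0.113.25",  443,    840_000),
    (7, "10.0.1.99", "203.0.113.10",  443,    300_000),
]

BASELINE_HOURS = range(0, 6)


def build_baseline(records, baseline_hours):
    """Per client: (mean hourly bytes_out, population stdev, servers seen),
    computed over the baseline window only."""
    hourly = defaultdict(lambda: defaultdict(int))
    servers = defaultdict(set)
    for hour, client, server, _port, nbytes in records:
        if hour in baseline_hours:
            hourly[client][hour] += nbytes
            servers[client].add(server)
    baseline = {}
    for client, per_hour in hourly.items():
        # Hours with no traffic count as zero so quiet hours lower the mean.
        samples = [per_hour.get(h, 0) for h in baseline_hours]
        baseline[client] = (mean(samples), pstdev(samples), servers[client])
    return baseline


def find_anomalies(records, baseline, hour, z_threshold=3.0, min_rel_sigma=0.05):
    """Return sorted (client, kind) findings for one hour.

    kind is 'volume' (outbound bytes far above the client's own baseline),
    'new_destination' (a server never seen in the baseline) or 'no_baseline'
    (a client with no history, which deserves a look on its own)."""
    totals = defaultdict(int)
    new_servers = defaultdict(set)
    for h, client, server, _port, nbytes in records:
        if h != hour:
            continue
        totals[client] += nbytes
        known = baseline.get(client, (0, 0, set()))[2]
        if server not in known:
            new_servers[client].add(server)

    findings = set()
    for client, total in totals.items():
        if client not in baseline:
            findings.add((client, "no_baseline"))
            continue
        mu, sigma, _ = baseline[client]
        # A very flat baseline would make tiny jitter look like a 3-sigma
        # event, so enforce a floor on sigma relative to the mean.
        sigma = max(sigma, min_rel_sigma * mu)
        if sigma > 0 and (total - mu) / sigma > z_threshold:
            findings.add((client, "volume"))
        if new_servers[client]:
            findings.add((client, "new_destination"))
    return sorted(findings)


if __name__ == "__main__":
    base = build_baseline(FLOW_RECORDS, BASELINE_HOURS)
    for hour in (6, 7):
        print(f"hour {hour}: {find_anomalies(FLOW_RECORDS, base, hour)}")
```

Hour 6 produces no findings; hour 7 flags 10.0.1.7 for both volume and a first-contact destination and 10.0.1.99 for having no baseline, while 10.0.1.8 stays quiet. The per-client baseline is the point: a global threshold would either miss a low-volume host being drained or drown in alerts from a legitimately busy one, which is why the text stresses spotting deviation from what is normal for that user rather than simply inspecting the port or the credential.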