Why It’s So Hard to Detect Advanced Persistent Threats

If CISA were to issue an alert tomorrow warning organizations of a widespread SolarWinds-style attack that had begun months earlier, how quickly could your organization determine if and when it was impacted? Would your SOC analysts have capabilities for quickly identifying signs of the attack in historical network data?

If you’re not an ExtraHop customer, then your answer will probably be no. Many organizations lack the ability to identify advanced persistent threats, new malware, and zero day exploits that have been hiding in their environments for weeks or months because they rely on tools based on known indicators of compromise (IOCs) that only detect IOCs going forward. They they can’t run them on older network data. They can only run them on future data, which leaves them with significant blind spots.

Consequently, many organizations are forced to spend days and sometimes weeks conducting manual searches of historical network data to look for IOCs. These cumbersome manual searches of data–sometimes involving hundreds, or even thousands, of IP addresses–often take place during active cybersecurity emergencies, slowing down investigations and breach response.

An example of this challenge came during the 2020 SolarWinds SUNBURST attack, which security researchers discovered months after the malware spread. New network data couldn’t show signs of a long-standing SUNBURST compromise, because it only showed signs of a new infection.

In the aftermath of SUNBURST, organizations lacked an easy and cost effective way to search through past network data for recently discovered, but long active, threats. Some organizations spent weeks trying to find out if they were breached. This scenario remains the case for many organizations today, with average attack dwell time at 24 days, according to Mandiant, and new IOCs, in many cases, not available for months. Oftentimes, organizations lack a process for double checking past network data for anything they may have previously missed.

ExtraHop, however, helps organizations with this threat visibility challenge, by offering a unique service, called the cloud record store, which enables immediate access to 90 days’ worth of in-depth network data and allows for cloud-based queries of the data. The cloud-hosted record store provides the cost-efficient flexibility and scalability required to store huge amounts of packet and related telemetry data.

Since SUNBURST, ExtraHop customers have been able to use its Reveal(x) 360 network detection and response solution to automatically search through historical network data in the cloud record store for IOCs associated with high-profile cyberattacks and zero-day exploits like SUNBURST, Log4Shell, Spring4$hell, and REvil ransomware, as well as other IOCs that were just added to threat intelligence feeds.

In addition, the cloud-hosted machine learning capabilities built into Reveal(x) 360 are capable of continuously analyzing billions of events to cut through the noise, eliminate false positives, and prioritize relevant threats.

The lack of visibility into long-running, but undiscovered, cyberthreats remains a serious issue for organizations that lack tools to look back into past network data for cyberthreats their traditional, signature-based solutions missed. ExtraHop is committed to ensuring that customers have a complete picture of past, present, and future threats. Learn more about our commitment next week during RSA Conference.