In this episode of “In 2 Minutes,” we address the challenge of finding a way to quickly know whether your systems have been compromised. We have all heard the stories about organizations taking more than six months to figure out that their systems have been breached. By then it is, of course, far too late: the data has already been exfiltrated or the damage has been done.
Often it is not even the victim organization that discovers the breach. It can be a third party that stumbles on the data that was supposed to be protected.
So assuming that you have a great recovery plan in place – how do you know when to implement that plan?
Since the 1980s, many have relied on Syslog to monitor what is happening in their systems, hoping to spot an active command and control channel or some other anomaly that will tip them off to a breach. For the most part this has been ineffective because of the large number of false positive alerts it generates. We all know what happens when there are too many alerts: if everything is an emergency, nothing is.
So we went looking for a modern solution. We spoke with Chris Brenton who is the COO of a startup company named Active Countermeasures.
Active Countermeasures offers a product they call AI Hunter. It has two components: a network probe that monitors all traffic headed out toward the internet, and a front end, the user interface that an analyst works in.
AI Hunter specifically looks for an internal system that is calling out to a command and control server. For example, if one of your internal systems is periodically sending out what could be a beacon signal, you would probably want to know what it is and where it is directed. If it is headed to China and you have no offices or customers in China, that could be a problem.
This traffic could be coming from an IoT device, say a camera, that produces no logs of its own. Active Countermeasures says that AI Hunter can alert your security analyst to this type of traffic.
AI Hunter uses a scoring system to help analysts quickly and effectively respond to events that are suspicious. The threat score it delivers is based on several criteria such as traffic to blacklisted sites or the misuse of certificates, for example.
Chris told us that they intentionally designed AI Hunter so that it doesn’t require a highly trained threat hunter to use their interface. In fact, he says that help desk people without extensive training can monitor and track down potential threats.
Simplicity is key for AI Hunter. It is not trying to monitor and decipher your system logs. There are no agents to deploy. It strictly monitors the connection between your internal network and the internet.
They analyze data in 24-hour chunks, so even if a beacon is programmed to call home only once an hour, a day's window still yields two dozen connections to examine, which is enough to judge how regular the pattern is.
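As an added illustration of the kind of analysis described above (this is not AI Hunter's code and does not describe its actual scoring), the script below scores how regularly each internal host contacts each external destination across a 24-hour window of outbound connection records. The one-line log format, the host addresses (taken from the documentation ranges 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24) and the thresholds are all constructed for the example:

```python
"""Toy beacon detection over a 24-hour window of outbound connections.

Added example, not AI Hunter's code. A beacon calling home once an hour
leaves 24 near-evenly spaced connections in a day; human browsing is
bursty and irregular. Scoring the regularity of the intervals between
connections separates the two.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed records: "<UTC timestamp> <internal src> <external dst>".
BASE = datetime(2024, 3, 1, 0, 0, 0)
# Seconds of jitter on each hourly beacon; first and last are 0 so the
# mean interval works out to exactly 3600 s.
JITTER = [0, 7, -5, 12, 3, -9, 4, 0, 6, -3, 11, -7,
          2, 8, -4, 5, -10, 1, 9, -6, 3, 7, -2, 0]


def build_sample_log():
    """Hourly beacon with a few seconds of jitter, plus irregular browsing."""
    lines = []
    for hour, j in enumerate(JITTER):
        ts = BASE + timedelta(hours=hour, seconds=j)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} 10.0.0.15 203.0.113.7")
    for ts in ["09:02:11", "09:02:40", "09:15:05", "10:47:30",
               "13:05:00", "13:06:12", "16:30:45", "17:59:59"]:
        lines.append(f"2024-03-01T{ts}Z 10.0.0.22 198.51.100.4")
    for ts in ["08:00:00", "08:00:30", "20:15:00"]:  # too few to judge
        lines.append(f"2024-03-01T{ts}Z 10.0.0.31 192.0.2.50")
    return lines


def parse_connections(lines):
    """Yield (timestamp, src, dst) from the constructed one-line format."""
    for line in lines:
        ts, src, dst = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst


def beacon_scores(records, window_start, window_hours=24, min_connections=6):
    """Return {(src, dst): (count, mean_interval_s, regularity)} for the window.

    regularity = 1 - stdev(interval) / mean(interval), clipped to [0, 1]:
    1.0 is perfectly periodic, 0.0 is as bursty as its own average.
    Pairs with fewer than min_connections are skipped, since two or three
    connections cannot tell a beacon from a coincidence.
    """
    window_end = window_start + timedelta(hours=window_hours)
    by_pair = defaultdict(list)
    for ts, src, dst in records:
        if window_start <= ts < window_end:
            by_pair[(src, dst)].append(ts)
    scores = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(intervals)
        # avg == 0 means every connection had the same timestamp; treat as noise.
        regularity = max(0.0, 1.0 - pstdev(intervals) / avg) if avg > 0 else 0.0
        scores[pair] = (len(stamps), avg, regularity)
    return scores


def likely_beacons(scores, min_regularity=0.9):
    """Pairs worth an analyst's attention, most regular first."""
    hits = [(pair, s) for pair, s in scores.items() if s[2] >= min_regularity]
    return sorted(hits, key=lambda item: item[1][2], reverse=True)


if __name__ == "__main__":
    scores = beacon_scores(parse_connections(build_sample_log()), BASE)
    for (src, dst), (n, avg, reg) in likely_beacons(scores):
        print(f"{src} -> {dst}: {n} connections, every {avg:.0f}s, "
              f"regularity {reg:.3f}")
```

Run as-is, the hourly caller 10.0.0.15 -> 203.0.113.7 is the only pair reported: 24 connections, a 3600-second mean interval and a regularity above 0.99. The browsing host scores 0 because its interval spread exceeds its mean, and the three-connection host is never scored at all. A real tool would also weigh destination reputation, payload sizes and TLS details, which is exactly the kind of additional criteria the threat score above is said to combine.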
So, if you are looking for a simple way to monitor the traffic between your internal systems and the internet, you might want to check out Active Countermeasures and AI Hunter.
Steven Bowcut, CPP, PSP is the Editor-in-Chief for Brilliance Security Magazine