The key to preventing crime is to understand how criminals work. The FBI caught notorious serial killer Ted Bundy after its Behavioral Analysis Unit discovered how he usually found his victims. In the same way, behavioural analysis can help in the fight against cyber crime.
Hunting only for indicators of compromise (IOCs) such as known file hashes, domains or IP addresses tells you that an attack has already occurred; it assumes you missed it, and attackers can swap those indicators cheaply. Focusing instead on behavioural cues, the tactics and techniques every intrusion has to pass through (execution, credential theft, lateral movement and so on), lets you recognise and interrupt the attack chain even when the specific malware or infrastructure is new, and before damage is done.
Understanding the tactics cyber criminals use is vital to counter increasingly complex cyber threats. This understanding played an essential role in how Cybereason successfully tackled two major nation-backed cyber attacks in recent years.
Prevent cyber attacks with behavioural analysis
Many cybersecurity tools still in use were designed for the attacks of 20 years ago: they match known signatures and so can only flag an attack after it has happened. For instance, Operation Soft Cell, disclosed in 2019, only came to light after the victim, a telecommunications firm, noticed suspicious activity on its servers.
Cybereason later discovered that the attackers had been active in the network, undetected, for about seven years. They held 10 administrator accounts and every username and password, and could do anything they wanted in the environment.
Organisations should instead focus on detecting behaviour, which reveals an attack while it is still in progress, before the attackers reach their objective. Whatever their motive, intruders follow a predictable sequence: gain a foothold, escalate privileges, harvest credentials, move laterally, then steal or destroy.
Each step leaves behavioural traces that show what is happening now and what is likely to happen next, which gives defenders time to take preventive action.
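To make the contrast between indicator matching and behavioural detection concrete, here is an added example; it is not Cybereason's code or the page's own. It runs a hash-based IOC check and three behavioural rules over a constructed endpoint event log and then correlates the rule hits into an attack chain per user. The event schema, rule thresholds, kill-chain stage names and the process allow-list are assumptions chosen for the illustration. In the sample log the attacker's credential dumper has been recompiled, so its hash no longer matches the threat-intel feed, while the behaviours (an Office application spawning a shell, an untrusted process reading LSASS memory, and a service-control command aimed at a remote host) are still caught.

```python
"""Indicator matching versus behavioural detection over a small event log.

Added illustration, not Cybereason code. The event fields, rule thresholds,
stage names and the process allow-list are assumptions chosen for the
example; the log lines below are constructed, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed endpoint events: process creations plus one memory access.
# j.doe's phished session on ws-17 is the intrusion; a.smith is benign.
EVENTS = [
    {"ts": "2024-03-01T09:00:00", "host": "ws-17", "user": "j.doe",
     "parent": "outlook.exe", "proc": "winword.exe", "sha256": "h-word", "target": None},
    {"ts": "2024-03-01T09:00:05", "host": "ws-17", "user": "j.doe",
     "parent": "winword.exe", "proc": "powershell.exe", "sha256": "h-ps", "target": None},
    {"ts": "2024-03-01T09:02:10", "host": "ws-17", "user": "j.doe",
     "parent": "powershell.exe", "proc": "svchost_update.exe", "sha256": "h-dumper-v2",
     "target": "lsass.exe"},
    {"ts": "2024-03-01T09:10:00", "host": "ws-17", "user": "j.doe",
     "parent": "svchost_update.exe", "proc": "sc.exe", "sha256": "h-sc", "target": "\\\\dc-01"},
    {"ts": "2024-03-01T11:00:00", "host": "ws-22", "user": "a.smith",
     "parent": "explorer.exe", "proc": "winword.exe", "sha256": "h-word", "target": None},
]

# Threat-intel feed (constructed): the dumper's hash from an earlier campaign.
# The attacker recompiled it, so the build on ws-17 ("h-dumper-v2") no longer
# matches and hash-based detection is blind to it.
KNOWN_BAD_HASHES = {"h-dumper-v1"}

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe"}
# Processes that legitimately touch lsass.exe (illustrative allow-list, an assumption).
TRUSTED_LSASS_READERS = {"csrss.exe", "wininit.exe", "MsMpEng.exe"}
STAGE_ORDER = ["execution", "credential_access", "lateral_movement"]


def ioc_alerts(events, bad_hashes):
    """Legacy approach: flag only events whose binary hash is already known bad."""
    return [e for e in events if e["sha256"] in bad_hashes]


def behaviour_alerts(events):
    """Flag behaviours that survive a recompiled binary or a fresh domain.

    Returns (stage, reason, event) tuples, one per matched rule.
    """
    alerts = []
    for e in events:
        if e["parent"] in OFFICE_APPS and e["proc"] in SHELLS:
            alerts.append(("execution", "office application spawned a shell", e))
        if e["target"] == "lsass.exe" and e["proc"] not in TRUSTED_LSASS_READERS:
            alerts.append(("credential_access", "untrusted process read lsass memory", e))
        if e["proc"] == "sc.exe" and e["target"] and e["target"].startswith("\\\\"):
            alerts.append(("lateral_movement", "service control aimed at a remote host", e))
    return alerts


def attack_chains(alerts, window=timedelta(minutes=30), min_stages=2):
    """Correlate per-user rule hits into attack chains.

    A chain is reported when at least `min_stages` distinct stages occur for
    one user within `window` of that user's first hit. A single rule can fire
    on an administrator doing real work; progression through stages is what
    marks an intrusion.
    """
    by_user = defaultdict(list)
    for stage, _reason, e in alerts:
        by_user[e["user"]].append((datetime.fromisoformat(e["ts"]), stage))
    chains = {}
    for user, hits in by_user.items():
        hits.sort()
        start = hits[0][0]
        stages = {stage for ts, stage in hits if ts - start <= window}
        if len(stages) >= min_stages:
            chains[user] = sorted(stages, key=STAGE_ORDER.index)
    return chains


if __name__ == "__main__":
    print("IOC hits:", len(ioc_alerts(EVENTS, KNOWN_BAD_HASHES)))
    hits = behaviour_alerts(EVENTS)
    for stage, reason, e in hits:
        print(f"{e['ts']} {e['host']} {e['user']}: [{stage}] {reason} ({e['proc']})")
    print("chains:", attack_chains(hits))
```

Run as a script, the IOC check returns zero hits while the behavioural rules fire three times for j.doe and correlate into a three-stage chain, all before the final objective is reached. The design point is that a hash or domain costs the attacker nothing to change, whereas reading LSASS or reaching a domain controller is something the intrusion must do to succeed, so that is where the detection belongs; the chain correlation is what keeps a single benign-looking hit from becoming an alert on its own.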
For instance, behavioural analysis let us help Seton Hall University detect two previously undiscovered attacks on its data. Our behavioural prevention programme also shut down ransomware when a user infected his device two days in a row, with no damage done either time.
Once bitten, twice shy: preventing repeated attacks
Discovering a cyber attack does not always mean the threat is over.
In 2021, Cybereason discovered an attack on the telecommunications industry across Southeast Asia by three notorious threat actors, which we called Operation DeadRinger. We acted promptly to contain the incident, but the attackers returned three to four times before they left for good.
Governments need to take a strong stance to prevent repeated incidents. That means going beyond legacy tools such as antimalware to programmes that detect and respond to threats across endpoints, cloud systems, user identities and applications, so that an attacker who returns by a different route is still seen.
That breadth of visibility signals to attackers that further attempts are unlikely to stay hidden. It also exposes the attackers' identities, tools and procedures, which hinders their ability to reuse them in future attacks.
Tackling the increasing sophistication of cyber threats
Cyber attacks on the telecommunications industry like SoftCell and DeadRinger are not isolated incidents. Telecommunications companies in particular are prime targets for nation-state espionage programmes.
This is because they hold call records and location data: who a subscriber talked to, when, and from where. Infiltrating a carrier gives attackers that private information about its subscribers, who often include government employees, political leaders, business leaders and other elected officials.
The SoftCell attackers, for instance, were tracking a targeted list of individuals and following their whereabouts around the clock.
There will be sequels, and you won't see them coming. Governments need to be more vigilant and prepare for the worst. Assume you are already compromised, and get good at preventing intrusions, finding them, recovering from them and limiting the blast radius when they happen.
Cyber criminals are constantly evolving and looking for new ways to do harm. Governments need to evolve with them, with defence as the focus. Understanding their behaviour is the first step.
CK Chim is the Vice-President and Field Chief Security Officer (APJ) of Cybereason.