Don’t Wait for Zero Day – Proactively Detect Threats with Alluvio | Riverbed

Leigh Finch

Your personal information being leaked or sold online is something that strikes fear into the hearts of most people. Identity theft takes this one step further: it can destroy your credit rating and land you on blacklists for services such as utilities, rental housing or mobile phone plans.

In September 2022, Optus announced that an unknown actor had compromised its systems and accessed current and former customers' personal information (passport, driver's licence and Medicare numbers). The actor then posted a sample (about 10,000 of the 2.1 million affected records) as proof, in a bid to sell the remainder.

While the impact of this leak cannot be overstated and is devastating for the people involved, there is some small comfort in the fact that various government agencies and Optus are offering assistance to replace exposed identity documents.

The reputational and financial damage to Optus (or any organization that has their customer data compromised) is massive. Some customers will want to discontinue services, and potential customers may reconsider their options. Even if an organization increases their security posture, the memory of this incident will last for decades to come.

Attacks steal the headlines, but threats lie in wait

What we know about the Optus cyberattack is that it was not a sophisticated one, and that it could have been avoided by closing unneeded ports and requiring authentication on every exposed API. This is a very common slip-up, one that occurs most often under rushed development or integration, and one that should not happen; when it does, it can become a major issue.

By contrast, an actor with the resources and patience to go after a well-secured target behaves as an APT (Advanced Persistent Threat). APTs make little noise, because their aim is to stay under the radar while learning as much about the target as possible. The reconnaissance period can be as long as a year; they take their time to learn the environment and find things such as:

  • Where is the sensitive information saved?
  • Where is the data backed up (in the case of a CryptoLocker-style ransomware attack)?
  • What cyber defenses are in play?
  • What are the skills of the DFIR (Digital Forensics and Incident Response) team?
  • What does a regular usage pattern look like?

With the average APT able to remain in an environment for over 200 days without being discovered, APTs can hide in plain sight, using normal protocols and standard authentication to avoid detection by signature-based and machine-learning defenses. This is where proactive threat hunting becomes a crucial part of your arsenal. Threat hunting is the process of examining traffic patterns, log files and other telemetry for unusual activity that could be an indicator of compromise (IOC).

Games make the process a bit more interesting

I like to talk about the gamification of threat hunting, which can make the process more enjoyable. We use games that offer high value and leverage the full-fidelity data of Alluvio NetProfiler and AppResponse. If you have not already played cybersecurity games, I highly recommend them. They show how realistic simulations advance cybersecurity skills: while playing, you learn to treat failure as a learning opportunity and you prepare for real-life incidents.

APTs often use zero-day exploits, which signature-based tools cannot detect: the IOCs do not exist until after the threat has been identified and analyzed. It is not enough to detect these threats only once they are known; we also need to go back in time and check whether they have already occurred in our environment. Because of its full-fidelity flow storage, NetProfiler can run historical reports on known IOCs such as suspicious destinations, ports and traffic volumes.


The other benefit of this game is that it rehearses the question you will be asked anyway when a vulnerability such as Log4j is in the news: were we affected, and since when?

Let's look at how Riverbed Alluvio is helping its customers proactively find such threats so that they can safeguard the valuable data and privacy of their end customers.

With APTs using normal traffic to blend into the environment, it is a smart idea to monitor for administrative traffic in places and at times you would not expect it. Anything that does not make sense, such as unusually large data transfers, exposed APIs or weak passwords, is a signal that needs to be picked up. Alluvio can catch these red flags and alert you to unusual activity, so you can act before the intruder locks you out of your own network.

Alluvio to the rescue

In the following example we have used NetProfiler to detect SSH traffic between midnight and 6 AM. We might catch the occasional developer performing a late-night change, but we might also find things we were not expecting. Another example is database traffic directed to places it should not go, in an attempt to exfiltrate records.


Security auditing and threat hunting can easily become a full-time job, but with Alluvio a modest, regular investment of time covers a set of activities that keep adversaries at bay:

  • Detect unencrypted data transfers
  • Analyze DNS traffic
  • Analyze certificates

Dedicating a bit of time to these activities will help you understand your environment better and know what normal looks like.
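The hunts described above (off-hours SSH, database traffic to unexpected places, bulk transfers over plaintext protocols, and oddities in DNS) reduce to simple questions asked of flow telemetry. The following is an added example, not Riverbed or Alluvio code: it runs those four hunts over a handful of constructed flow records. The record fields, the sanctioned jump host, the application-tier subnet and the thresholds are assumptions for the illustration; in practice they come from what you know about your own environment.

```python
"""Threat-hunting queries over flow telemetry (added example, not Alluvio code)."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    ts: datetime          # flow start, local time
    src: str
    dst: str
    dport: int
    proto: str            # "tcp" or "udp"
    bytes: int
    dns_qname: str = ""   # populated only for DNS flows


# Environment knowledge the hunter brings (assumed values for the example).
APP_TIER = ip_network("10.10.20.0/24")       # only hosts allowed to talk to databases
JUMP_HOST = "10.10.5.5"                      # sanctioned source of administrative SSH
DB_PORTS = {1433, 3306, 5432}
PLAINTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http"}


def off_hours_ssh(flows, start_hour=0, end_hour=6):
    """SSH sessions starting in the quiet window that do not come from the jump host."""
    return [f for f in flows
            if f.proto == "tcp" and f.dport == 22
            and start_hour <= f.ts.hour < end_hour
            and f.src != JUMP_HOST]


def db_from_unexpected(flows):
    """Database connections from anything outside the application tier."""
    return [f for f in flows
            if f.dport in DB_PORTS and ip_address(f.src) not in APP_TIER]


def large_plaintext(flows, min_bytes=50_000_000):
    """Bulk transfers over protocols that carry data in the clear."""
    return [f for f in flows
            if f.dport in PLAINTEXT_PORTS and f.bytes >= min_bytes]


def suspicious_dns(flows, max_label=32):
    """DNS queries containing a very long label, a common tunnelling/exfiltration tell."""
    return [f for f in flows
            if f.dport == 53 and f.dns_qname
            and max(len(label) for label in f.dns_qname.split(".")) > max_label]


def run_hunts(flows):
    """Run every hunt and return the hits keyed by hunt name."""
    return {
        "off_hours_ssh": off_hours_ssh(flows),
        "db_from_unexpected": db_from_unexpected(flows),
        "large_plaintext": large_plaintext(flows),
        "suspicious_dns": suspicious_dns(flows),
    }


# Constructed sample flows (not real telemetry).
T = datetime.fromisoformat
SAMPLE_FLOWS = [
    Flow(T("2022-10-03T02:14:00"), "10.10.5.5", "10.10.30.12", 22, "tcp", 48_000),            # jump host, expected
    Flow(T("2022-10-03T03:41:00"), "10.10.77.201", "10.10.30.12", 22, "tcp", 2_100_000),      # workstation at 3:41 AM
    Flow(T("2022-10-03T14:05:00"), "10.10.77.201", "10.10.30.12", 22, "tcp", 30_000),         # daytime, outside window
    Flow(T("2022-10-03T03:50:00"), "10.10.77.201", "10.10.40.7", 5432, "tcp", 900_000_000),   # DB pull from outside app tier
    Flow(T("2022-10-03T09:00:00"), "10.10.20.15", "10.10.40.7", 5432, "tcp", 12_000_000),     # app tier, expected
    Flow(T("2022-10-03T04:10:00"), "10.10.40.7", "203.0.113.9", 21, "tcp", 850_000_000),      # FTP out to the internet
    Flow(T("2022-10-03T04:12:00"), "10.10.77.201", "10.10.1.53", 53, "udp", 300,
         "a3f9c0e1b7d24468a1f0e9c3b2d5a7f1c4e6b8d0.example.net"),                             # 40-char label
    Flow(T("2022-10-03T04:13:00"), "10.10.77.201", "10.10.1.53", 53, "udp", 90, "www.example.com"),
]

if __name__ == "__main__":
    for hunt, hits in run_hunts(SAMPLE_FLOWS).items():
        print(f"{hunt}: {len(hits)} hit(s)")
        for f in hits:
            print(f"  {f.ts:%H:%M} {f.src} -> {f.dst}:{f.dport} {f.bytes} bytes {f.dns_qname}")
```

Run against the sample, each hunt returns exactly one hit, and together they tell one story: a workstation that should never be doing administration logs into a server at 3:41 AM, pulls 900 MB from the database, and the database server then pushes a similar volume out over FTP while the workstation sends long, hex-like DNS names. None of these flows uses an exotic protocol or a known-bad signature, which is the point of the "know what normal looks like" advice above.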

Full-fidelity observation speeds up recovery and saves millions in downtime when you are under attack. You can go back in time and look at everything to establish the extent of the damage: when it all started, and which services and data have been compromised.

You don’t know today what you will need tomorrow. Make Riverbed Alluvio monitoring a crucial part of your overall cyber strategy.

This post was first published on Riverbed Blog's website by Leigh Finch. You can view it by clicking here