[White paper] A new approach to cyber defense automation
Cyber-attacks are a daily occurrence. While the largest attacks make intermittent headlines, the attacks as a whole are unrelenting. Day after day, hour after hour, our computer and network infrastructure, both enterprise and personal, is probed, scanned and attacked in attempts to penetrate it and gain a foothold from which subsequent attacks can be staged.
The reasons these attacks are taking place are many, but that is not the focus of this paper. This paper focuses on how automation must be adopted to better defend our digital systems, resources and assets. The attacks of today are largely automated. Computers, as automatic machines, are very good at performing repetitive tasks endlessly. The more computers that can be enlisted and coordinated to work together, the more work can be performed. This is the fundamental principle behind botnets. Botnets are collections of computers that have been co-opted to perform some malicious activity under the control of another computer system. With a herd of computers at their command, botnet masters can instruct their botnets to execute many types of attacks: from simply flooding networks with distributed denial of service (DDoS) attacks, to email spam generation, to serving as exfiltration hosts for storing stolen computer records.
While botnets are not the only type of attack, they do exemplify how computer automation is used for attack purposes. Other attacks use computer automation as tools that assist human operators. These automated tools are used to monitor progress toward an objective, perform evasive maneuvers and detect countermeasures. They are often deployed in conjunction with stealthier operations where low observability is the chief priority. Although these attacks may not be as noisy as those performed by botnets, their damage may be more significant. From the attacker's point of view, the choice between full automation and operator-assisting tools is largely based on the amount of noise generated during the attack.
Detecting and thwarting attacks and cleaning up the aftermath is a difficult task. Most cyber defense systems are neither automated nor integrated. They operate as sets of individual tools, each of which may have aspects of automation incorporated into it. For instance, automating the updating of signature catalogs is necessary but insufficient, because signature-based solutions are reactionary and are unable to detect zero-day and polymorphic attacks. An automated cyber defense system must provide better protection than this. The concept of cyber defense automation is not new. The most prominent example of cyber defense automation was the shift from Intrusion Detection Systems (IDS) to Intrusion Protection Systems (IPS). Elements of this can be seen in products by IBM, Cisco, Palo Alto Networks and FireEye.
For more insights about Cyber Defense Automation, download this white paper sponsored by BlackRidge Technology.