Malware is created to be undetectable so attackers can launch cyberattacks without attribution, making them hard to source -- but a key difference in state-sponsored malware that makes it stand out, the topic of an Infosecurity and ESET webinar on Tuesday, is that it is often highly sophisticated and targeted.
Because it's impossible to stop all attacks, network monitoring can help make detection faster, experts say.
No matter how strong an organization’s defense, some attacks are going to get through, so monitoring networks is just as important as adding security software, said Tom Burton, Head of Cyber for Defence at BAE Systems Detica.
“The ability to identify attacks is critical…but by its nature, you don’t know what you’re looking for so you must be searching for concerning behavior,” Burton said during the online meeting. “These behaviors will be described by activity over time hidden in vast quantities of data.”
There is no real manual on what to look for so you have to understand your network, know how it works, and be able to identify abnormal activities, says Righard Zwienenberg, Senior Research Fellow at ESET.
Zwienenberg and Burton say the network monitoring they advocate could have had helped detect Stuxnet, which wasn’t discovered until an error in the malware allowed it to be released on the Internet.
“One of the ways Stuxnet was spreading was that infected nodes would look for open shares over the network. Where more and more systems in the network get infected, you would be able to notice the enumeration,” Zwienenberg said by e-mail Wednesday.
State-sponsored attacks manage to fly under the radar because the attackers often have inside information on what types of security tools their targets are using. Administrators should look for things like unusual login patterns or data going back forth from countries or servers they don’t usually do business with. It’s also suspicious when unauthorized systems connect to the network, Zwienenberg said.