There are two kinds of systems out there: those that have been compromised and those that don’t know they’re compromised. It sounds quite shocking but it’s much closer to the truth than most people realize. When a big breach announcement comes out it’s almost always the result of months of attackers being present in the system. Nefarious actors get a foothold in the system and persist because it’s more effective to stick around and exploit as much as possible before exfiltrating your ill-gotten gains.
Typical security tools think that they are protecting bastions of security. They are intently focused on keeping out the attackers. They aren’t very good at detecting the attacks once they’re on the inside though. If we work from the assumption that our system is already compromised how can we hope to find the things that will identify the attackers and let us regain control?
On the Move
I had the opportunity to talk to a new company that is focused on detecting the attackers as they try to move through the system. Confluera launched at Black Hat 2019 with a novel approach to security in networks. Instead of trying to keep the bad guys out of the system, Confluera works with the assumption that you’ve already been compromised. By focusing on the kinds of things that attackers do when they get inside they can narrow the number of things they need to examine in order to expose the bad actors before they get what they’re after.
CEO Abhijit Ghosh told me Confluera deploys agents on Windows and Linux servers in your environment and they start sending telemetry back to the Confluera control systems. This discreet telemetry is constantly analyzed for the kinds of things that might be triggers for nefarious behavior. Confluera can identify behaviors that are out of the ordinary, such as clearing access log files or attempting to log in with service accounts on local systems. Some tools can catch these discrete behaviors, but often they are lost in the noise of all the other things that are being monitored.
That’s one of the big keys to avoiding detection when you’re looking around a system. Prey distinguishes itself through movement. The less you move and leave a trail the more likely you are to avoid detection. The longer you can stay silent and collect info the more you can get away with when it’s time to make your exit from the system.
Confluera works by looking for this movement and attributing it back to a lateral attack chain. Even the most discrete events are added to the trail that Confluera is tracking. Each trail is assigned a score in the central control component. Thanks to a combination of actions and structured machine learning, Confluera can discard normal actions while focusing on the ones that have a high enough score to look out of place. Maybe it’s a user traversing to servers that they don’t normally log into. Or perhaps it’s a systematic clearing of files on devices that’s out of the ordinary. Or maybe it’s something seemingly innocuous like VPN installation or DNS manipulation. Whatever it might be, Confluera can see it.
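To make the idea of trail scoring concrete, here is an added example in Python that is not Confluera’s code and does not reflect its actual scoring. It takes constructed host telemetry (logins, a log-file deletion, a tool install), builds a per-user baseline of “normal” hosts from the early events, attributes every later event to the account’s trail, and flags the trails whose accumulated score stands out. The rule weights, the `svc-` naming convention for service accounts, and the sample events are all assumptions chosen for the example; it covers both the individual behaviors mentioned earlier (log clearing, service accounts logging in locally) and the chain scoring described in this paragraph.

```python
# Added example (not Confluera's code): a toy lateral-movement trail scorer
# applying the post's ideas to constructed host telemetry.
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample telemetry: (timestamp, host, user, event_type, detail).
# Events up to the baseline cutoff are treated as "normal" history.
SAMPLE_EVENTS = [
    (1, "web01", "alice", "login", "ssh"),
    (2, "web01", "alice", "login", "ssh"),
    (3, "db01", "dba", "login", "ssh"),
    (4, "web01", "alice", "login", "ssh"),
    (5, "web01", "svc-backup", "login", "local"),                   # service account used interactively
    (6, "web01", "svc-backup", "file_delete", "/var/log/auth.log"),  # access log cleared
    (7, "db01", "svc-backup", "login", "ssh"),                      # hop to a host the account never used
    (8, "db01", "svc-backup", "install", "openvpn"),                # seemingly innocuous tooling
    (9, "web01", "alice", "login", "ssh"),                          # routine, should score zero
    (10, "web01", "dba", "login", "ssh"),                           # one unusual login, below threshold
]

# Rule weights are assumptions chosen for this example, not Confluera's scoring.
NOVEL_HOST = 3           # login to a host outside the user's baseline
SERVICE_LOCAL_LOGIN = 4  # service account (assumed "svc-" prefix) logging in locally
LOG_CLEARING = 5         # deleting files under the system log directory
SUSPECT_TOOLING = 2      # installing VPN or DNS tooling


@dataclass
class Trail:
    user: str
    score: int = 0
    hosts: list = field(default_factory=list)    # hosts in order of first visit
    reasons: list = field(default_factory=list)  # why points were added


def build_baseline(events, baseline_end):
    """Map each user to the hosts they logged into during the baseline window."""
    baseline = defaultdict(set)
    for ts, host, user, kind, _detail in events:
        if ts <= baseline_end and kind == "login":
            baseline[user].add(host)
    return dict(baseline)


def score_event(event, baseline):
    """Return (points, reasons) for one event; 0 points means it looks routine."""
    _ts, host, user, kind, detail = event
    points, reasons = 0, []
    if kind == "login" and host not in baseline.get(user, set()):
        points += NOVEL_HOST
        reasons.append(f"login to unfamiliar host {host}")
    if kind == "login" and user.startswith("svc-") and detail == "local":
        points += SERVICE_LOCAL_LOGIN
        reasons.append(f"service account {user} logged in locally")
    if kind == "file_delete" and detail.startswith("/var/log/"):
        points += LOG_CLEARING
        reasons.append(f"log file {detail} deleted")
    if kind == "install" and any(t in detail for t in ("vpn", "dns")):
        points += SUSPECT_TOOLING
        reasons.append(f"installed {detail}")
    return points, reasons


def build_trails(events, baseline_end):
    """Attribute each post-baseline event to its account's trail and accumulate the score."""
    baseline = build_baseline(events, baseline_end)
    trails = {}
    for event in sorted(events):  # tuples sort by timestamp first
        ts, host, user = event[0], event[1], event[2]
        if ts <= baseline_end:
            continue
        trail = trails.setdefault(user, Trail(user))
        if host not in trail.hosts:
            trail.hosts.append(host)  # "where they've been"
        points, reasons = score_event(event, baseline)
        trail.score += points
        trail.reasons.extend(reasons)
    return trails


def flagged_trails(events, baseline_end, threshold=8):
    """Return the accounts whose trail score is high enough to look out of place."""
    trails = build_trails(events, baseline_end)
    return [user for user, trail in trails.items() if trail.score >= threshold]


if __name__ == "__main__":
    for user, trail in build_trails(SAMPLE_EVENTS, baseline_end=4).items():
        print(f"{user}: score={trail.score} hosts={trail.hosts}")
        for reason in trail.reasons:
            print("   -", reason)
    print("flagged:", flagged_trails(SAMPLE_EVENTS, baseline_end=4))
```

The point of the threshold is the noise problem the post raises: the single unfamiliar login by `dba` scores a few points on its own and is discarded, while the service account’s chain of local login, log clearing, hop to a new host and tool install accumulates enough across the trail to surface, with the ordered host list showing where that account has been.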
Once you know what’s going on, you’ve spotted the prey you’re hunting. Instead of relying on traditional tools to pick up the trail far too late, Confluera gives you real-time updates about what’s going on. The scores reflect accurate, up-to-the-minute data and also give suggestions about what you can do to activate a cyber kill chain in order to stop your intruders in their tracks. Confluera also tracks these discrete incidents back to each chain so you not only know what your uninvited guests are up to right now but where they’ve been and what they’ve been messing with. Now, you have a blueprint to clean up their mess and get your systems back to a good state.
Bringing It All Together
Confluera doesn’t reduce the need to have defense in depth at your edge. Instead, think of it more as assurance that you don’t have anyone roaming around inside your enterprise. It’s still a very early product right now, with the kinds of rough edges that early releases tend to have. It’s 100% focused on Windows and Linux hosts right now, which means it’s not capable of monitoring containers yet, just their hosts. You also need host OS access to install the agent. If your use case fits that particular setup then you should absolutely look at using Confluera to augment your existing security tools to help you hunt down the things you really don’t want to find roaming around your systems.