March 26, 2015

Data Theft: The Four Attack Models and the Key to Stopping It

IP Protection

In previous posts we described the five types of perpetrators who threaten your data and the challenges to securing Intellectual Property (IP). Now we’re taking a closer look at the four main attack models and what you can do to prevent attacks on your data from happening in the first place.

1. The Impulsive Attack

The “impulsive” attack is the preferred attack method used by employees leaving an organization with sensitive data, as well as by insider hacktivists. This type of attack is accompanied by significant anomalous activity and can occur over days or even just few hours. In many so-called “quick-action” incidents, attackers access data they have rarely or never accessed previously, execute events that change or obfuscate that data, and move large amounts of data to external storage devices.

2. The Below-the-Radar Slow Attack

“Below-the-radar” or “slow” attacks are more common in government or corporate espionage. To remain undetected slow attacks often move data at very low rates over long periods of time. Most commonly the data is migrated from the network onto removable media or personal devices. Slow attacks are not limited to insiders; it is also common for outside attacks to use this method to avoid detection.

3. The Outside or Targeted Attack

The “outside” or “targeted” attack, often called an APT (Advanced Persistent Attack), is characterized by highly sophisticated technology combined with a long duration. Undertaking such attacks requires significant resources and are therefore usually sponsored by, if not directly controlled by, government or military organizations. Outside attacks typically target pre-determined organizations and particular datasets. They are very difficult to defend against with existing security tools because of their “continuous, changing attack” model with the ability to find and bypass defenses.

4. The Twofold or Inside/Outside Attack

The “twofold” or “inside/outside” attack involves an insider who introduces malware within an organization on behalf of an external entity. With the malware present and obfuscated, the software now controlled by the Command and Control server is used to quietly and continuously exfiltrate data out of the organization. This approach minimizes the evidence of any association between the data theft and the entities involved and therefore greatly minimizes risk to the insider and the external sponsoring organization (again, often government or military) .

The Key to Stopping IP Exfiltration: Extreme Visibility

These different methods of cyber attacks and types of perpetrators have the following elements in common:

  1. Individuals or entities access sensitive internal IP (data and other assets).
  2. They create anomalous activity compared to “normal baseline behavior.”
  3. After accessing the IP it must be externally exfiltrated by the perpetrators, causing additional anomalous data activity.

The biggest challenge to deterring these attacks is that they cannot be detected effectively using existing perimeter-based or signature-based security technologies. The security breaches are therefore typically not detected, until months after they have occurred.

To successfully protect critical IP against these data security threats, organizations should adopt a data-centric approach to identifying suspicious activities and potential threats. This approach can quickly identify the users, machines and projects associated with the anomalous behavior, then proactively investigate these instances to greatly decrease the potential for future breaches in data security.