Attack detection is currently coming to the fore, especially for companies that operate critical infrastructures (KRITIS). With its amendment to the BSI Act (BSIG) in December 2021, the German Federal Office for Information Security (BSI) obligated all KRITIS operators to run their own attack detection systems from May 1, 2023 at the latest.
But attack detection is also becoming increasingly important for organizations without critical infrastructure. Malicious, targeted attacks are now both more sophisticated in execution (LockBit, for example, a repeatedly successful attacker) and more severe in their business-critical consequences. Detection and Security Information & Event Management (SIEM) are thus becoming essential components of enterprise security for every company, regardless of size and type of infrastructure.
Why preventive measures are no longer enough
However, preventive systems alone are no longer sufficient to guarantee corporate security. The reason is often a few individual gaps that attackers exploit to gain initial access to the corporate network. The greatest weak point is the human being.
If one imagines the security architecture of a company as a castle that has fully implemented all technical protection measures (for example, drawbridge, steel gates and a moat), one danger still remains: the population. Since every inhabitant of the castle has a password for access, there is a risk that a password is passed on to attackers inadvertently or even intentionally, or that an inhabitant becomes the attacker. Once the castle has been penetrated, even the sturdiest drawbridge and the deepest moat no longer offer protection.
The consequence for companies and the security industry
From there, attackers move around the network like a seemingly legitimate user, identifying and exploiting further vulnerabilities until they finally carry out the actual malicious action. The goal of the attack can range from encrypting important data and exfiltrating sensitive information to sabotaging systems.
Today's world is characterized by a constant arms race over who finds the next security gap first: those who close it or those who exploit it. The term also describes the ongoing contest over whether the next piece of malware runs undetected or is stopped. Hundreds of thousands of malware variants are sighted every day, and there remains the risk of infection by malware that endpoint protection does not yet detect.
BSIG: What changes for companies as of May 2023
The BSIG only roughly specifies what this means in concrete terms: “The systems used for attack detection must continuously and automatically record and evaluate suitable parameters and characteristics from ongoing operations. They should be able to continuously identify and prevent threats and provide appropriate remediation measures for incidents that have occurred.”
Functionally, such an attack detection system must essentially provide logging, log analysis and detection as well as an appropriate response. In essence, then, we are talking about SIEM systems.
How detection and SIEM systems contribute to attack detection
The basic principle of attack detection is to identify anomalies or traces of attacks. Typically, modern SIEM systems are used for this purpose. A SIEM system aggregates, normalizes and analyzes data against known attack patterns and presents the results to Security Operations Center (SOC) analysts, who can trigger appropriate response processes based on them. In some cases these tasks can also be automated so that responses are faster and more efficient. In addition, a SIEM system keeps the relevant people informed about the company's current security status. Some simple examples of such events are:
- Unusual use of user accounts, e.g. in parallel from different computers or several locations, or at unusual times of day
- Detection of brute force attempts, where software tries many different character strings in rapid succession to crack passwords
- Detection of unusual network traffic, e.g. a very high number of DNS requests or requests with unusual payloads
- A high number of firewall denies or drops caused by internal hosts
Such detections do not necessarily represent an attack; they can result from errors or simply from legitimate but unusual usage. Therefore, these cases must be examined in detail. Modern SIEM systems provide important support here: they correlate data from other log sources with such events or offer functions for obtaining further information about them. This enables the security analyst to decide more quickly and reliably whether an actual attack has occurred.
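As an added illustration (not part of the original article or any COCUS product), the following Python implements two of the example detections above, brute-force attempts and parallel use of one account from different hosts, over a handful of constructed authentication log lines; the log format, hostnames, thresholds and time windows are assumptions.

```python
from datetime import datetime, timedelta
# Constructed sample lines (assumed format): "<ISO timestamp> <user> <host> <result>"
SAMPLE_LOG = """\
2023-05-02T08:00:01 alice ws-17 success
2023-05-02T08:00:05 bob ws-22 failure
2023-05-02T08:00:06 bob ws-22 failure
2023-05-02T08:00:07 bob ws-22 failure
2023-05-02T08:00:11 bob ws-22 success
2023-05-02T08:03:00 alice ws-41 success
"""
def parse(log_text):
    """Normalize raw lines into event dicts (the SIEM 'normalize' step)."""
    events = []
    for line in log_text.splitlines():
        ts, user, host, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "host": host, "result": result})
    return events

def detect_brute_force(events, threshold=3, window=timedelta(seconds=60)):
    """Flag >= threshold failures for a user inside `window` followed by a success:
    the trailing success separates a likely compromise from a forgotten password."""
    alerts, failures = [], {}
    for ev in events:
        recent = [t for t in failures.get(ev["user"], []) if ev["ts"] - t <= window]
        if ev["result"] == "failure":
            recent.append(ev["ts"])
        elif len(recent) >= threshold:
            alerts.append({"rule": "brute_force_then_success", "user": ev["user"],
                           "host": ev["host"], "failures": len(recent)})
            recent = []
        failures[ev["user"]] = recent
    return alerts

def detect_parallel_use(events, window=timedelta(minutes=5)):
    """Flag a user with successful logins from two different hosts inside `window`."""
    alerts, last = [], {}
    for ev in events:
        if ev["result"] != "success":
            continue
        prev = last.get(ev["user"])
        if prev and prev["host"] != ev["host"] and ev["ts"] - prev["ts"] <= window:
            alerts.append({"rule": "parallel_use", "user": ev["user"],
                           "hosts": (prev["host"], ev["host"])})
        last[ev["user"]] = ev
    return alerts

def run_detections(log_text=SAMPLE_LOG):
    events = parse(log_text)  # parse once, run both rules, hand the alerts to the analyst
    return detect_brute_force(events) + detect_parallel_use(events)
```

Both alerts are leads for the analyst, not verdicts: the brute-force rule deliberately requires a following success, and the parallel-use rule needs a short window so that a normal move between two workstations does not fire it.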
We support you
By implementing a SIEM system, a company ensures that potential attacks, including advanced ones, are detected as quickly as possible. For KRITIS companies, these systems are the recommended way to comply with the legal requirement that applies from 01.05.2023. COCUS AG supports companies in introducing SIEM systems, in optimizing existing implementations, and in migrating from and replacing old SIEM systems with more modern ones.