Machine behaviors that threaten enterprise security


Machine learning has moved enterprise security forward, allowing for visibility inside the network in order to better understand user behavior. However, malicious actors are using what is done with machine learning on the inside in order to attack the perimeter.

Specifically, these types of attacks include DNS tunneling, attaching to Tor networks, and sending rogue authentication requests to directory services. Tom Gorup, security operations leader for Rook Security, said that in addition to these threats, “In general what we are seeing across the board is phishing, from wire fraud to distribution of malware. Generally we’re seeing scans they’re attempting to exploit.”

Even though DNS tunneling is not as prominent as it used to be, attackers trust that most people aren’t monitoring their DNS, which “Enables a hacker to bypass proxy servers and firewalls that protect internal data from attack,” said Gorup.

Attaching to Tor networks is also becoming more and more painful for as it is more expensive to defend the environment. Gorup said, “If you don’t see that initial packet, everything else just looks like SSL traffic. Some malware do use Tor, and when they do it, it’s definitely difficult. Depends on how much effort the attacker wants to put into it.”

has allowed hackers to gather even more intelligence than they had previously been able to obtain. Black said, “If you look at traffic on the internet, very few people are familiar with what is supposed to be happening. These guys are using connections, carriers, carrier calls, health checks, and parody analysis to gather additional intelligence.”

Security practitioners are monitoring traffic, but Black said, “Previously we would see someone running active scanning on us. Now, they are able to utilize malicious code to gather more than they used to. This is going to be huge in the IoT space.”

A return to basics, said Black, might be the best measure of defense. “Development is moving quickly, but we need to go back to basics. Applications are supposed to do certain types of transactions at each port. We need to clearly define what good traffic is and what it should look like. If it deviates from the published standard, that might be bad.”

Relying on modeling and machine learning, said Shteiman, is another way to protect the gaps that aren’t covered by blocking access to known Tor IPs. “I work on Tor, but I can model how I work on my computer. Access is only allowed when there is a keyboard interaction, or during working hours so that if I’m not on my computer, Tor can’t be used.”

As is most often the case, mitigating these threats requires education and training. Gorup said, “Regular code review and training developers will lower risk and vulnerabilities.”

Black agreed noting that, “Coding is going to be a major step forward. The internet and the carriers of the world have allowed dirty data to come to our door. As consumers of that data we need to demand that they clean up our pipes.”

Everybody is getting tired of the constant breaches and attacks. Creating more clarity on what carriers and companies’ responsibilities are will work towards cleaning up those pipes.

“We need to understand what is going into our facilities and what is going out,” said Black. “They’re also going to see encrypted traffic that is not encrypted by companies and countries, but if they don’t have the keys, they’re going to block the payload.”

Simplifying and consolidating with fewer layers will also be a necessary part of the clean up process, said Black. “I’m more confident now than I have been in a really long time for several reasons. The number of technologies you need to layer on are being rapidly consolidated. Simplification is going to be critical.”

This story, “Machine behaviors that threaten enterprise security” was originally published by