Cybercriminals Don’t Punch a Clock: How to Protect Your Network After Hours
But actually, they do.
Especially over the past five to ten years, industry analysts have observed an increasing professionalization of cybercrime, and a corresponding increase in the sophistication and success rate of their attacks. Although losses due to cybercriminal activities now cost the global economy more than $600 billion per year, it’s easier than it has ever been to monetize stolen data, due to the growth of the Dark Web and more widespread usage of untraceable digital currencies.
Unlike, say, narcotics smugglers, cybercriminals can establish bases for their nefarious operations in ordinary-looking office buildings without attracting undue attention from local law enforcement officials. They can scale their “businesses” by creating as-a-service offerings such as ransomware kits or botnet rentals that allow would-be hackers without much technical skill to launch successful attacks. And they can compete with legitimate enterprises for top developer talent by offering salaries more than twice those paid for aboveboard software engineering jobs in some markets.
Also, to attract employees with highly sought-after technical skills, organized cybercriminal syndicates must offer a reasonable work environment. This might mean providing workers with cutting-edge laptops or an ample supply of snacks. Increasingly, it also means scheduling shifts during mainstream business hours.
Although cybercriminals are more likely to be coding, hunting for vulnerabilities, or formulating attack strategies during business hours in their local time zones, their reliance on malware and various automated tools means they can schedule malicious actions at any time of day or night. Today’s attacks are most likely to take place at the times when criminals believe they’re most likely to be successful. When is this? Generally speaking, it’s random. Because defenders are investing time and thought into discerning patterns, attackers try to be unpredictable.
Sleep-deprived humans struggle to detect automated attacks
The problem isn’t that intrusions are more likely to take place at night. It’s that attacks are more likely to succeed when security teams are at their least vigilant. And humans tend to be at their least vigilant when they’re sleepy.
Security analysts staffing the overnight shifts in 24x7 security operations centers (SOCs) face more than their fair share of challenges. It’s a lonely, tiring time to work. Because the analysts are contributing to the organization while business leaders are asleep, the value of their efforts is more likely to go unnoticed. It’s common for them to feel less than professional because they’re not working typical business hours, and it’s all too likely that they’ll succumb to disengagement.
According to an old joke among SOC analysts, overnight shift workers are like mushrooms: they live in the dark and are cultivated in a bed of waste. These are challenging circumstances in which to do one’s very best work, yet the organization’s security depends on their alertness and care.
In today’s threat environment, attackers may attempt the initial compromise of an environment at any time. They’ll try to move laterally across the network in ways that are low-profile, slow, and steady. They might be looking for moments when network security sensors aren’t being monitored, or periods of peak traffic and activity when signals of compromise will be obscured.
Yet security operations teams detect more incidents during the day than at night. This isn’t because daytime is prime time for cybercrime. It’s because human security analysts struggle to perform well on overnight shifts, so attacks are more often missed during those hours.
Malware never sleeps, but neither does security operations software
Today’s round-the-clock cybercriminal activity is made possible by the fact that attackers are relying on automation to schedule malicious actions at the most opportune times. The only way that we, the defenders, can win back the upper hand in our battle against them is to turn to automated solutions just like our adversaries do.
By introducing an intelligent automated solution into the security operations workflow, we can ensure that every alert raised during nighttime hours receives the same care and attention as a daytime alert. When security monitoring is automated, the team won’t dismiss alerts simply because their volume is too great to give each one due consideration. Your monitoring workflow’s efficacy will never be affected by the inherent unpredictability of humans, and it’ll never be compromised by suboptimal biorhythms.
With robotic decision automation on board the security operations team, there’s no longer the need for human analysts to spend the darkest hours of the night staring at a console. Instead, the software can alert an on-call incident responder in case of any escalations, and the rest of the analyst team can get some much-needed rest.
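The two claims above, that an automated triage step should judge a 03:00 alert exactly as it judges a 15:00 alert and should page an on-call responder only on escalation, and the earlier observation that fewer incidents are caught at night, can both be made concrete. The following is an added example, not the article’s or any vendor’s code: a deterministic triage rule whose inputs deliberately exclude the timestamp, plus a coverage check that measures how long alerts wait for acknowledgement on each shift so a SOC can see whether its night coverage really lags. The alert fields (`severity`, `asset_criticality`), the shift boundaries and the sample alerts are all constructed assumptions.

```python
"""Time-of-day-independent alert triage plus a per-shift coverage check.

Hypothetical example; alert records and field names are constructed here.
"""
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Dict, List, Optional, Tuple


@dataclass
class Alert:
    ts: datetime                  # when the sensor raised the alert
    source: str                   # sensor type, e.g. "ids" or "edr" (constructed)
    severity: int                 # 1-10 as reported by the sensor (assumed scale)
    asset_criticality: int        # 1-5, assumed to come from an asset inventory
    acked_at: Optional[datetime]  # when an analyst acknowledged it, if ever


def shift_for(ts: datetime) -> str:
    """Assumed rota: day shift covers 08:00-19:59, night shift the rest."""
    return "day" if 8 <= ts.hour < 20 else "night"


def triage_score(alert: Alert) -> int:
    """Score from alert attributes only. The timestamp is intentionally not an
    input, so two alerts with the same properties get the same score no matter
    what hour they arrive."""
    return alert.severity * alert.asset_criticality


def should_escalate(alert: Alert, threshold: int = 24) -> bool:
    """Page the on-call responder only when the score reaches the threshold;
    everything below it is logged for daytime review instead of waking anyone."""
    return triage_score(alert) >= threshold


def ack_delay_by_shift(alerts: List[Alert]) -> Dict[str, Tuple[Optional[float], int]]:
    """For each shift, return (median minutes from alert to acknowledgement,
    number of alerts never acknowledged). A large night/day gap or a non-zero
    miss count is the coverage problem the article describes."""
    delays: Dict[str, List[float]] = {"day": [], "night": []}
    missed = {"day": 0, "night": 0}
    for a in alerts:
        s = shift_for(a.ts)
        if a.acked_at is None:
            missed[s] += 1
        else:
            delays[s].append((a.acked_at - a.ts).total_seconds() / 60)
    return {s: (median(d) if d else None, missed[s]) for s, d in delays.items()}


def _t(day: int, hour: int, minute: int) -> datetime:
    return datetime(2024, 3, day, hour, minute)


# Constructed sample: the same kinds of alerts arriving on both shifts.
SAMPLE_ALERTS = [
    Alert(_t(4, 10, 0), "edr", 8, 4, _t(4, 10, 6)),    # day, acked in 6 min
    Alert(_t(4, 14, 30), "ids", 3, 2, _t(4, 14, 42)),  # day, 12 min
    Alert(_t(4, 16, 5), "ids", 7, 3, _t(4, 16, 13)),   # day, 8 min
    Alert(_t(5, 2, 15), "edr", 8, 4, _t(5, 3, 40)),    # night, 85 min
    Alert(_t(5, 3, 50), "ids", 3, 2, None),            # night, never acked
    Alert(_t(5, 4, 20), "ids", 7, 3, _t(5, 5, 5)),     # night, 45 min
]


if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        print(f"{a.ts:%m-%d %H:%M} {shift_for(a.ts):5} score={triage_score(a):2} "
              f"escalate={should_escalate(a)}")
    print(ack_delay_by_shift(SAMPLE_ALERTS))
```

Running the block shows the 02:15 EDR alert escalated on exactly the same grounds as its 10:00 twin, while the coverage check reports a night-shift median acknowledgement time far above the day shift’s and one alert that was never picked up at all. In a real SOC the second number is the one to trend over time after automation is introduced: it should fall to zero.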
When primary responsibility for overnight monitoring is taken over by an automated solution, your security team will have more analyst hours available during the day. These can be spent on higher-value tasks like gathering intelligence, spotting never-before-seen attack techniques and methods, and conducting investigations. Analysts will also be better-rested, happier, and more likely to stay with the organization for the long term.