What is Perception?
Perception is a dedicated cyber security tool designed to find malicious activity or configuration vulnerabilities on a network regardless of source or exploit. It analyses all network traffic at a network core, or multiple cores, and identifies the types of behaviour present in that traffic. It then carries out anomaly detection, followed by deeper analysis of the more unusual traffic passing through the network. The data collected by Perception includes everything an analyst could need to discover malicious activity, possible network vulnerabilities, or network misconfigurations. This data is presented to the analyst in the simplest format possible, so they can rapidly triage each behaviour; with the packet captures collected, they are able to see exactly what was travelling through the network if anything looks suspicious. We believe Perception can increase the efficiency of any analysis team by an order of magnitude. Why not contact us for a free trial to see for yourself?
What Does Perception Detect?
Perception is designed to allow the user to take a more secure approach to their network by alerting them to issues before, during and after any incidents.
The term ‘zero-day’ refers to threats that use undocumented or unknown exploits. The majority of cyber defence tools require previous knowledge of these exploits to generate ‘rules’ or ‘signatures’ to identify the threat. If the activity matches the rule or signature, then it is stopped and identified as malicious. However, since zero-days by their very definition are not known, no rules or signatures exist, and therefore the majority of cyber defence tools do not have any way of stopping them.
Perception works differently to rule- or signature-based systems. Rather than requiring a specific rule for each specific threat, Perception uses the concept of behaviours. The majority of new threats are only slight modifications of existing threats, designed so that they no longer match any rules; the way they actually behave on a network is incredibly similar. By looking at this behaviour, Perception takes a more generalised approach to detecting threats, easily identifying all variants of a threat, including new modifications and variations that are designed to avoid signature-based systems.
By defining activity behaviourally, rather than using rigid rules or signatures, the only way for a threat to pass Perception unnoticed is for it to fundamentally change the way it behaves without being anomalous, a massive undertaking of engineering effort. The chances of this occurring are reduced even further by the fact that there is only so much malicious activity you can do on a network (steal data, destroy data, modify data, disrupt communications, move within a network), all of which are covered in some way by the behavioural identification system within Perception.
Although it is often thought that the greatest risk to an organisation’s data is from the most advanced attacks, in the real world the picture is vastly different. Studies have shown that the greatest threat to network security is the humans inside the network accidentally causing data breaches, accounting for around 37% of all data breaches (2015 BakerHostetler Data Security Incident Response Report). This statistic doesn’t include malicious insiders, users who intentionally misuse IT systems to cause financial and reputational damage.
The simplest question to ask regarding these types of breaches is why can’t traditional network security systems contain them efficiently? The problem that organisations are faced with is that these users are often fully authorised to do what they are doing, and the network cannot inherently understand that what they are allowed to do may not be safe.
There are steps that can be taken to mitigate this type of threat, such as restricting access privileges so that all data is strictly ‘need to know’. The problem this leaves is that when users do require access to certain data, that data is still at risk should the user misuse the network.
Identifying user behaviour that could put an organisation’s systems at risk is an important part of Perception. Looking at network activity behaviourally, rather than matching it to signatures, allows Perception to detect risks of data breaches regardless of whether they are software-based or human-based.
Perhaps the more valuable area of Perception’s capability is pre-empting this type of activity. Poor user behaviour is seldom, if ever, a one-time activity. Perception allows the security team to identify users who may be breaching standard IT policy or accessing data they shouldn’t. This enables them to inform the user of more secure ways to use the network, or allow IT to implement a technical control to ensure that users can perform necessary tasks without increasing risk to systems. Alternatively, the security team can monitor the situation by designing a scheduled activity report on a specific high-threat user.
Networks are constantly changing: connections need to be opened and closed temporarily, and the IT team often have to carry out repairs and maintenance on devices remotely. This type of activity often goes unnoticed in organisations; however, it can sometimes lead to innocent mistakes being made.
Devices on a network need their settings changed from time to time, but it is often difficult or impossible to track the ‘safest’ settings required for every device on a network at all times and alert the network security team to which ones aren’t compliant. Even when devices are set up for the first time, optimal security and operational settings may not be configured, leaving the network vulnerable to system outages or security breaches.
Perception is constantly monitoring every network it is deployed on, and as a result it can detect and alert on changes in configuration for a single device, or unexpected configurations for any device. This includes remote access to a device being left open, or encryption on sensitive communications being turned off. All of these configurations have perfectly valid reasons for being used, but they are often used only temporarily for testing/servicing reasons and shouldn’t be left this way for extended periods of time. The ability of Perception to identify and alert to misconfigurations allows the user to close the vulnerability before it is exploited, making the network far more secure.
Even the most secure networks have some level of vulnerability; vulnerabilities are part and parcel of maintaining an IT system. As a network evolves over time, and new software and hardware is deployed, new vulnerabilities are inevitably exposed.
There aren’t many standard methods of identifying these vulnerabilities. One method is stumbling across them by chance, which relies entirely on luck and/or how investigative the IT staff are. Another, perhaps the most proactive method, is penetration testing, but this can be costly, may not provide full coverage of all possible vulnerabilities within a network, and only represents a single snapshot in time. The final method of finding vulnerabilities is, unfortunately, once they have been exploited; this is the most common way weaknesses in a network are discovered, and it is a purely reactive way of improving network security over time.
Due to its behavioural identification, Perception has a fairly unique capability whereby it not only identifies active malicious behaviour, but also alerts the user to the most vulnerable points in a network. Identifying the greatest point of weakness in a network allows for a move to proactive improvement in network security. Constantly identifying and fixing vulnerabilities not only helps keep the network secure over time, but also stops an organisation being hit by attackers aiming for the ‘low-hanging fruit’.
Perception has been used to protect some of the most secure networks in the world since 2013. During that time Perception has detected a broad range of vulnerabilities and threats to networks that would otherwise have gone unnoticed, using multiple advanced military-grade behavioural detection systems.
The following list of real-world threat identifications represents just a thin slice of those that Perception has detected in customer networks. In every one of the scenarios below the customer was able to use the information within Perception to take the most appropriate course of action to resolve the issue, well before any major damage was done.
DATA EXFILTRATION USING DNS TUNNELLING
A device was using the DNS protocol, which is often less secured or monitored, to communicate with external servers. This was identified using the DPI element of Perception, reporting high volumes of DNS activity with higher than average data volumes. The DNS protocol is often poorly monitored by network security systems and is left fairly open since it is required to use the internet. Without this level of monitoring, DNS tunnelling could be used as a form of remote access, Command and Control or a method of egressing data from a network without detection.
ZERO-DAY MALWARE VARIANT
A device on the network was infected with a malware variant using a Domain Generation Algorithm (DGA) to communicate with Command and Control servers. A DGA typically uses a pre-defined algorithm to compute a domain name for the Command and Control server. Perception identified the high volume of failed DNS queries where the client queried computed domain names until it got a valid response for a server to communicate with. A small number of successful queries were seen when communication was established, and the volume of data exchanged with the malicious servers once connections were successful was identified. As a new strain of the malware, existing firewalls and anti-virus solutions did not detect the malicious payload; however, the behaviours were consistent with previously seen malware, which allowed Perception to identify and report the event. The goal of this malware was to steal personal data (banking details) from the client device, but undetected malware could lead to a number of different scenarios such as data loss, service outage, etc.
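The two DNS behaviours described above (high-volume, high-byte DNS traffic, and a run of failed lookups of computed names) can be triaged from plain per-query records. The following is an added example written for this page, not Perception's own code; the record layout, the sample log and every threshold are constructed assumptions.

```python
"""Behavioural DNS triage over constructed per-query records (added example,
not Perception's own code). Signals from the case studies: DGA-like clients
query many distinct names that mostly fail (NXDOMAIN) until one resolves;
tunnelling-like clients move far more bytes per query than the population.
The record format and all thresholds are assumptions, not product settings."""
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import median

# Constructed sample log: (client_ip, qname, rcode, query_bytes, response_bytes)
SAMPLE_LOG = [
    ("10.0.0.5", "intranet.example", "NOERROR", 60, 90),
    ("10.0.0.5", "mail.example", "NOERROR", 58, 88),
    # DGA-like client: 40 machine-looking names fail, then one resolves
    *[("10.0.0.9", f"q{i:08x}.example", "NXDOMAIN", 62, 100) for i in range(40)],
    ("10.0.0.9", "q0badc0de.example", "NOERROR", 60, 92),
    # tunnelling-like client: long labels out, large answers back
    *[("10.0.0.17", "a" * 50 + "." + "b" * 50 + ".t.example", "NOERROR", 140, 900)
      for _ in range(30)],
]

@dataclass
class ClientStats:
    queries: int = 0
    nxdomain: int = 0
    names: set = field(default_factory=set)
    total_bytes: int = 0  # query + response bytes over all queries

def summarise(records):
    """Aggregate per-client counters from the flat query records."""
    stats = defaultdict(ClientStats)
    for client, qname, rcode, qlen, rlen in records:
        s = stats[client]
        s.queries += 1
        if rcode == "NXDOMAIN":
            s.nxdomain += 1
        s.names.add(qname)
        s.total_bytes += qlen + rlen
    return stats

def triage(records, min_queries=20, nx_ratio=0.8, bytes_factor=3.0):
    """Return {client: label} for clients whose DNS behaviour is anomalous."""
    if not records:
        return {}
    # Baseline is the population median, so one noisy client cannot drag it up
    baseline = median(q + r for _, _, _, q, r in records)
    findings = {}
    for client, s in summarise(records).items():
        if s.queries < min_queries:  # too little traffic to judge
            continue
        if s.nxdomain / s.queries >= nx_ratio and len(s.names) >= min_queries:
            findings[client] = "dga-like"
        elif s.total_bytes / s.queries >= bytes_factor * baseline:
            findings[client] = "tunnelling-like"
    return findings
```

Running `triage(SAMPLE_LOG)` labels 10.0.0.9 as DGA-like and 10.0.0.17 as tunnelling-like while the low-volume client is left alone; an analyst would follow each hit into the packet captures rather than act on the label itself.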
UNAUTHORISED USE OF CLOUD SERVICES
Users on the network were using authorised cloud services to store confidential corporate data that should not be sent to the cloud. Perception reported a correlation between a user transferring data from a corporate file server containing confidential data and uploading data to an external cloud server, and then used a combination of statistical data and deep packet inspection to support the claim that it was confidential corporate data being sent. Perception reported data volumes transferred from the server to the client, then from the client to the cloud. Typical security measures fail to discern whether external cloud transfers are confidential or not since the traffic is encrypted, but Perception’s correlation of internal and external transfers identified and detailed the breach in policy. These behaviours are often users simply trying to do their job and misunderstanding security policies, however the loss of data and visibility poses a risk to any organisation.
CONFIGURATION CHANGE LEAVING DEVICES VULNERABLE
An IT admin applied a change to an external-facing device which increased the attack surface of the device. The configuration change enabled enhanced remote management capabilities that should have been enabled on an internal interface only. Within seconds, Perception reported high, sustained inbound session activity on the newly exposed port/service, something which had not been seen before and would not be expected. The activity showed that sessions were established but authentication was failing, providing reassurance that while the server was under attack, it had not yet been exploited. While this information would have been reported in logs, it is often the case that such logs become lost in the noise, whereas Perception was able to highlight this behaviour and bring it to the attention of the analyst. Had this gone undetected, persistence may have enabled external parties to breach the system, or an attack could have been launched against the service if a vulnerability was identified. The extra detail that no exploits were successful before the issue was fixed also saved several man-hours of investigation into the extent of any attacks.
MANAGING APPLIANCE FAILURES
A component device within the network experienced a part failure and started reporting errors at a high rate. Perception reported the change in behaviour of a normally ‘quiet’ device that had started generating a high volume of logging data; this logging data was not being seen by IT personnel. While component failure is not the primary purpose for using Perception, it generates events based on behaviours or, in this case, changes in behaviour, so the failure was surfaced even though the device’s own reports were going unread. This proactive monitoring of the network allowed the failing appliance to be replaced in a planned outage rather than through reactive fixing, resulting in minimal system impact.
UNAUTHORISED DEVICES JOINING NETWORK
An IT engineer had connected an unauthorised device onto the corporate network. This device had a number of unauthorised applications running which increased the risk to the network. Perception reported a number of behaviours highlighting evidence of gaming applications, peer-to-peer sharing applications and unauthorised AV software running. On this occasion, the device was unknown, was not running the endpoint applications monitored by the IT team, and no logging was available to raise awareness. This device increased the attack surface of the network and highlighted a weakness in the physical security controls around connecting unauthorised devices to the network.
VULNERABLE INTERNET OF THINGS (IOT) DEVICES
A poorly configured new IoT CCTV camera was installed on a site. This configuration allowed remote access to view the video stream through a website. The device had been configured to store data locally, so data was not being sent to the cloud service; however, the camera was still internet accessible. Perception reported beaconing activity as the CCTV camera connected to external IPs on a consistent basis to allow for remote access. The events were reported with high confidence due to the frequency and consistency of the connections. The IP had no reputational concerns and there were no policies in place on this site to restrict this traffic. Having this ‘remote access’ feature enabled increased the risk profile of the site and was in breach of privacy legislation.
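The confidence in the CCTV finding came from the frequency and consistency of the connections rather than from IP reputation. The following added example (written for this page, not Perception's own code) measures that consistency as the coefficient of variation of inter-connection intervals over constructed flow records; the IPs, flow layout and thresholds are assumptions.

```python
"""Beacon detection on constructed flow records (added example, not Perception's
own code). The CCTV case study flagged connections to an external IP that
recurred with near-fixed timing; here that regularity is measured as the
coefficient of variation (stdev / mean) of inter-connection intervals, which is
small for a timer-driven beacon and large for human-driven traffic. IPs, flow
format and thresholds are constructed assumptions."""
from collections import defaultdict
from itertools import accumulate
from statistics import mean, pstdev

def _times(intervals):
    """Turn a list of gaps (seconds) into absolute timestamps starting at 0."""
    return list(accumulate([0] + intervals))

# Camera polls its vendor relay roughly once a minute with a little jitter
CAMERA_TIMES = _times([60, 62, 59, 61, 60, 58, 63, 60, 61, 59,
                       60, 62, 60, 59, 61, 60, 60, 58, 62, 60])
# Workstation browsing: bursts and long idle gaps
WORKSTATION_TIMES = _times([5, 130, 2, 900, 47, 3, 600, 12, 250, 8,
                            1400, 33, 90, 4, 720, 15, 300, 7, 60, 2000])

# Constructed flows: (src_ip, dst_ip, start_time_seconds)
FLOWS = ([("192.168.20.14", "203.0.113.10", t) for t in CAMERA_TIMES]
         + [("192.168.20.31", "203.0.113.80", t) for t in WORKSTATION_TIMES])

def beacon_score(timestamps):
    """Return (connections, mean_interval, cv); cv is None if it is undefined."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return len(ts), None, None
    mu = mean(gaps)
    return len(ts), mu, (pstdev(gaps) / mu if mu > 0 else None)

def is_beaconing(timestamps, min_conns=10, max_cv=0.15):
    """A pair beacons if it connects often enough and its gaps are regular."""
    n, _, cv = beacon_score(timestamps)
    return n >= min_conns and cv is not None and cv <= max_cv

def find_beacons(flows, **kw):
    """Group flows by (src, dst) and return {pair: mean_interval_seconds}."""
    by_pair = defaultdict(list)
    for src, dst, t in flows:
        by_pair[(src, dst)].append(t)
    return {pair: round(beacon_score(ts)[1]) for pair, ts in by_pair.items()
            if is_beaconing(ts, **kw)}
```

`find_beacons(FLOWS)` returns only the camera pair with its roughly 60-second period; whether that period is a policy breach, as it was on this site, is a question for the analyst, not the detector.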
REDUCING ANALYST TIME BURDEN FOR INCIDENT INVESTIGATION
Due to the proliferation of more advanced malware and undesirable user behaviour, a business set up an in-house SOC and tooled it with a broad range of technologies. After running this SOC for a year, the business struggled to justify the immense cost of the large number of tools and analysts, most of whom spent all their time sifting through big data to find actionable intelligence.
Once Perception was installed on the network, analysts became far more efficient. The time previously spent querying a bloated dataset was now performed automatically by ForensicAI, meaning the analysts were spending their time investigating reliable sources of vulnerabilities, weaknesses, and threats. This change in activity meant the analysts were far more effective at proactively cleaning up their network, and the business’s assets were garnering a far greater return on investment. This efficiency improvement was further enhanced by Perception’s APIs that were utilised to allow the business’s existing tools to ask questions of Perception and get answers in a targeted way.
NETWORK MONITORING IN AN AIR-GAPPED ENVIRONMENT
A highly secure organisation understood that to get a full picture of the vulnerabilities of their network it was not enough just to collect NetFlow and perform penetration testing periodically. To truly understand whether they had vulnerabilities that could be exploited, they needed to understand how their network changed over time, which devices were active and, most importantly, to find any device behaviours that might be indicative of a vulnerability.
Due to the nature of this organisation’s work, they had a requirement that no data was sent out of the network by the security tools they used. When searching for new tools to provide the required capability with this caveat, the organisation could not find anything suitable. They eventually found Perception, and deployed both the sensors and the CCS on internal networks. Since Perception can operate without any external connections, it performed just as well as it would have done on any other network.
ANALYSIS OF SPECIFIC, POTENTIALLY HIGH-RISK USERS
A major law firm that used Perception was planning a complete restructure that involved the closure of some offices. As part of this restructure, some staff took voluntary redundancy. As part of their obligations under GDPR, the firm needed to ensure the staff that were leaving were not retaining any contact details of clients. They also wanted to monitor the activity of those that were leaving a little closer in order to make sure they were not letting security measures slip in their last months at the firm.
Using the KnowledgeBase feature of Perception, automated daily reports on the users in question were run. Full details of those users’ network activity, including internet activity, what files they had accessed, and their conformity to security protocols, were included in the report sent to the network security personnel. In a small number of cases, staff had accessed contact details of clients in order to bring them to their new firms, and this was identified immediately by Perception.
PROTECTION OF BUSINESS CRITICAL IP
A Perception user’s entire business revolved around the innovative and protected intellectual property they had developed for dedicated chips for consumer electronics. If this intellectual property was to fall into the hands of a competitor, their entire business would be at risk.
As well as protecting their network, Perception was configured to run reports on any user accessing data on file servers that pertained to the protected IP. Since access to this information is restricted, and the frequency of its access is low, Perception easily identified any user requesting access to this data and reported the occurrence to the network security team immediately.