David Ratner, HYAS: “an average intrusion remains undetected in an enterprise network for 99 days”
Threat actors today develop malware that is capable not only of effective infiltration but also of remaining undetected for weeks, months, or in some cases even years.
According to David Ratner, CEO of HYAS, however strong the security solutions monitoring real-time activity are, the numbers show that an average intrusion can last up to 99 days before initial detection, let alone remediation. During that time, cybercriminals collect enormous amounts of sensitive information and other business data, explore the organization, and prepare for their next steps (such as encryption).
So, to improve detection rates, businesses need to closely monitor their outbound communications. We talked with Dr. Ratner about these advanced cyber threats and how enterprises can gain better control of the information leaving their networks.
HYAS has grown exponentially since its launch in 2015. What was your journey like?
HYAS had a forward-looking vision of fundamentally changing the game, approaching the problem of cybersecurity differently, and giving our customers the confidence to move forward in this ever-changing world with a proactive approach. Whenever driving change, there is always an educational period needed to explain the paradigm shift – not only prove that it is effective but also demonstrate that it is better than the past techniques. A large part of HYAS’ journey has been doing exactly that, and we’re incredibly proud of the validation that we’ve received in the market and the associated growth that has come with it.
In all my career, I honestly don't know any other startup companies that can claim the kind of Tier I Fortune 500 customers that HYAS has. As we’ve grown, it has allowed us to not only hire incredible talent and expand our customer base into all geographies but also continue to develop innovative solutions for our customers. I think that’s why so many large-scale and small-scale customers rely on HYAS today.
Can you tell us a little bit about what you do? What are the main challenges you help navigate?
Many cybersecurity companies focus on detecting malicious activity in real-time as it attempts to scale the perimeter and infiltrate the enterprise. However, it’s impossible to effectively protect all entry points with an ever-expanding threat landscape driven by hybrid work models, IoT, other new devices, and reliance on modern cloud architectures.
Rather than trying to strengthen the wall around the enterprise, HYAS realized that bad actors cannot complete their tasks and cause damage if they cannot communicate out from the enterprise network to their command-and-control (C2). Malware, ransomware, and supply-chain attacks all infiltrate the enterprise and then communicate with C2 for instructions, lateral movement, data exfiltration, and eventual ransom or damage. So, blocking their ability to communicate with C2 inhibits their ability to provide instructions, and thus stops the attack before it can even get started.
As the leading expert in adversary infrastructure and malicious actors’ communication with it, HYAS gives enterprises the visibility and control they need to understand who their enterprise is communicating with and why, across both production and corporate networks. By doing this, we not only stop attacks dead in their tracks, but our clients also gain valuable intel about their adversaries, which helps them strengthen their environments for the future.
With all of this information, HYAS gives our clients the control – they can turn the information over to the authorities or simply get proactive against their attackers, and we have effectively flipped the power paradigm. Instead of bad actors gaining millions of dollars from our clients, they become exposed and their attacks rendered ineffective.
What technologies do you use to detect security risks before any attacks occur?
HYAS provides SaaS solutions that are all API-forward and API-first for easy deployment, quick integration into the rest of the security stack, and almost non-existent day-to-day maintenance and management requirements. A fully automated backend incorporates new data from a variety of sources into our data lake in real time. Automated processes, such as the HYAS Watch Engine, maintain a watchful eye on customer outbound communication patterns and perform automated analysis for effective and efficient decision making. Customers can utilize the HYAS-provided GUI via any web browser, or utilize the APIs for enrichment, enforcement, extension, and integration into the third-party solution of their choosing. All of these solutions put our clients in a position to act instead of react. It’s all about realizing that attacks are rendered inert if they cannot communicate with their command-and-control for instructions and next steps.
According to Microsoft research, an average intrusion remains undetected in an enterprise network for 99 days, and recently we’ve even seen examples that stayed hidden for multiple years. During these months and years, the bad actors are stealing information and causing damage via communication between their malware and their C2.
Even though attackers employ clever mechanisms to keep their communication hidden, HYAS can identify even the most camouflaged undesired communication by understanding the reputation of the external communication endpoint, the pattern of communication to it, and the set of changes.
The visibility provided by HYAS enables an enterprise to control their risk, improve their hygiene, and stop the attack before it even gets started, regardless of how it ever got into the enterprise in the first place.
Have you noticed any new tactics cybercriminals started using during the pandemic?
Cybercriminals love to use recent events and news as content for attacks, and the pandemic has provided many opportunities here. Phishing attacks and other intrusions have tried to utilize everything – from government loan information to COVID-19 testing and changing regulations – to trick unsuspecting users. The pandemic fundamentally changed the notion of what it means to attack the enterprise, as breaking into a user’s home machine now provided an easy entry point into the enterprise that may not have existed pre-pandemic.
Additionally, the changing work models and use of the Cloud for a variety of services dramatically increased the overall attack surface, and in many cases decreased an enterprise’s visibility over that attack surface. Cybercriminals definitely took advantage of it, and it highlighted just how important overall visibility and control is to an enterprise.
What cybersecurity threats do you think can become prominent in 2022?
I believe we will see increased numbers of double-threat ransomware attacks that both exfiltrate data and encrypt enterprise operations, holding them hostage for ransom. I also believe we’ll see a dramatic increase in indirect attacks, whether that is by breaking into a library or file used by an enterprise’s service, an intricate supply-chain attack, or utilizing new IoT devices that users connect into their systems and create new exposure points. All of these examples share one common characteristic – the entry-point itself is incredibly difficult to monitor. That's why having visibility and control of what communication is exiting the enterprise is so vital and key to moving forward.
Insider risk is often named one of the biggest challenges in cybersecurity. What do these attacks usually look like?
We see insider risk take many forms, whether it is intentional or unintentional. Some employees or contractors steal data, purposely inject malware, use company resources for personal benefit, and open backdoors into organizations. Equally concerning are people who unknowingly reveal authentication information, accidentally engage in phishing schemes, or unwittingly insert infected devices into the network.
These attacks can take many forms, such as:
- Emailing data to a personal account
- Copying data to a personal storage device
- Picking up a USB stick in the parking lot and bringing it into the building
- Accidentally revealing a password
- Clicking on the wrong link in an email
What measures should organizations have in place to be able to mitigate this threat?
It’s critical to ensure that employees and contractors have appropriate training and that systems enact proper permissions and rules, controlling what data they can access and what actions they can take. This can be accomplished with clear assignment and control over roles, responsibilities, and permissions. But more broadly than that, organizations also need to ensure that they have both the visibility to understand “what’s changed” or “what’s new” and the controls in place to rapidly identify and rectify problems, issues, and potential vulnerabilities.
While historically most approaches have addressed cybersecurity as “protect the perimeter”, insider risk opens up the real possibility that the intrusion enters the enterprise through the backdoor, bypassing traditional perimeter security approaches. This is why it is critical for enterprises to monitor their outbound communication and have the visibility to understand who an enterprise is communicating with, why, and how often.
An insider who accidentally brings an infected USB stick into the building can be quickly detected by noticing a new connection exiting the enterprise to a domain, likely a command-and-control node, and getting instructions. Solutions like Protective DNS are a critical layer to provide this kind of visibility and control.
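As an added illustration (not HYAS code or anything from the interview), the following Python sketch applies the two ideas above to constructed resolver log lines: it flags the first query to a destination name outside a baseline ("what's new") and flags a client that queries one name at a steady cadence, the pattern a timer-driven C2 check-in leaves in DNS. The log format, the baseline set, the domain names and the jitter threshold are all constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed resolver log lines: "<epoch> <client-ip> <queried-name>".
SAMPLE_LOG = """\
1640995200 10.0.4.17 login.microsoftonline.com
1640995260 10.0.4.17 update.example-corp.internal
1640995320 10.0.4.17 a3f9.cdn-status-check.example
1640995380 10.0.4.17 a3f9.cdn-status-check.example
1640995440 10.0.4.17 a3f9.cdn-status-check.example
1640995500 10.0.4.17 a3f9.cdn-status-check.example
1640995560 10.0.4.17 a3f9.cdn-status-check.example
1640995620 10.0.4.22 docs.python.org
"""
# Hypothetical baseline: names this enterprise has resolved before today.
BASELINE = {"login.microsoftonline.com", "update.example-corp.internal", "docs.python.org"}

def parse(log):
    """Yield (timestamp, client, qname) tuples from the constructed log format."""
    for line in log.splitlines():
        ts, client, qname = line.split()
        yield int(ts), client, qname.lower().rstrip(".")

def new_destinations(records, baseline):
    """Return the first query to every name not in the baseline ("what's new")."""
    seen = set(baseline)
    first_seen = []
    for ts, client, qname in records:
        if qname not in seen:
            seen.add(qname)
            first_seen.append((ts, client, qname))
    return first_seen

def beacons(records, min_queries=4, max_jitter=0.1):
    """Map (client, qname) -> mean interval for pairs queried at a steady cadence;
    a low coefficient of variation in the gaps marks a timer, not a human."""
    times = defaultdict(list)
    for ts, client, qname in records:
        times[(client, qname)].append(ts)
    hits = {}
    for key, stamps in times.items():
        if len(stamps) < min_queries:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits[key] = avg
    return hits
```

On the sample, the fourth line is the only new destination and the same client/name pair is the only steady beacon (one query every 60 seconds); in practice both hits would be enriched with the destination's reputation before blocking.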
Share with us: what are the best cybersecurity tools that you think everyone should incorporate into their lifestyle?
Enterprises should deploy a layered approach to cyber security, as there isn't a universal solution that addresses everything. A key component of the foundational layer needs to be the Protective DNS. While blocking attacks at the perimeter is necessary, given the expanding attack surface and continual risk from insiders and social engineering, it’s vital to have the visibility and control of what communications are exiting the enterprise, where they are going, and why.
In fact, some threats, such as the recent log4j vulnerability, proved how complicated it is to detect threats via normal mechanisms, given that the dropper domains could be hosted anywhere, leading to the daunting task of massive log file analysis. However, real-time DNS monitoring could quickly and easily identify an active log4j exploitation.
Similarly, supply chain attacks and intrusions such as SolarWinds, as well as attacks against vulnerable IoT devices, can be detected by an automated analysis of external communications. This is exactly why a Protective DNS solution is so critical for any security stack going forward.
And finally, what’s next for HYAS?
HYAS was created with the mission of giving enterprises the confidence to move forward, regardless of how the world changes, and that’s exactly what it's doing. As we drive forward in 2022 and beyond, HYAS will continue to provide the visibility and controls that enterprises fundamentally must employ today as part of their security stack. Enterprises need to improve security without slowing down the business and enacting barriers to business expansion and growth – that’s exactly what HYAS does and will continue to do. We’re on a mission to change the world and have no intentions of stopping.