Cybersecurity Overview for the Oil and Gas Industry

The Result of Not Addressing Increasing Cybersecurity Risk

The increased potential of blurring boundaries between Information Technology (IT) networks and Operational Technology (OT), for example Industrial Control Systems (ICS), poses a huge risk to the oil and gas industry. As the industry increases its efficiency with automation, companies are significantly increasing their cyber attack surface. Internally, changes due to human error, misconfiguration, insider threat, or the supply chain can change one part of the business indirectly and have major consequences. These changes need to be considered when mitigating cybersecurity risks.

The oil and gas industry has been at risk of losing competitive advantage in several areas, including exploration information or bidding information, by way of intellectual property theft at the hands of a cyber threat adversary. The most significant wake-up call occurred in 2012 with the Shamoon attack on Saudi Aramco, which was destructive in nature as over 30,000 Windows-based machines began to be overwritten. This was a significant problem for the company, which provides 10% of the globe's oil supply, and it caused impacts to their IT systems.

What’s more alarming is that 2017 saw the unauthorized release of sophisticated nation-state cyber tools to the masses, which were then weaponized for multiple destructive campaigns, including WannaCry and NotPetya, which impacted hundreds of thousands of computer systems globally.

With a heightened awareness of cyber breaches and their impacts, it’s still alarming that many IT teams are taking a reactive approach to cybersecurity. Meeting regulation or compliance requirements that don’t evolve rapidly enough to keep pace with adaptive cyber threat adversaries is no longer an option. There is too much political and financial gain to be had by threat actors, and cyber is becoming their avenue of choice for attack because in many cases it is the easiest path and cheapest way to achieve success.

Organizations, especially in the oil and gas industry, are huge targets with very significant consequences that could include destruction of plants or pipelines, loss of life, oil spills and financial loss. Proactive attention is needed by organizations to prevent these tragic scenarios from becoming a reality.

What can the Oil and Gas Industry do?

Technological advancements and cloud adoption don’t eliminate cyber risk; they only change the roles and responsibilities for mitigating cyber risk. That change, especially in large enterprise environments, can unknowingly open opportunities for an adversary to gain access to an organization’s assets. They also increase the stakes when organizations go through IT consolidation. The consolidation of an organization’s information and business critical data offers many advantages, but it can also consolidate the time and effort used by a threat adversary if a breach were to occur.

While there is no standard set of cybersecurity rules for the oil and gas industry, organizations should start with a set of requirements for narrowing the risk of breaches and restricting access to parts of the organization that, formerly, were not connected:

  • Isolate (or "air gap") OT/ICS systems from IT systems (especially web-facing systems)
  • Implement emerging security technologies to better keep pace with adversarial innovation
  • Ensure a higher level of security on backups, where they’re located and how often they’re accessed
  • Establish and enforce a "least privilege" culture across your IT systems
  • Limit the avenues of attack to your key data (from production to exploration to sales, each group’s data should be treated as high value)
  • Enact a specialized and focused security monitoring program on the critical systems/network segments
  • Test your network and its protection and reactive measures vigorously

Mitigating Destructive Malware

One approach for the IT team is to treat each group’s access and behaviors differently. While the establishment of a company-wide security plan can look good to the CTO, clearly defining each group’s security thresholds with its leadership or IT leads can greatly reduce risk and assist in the establishment of testing and monitoring each group’s risk. So while legal

By identifying that risk, IT teams can use that data to help drive where resources should be allocated for the reduction of risk.

One growing area is the sophistication of these attacks. Attackers are no longer trying to break in; they’re designing their attacks to take down the systems that are used for IT recovery. In the past, backup systems have been a vital and necessary tool for bringing back a company after a malicious attack. Now, ransomware such as Locky and WannaCry actually looks for remote shares and backup stores.

Proper cyber hygiene is always important (and yes, very difficult to achieve 95%+ in organizations). Staying current with patches and increased communication with a security vendor’s content can aid greatly in repeat attacks where files are reused by the adversary. This is where defense in depth comes into play, incorporating other security best practices to limit the adversary’s ability to maneuver and move laterally across your organization.

Segmenting this key data on the network and focusing your security operations teams to prioritize its monitoring will greatly improve your chances of thwarting a destructive malware attack. Lastly, non-signature based detection technologies, e.g. Artificial Intelligence/Machine Learning (AI/ML), can rapidly analyze unknown content and identify threats to enable detection and response in order to minimize impact.

The key aspect in a destructive attack is prevention via good hygiene. If the adversary leverages a zero-day exploit or finds a crack in your organization’s security armor, then speed of detection and containment is crucial.

Technological Advancements to Deal With This Problem

Cyber adversaries have been very successful at staying one step ahead. Constantly changing their tools and techniques continues to aid in their success. There are even service offerings on the black market, for example "ransomware as a service," that can enable less sophisticated actors. The increased financial and political gain from cyber breaches has caused a rapid increase in the number and sophistication of threat actors. Organizations in the oil and gas industry, in conjunction with a strong cyber hygiene program and proper network segmentation, should explore security solutions that can help detect and identify unknown threats that routinely evade signature/threat intelligence-based cybersecurity products. For example, real-time threat detection using AI/ML is focused on malicious content (file-based or fileless attacks) without the use of signatures or behavior detection engines.

With the rapid increase in ransomware and other destructive malware, which are capable of impacting an organization immediately upon payload delivery, organizations should shift their focus to leveraging artificial intelligence at the point of entry into their network to better deliver rapid and scalable detection along with increased analyst efficiency.

Conclusion

Proactive cyber defense must be the new normal. The luxury of being able to wait for an attack to react is over. Do not expect others to solve or stop cybersecurity problems for your organization. Cyber risks pose physical and potentially catastrophic risks to many industry verticals, including the oil and gas industry. Overreliance on reactive security and checkbox compliance are proven recipes for failures in mitigating cyber risks, as routinely seen in the news. The oil and gas industry has taken major steps toward reducing cyber risk over the last several years, but in security, the job is never done as long as there are capable adversaries wanting access.

First Published in American Public Gas Association's (APGA) quarterly publication: The Source


Meltdown and Spectre: Bracing for Impact

By: Travis Rosiek, Chief Technology and Strategy Officer, BluVector

In the second post in our series, Meltdown and Spectre: How They Could Be Targeted, we discussed ways in which cyber adversaries could leverage the Meltdown and Spectre vulnerabilities. Now we will switch focus to addressing what organizations and security operations teams should be doing to help mitigate the risks associated with these vulnerabilities.

There are two first steps an organization should take to assess the potential impact of the vulnerability. Organizations should gain a full understanding of what types of systems are impacted by the vulnerabilities: i.e. Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715). Then determine which systems in your network are susceptible to the vulnerabilities. In this case, the scale and scope of impacted systems is much larger than typical vulnerability advisories. These vulnerabilities affect CPUs within systems that were built over the last 20 years and may include mobile devices, servers, desktops, laptops, cloud services and network devices. It’s important to research or keep current on advisories from your vendors and service providers to rapidly deploy patches as they become available. Then deploy (or test and deploy depending on your organizational processes) these patches as fast as your organization can. During your mitigation plan, consider that there is the potential for performance impacts once the patch has been applied.
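One way to make the "determine which systems are susceptible" step concrete for Linux hosts is sketched here as an added example; it is not part of the original post or of any BluVector tooling. It assumes hosts run a kernel that reports per-issue status under /sys/devices/system/cpu/vulnerabilities, and the host names and inventory are constructed sample data.

```python
"""Triage Linux hosts by the kernel's own Meltdown/Spectre status lines.

Added example, not from the original post. SYSFS_DIR is the Linux kernel's
CPU-vulnerability reporting directory; SAMPLE_INVENTORY is constructed data.
"""
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# sysfs file name -> CVE as listed in the post.
CVE_BY_FILE = {
    "meltdown": "CVE-2017-5754",
    "spectre_v1": "CVE-2017-5753",
    "spectre_v2": "CVE-2017-5715",
}


def classify(status):
    """Reduce one status line to not_affected, mitigated, vulnerable or unknown."""
    if status is None:
        return "unknown"  # file missing: kernel too old to report, check by hand
    text = status.strip()
    if text.startswith("Not affected"):
        return "not_affected"
    if text.startswith("Mitigation:"):
        return "mitigated"
    if text.startswith("Vulnerable"):
        return "vulnerable"  # also covers "Vulnerable: <detail>" variants
    return "unknown"


def read_local_status(base=SYSFS_DIR):
    """Read the three status files on this host; None marks a missing file."""
    result = {}
    for name in CVE_BY_FILE:
        try:
            result[name] = (Path(base) / name).read_text().strip()
        except OSError:
            result[name] = None
    return result


def triage(inventory):
    """Return (host, vulnerable_cves, unknown_cves) rows, worst hosts first.

    Hosts where every issue is mitigated or not applicable are left out.
    """
    rows = []
    for host, statuses in inventory.items():
        states = {name: classify(statuses.get(name)) for name in CVE_BY_FILE}
        vulnerable = [CVE_BY_FILE[n] for n, s in states.items() if s == "vulnerable"]
        unknown = [CVE_BY_FILE[n] for n, s in states.items() if s == "unknown"]
        if vulnerable or unknown:
            rows.append((host, vulnerable, unknown))
    return sorted(rows, key=lambda r: (-len(r[1]), -len(r[2]), r[0]))


# Constructed inventory, as if each host had reported its status lines.
SAMPLE_INVENTORY = {
    "web-01": {
        "meltdown": "Mitigation: PTI",
        "spectre_v1": "Mitigation: __user pointer sanitization",
        "spectre_v2": "Mitigation: Full generic retpoline",
    },
    "db-02": {
        "meltdown": "Vulnerable",
        "spectre_v1": "Vulnerable",
        "spectre_v2": "Vulnerable",
    },
    # Old kernel that does not expose the status files at all.
    "hmi-legacy": {"meltdown": None, "spectre_v1": None, "spectre_v2": None},
    "build-arm": {
        "meltdown": "Not affected",
        "spectre_v1": "Mitigation: __user pointer sanitization",
        "spectre_v2": "Vulnerable",
    },
}

if __name__ == "__main__":
    fleet = dict(SAMPLE_INVENTORY, localhost=read_local_status())
    for host, vulnerable, unknown in triage(fleet):
        print(f"{host}: patch for {vulnerable or 'none'}; "
              f"verify manually {unknown or 'none'}")
```

Hosts that report nothing are kept in the output rather than dropped, because a missing status file means the kernel predates the reporting interface and is likely unpatched.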

Next, you need to identify where sensitive customer or business information resides across your enterprise (on/off-premises) and validate or implement a strong level of isolation and a physical separation of critical data and systems from the more public facing systems that aren’t business critical (this also includes client systems which are used for web/email). If business critical information is found on systems where it shouldn’t be, deleting the information and then rebooting the system to clear out system memory is the best strategy for limiting any potential vulnerability.

Lastly, security teams should enhance monitoring of the various avenues of attack that we previously discussed. These are a few examples, but each requires prioritization of focus areas in your organization:

A New Breach – Spear phishing and web-based attacks that leverage fileless or polymorphic malware are the key ways an adversary can gain access to systems and begin to leverage these vulnerabilities to gain access to sensitive data, credentials, etc. Heightened awareness and monitoring of malicious content entering your enterprise are critical as this will likely be the initial vector in exploiting the vulnerabilities. Organizations should explore technologies that are designed to rapidly detect unknown malicious content (fileless and file-based). Being able to detect various stages of a new breach greatly increases your ability to respond quickly and limit impact. Leveraging technologies, like BluVector, that can detect unknown threats (file and fileless) is key to mitigating threat attacks that target unpatched systems or where a hardware refresh doesn’t mitigate the vulnerability.

Expanding a Breach – This scenario is more problematic because it means that an adversary already has access to your enterprise, but until the announcement of these vulnerabilities, hasn’t been able to expand their reach/visibility. By adding code that utilizes the vulnerabilities, the adversary could significantly increase their access. An example for focused monitoring is to look for updates to the Remote Access Toolkits (RATs) by an adversary to enable them to leverage Meltdown and Spectre vulnerabilities. This is just one example of where enhanced monitoring can aid in detecting and mitigating these risks.

Credential Monitoring – These vulnerabilities greatly impact the confidentiality of systems and thus increase the likelihood of credential theft. If the Spectre vulnerability was exploited in your cloud provider’s environment, then your information may be susceptible and the attack would never touch your network. In this case, credential and user behavior monitoring would be the only way to detect it.

Consumers – The Meltdown and Spectre vulnerabilities also impact the consumer market and require vigilance in patching one’s personal devices. It’s imperative that you (and your household) apply patches and follow sound web surfing and email principles in your routine activities.

The nature of vulnerabilities associated with the complexity of hardware, operating systems, applications and the cloud requires a comprehensive approach to confirm and mitigate today’s vulnerabilities. The emerging threat landscape is ever evolving and there is a real fear of the unknown. BluVector’s technology was purpose-built to address the fear of the unknown to help organizations defend against cyber threats that haven’t yet been seen in the wild.


Meltdown and Spectre: How They Could Be Targeted

By: Travis Rosiek, Chief Technology and Strategy Officer, BluVector

In yesterday’s post, Meltdown and Spectre: The Threats in Your Machine, we discussed the significance and some of the technical details of the Meltdown and Spectre vulnerabilities. Today, let’s talk about how a cyber adversary could leverage these vulnerabilities to target your organization or your personal systems.

To prepare for potential attacks that might use the vulnerabilities, it’s important to understand various theoretical scenarios of how an attack could unfold:

New Breach – As with most attacks, the attacker will need to gain access or execute code on the target’s system. These vulnerabilities could be exploited by the very common attacks used today, including drive-by downloads, watering hole attacks or spear-phishing emails, which leverage malicious files (e.g. weaponized PDFs, office documents, etc.) or fileless attacks (e.g. JavaScript embedded in PDF files or in HTML code). Solely relying on signatures and other legacy detection and protection solutions will not provide an organization much protection as knowledgeable attackers craft their attacks to evade most mandated and compliance-based technologies.

Expanding the Breach – These vulnerabilities could provide value to a cyber adversary who already has breached your network and has been unable to gain further access to sensitive information in your environment. For example, the adversary has breached a virtual machine in the network or cloud instance, but has been unable to gain further access. Leveraging Meltdown or Spectre, an attack could allow the adversary to gain access to other systems’ memory spaces. While these spaces might typically be secure and inaccessible, an attack using the vulnerabilities may allow the attacker to begin expanding their access by obtaining sensitive data such as passwords and encryption keys. This is very concerning if organizations rely solely on logical segmentation for security and destructive malware exploits these vulnerabilities to wreak more havoc. This should be a major area of concern.

Avenues of Attack – What SOCs should be watching for (generally, as no samples have yet been found in the wild). The scale and scope of these vulnerabilities are significant and pose various risks to consumers and organizations. First, let’s look at some of the various ways an adversary could leverage these vulnerabilities.

  • Mobile Devices – Malicious mobile applications are a prominent way to target mobile devices (tablets and smart phones). For example, a cybercriminal can spoof a legitimate mobile application and trick users into downloading and installing a version that looks very similar, but is malicious. These malicious mobile applications have limitations based on the permissions granted, but could then exploit the Spectre vulnerability and gain access to memory of other mobile applications on the mobile device (tablet, smart phone, etc.). If a corporate enterprise allows Bring Your Own Device (BYOD), then an adversary could leverage Spectre to access sensitive corporate data contained within another application’s memory space. Possible risks could include: personal email account passwords, corporate login credentials and corporate IP, credit card number, password reminder apps, or other PII/PHI information (disclaimer – each entity’s situation is unique and is very specific to what hardware and software they are running on their devices and requires investigation by your organization to determine
  • Cloud Infrastructure – As moving to the cloud consolidates computing resources for cost savings and efficiencies, the data processing and storage of multiple customers on the same piece of physical hardware can create risk. However, the vulnerabilities could now allow an adversary to expand their foothold and visibility into other logically separated computing environments which would otherwise seem secure.
  • Server/Laptop/Desktop Systems – These systems, even over 10-year-old devices (and especially under-monitored, but connected, ghost devices), are widely deployed and used to process and store sensitive data across all industry verticals. These end devices are subject to similar attacks as noted above (file-based and fileless attacks). Specifically, desktops and laptops are prime targets for cyber adversaries as they can leverage the Meltdown vulnerability to harvest valid network credentials that may be used to directly access other systems in the organization. End user’s stored personal credentials could also potentially be obtained, resulting in financial fraud and identity theft.

The Meltdown and Spectre vulnerabilities are the beginning of the latest wake-up call for organizations to continuously question, enhance, test and secure their environments. While the attacks I’ve described have not yet been seen in the wild, they do represent how attackers might be planning ways to capitalize on the vulnerabilities before adequate patches are deployed widely or hardware is refreshed.

Please come back for Monday’s blog as we discuss some mitigating best practices for Meltdown and Spectre as it relates to cyber hygiene, architectural security practices, and the ways that emerging technologies can provide additional defenses. Our BluVector solutions, which leverage Artificial Intelligence/Machine Learning and Speculative Code Execution capabilities, can help to detect unknown, zero-day attacks that threat actors will inevitably create and use to exploit these vulnerabilities.


Meltdown and Spectre: The Threats in Your Machine

By: Travis Rosiek, Chief Technology and Strategy Officer, BluVector

After responsibly disclosing the details to affected vendors, a collective of security researchers publicly announced details of two critical vulnerabilities they found in current CPUs from Intel, AMD and ARM.

Labeled as Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753, CVE-2017-5715), these vulnerabilities are distinct and have separate mitigations. However, in general terms, both will allow malicious programs to access areas of memory they should not be able to access. This memory may be system memory or memory allocated to other running programs. Thus, a malicious program may be able to access in-memory data such as stored passwords, personal files and business documents.

The basic difference between the two is Meltdown compromises the isolation between the operating system and programs executed by users. Spectre compromises the isolation between different running programs.

Since these vulnerabilities are made possible due to bugs in the physical CPU, these vulnerabilities affect personal computers, including Macs and those running Linux and mobile devices. These vulnerabilities are of potentially even greater concern for cloud providers, as depending on their implementation of hardware virtualization, it could be possible to access data from another customer utilizing the same physical hardware.

As of the time of writing, there is no evidence these vulnerabilities are being exploited in the wild maliciously. In addition to the publishing of the research into these vulnerabilities, there is proof-of-concept code available for both vulnerabilities. Experience with countless other vulnerabilities tells us it is only a matter of time until Meltdown and Spectre malware is released. Attacks could also potentially come from malicious JavaScript utilized in a fileless malware scenario.

Meltdown has been confirmed on Intel CPUs since 1995; it is not currently confirmed to affect ARM and AMD processors. Spectre has been confirmed to affect Intel, ARM and AMD processors.

Patches have been released for Meltdown on Windows, macOS and Linux, though there are reports further patches are to be expected to ensure complete mitigation. Spectre is more difficult to mitigate and will likely require patches to software applications, rather than at the operating system level.

Stay tuned for tomorrow’s blog post:

It’s not currently known how, if at all, these vulnerabilities have been targeted in the wild, but it’s only a matter of when and not if these vulnerabilities will be targeted by cyber adversaries.  Stay tuned to our blog tomorrow as we discuss the various avenues of attack that could exist in your organization and what security teams can do to stay on guard for attacks against these vulnerabilities.  We’ll also discuss best practices and how BluVector’s technology was designed to address both file-based and fileless threats that haven’t been seen before in the wild and where signatures don’t yet exist to detect these types of threats.  Learn how the combination of BluVector’s machine learning and speculative code execution engines can significantly enhance malware detection at line speed.


WannaCry, North Korea and the DHS SAFETY Act

By: Kris Lovejoy, CEO, BluVector

In the wake of the revelation that North Korea was behind the latest WannaCry ransomware attack, it has become apparent that companies of any size or industry can become targets (or merely unwitting victims) for acts of cyber warfare launched between governments. It is equally clear, with the "success" of the attack counted in dollars collected, victims impacted, and outages sustained, that we will see an increase in number of terrorist, extremist, and other hate actors using cyberattacks as the mechanism to enact social unrest and/or financial panic. Now the question remains – how does the average company protect themselves against what seems to be a potentially existential threat?

Thankfully, the U.S. Government, through the Department of Homeland Security (DHS), identified this type of destructive threat and took action to prepare our Government, our businesses, and our people through the Support Anti-terrorism by Fostering Effective Technologies (SAFETY) Act of 2002, which was enacted to promote the development of technologies created by cyber threat hunters and responders.

After rigorous testing by DHS, products like BluVector can be awarded a SAFETY Act Designation, which allows the capability to be considered as a Qualified Anti-Terrorism Technology (QATT). In addition to the prestige such an accolade imbues, there are important real-world benefits to users of the technology, all of which become even more pertinent in our current climate where victims do not only have to address the immediate financial, reputational, and operational impacts – but are forced to spend time addressing lawsuits

By utilizing a QATT Technology, should a cyberattack occur that the Secretary of DHS determines to be an Act of Terrorism, you, the consumer, can rest a little easier, as DHS has mandated that consumers of the technology shall have no liability. Any claim that is filed must be directed at the seller of the technology (that’s us). This protection not only applies to you as a direct purchaser of QATT technology, but also to you as a reseller, partner, end user, or even sub-end user. So, with SAFETY Act designated technologies like BluVector, not only are you armed with the tools to identify, predict, and contain threats, but you have an added layer of protection after an event, for greater peace of mind.

So, ask yourself, after suffering an attack that can interrupt your operations, leak data, and cause huge financial setbacks, do you really want to spend time addressing lawsuits and other claims? Investing in technologies like BluVector may offer the best and easiest "insurance" against this risk.


What’s My IDS Missing?

By: Travis Rosiek, Chief Technology and Strategy Officer, BluVector

Today’s society is quick to adopt and leverage new features and technology without consideration for the security risks and possible consequences. Combined with a thirst for new web applications created with a multitude of easy to program scripting languages, these realities seed a growing attack surface that allows cyber adversaries more ways to conduct their attacks and stay ahead of most security products.

Attack Methodology

Cyber adversaries are constantly evolving their attack methodologies and tools to stay ahead of detection. Over the last couple of years, they have been effectively leveraging operating system capabilities that lack the means to log activity, making this tactic a powerful and lower risk resource for adversaries.

These attacks typically run in memory and operate in areas of the system that are ever changing (e.g. system memory, registry and system utilities which, in many cases, lack logging capabilities). Called "fileless malware," due to a lack of a file used to typically initialize an attack, fileless attack vectors can be leveraged in two common ways:

  • Conduct the entire attack using scripts and avoid writing to disk (but doesn’t persist through a system reboot) or;
  • Leverage a fileless approach as the initial attack vector in order to download and install a malicious backdoor (this maintains persistence). This allows threat actors to not worry as much about whether their backdoor will install properly and evade detection or generate large amounts of logs.

What is Speculative Code Execution?

Speculative Code Execution (SCE) is the exploration of multiple execution paths through machine code or scripts to identify the potential for malicious behavior. The technique does not require but may leverage a control flow graph to determine paths of interest.

How is Speculative Code Execution different than sandboxing for detection?

Sandboxing has been leveraged over the last several years as a means to automate malware analysis by executing a suspicious file in a detonation chamber and then monitoring the file’s interaction with the virtual machine to determine if there are any nefarious interactions.

Applied as a secondary analysis capability for network traffic monitoring devices as well, this technology has been shown to be effective in many use cases but has some limitations. For instance, the speed of performing this analysis is measured in minutes, which limits the amount of traffic that can be analyzed at high network speeds. Another challenge is that adversaries are actively building attacks that can avoid detection by evading sandbox detection techniques.

In response, Speculative Code Execution rapidly examines execution paths of machine code or scripts to identify malicious behavior. This requires much less overhead as compared to sandboxing technologies and can make determinations in milliseconds instead of minutes. This makes speculative code execution very capable of detecting fileless attacks at line rate speeds.

Another advantage of SCE is that it is less susceptible to the evasion techniques that plague sandbox technologies. Many evasion techniques leverage artifacts of the sandbox environment to detect and ultimately evade sandbox analysis. Another difference is that SCE allows an analyst to follow and analyze possible execution paths during dynamic analysis, whereas a sandbox typically only sees the execution path that is observed in the sandbox detonation.
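The contrast between a single observed run and exploring every execution path can be shown with a toy model, added here as an illustration; it is not BluVector's engine or code from the original post. The mini script format, the call names, the capability labels and the "dropper" pattern are all invented for this example.

```python
"""Toy contrast between one observed run and exploring every path.

Added example: the mini script format, call names and capability labels
are hypothetical and exist only to illustrate the idea in the text.
"""

# Call name -> capability it gives the script (hypothetical labels).
CAPABILITIES = {
    "fetch_url": "network_download",
    "write_file": "disk_write",
    "run_process": "process_exec",
}
# A single path holding all of these can fetch and launch a payload.
DROPPER_PATTERN = {"network_download", "process_exec"}

# Constructed sample: behaves differently when it believes it is analysed.
SAMPLE_SCRIPT = [
    ("call", "render_text"),
    ("if", "looks_like_analysis_vm",
        [("call", "render_text")],
        [("call", "fetch_url"),
         # Same condition re-checked: only the False arm is feasible here.
         ("if", "looks_like_analysis_vm",
             [("call", "write_file")],
             [("call", "run_process")])]),
]


def run_once(script, env):
    """Sandbox analogue: follow only the branch this environment selects."""
    calls = []
    for stmt in script:
        if stmt[0] == "call":
            calls.append(stmt[1])
        else:
            _, cond, then_block, else_block = stmt
            taken = then_block if env.get(cond, False) else else_block
            calls += run_once(taken, env)
    return calls


def explore(script, assumed=None, max_paths=256):
    """Return (assumptions, calls) for every feasible path through script.

    Branch outcomes are remembered per path, so a path that would need one
    condition to be both True and False is pruned. max_paths bounds the
    exponential growth that independent conditions cause.
    """
    paths = [(dict(assumed or {}), [])]
    for stmt in script:
        next_paths = []
        for facts, calls in paths:
            if stmt[0] == "call":
                next_paths.append((facts, calls + [stmt[1]]))
                continue
            _, cond, then_block, else_block = stmt
            for value, block in ((True, then_block), (False, else_block)):
                if facts.get(cond, value) != value:
                    continue  # contradicts an earlier branch on this path
                for sub_facts, sub_calls in explore(
                        block, {**facts, cond: value}, max_paths):
                    next_paths.append((sub_facts, calls + sub_calls))
        if len(next_paths) > max_paths:
            raise RuntimeError("path limit exceeded")
        paths = next_paths
    return paths


def capabilities(calls):
    """Capabilities exercised by one sequence of calls."""
    return {CAPABILITIES[c] for c in calls if c in CAPABILITIES}


def flag_paths(script):
    """Paths whose combined capabilities cover DROPPER_PATTERN."""
    flagged = []
    for facts, calls in explore(script):
        caps = capabilities(calls)
        if DROPPER_PATTERN <= caps:
            flagged.append((facts, sorted(caps)))
    return flagged


if __name__ == "__main__":
    observed = run_once(SAMPLE_SCRIPT, {"looks_like_analysis_vm": True})
    print("single run in analysis VM:", sorted(capabilities(observed)))
    for facts, caps in flag_paths(SAMPLE_SCRIPT):
        print("flagged path:", facts, caps)
```

The single run inside the analysis environment records no capabilities, while path exploration reports the download-and-execute path and the condition under which it fires; the `write_file` arm is never reported because it sits on an infeasible path.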

Applying SCE to Next Generation – Network Intrusion Detection

The inclusion of SCE within a Next Generation – Network Intrusion Detection (NG-NIDS) answers several challenges that organizations face in today's threat landscape: speed, volume and accuracy. In more practical terms, it's also an effective approach to applying an emergent detection capability to all network traffic at the point of entry into an enterprise’s network.

This completeness of coverage and ability to detect threats rapidly make it possible to analyze both web traffic and files that contain malicious code. This technological advance provides a robust approach for addressing a new class of attacks that have been a blind spot for many.

For instance, scripting languages are commonly embedded in files (e.g. a PDF with embedded JavaScript) or incorporated into web sites and served up via web surfing. Therefore, an NG-NIDS must be able to account for these attack vectors and analyze and detect these threats at network rate speeds. And they should be engineered to handle the complexity and high volume of content that poses a rapidly increasing risk to an organization.

Answering the Challenge

Fileless malware will become one of the biggest challenges for many organizations as it is designed to avoid detection, cause damage and leave no files for a post-breach investigation. What it can leave behind is damage to productivity and reputation.

If you're not sure if your current IDS is detecting fileless malware, the easy answer is that it isn't. With the release of BluVector 3.0, we are the first and only security vendor to offer fileless malware detection in real time on the network. Combined with our patented machine learning engine that runs in parallel with SCE, customers will significantly lower their threat risk while increasing their detection capabilities. Before your next breach, put us to the test to see how BluVector finds threats that others don't.


About Travis Rosiek
With nearly 20 years of experience in the security industry, Travis is a highly accomplished cyber defense leader having led several commercial and U.S. government programs. He is known for developing and executing strategic plans to build the technical capacity across product development, quality assurance, technical marketing, professional services and sales engineering. Prior to his role at BluVector, Travis held several leadership roles including CTO at Tychon and Federal CTO at FireEye as well as senior roles at CloudHASH Security, McAfee, and Defense Information Systems Agency (DISA).


Understanding the Technology in Next Generation Network Intrusion Detection Systems

As described in earlier posts, a Next Generation Network Intrusion Detection System (NG-NIDS) is a software- or appliance-based solution that monitors network traffic for indications of cyber-attacks or intrusions that have evaded the firewall or endpoint controls. Once identified, high priority attacks can be contained by the NG-NIDS via integration with existing infrastructure or by forwarding contextualized alerts to an SOC team for forensic analysis.

What makes NG-NIDS successful is the integration of machine learning-based technology to power core detection capabilities. Machine learning is an algorithmic method by which an application automatically learns from input and uses feedback to improve performance.

One of the original and more commonly marketed methods of machine learning as applied to cybersecurity is based upon the Bayesian network model. A Bayesian network is a model that identifies a probabilistic relationship between variables based on profiling over time. This model has been prototypically used for detection of anomalous behaviors, such as DDoS attacks or data exfiltration in a post-breach scenario.

While these technologies can be extremely effective in meeting these use cases, application of this technology to a broad range of network malware-based threats is limited. The volume and changeability of network traffic make it difficult to understand what activity is normal. This gives threat actors opportunities to "hide in plain sight" or fool the system into treating their activity as normal.

The next evolution of this behavioral-based approach, applied specifically to fileless and file-based malware attacks, can be found in speculative code execution (SCE), also known as "network emulation." This application of machine learning operates on any network stream and emulates how malware will behave when it is executed. Operating at line speeds, SCE determines what an input can do if executed and to what extent these behaviors might initiate a security breach. By covering all potential execution chains and focusing on malicious capacity rather than malicious behavior, this analytic technology vastly reduces the number of execution environments and the quantity of analytic results -- often to just two or three -- that must be investigated.

The last and rarest machine learning technique leverages supervised machine learning. With this technique, the algorithms are exposed to data, called training instances, which are labeled to produce highly accurate models. While the concept of training and labelling may seem trivial, it is a difficult, expensive and time-consuming process to attain enough training instances of each label to produce models with low false positive/negative rates. In fact, within the network attack detection context, subject matter experts must be used to manually look at every training instance to determine its label, with the number of training instances required in the trillions. The resultant algorithms can be applied to detect aberrations at a binary level, enabling the detection engine to statically identify malware attacks via the presence or absence of particular code features.

Takeaways

Use of machine learning – particularly speculative execution and supervised machine learning – as the technological core of an NG-NIDS makes it possible to once again fulfill the promise that the traditional NIDS was intended to deliver – to identify network attacks with low rates of false positives and negatives. A word of warning, however: Machine learning has become a "buzzword." For those interested in a machine learning powered NG-NIDS, it is critical to "try before buying." Only then can you truly evaluate whether the technology meets your use case.


What is a Next Generation Network Intrusion Detection System?

Intrusion detection was first introduced to the commercial market two decades ago as SNORT and quickly became a key cybersecurity control. Deployed behind a firewall at strategic points within the network, a Network Intrusion Detection System (NIDS) monitors traffic to and from all devices on the network for the purposes of identifying attacks (intrusions) that passed through the network firewall. In its first incarnation, NIDS used misuse-based (rules and signatures) or anomaly-based (patterns) detection engines to analyze passing traffic and match the traffic to the library of known attacks. Once the attack was identified, an alert was sent to the security operations team.

While the technology continues to play a key role in the majority of enterprises, the Network Intrusion Detection System has fallen out of favor for two key reasons:

  1. The rules-based engines used for detection were subsumed into the Next Generation Firewall (NG-FW), making it more cost effective for some organizations to deploy a unified capability;
  2. Threat actors are adept at executing attacks that evade the signatures/rules/patterns used by both the traditional Network Intrusion Detection System as well as the unified NG-FW.

Machine Learning and the Rise of Next Generation Network Intrusion Detection Systems

Like a traditional NIDS, the function of a Next Generation IDS/IPS is to detect a wide variety of network-based attacks perpetrated by threat actors and contain these attacks, where feasible, using appropriate controls. Unlike a traditional NIDS, this technology leverages machine learning powered analytics engines that are capable of identifying attacks that evade traditional misuse-based and anomaly-based engines.

Network attack types that should be addressed by an NG-NIDS include:

Malware Attacks:
Malware is malicious software created to "infect" or harm a target system for any number of reasons. These reasons span simple credential access and data theft to data or system disruption or destruction. Today, an estimated 30% of malware in the wild is capable of evading traditional signature-based technologies. Most organizations addressed this through the deployment of endpoint detection and response (EDR) technologies. In relatively homogeneous environments with firm control over the endpoint, endpoint controls may be adequate. For organizations with an array of client and server technologies, limitations over patch and update frequencies, IoT devices, or end users over whom there is limited control, a strategically deployed NG-NIDS acts as a primary defense against "unknown" malware.

Below are common use cases wherein a Next Generation Network Intrusion Detection System can play a protective role:

  • Malicious websites - These attacks generally start at legitimate websites that have been breached and infected with malware. When visitors access the sites via web browser, the infected site delivers malware to the endpoint. Alternatively, doppelganger sites can be used to disguise malware as legitimate downloads.
  • Phishing/Spearphishing emails - Threat actors trick end users into downloading attachments that turn out to be malware. Alternatively, threat actors trick users into clicking on a seemingly legitimate link to visit a website, from which malware is delivered.
  • Malvertising - In this case, threat actors use advertising networks to distribute malware. When clicked, ads redirect users to a malware-hosting website.

In each of these cases, the NG-NIDS sits between an internal user and an external site and is capable of detecting malware and issuing a block request to a firewall or endpoint manager to contain the threat. In situations where the enterprise uses a split tunnel architecture or allows mobile workers to access the Internet without restriction, the NG-NIDS will see suspicious activity emanating from an infected device once reconnected to the corporate network. NOTE: While an NG-NIDS can be highly effective and easier to deploy than endpoint technologies, it is highly recommended that organizations use both. It is certainly the most effective means of protecting an organization with a mobile workforce.

Attacks that "Live off the Land":
One of the more frightening and rapidly emerging categories of attack is known as a "living off the land", fileless malware, or "in-memory" attack. These attacks are specifically created to start or complete an action that is untraceable by today's security tools. Rather than downloading a file to a host's computing device, the attack occurs in the host's memory (RAM), leaving no artifact on disk. Powering down or rebooting an infected system removes all artifacts of the attack; only logs of legitimate processes running remain, thereby defeating forensic analysis.

How is this attack accomplished? The attacker injects malware code directly into a host’s memory by exploiting vulnerabilities in unpatched operating systems, browsers and associated programs (like Java, JavaScript, Flash and PDF readers). Often triggered by a phishing attack, the victim clicks on an attachment or a link to a malware-infected website or a compromised advertisement on a reputable site.

Once the malware is in memory, attackers can steal administrative credentials, attack network assets, or establish backdoor connections to remote command and control (C2) servers. Fileless attacks can also turn into more traditional file-based attacks by downloading and installing malicious programs directly to computer memory or to hidden directories on the host machine. The threat actor can also employ a variety of tactics to remain in control of the system after a shutdown or reboot.

The role of the NG-NIDS is to intercept suspicious machine code (usually in the form of obfuscated JavaScript, PowerShell, or VBScript) and emulate how malware will behave when executed. Operating at line speeds, the NG-NIDS determines what an input can do if executed and to what extent these behaviors might initiate a security breach. By covering all potential execution chains and focusing on malicious capacity rather than malicious behavior, the NG-NIDS vastly reduces the number of execution environments and the quantity of analytic results, thereby reducing the number of alerts that must be investigated.

Worms:

Worms are a form of self-propagating malware that does not require user interaction. WannaCry, for example, targeted a widespread Windows vulnerability to infect a machine. Once infected, the malware moved laterally, infecting other vulnerable hosts. Once the target is infected, any number of actions can be taken, such as holding the device for ransom, wiping user files or the OS, stealing credentials, or scanning the network for vulnerabilities.

A strategically deployed NG-NIDS, sitting in an internal network, is capable of detecting lateral spread of the worm and issuing a block request to a firewall or endpoint manager to contain the threat.

Web attacks:

In a web attack, public facing services – like web servers and database servers – are directly targeted for a variety of reasons: to deface the web server, to steal or otherwise manipulate data, or to create a launching pad for additional attacks. The most common means of attack in this category include:

  • Cross-Site Scripting (XSS) - An attacker injects malicious code into the web server which, in turn, is executed on an end user's browser as the page is loaded.
  • SQL Injection (SQLi) - An attacker enters SQL statements to trick the application into revealing, manipulating, or deleting its data.
  • Path Traversal - Here, threat actors custom craft HTTP requests that can circumvent existing access controls, thus allowing them to navigate to other files and directories.

An NG-NIDS, sitting behind the firewall and in front of a Web or database server, is capable of detecting these attacks and issuing block requests to an application firewall.

Scan Attacks:

Scans are generally used as a means to gather reconnaissance. In this case, threat actors use a variety of tools to probe systems to better understand targets available and exploitable vulnerabilities.

An NG-NIDS, sitting behind the network firewall, is capable of detecting these probes and issuing block requests to the network firewall.

Brute force attacks:

The threat actor attempts to uncover the password for a system or service through trial and error. Because this form of attack takes time to execute, threat actors often use software to automate the password cracking attempts. These passwords can be used for any number of purposes, including modification of systems settings, data theft, financial crime, etc.

An NG-NIDS, sitting behind the network firewall and/or at strategic points within the network, is capable of detecting brute force attacks and issuing block requests to the network firewall.
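The detect-then-block flow described for scan and brute force attacks can be sketched with a sliding-window counter per source. This is an added example, not code from the article or from any vendor's product; it uses plain thresholds rather than machine learning, and the record format, thresholds and addresses are constructed assumptions.

```python
from collections import defaultdict, deque

WINDOW = 60          # seconds of history kept per source (assumed value)
SCAN_TARGETS = 10    # distinct (host, port) pairs probed within WINDOW
FAILED_LOGINS = 5    # failed logins against one service within WINDOW

def detect(records):
    """Return block requests [(src, reason, ts)] for time-ordered records.

    Each record is (ts, src, dst, port, event); event is "syn" for a
    connection attempt, "auth_fail" or "auth_ok" for a login result.
    """
    probes = defaultdict(deque)    # src -> deque of (ts, (dst, port))
    failures = defaultdict(deque)  # (src, dst, port) -> deque of ts
    blocked, requests = set(), []

    def flag(src, reason, ts):
        if (src, reason) not in blocked:   # one request per source and reason
            blocked.add((src, reason))
            requests.append((src, reason, ts))

    for ts, src, dst, port, event in records:
        if event == "syn":
            q = probes[src]
            q.append((ts, (dst, port)))
            while q and q[0][0] <= ts - WINDOW:   # expire old probes
                q.popleft()
            if len({target for _, target in q}) >= SCAN_TARGETS:
                flag(src, "scan", ts)
        elif event == "auth_fail":
            q = failures[(src, dst, port)]
            q.append(ts)
            while q and q[0] <= ts - WINDOW:      # expire old failures
                q.popleft()
            if len(q) >= FAILED_LOGINS:
                flag(src, "brute_force", ts)
    return requests

def sample_records():
    """Constructed traffic: one scanner, one password guesser, one normal user."""
    recs = [(t, "10.0.0.50", "10.0.1.%d" % (t + 1), 445, "syn") for t in range(12)]
    recs += [(20 + 3 * i, "10.0.0.66", "10.0.1.5", 22, "auth_fail") for i in range(6)]
    # A user who mistypes a password twice, then succeeds, must not be flagged.
    recs += [(5, "10.0.0.7", "10.0.1.5", 22, "auth_fail"),
             (9, "10.0.0.7", "10.0.1.5", 22, "auth_fail"),
             (14, "10.0.0.7", "10.0.1.5", 22, "auth_ok")]
    return sorted(recs)

if __name__ == "__main__":
    for src, reason, ts in detect(sample_records()):
        print(f"t={ts:>3}s block {src} reason={reason}")
```

Each returned tuple stands in for the block request that would be sent to the network firewall; the user with two mistyped passwords stays below the threshold and produces none.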

Denial-of-service attacks:

Also known as distributed denial-of-service (DDoS) attacks, these attacks try to overwhelm their target – typically a website or DNS servers – with a flood of traffic. In this case, the goal is to slow or crash the system.

An NG-NIDS, sitting behind the network firewall, is capable of detecting DDoS attacks and issuing block requests to the network firewall.