Symantec’s security researchers uncovered last year’s Dragonfly 2.0 attacks targeting energy companies and the power grid as well as Lazarus hackers’ links to the WannaCry attack in May 2017.
Now the company is making its internal threat detection tools available to businesses with its Targeted Attack Analytics (TAA). The technology comes built in to Symantec’s Advanced Threat Protection (ATP) product; existing ATP customers will automatically get Targeted Attack Analytics in their next product upgrade.
TAA uses machine learning to automate the discovery of targeted attacks — these are the most dangerous threats to corporate networks. They are highly sophisticated attacks and difficult to discover, which means they sometimes aren’t found for several months. This gives the attackers plenty of time to gain access to systems, seize data, and cause massive amounts of damage.
Targeted attacks are often hidden from companies beneath a glut of alerts generated by security systems. Symantec’s new product eliminates false positives, identifies real targeted activity, and prioritizes it via an incident report.
Targeted Attacks Increasing
The number of targeted attack groups is growing, with Symantec’s attack investigation team now following 140 of these organized groups, many of whom are state-sponsored actors.
“We’ve taken the knowledge that our advanced attack investigation team has, and we’ve codified that knowledge by pairing that team up with advanced machine learning and artificial intelligence (AI) experts,” said Alejandro Borgia, vice president of product management at Symantec. “These are attacks that often are only discovered after the damage is done. We’ve enabled companies to find these attacks before they inflict damage, to find them automatically, and extract them.”
The company has been using this technology internally since last year. Since then, TAA has detected about 1,400 of these targeted attacks, at a rate of about 10 per week, Borgia said, adding that by comparison Symantec blocks billions of attacks on an annual basis.
“With targeted attacks of this nature, finding the initial seed can take months or years, and running the investigation often takes three months or more of manual work,” Borgia said. “We’ve codified that work and automated it so we can do so much more. We would never have been able to scale up and find 10 attacks per week if it wasn’t for this technology.”
Automated Detection and Response
The technology uses machine learning to analyze data including knowledge from the company’s internal investigation team as well as system and network telemetry fed by Symantec’s global customer base. It runs analytics in the cloud, which enables frequent re-training and updating to adapt to new attack methods without customer impact or the need for product updates. It then connects to ATP, where a targeted attack alert appears.
The ATP product then automates threat response and remediation.
“It has the capability to remediate any endpoint involved in that targeted attack,” said Adam Bromwich, senior vice president of engineering at Symantec. “It connects directly to the endpoint products and can take action on those endpoints as needed.”
And while companies will initially access the new threat-detection technology via the ATP product, Symantec built it as a backend capability for its integrated cyber defense platform that connects all of the company’s security products. “The technology was architected such that we can connect it through many other products in our portfolio, and we’ll do that over time,” Bromwich said.