Hacking the hackers with big data

When researchers uncovered cyber attacks on a range of US-based think-tanks earlier this year, they didn’t rely on typical detection techniques. If they had, they might have let the perpetrators slip away, as the attackers weren’t using typical hacker tools that traditional anti-virus protection would detect.

Instead, security firm CrowdStrike correlated data from tiny computer programs, or sensors, installed on servers and PCs used by the organisations. By collecting the right kinds of information and using analysis tools to find patterns across the different attacks, CrowdStrike was able to spot identical tactics in each case and determine it was the same group of hackers, who the researchers claimed were backed by the Chinese government.

Dmitri Alperovitch, chief technology officer and co-founder of CrowdStrike, says this was his company following the advice of ancient Chinese military strategist Sun Tzu: know your enemy. This is the vendor’s idea of using “big data to hunt for big game”. Outside the hyperbole, its methods show what can be achieved by layering analytics on top of live streams of data and on information hidden away in storage systems.

To adapt to this new way of thinking, businesses will have to change how they collect that data. Their traditional security technologies, from anti-virus to firewalls to intrusion detection systems, weren’t built to collect this information, says Mr Alperovitch. Companies need to be far more proactive in hoovering up data across the network using bespoke security tools.

“It’s akin to having a security guard in your building; sure, they can sit in their booths all day long and just wait for an alarm to go off or they can actually proactively go out with a flashlight in every office and every corner of the building. The second way is much more likely to get you the result you want.

“It’s not just about the volume…the key thing is coverage. If your security guard is very thorough, but only searches one part of the building, then that’s no good because the adversary can hide in the other rooms,” says Mr Alperovitch.

This kind of approach has been adopted by King, creator of the popular Candy Crush Saga mobile game. Chief information security officer at King, Jacques Erasmus, says the company is using CrowdStrike kit, but has also built its own big data framework to look into strange behaviour on its machines.

Using the Hadoop tool, which can be programmed to draw together different pieces of information, and placing sensors on the gateway to the network, Mr Erasmus and his team have created a system that will collect and log all data entering and exiting the business. This will then pick up on odd activity that other detection tools wouldn’t, such as when an infected PC or server starts communicating with hackers at strange times.

It goes deeper. As attackers often create new websites to launch attacks, so that when a visitor arrives malware is thrust at their PC, Mr Erasmus decided to have his software issue warnings when workers went on to these web domains. The newer the website, the more urgent the alert. This helps King avoid many of the latest threats, he says.
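The two detection ideas attributed to King above, odd-hours communication from an internal machine and visits to freshly created web domains, are easy to express once gateway traffic is logged. The following is an added example, not King's or CrowdStrike's code; the log lines, the domain registration dates (which in practice would come from WHOIS or passive-DNS lookups), the working-hours window and the severity thresholds are all constructed assumptions.

```python
"""Added example: two simple checks over constructed gateway log lines.

It flags (1) a host that repeatedly contacts the same domain outside working
hours at a regular interval, and (2) visits to newly created domains, with
severity rising as the domain gets newer. None of the data here is real.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source host> <destination domain>"
SAMPLE_LOG = """\
2014-09-02T09:15:00 ws-101 updates.example-vendor.test
2014-09-02T13:40:00 ws-101 mail.example-corp.test
2014-09-03T02:05:00 ws-117 cdn-7f3k.example-new.test
2014-09-03T02:35:00 ws-117 cdn-7f3k.example-new.test
2014-09-03T03:05:00 ws-117 cdn-7f3k.example-new.test
2014-09-03T03:35:00 ws-117 cdn-7f3k.example-new.test
2014-09-03T10:00:00 ws-117 www.example-corp.test
2014-09-03T11:20:00 ws-122 login.example-fresh.test
"""

# Assumed domain creation dates (constructed stand-in for a WHOIS lookup).
DOMAIN_CREATED = {
    "updates.example-vendor.test": datetime(2009, 1, 10),
    "mail.example-corp.test": datetime(2005, 6, 1),
    "www.example-corp.test": datetime(2005, 6, 1),
    "cdn-7f3k.example-new.test": datetime(2014, 9, 1),
    "login.example-fresh.test": datetime(2014, 8, 20),
}

ANALYSIS_DATE = datetime(2014, 9, 3)   # constructed "now" for the domain-age check
WORK_START, WORK_END = 7, 20           # assumed local working hours (07:00-20:00)


def parse_log(text):
    """Turn the log text into (timestamp, host, domain) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, host, domain = line.split()
            events.append((datetime.fromisoformat(ts), host, domain))
    return events


def off_hours_beacons(events, min_hits=3, tolerance=timedelta(minutes=2)):
    """Hosts talking to one domain outside working hours at a steady interval.

    A compromised machine checking in with its controller tends to do so on a
    timer; regular gaps between off-hours contacts are the signal looked for.
    """
    by_pair = defaultdict(list)
    for ts, host, domain in events:
        if not WORK_START <= ts.hour < WORK_END:
            by_pair[(host, domain)].append(ts)
    findings = []
    for (host, domain), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if max(gaps) - min(gaps) <= tolerance:       # near-constant spacing
            findings.append({"host": host, "domain": domain, "hits": len(stamps),
                             "interval_min": round(gaps[0].total_seconds() / 60)})
    return findings


def domain_age_alerts(events, now=ANALYSIS_DATE):
    """Visits to young domains; the newer the domain, the higher the severity."""
    alerts = {}
    for _, host, domain in events:
        created = DOMAIN_CREATED.get(domain)
        if created is None:
            continue                                  # unknown age: not alerted here
        age = (now - created).days
        if age <= 7:
            severity = "high"
        elif age <= 30:
            severity = "medium"
        elif age <= 90:
            severity = "low"
        else:
            continue                                  # established domain
        entry = alerts.setdefault(domain, {"domain": domain, "age_days": age,
                                           "severity": severity, "hosts": set()})
        entry["hosts"].add(host)
    return sorted(alerts.values(), key=lambda a: a["age_days"])


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in off_hours_beacons(evs):
        print("off-hours beacon:", f)
    for a in domain_age_alerts(evs):
        print("young domain:", a)
```

On the constructed log, the only beacon finding is ws-117 contacting cdn-7f3k.example-new.test every 30 minutes in the early hours, and the same domain (two days old) is rated high while login.example-fresh.test (two weeks old) is rated medium. In a real deployment the thresholds and the working-hours window would be tuned per network, and domains with unknown age would normally be queued for lookup rather than silently skipped.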

Though the software side of such big data security can be cheap, especially where open source tools are used, the hardware cost can escalate quickly where significant processing power is required. “Depending on how much data you have, it can get very expensive,” Mr Erasmus concedes. “It could cost a hell of a lot of money, millions to tens of millions.

“You have to look at your threat matrix to see what is your actual exposure if you did get breached. If you don’t have any super-secret intellectual property or user data or money, you could probably get away with less [investment]. It really depends what you’re trying to defend against.”

Regardless of cost, businesses need to think about the end-users too. The right algorithms are vital in uncovering an attacker on the network, as they automate the investigation by picking up on patterns that suggest malicious activity, but it is also key to let human beings look at the data. Visualisations in 3D provide the most aesthetically pleasing options, and they also have genuine value over their 2D equivalents, especially when dealing with big data.

The OpenGraphiti tool, which was opened up for free to the world in August, is a prime example of this. Interactive 3D visualisation software, it is designed to help companies pick out anomalies on the network in the same way virologists use known patterns of diseases to recognise a virus. In this way, organisations can visualise the unknowns that could be threats.

OpenDNS, the creator of the software, used it last year to pick up on clusters of infected PCs running the infamous Cryptolocker malware, which locked people’s files up and demanded payment. “A lot of people are stuck using basic tools for visualisation. They have tremendous limitations for scale. But this is built to work with hundreds of thousands of nodes,” says Andrew Hay, senior security research lead and evangelist at OpenDNS.

Attackers have always had the upper hand over cyber defenders. But by using sensors to collect relevant data before layering analysis and visualisation tools over the top, businesses’ digital defenders can start taking the fight to malicious hackers.