Monitoring solutions have never been as important as they are today. In both Web2 and Web3, security teams see a barrage of threats never seen before. In Web3, some of the biggest heists ever undertaken are occurring with disturbing frequency and transparency. The history of monitoring spans a surprisingly long period, dating back to the early days of the internet. This blog explores how we got to the monitoring paradigm in which Forta sits and what the road ahead looks like for protecting end users and protocols.
Digital monitoring dates back to the early days of the Internet. Bro (or Zeek) is a network intrusion system that was first introduced in 1995. The concept of intrusion detection systems was expanded to host based intrusion detection systems. That said, these systems didn’t gain broad adoption as they were noisy and difficult to maintain.
Up until 2011, the tech industry primarily focused on prevention, investing in firewalls and anti-virus software to secure enterprises. With the adoption of the cloud, it all changed. This allowed security businesses to collect and process data centrally to derive threat intelligence and create higher quality alerts. Crowdstrike was the first major company that offered a cloud based endpoint detection and response (EDR) service. Major security companies either followed, or became irrelevant.
The first EDR services were primarily heuristic based. Heuristics, created by security researchers, allow for precise alerts with little to no data requirements (like labeled data) but suffer from low recall and generalizability. As customers onboarded and more real world data became available, these companies heavily invested into data science, in particular supervised machine learning models (labels are required for this approach). They also invested heavily in anomaly detection which is more suitable for scenarios without labels, like rare targeted attacks.
Overall, the EDR solutions provide great coverage for attacks. They are layered assessing data on the network, endpoint, and cloud level. As such, when an attacker enters a network through a phishing attack, they can be traced and the attack effectively mitigated further down the kill chain.
EDR solutions, however, quickly ran into issues around noise, high volume, explainability, and ability to respond to attacks. These challenges are often rooted in scaling issues where incident response teams are small, hard to grow due to lack of security personnel, and lack true security expertise.
The world of Web3 is quite different from that of Web2. Web2 attacks are overall slower and the impact of a successful attack is much harder to measure and quantify. Web2 also only deals with data that is being collected. In Web3, data is generally available (ZK and Dapp data being the notable exception) and almost exclusively deals with user funds.
A large portion of attacks in Web3 are fast, too fast for manual investigations. In this space, highly precise alerts need to be emitted prior to funds being exploited, such that automated incident response can take mitigative actions. Machine learning approaches are proving to be an effective approach to create such alerts. Although automated incident response scenarios are possible through the integration of smart contract operational services like Chainlink Keepers and OZ’s Defender, these applications have not been widely adopted for such a use case.
Some attacks, however, do span hours if not days (e.g. Nomad bridge or BadgerDAO). In these cases, monitoring and manual analysis by experts is required. Similar to Web2, investments would need to be made to reduce the burden on the incident responders/ security operations center, such as ranking, clustering, explainability, investigative tooling, etc.
End user protection, similar to enterprise monitoring, relies on large amounts of data and cloud capabilities. At its core, the protection scenario requires a layered detection approach that consists of:
1. Fast heuristics and indicators that are curated by an expert team. This team also deals with ongoing attacks to establish detection coverage.
2. Machine learning that continuously trains on data and labels to generalize beyond the specific attack.
This approach is effective. However, in an adversarial environment and with financial motivation, attackers continuously try to get around these defenses and succeed to the extent that maintains their business model.
Concepts of zero trust (positive reputation) where protections are flipped towards disallowing everything and only allowing a subset (e.g. disallowing all emails, but allowing emails from providers with DMARC/DKIM/SPF) have been proposed, but not successfully implemented due to the concerns of user friction it may create that stem from false positives.
End user protection falls into two categories for Web3: negative and positive reputation services. A negative reputation would protect patient X whereas a positive reputation service would protect patient 0.
A negative reputation service could be established by identifying malicious EOAs, contracts, and compromised contacts. Forta’s intelligence already produces these negative reputation signals that are consumed by wallets providers like ZenGo. However, speed is still of utmost importance. Web2 companies augment automated threat intelligence generation with manual threat intelligence generation by threat experts. Similarly, Web3 likely will require this expert knowledge and incentive structures would need to be created to encourage providing such intelligence.
A positive reputation system would operate differently. It would deem everything as malicious and only allow EOAs/smart contract interactions with known good entities. Detection bots would need to be created to establish said positive reputation (e.g. through heuristics and ML models). Note that a positive reputation system will be less precise and therefore could create user friction. Dependent on the security posture of the protocol, this may be an acceptable trade off.
A path towards a monitoring solution that holistically secures Web3 could take the form of the following three areas.
(1.) The establishment and standardization of actionable negative signals through heuristics (where Forta is today). This allows for the protection of patient X in the end user scenarios and in slow moving attacks by having protocols monitor and initiate manual incident response processes to mitigate attacks. For the potential of negative signals to be realized, the issue of alert fatigue needs to be addressed by alert clustering, ranking, and investments to increase precision through data science and advanced machine learning models.
(2.) The investment and creation of what will become automated incident response for protocols. Of the three areas, the most work is needed here. Precision of alerts needs to be increased if protocols are to rely on automated emergency response systems that may shut off some function to their systems. Smart contract libraries and operational systems need to team up with monitoring protocols to enable automated incident response by defining the automated incident response action as well as operational structures. Cross-chain intelligence is needed to empower protocols to incorporate automated incident response on-chain. Finally, a positive reputation system is needed for both end users as well as on-chain protocols.
(3.) The safeguarding of users via wallet providers. For most, your funds are only as safe as your wallet providers’ protections. While most wallets do not and could not have major security breaches exposing private keys, they lack the safety features that successfully navigate users away from malicious actors. If DeFi is to proliferate to the point where the average person is frequently interacting with smart contracts, they should not be at risk of falling victim to the phishing scams currently running rampant in Web3. Like in Web2, firewalls need to be instituted blocking the user from accessing content deemed malicious unless otherwise instructed. Some wallets, like ZenGo, have taken steps toward what a wallet of the future might look like by adding scam warning prompts powered by Forta monitoring and other security features. The bottom line is that wallets providers need to assume responsibility for the safety of their users, full stop.
Monitoring has taken time to evolve to this point and will no doubt evolve further into what is described above or another permutation. Regardless of where the space goes, Forta is positioned to protect end users and protocols from attacks, now and in the future.