Attacks/Breaches
3/5/2014
12:06 PM
Martin Lee
Martin Lee
Commentary
Connect Directly
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Data Breach: ‘Persistence’ Gives Hackers the Upper Hand

Hackers are winning on speed and determination. But we can stack the odds in our favor by shifting the time frames of an attack. Here's how.

Over the past few years attackers have proved adept at compromising even the most secure organizations. A common theme in successful attacks is persistence. Given the complexity of modern software and network environments, if an attacker looks hard enough, or waits long enough, a weakness will become apparent that can allow the attacker to compromise the target. Consequently focusing solely on keeping attackers out of a network is no longer the best strategy to protect an organization from cyber security threats.

The numbers speak volumes: It only takes minutes from the initiation of an attack for an attacker to compromise a system. Once access has been achieved, data can be exfiltrated quickly. Within organizations, it takes in the order of months to discover the compromise, weeks for the breach to be resolved. Clearly attackers have the upper hand. The task of defending networks is becoming more difficult, rather than easier, as perimeters continue to expand through the use of external cloud systems, the phenomena of BYOD, and integrated services with external third parties.

The magnitude of the issue
(Image: 2012 Verizon Data Breach Investigations Report)

Unfortunately, we cannot turn back the clock and return to more innocent and less complex days. As attackers become more skilled and systems become more complex, it is next to impossible to keep systems completely free from compromise.

I’m not saying that we should give up. In fact, I strongly believe it is still possible to prevent most attacks and -- even when an attack is successful -- it is possible to identify and remediate the breach before harm is incurred. The key is to shift the time frames of an attack, so that the odds are stacked in the defender’s (not the attacker’s) favor.

Shifting the odds towards success
(Image: 2012 Verizon Data Breach Investigations Report)

Australia's Department of Defence found just four mitigation strategies to be successful in preventing 85% of targeted attacks: patching, application whitelisting, restricting administrative privileges, and creating defense-in-depth. These mitigations won’t stop all attacks. Notably, patching won’t help against zero day attacks. However, these strategies will frustrate attackers and force them to expend more time and effort to gain access.

It’s also important to understand that cybercrime is an economic crime. If an attacker finds that a target is too expensive in terms of time, effort, and resources to breach, the attacker will switch attention to an easier target that offers the same rewards at a lower cost. For example, segregating networks so that the attacker cannot easily gain access to confidential information means that attackers have to work harder before they can extract valuable data. The harder and longer attackerd have to work, the better the chances they will leave traces that can be identified.

Network vigilance is another factor that can reduce the time frame from compromise to detection. It is during this period that attackers are able to explore networks and steal resources without hindrance. By identifying abnormal network activity and distinguishing it from normal day-to-day activity, incursions can be detected before they cause harm. Modern SIEM systems allow logging data from IPS systems, firewalls, file servers, and domain servers to be aggregated and analyzed. Not every attacker will generate alerts from the IPS system, but alerts such as users attempting to access files outside of their job role, or at odd times of the day, should prompt security teams to investigate further.

Prioritizing network security alerts requires procedures and practice. Minor alerts should be ignored so that response teams can focus on important issues. Despite the headlines, major breaches are rare events. Security teams may only be faced with such an incident once a decade. However, when an organization is faced with such a scenario, security teams need to be able to respond quickly, effectively, and confidently. This can only happen if people are trained and practiced in responding to such incidents. Working through theoretical exercises to decide how to respond, and practicing response to simulated attacks, should be standard practice in incident planning. By reviewing the results of such practices, improvements can be implemented so that when a major incident does happen, teams know exactly how to respond and react.

In the real world we have to face the fact that, despite our best efforts, we are not going to be able to defend against every attack all of the time. This does not mean that information security is ineffective. On the contrary, security managers are on the front line fighting against the world’s most sophisticated adversaries. But to succeed we need to stack the odds in our favor through better planning; defense strategies that frustrate attackers; and faster spotting, response, and recovery efforts.

As Technical Lead within Cisco's TRAC team, Martin Lee researches the latest developments in cybersecurity and delivers expert opinion on how to mitigate emerging threats and related risks. A Certified Information Systems Security Professional (CISSP) and a chartered ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Gary Scott
50%
50%
Gary Scott,
User Rank: Apprentice
3/6/2014 | 1:39:33 PM
The Economics of Cybercrime
Cybercrime is a function of economics.  If the potential for reward is greater than the sum of time, cost and risk of an attack, you will see cybercrime continue.  The same economics are true on the company's part.  Companies spend millions of dollars building walls but freely allow digital data - usually hard drives – be removed by anyone with an "electronic recycling" t-shirt.

When performing an IT refresh or decommissioning equipment, focus on data destruction first and recycling second.  It could save your company from what Target is going through. 
MartinL923
50%
50%
MartinL923,
User Rank: Apprentice
3/7/2014 | 5:40:14 AM
Re: The Economics of Cybercrime
As Stephen Colbert pointed out at RSA, the NSA showed how an organisation with an unlimited budget can get pwned by a 29 year old with a thumb drive.

Too often security spending seems to be about justifying budgets rather than considering how we can slow down and frustrate attackers, while speeding up detection and remediation. Organisations need to think where their valuable data is located, how it is accessed, and how they would know if someone accessed it improperly.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2382
Published: 2014-11-20
The DfDiskLo.sys driver in Faronics Deep Freeze Standard and Enterprise 8.10 and earlier allows local administrators to cause a denial of service (crash) and execute arbitrary code via a crafted IOCTL request that writes to arbitrary memory locations, related to the IofCallDriver function.

CVE-2014-3625
Published: 2014-11-20
Directory traversal vulnerability in Pivitol Spring Framework 3.0.4 through 3.2.x before 3.2.12, 4.0.x before 4.0.8, and 4.1.x before 4.1.2 allows remote attackers to read arbitrary files via unspecified vectors, related to static resource handling.

CVE-2014-8387
Published: 2014-11-20
cgi/utility.cgi in Advantech EKI-6340 2.05 Wi-Fi Mesh Access Point allows remote authenticated users to execute arbitrary commands via shell metacharacters in the pinghost parameter to ping.cgi.

CVE-2014-8493
Published: 2014-11-20
ZTE ZXHN H108L with firmware 4.0.0d_ZRQ_GR4 allows remote attackers to modify the CWMP configuration via a crafted request to Forms/access_cwmp_1.

CVE-2014-8767
Published: 2014-11-20
Integer underflow in the olsr_print function in tcpdump 3.9.6 through 4.6.2, when in verbose mode, allows remote attackers to cause a denial of service (crash) via a crafted length value in an OLSR frame.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?