Attacks/Breaches
3/5/2014 12:06 PM
Martin Lee
Commentary

Data Breach: Persistence Gives Hackers the Upper Hand

Hackers are winning on speed and determination. But we can stack the odds in our favor by shifting the time frames of an attack. Here's how.

Over the past few years attackers have proved adept at compromising even the most secure organizations. A common theme in successful attacks is persistence. Given the complexity of modern software and network environments, if an attacker looks hard enough, or waits long enough, a weakness will become apparent that can allow the attacker to compromise the target. Consequently, focusing solely on keeping attackers out of a network is no longer the best strategy to protect an organization from cyber security threats.

The numbers speak volumes: It only takes minutes from the initiation of an attack for an attacker to compromise a system. Once access has been achieved, data can be exfiltrated quickly. Within organizations, it takes on the order of months to discover the compromise, and weeks for the breach to be resolved. Clearly attackers have the upper hand. The task of defending networks is becoming more difficult, rather than easier, as perimeters continue to expand through the use of external cloud systems, the phenomenon of BYOD, and integrated services with external third parties.

The magnitude of the issue
(Image: 2012 Verizon Data Breach Investigations Report)

Unfortunately, we cannot turn back the clock and return to more innocent and less complex days. As attackers become more skilled and systems become more complex, it is next to impossible to keep systems completely free from compromise.

I’m not saying that we should give up. In fact, I strongly believe it is still possible to prevent most attacks and -- even when an attack is successful -- it is possible to identify and remediate the breach before harm is incurred. The key is to shift the time frames of an attack, so that the odds are stacked in the defender’s (not the attacker’s) favor.

Shifting the odds towards success
(Image: 2012 Verizon Data Breach Investigations Report)

Australia's Department of Defence found just four mitigation strategies to be successful in preventing 85% of targeted attacks: patching, application whitelisting, restricting administrative privileges, and creating defense-in-depth. These mitigations won’t stop all attacks. Notably, patching won’t help against zero-day attacks. However, these strategies will frustrate attackers and force them to expend more time and effort to gain access.

It’s also important to understand that cybercrime is an economic crime. If an attacker finds that a target is too expensive in terms of time, effort, and resources to breach, the attacker will switch attention to an easier target that offers the same rewards at a lower cost. For example, segregating networks so that the attacker cannot easily gain access to confidential information means that attackers have to work harder before they can extract valuable data. The harder and longer attackers have to work, the better the chances they will leave traces that can be identified.

Network vigilance is another factor that can reduce the time frame from compromise to detection. It is during this period that attackers are able to explore networks and steal resources without hindrance. By identifying abnormal network activity and distinguishing it from normal day-to-day activity, incursions can be detected before they cause harm. Modern SIEM systems allow logging data from IPS systems, firewalls, file servers, and domain servers to be aggregated and analyzed. Not every attacker will generate alerts from the IPS system, but alerts such as users attempting to access files outside of their job role, or at odd times of the day, should prompt security teams to investigate further.

Prioritizing network security alerts requires procedures and practice. Minor alerts should be ignored so that response teams can focus on important issues. Despite the headlines, major breaches are rare events. Security teams may only be faced with such an incident once a decade. However, when an organization is faced with such a scenario, security teams need to be able to respond quickly, effectively, and confidently. This can only happen if people are trained and practiced in responding to such incidents. Working through theoretical exercises to decide how to respond, and practicing response to simulated attacks, should be standard practice in incident planning. By reviewing the results of such practices, improvements can be implemented so that when a major incident does happen, teams know exactly how to respond and react.
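The two preceding paragraphs describe aggregating file-server events, flagging users who touch shares outside their job role or at odd hours, and dropping minor alerts so responders can focus on the serious ones. The following is an added example of that triage logic, not code from the article or from Cisco; the role-to-share mapping, the business-hours window, the severity scale and the log lines are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Assumption: each job role is expected to touch only these file shares.
ROLE_SHARES = {
    "finance": {"finance", "public"},
    "engineering": {"eng", "public"},
    "hr": {"hr", "public"},
}
BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed normal working window

# Constructed sample file-server events: timestamp user role share path
SAMPLE_LOG = """\
2014-03-04T09:12:03 alice finance finance ledger.xlsx
2014-03-04T10:47:55 bob engineering eng design.docx
2014-03-04T02:13:41 bob engineering finance payroll.xlsx
2014-03-04T14:02:10 carol hr hr reviews.docx
2014-03-04T23:58:30 alice finance finance ledger.xlsx
2014-03-04T15:00:00 dave engineering hr salaries.xlsx
"""

@dataclass
class Alert:
    user: str
    share: str
    path: str
    reasons: tuple
    severity: int  # 1 = minor (ignore), 2 = notable, 3 = investigate now

def score_event(line):
    """Turn one log line into an Alert, or None if it looks like routine access."""
    ts_text, user, role, share, path = line.split()
    ts = datetime.fromisoformat(ts_text)
    reasons = []
    if share not in ROLE_SHARES.get(role, set()):
        reasons.append("outside-role")
    if not (BUSINESS_HOURS[0] <= ts.time() <= BUSINESS_HOURS[1]):
        reasons.append("off-hours")
    if not reasons:
        return None
    # Both signals together is the pattern most worth an analyst's time.
    severity = 3 if len(reasons) == 2 else (2 if "outside-role" in reasons else 1)
    return Alert(user, share, path, tuple(reasons), severity)

def triage(log_text, min_severity=2):
    """Score every event, drop alerts below the threshold, most serious first."""
    events = (score_event(l) for l in log_text.splitlines() if l.strip())
    alerts = [a for a in events if a is not None]
    return sorted((a for a in alerts if a.severity >= min_severity),
                  key=lambda a: -a.severity)

if __name__ == "__main__":
    for a in triage(SAMPLE_LOG):
        print(a.severity, a.user, "->", f"{a.share}/{a.path}", ", ".join(a.reasons))
```

With the default threshold, alice's late-evening access to her own finance share is filtered out as minor, while bob's 02:13 read of the finance payroll file surfaces first.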

In the real world we have to face the fact that, despite our best efforts, we are not going to be able to defend against every attack all of the time. This does not mean that information security is ineffective. On the contrary, security managers are on the front line fighting against the world’s most sophisticated adversaries. But to succeed we need to stack the odds in our favor through better planning; defense strategies that frustrate attackers; and faster spotting, response, and recovery efforts.

As Technical Lead within Cisco's TRAC team, Martin Lee researches the latest developments in cybersecurity and delivers expert opinion on how to mitigate emerging threats and related risks. A Certified Information Systems Security Professional (CISSP) and a chartered ...

Comments
Gary Scott, User Rank: Strategist
3/6/2014 | 1:39:33 PM
The Economics of Cybercrime
Cybercrime is a function of economics. If the potential for reward is greater than the sum of time, cost and risk of an attack, you will see cybercrime continue. The same economics are true on the company's part. Companies spend millions of dollars building walls but freely allow digital data -- usually hard drives -- to be removed by anyone with an "electronic recycling" t-shirt.

When performing an IT refresh or decommissioning equipment, focus on data destruction first and recycling second.  It could save your company from what Target is going through. 
MartinL923, User Rank: Apprentice
3/7/2014 | 5:40:14 AM
Re: The Economics of Cybercrime
As Stephen Colbert pointed out at RSA, the NSA showed how an organisation with an unlimited budget can get pwned by a 29 year old with a thumb drive.

Too often security spending seems to be about justifying budgets rather than considering how we can slow down and frustrate attackers, while speeding up detection and remediation. Organisations need to think where their valuable data is located, how it is accessed, and how they would know if someone accessed it improperly.