Attacks/Breaches
4/5/2012
04:52 PM

Damage Mitigation As The New Defense

Containing the attacker in today's persistent threat environment

This is the second installment in an occasional series on security's new reality.

Any defense contractor -- and now, a few security vendors -- can tell you that even the best security technology and expertise can't stop a well-funded and determined attacker.

That new reality, which has been building for several years starting in the military sector, has shifted the focus from trying to stop attackers at the door to instead trying to lessen the impact of an inevitable hack. The aim is to try to detect an attack as early in its life cycle as possible and to quickly put a stop to any damage, such as extricating the attacker from your data server -- or merely stopping him from exfiltrating sensitive information.

Read the other articles in this series on security's new reality:

>> Part 1: Security's New Reality: Assume The Worst
>> Part 2: Damage Mitigation As The New Defense
>> Part 3: Advanced Attacks Call For New Defenses

It's more about containment now, security experts say. Relying solely on perimeter defenses is now passe -- and naively dangerous. "Organizations that are only now coming to the realization that their network perimeters have been compromised are late to the game. Malware ceased being obvious and destructive years ago," says Dave Piscitello, senior security technologist for ICANN. "The criminal application of collected/exfiltrated data is now such an enormous problem that it's impossible to avoid."

Attacks have become more sophisticated, and social engineering is a powerful, nearly sure-thing tool for attackers to schmooze their way into even the most security-conscious companies. "Security traditionally has been a preventative game, trying to prevent things from happening. What's been going on is people realizing you cannot do 100 percent prevention anymore," says Chenxi Wang, vice president and principal analyst for security and risk at Forrester Research. "So we figured out what we're going to do is limit the damage when prevention fails."

There are certain types of attackers you cannot prevent from getting in if they are determined to do so, says Richard Bejtlich, chief security officer at Mandiant Security. "They will get into your company, but that doesn't mean you should give up," he says.

For organizations like the military that are constantly under siege by cyberattackers, this is nothing new. "Twenty years ago, we thought we could keep these guys out," Bejtlich says. But the Air Force was the first to realize that was not the case after it began instrumenting its networks with custom sensors to detect the attackers, he says. The Air Force quickly realized it wasn't so much a matter of keeping them out, but finding them as quickly as possible and extricating them, he says.

"The military changed from [a strategy] of prevention to one of hunting," Bejtlich says. "This sort of idea has not been widespread."

[ Malware is just a small piece of the puzzle in advanced attacks, and traditional cybercriminals are also getting more 'persistent.' See APT-Type Attack A Moving Target. ]

There are telltale signs that some of the security vendor community is accepting and adapting to this new reality. Some vendors are advancing their tools to work more closely with SIEM products, and others, like FireEye, are expanding their technology. FireEye's new File Malware Protection System (MPS) roots out and kills off malware on an organization's file shares. Then there's the newly commercialized appliance sold by CounterTack that sits inside the organization -- behind the firewall and with the server -- and spies on attacks already in progress. Neal Creighton, chief executive officer at CounterTack, says the attackers are already in there, so you need to fight them in real time by remediating and locking down your assets on the fly.

Security experts say this mindset shift in security has been coming for some time, and has only recently become palpable in the way vendors are marketing their wares and in how enterprises are starting to rethink their traditional defenses.

"The first time I really saw it as a trend was at RSA this year," says Bruce Schneier, CTO at BT Counterpane. "Maybe it's just that all of the attacks in the news are making people realize that this is what's going on. It's not a new idea -- it's just a new trend in companies and in products."

Schneier says he's a "fan" of the trend. "It's reality. It's good to accept this," he says.

Meanwhile, ICANN's Piscitello notes that while the perimeter defense-only strategy is, indeed, dead, focusing solely on minimizing damage is not the answer, either.

"The notion that our only recourse is to focus on minimizing the damage, however, troubles me. It's a concession of defeat. I think this is wrong thinking," Piscitello says. "Would we respond to oil spills by 'only' focusing on minimizing the damage? I'd rather have us adopt a more aggressive strategy where we actively seek out, identify -- and where we discover -- and contain the threat, identify the root cause, and take measures to eliminate or mitigate the threat."

One startup is focusing on the attackers behind sophisticated, targeted attacks. CrowdStrike, which publicly launched prior to the RSA Conference, also operates under the assumption that hackers will get in, or already have. George Kurtz, former McAfee CTO and EVP, co-founded CrowdStrike -- which has not yet fully revealed its technology or offerings -- with Dmitri Alperovitch, former vice president of threat research at McAfee and now CTO of CrowdStrike.

"The possibility of the bad guys getting in is extremely high," Kurtz says. "When they are in, you have to identify them and minimize the damage ... it's not just determining that someone got in and that there's malware in the environment. It's understanding the adversary's intent; what they are focused on; what they are trying to get to; in some cases, who they are; and more thoughtful defense."

Kurtz's company will employ "big data" to help understand the tactics and methods used by the attackers, and will gather that intelligence to help the larger community. "You can convert that electronically into something that will help people protect them against" the attackers, he says.

Big data is one of the main tools security experts point to for helping support a threat/attack containment strategy.

Tim Rains, director of Microsoft Trustworthy Computing, says it's all about being prepared for an attack, and big data holds promise as a tool to face this new world of threats. "Once upon a time I was tech lead of incident response at Microsoft and did a lot of response investigations for customers. In the IR world, you think you've been compromised, you go back and look at all of the audit logs and try to figure out when and where a compromise happened, and build a timeline based on it," Rains says. "Then you can come in and figure out what happened."

Big data would accelerate detection and offer near-real-time intelligence during an attack, he says. "Instead of artifacts, big data captures and correlates all audit events, looking for anomalies in real time. It's not just a buzzword," he says. He expects technology that can do this to become available in the next three to five years.

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ...

Comments
Michael Schenck, User Rank: Apprentice
5/3/2012 | 8:52:08 PM
re: Damage Mitigation As The New Defense
Best containment is to never put information on a computer, and provide the people who know the information with guns loaded with dragon's breath rounds so their brains fry if they are captured... even then they need time and courage to pull the trigger and the gun needs to work. Other than that, the gold standard remains cost vs. reward.
Michael Schenck, User Rank: Apprentice
5/3/2012 | 8:48:15 PM
re: Damage Mitigation As The New Defense
This is why systems like Cisco IPS 4000 systems and NSA's "Cauldron" project are/were so important. Data mining to a whole new level for security purposes.
Michael Schenck, User Rank: Apprentice
5/3/2012 | 8:46:09 PM
re: Damage Mitigation As The New Defense
This is nothing new. This has ALWAYS been the case. The only thing new might be the mass acceptance of this truth... there is no way to provide perfect information security. All we can do is make the difficulty to extract critical information so high people won't try, and mitigate the damage. The following equation has been in IT security books for years: SLE × ARO + Security = Annual Cost. If SLE × ARO (before security implementation) < Annual Costs, then you accept the risk or find a cheaper mitigation solution. SLE never = 0.
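The cost-versus-risk rule in the comment above, worked through as an added example (not the commenter's or the article's code): the annualized loss expectancy SLE × ARO is compared against each candidate control's residual loss plus its price, and the risk is accepted only when no control comes out cheaper. The dollar figures and the candidate controls are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float   # yearly cost of running the control ("Security" in the equation)
    residual_aro: float  # expected incidents per year once the control is in place


def ale(sle: float, aro: float) -> float:
    """Annualized loss expectancy: single loss expectancy x annual rate of occurrence."""
    return sle * aro


def total_annual_cost(sle: float, control: Control) -> float:
    """Residual loss plus the control's price: the 'Annual Cost' side of the equation."""
    return ale(sle, control.residual_aro) + control.annual_cost


def choose(sle: float, aro: float, controls: list[Control]) -> tuple[str, float]:
    """Pick the option with the lowest expected annual cost.

    Returns ("accept", ALE) when no control is cheaper than carrying the
    unmitigated loss, which is the commenter's 'accept the risk' branch;
    otherwise the cheapest control and its total annual cost.
    """
    best_name, best_cost = "accept", ale(sle, aro)
    for control in controls:
        cost = total_annual_cost(sle, control)
        if cost < best_cost:
            best_name, best_cost = control.name, cost
    return best_name, best_cost


# Constructed figures: a $400k-per-incident data loss expected about once every two years.
SLE, ARO = 400_000.0, 0.5
CANDIDATES = [
    Control("log analytics", annual_cost=120_000, residual_aro=0.2),
    Control("host firewalls + lateral-movement hardening", annual_cost=50_000, residual_aro=0.3),
    Control("gold-plated rebuild", annual_cost=300_000, residual_aro=0.0),
]

if __name__ == "__main__":
    print("unmitigated ALE:", ale(SLE, ARO))
    print("decision:", choose(SLE, ARO, CANDIDATES))
```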
JerryJohnson, User Rank: Apprentice
4/6/2012 | 6:42:44 PM
re: Damage Mitigation As The New Defense
Best containment defense? Host-based firewalls -- only enable the barest minimum of ports and get rid of workstation-based file and printer sharing; shut down all and limit the paths for lateral movement to the greatest extent possible.

Biggest weakness in containment? Pass-the-hash. When is Microsoft going to fix this fundamental flaw?

Best tool we used in our APT recovery last year? SQL queries against log data poured into a GreenPlum MPP database. I agree 100% with the "big data" comments.
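As an added example of the approach the comment above describes (not the commenter's or the article's code): authentication log rows are loaded into a database and queried with plain SQL for a lateral-movement signature, one account succeeding against many distinct hosts from a single source inside a short window. SQLite stands in for the Greenplum warehouse, the log format, the hour-bucket window and the threshold are assumptions, and the sample lines are constructed.

```python
import sqlite3

# Constructed sample log lines: timestamp,account,source_host,dest_host,outcome
SAMPLE_LOG = """\
2012-04-02T09:00:00,alice,ws-17,fs-01,success
2012-04-02T09:01:10,alice,ws-17,fs-02,success
2012-04-02T09:01:15,svc_backup,ws-33,fs-01,success
2012-04-02T09:02:30,alice,ws-17,app-04,success
2012-04-02T09:03:05,alice,ws-17,db-02,success
2012-04-02T09:03:50,alice,ws-17,hr-01,success
2012-04-02T10:00:00,bob,ws-02,fs-01,success
2012-04-02T10:30:00,bob,ws-02,fs-01,failure
"""

SCHEMA = """
CREATE TABLE auth_events (
    ts       TEXT NOT NULL,  -- ISO-8601 timestamp
    account  TEXT NOT NULL,
    src_host TEXT NOT NULL,
    dst_host TEXT NOT NULL,
    outcome  TEXT NOT NULL   -- success | failure
);
"""

# Fan-out detection: successful logons by one account from one source host to
# at least :min_hosts distinct destinations within the same hour bucket.
FANOUT_QUERY = """
SELECT account, src_host, COUNT(DISTINCT dst_host) AS hosts,
       MIN(ts) AS first_seen, MAX(ts) AS last_seen
FROM auth_events
WHERE outcome = 'success'
GROUP BY account, src_host, strftime('%Y-%m-%dT%H', ts)
HAVING hosts >= :min_hosts
ORDER BY hosts DESC;
"""


def load(lines: str) -> sqlite3.Connection:
    """Parse the CSV-style log text into an in-memory auth_events table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    rows = [tuple(line.split(",")) for line in lines.strip().splitlines()]
    conn.executemany("INSERT INTO auth_events VALUES (?, ?, ?, ?, ?)", rows)
    return conn


def fanout_alerts(conn: sqlite3.Connection, min_hosts: int = 4) -> list[tuple]:
    """Return (account, src_host, hosts, first_seen, last_seen) rows over the threshold."""
    return conn.execute(FANOUT_QUERY, {"min_hosts": min_hosts}).fetchall()


if __name__ == "__main__":
    for alert in fanout_alerts(load(SAMPLE_LOG)):
        print(alert)
```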
Triumfant, User Rank: Apprentice
4/6/2012 | 4:02:56 PM
re: Damage Mitigation As The New Defense
Certainly the world has changed and containment is now an important part of any security strategy. However, I still see a gap in the initial detection of a breach. Much press is being given to tools that do analysis and containment, but statistics show that breaches remain undiscovered on systems for far too long (weeks, months). The starting point therefore must be tools that first detect breaches in real time so that these containment tools and strategies can be enacted in a timely manner before sensitive information and intellectual property is lost.
Jim Ivers
www.triumfant.com