Attacks/Breaches

1/2/2015
09:05 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

Long-Running Cyberattacks Become The Norm

Many companies are so focused on the perimeter that they have little idea what's going on inside the network.

One thing that the depressing string of data breaches this year shows is that cyber attackers have become skilled at staging long-lasting data exfiltration campaigns.

Security experts aren't clear whether this is a new trend or something that companies are finally waking up to only now. Either way, the attacks represent a real problem for companies that are still stuck with perimeter-centric defense strategies that are focused purely on keeping intruders out of the enterprise network.

The attacks on companies like Sony, Home Depot, and Target over the past year show that many hackers have eschewed smash-and-grab attacks for campaigns that are highly targeted and explicitly designed to extract huge amounts of data over a period of time.

In many of the attacks, hackers used convincing spear-phishing campaigns to drop malware on targeted systems and gain an initial foothold on a corporate network. In other attacks, like the ones at Target and Home Depot, hackers used login credentials stolen from third parties to gain access to their victims' networks.

Both tactics allowed attackers to relatively easily bypass whatever perimeter security controls the companies might have stuck at the edge of their network. And once inside, they leveraged a combination of custom malware tools and regular IT tools to make their way around the network and extract data almost at will without being detected.

The success of these attacks points to a troubling lack of security controls for monitoring anomalous behavior on the internal network and for spotting data being exfiltrated from within it.  They also highlight the enormous challenges that large companies face in trying to prevent data from leaking out through myriad nodes and exit points scattered across the enterprise.

"We are beginning to realize in some cases that the situation is far worse than we realized," says Stephen Hultquist, chief evangelist at RedSeal Networks. "In some cases attackers have been inside networks for months and even years without being discovered," he says, pointing to the recently disclosed Regin APT threat as an extreme example.

Often the attacks are carried out by well-funded, highly organized groups that are willing to invest the resources and the time needed for a long-drawn out data extraction campaign. "When you are able to sit inside the network for months and years, your ability to gather information of high value becomes very high," he says. Even companies with tools for monitoring suspicious activity can sometime miss what's going on because the data theft is usually carried in a totally innocuous manner over an extended period of time.

Dealing with such threats requires companies to have controls for spotting the unexpected on the network in terms of who is accessing data, from where the access is being made, and why. "A lot of organizations have opened up their networks to a broader set of sources," and have little idea how, where, and when, data is being accessed, he says. Some companies are so focused on preventing threats from coming inside the network that they pay little attention to data flowing out of it.

Many breaches go undetected for a long time at least partially because companies are not actively looking for one, says Barry Shtelman, director of security strategy at Imperva. "Companies are only seeking a smoking gun once they know there is one," he says.

"We believe that the best way to actually build your security strategy, assuming that there are malicious or compromised insiders and machines in your organization, is to focus on protecting the data rather than looking for the light switch," after a breach.

One mistake companies can make is to assume that the defense in depth model works for these kinds of attacks, adds Rick Howard, chief security officer at Palo Alto Networks.  Unless organizations have specifically put in place mechanisms for monitoring data exfiltration, it is almost impossible to know when data is being siphoned out of a network, he says.

"Advanced organizations have adopted the Kill Chain model," Howard says. "It is similar to Defense in Depth in that defenders install multiple security controls into the enterprise but the types of controls and where the defenders place them are informed by cyber security intelligence." The key to such a defense model is that it is not static. Rather, it is focused on deploying defenses that are tuned to address the specific methods and tools employed by an adversary, he says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Trails
50%
50%
Trails,
User Rank: Apprentice
1/9/2015 | 12:00:31 PM
Re: HIDS
RyanSepe - I've used them as a part of an overall strategy in a few different environments, but this was a few years ago now.  I found that in closed environments with multiple security domains they were most useful because we COULD be more limiting without having to deal with noise from some execs demanding that they not be lumped with the rest of the commoners...  But in other environments, it may not be completely realistic depending on size of the company vs. size of the IT and security teams simply due to the onslaught of events and any investigations.  Not all have time, energy and most importantly, the highest levels of support from the top floors.

Good as a part of overall strategy if you have staff that can effect real digging for tuning needed to make them effective. 
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/5/2015 | 3:12:37 PM
Re: This article is the beginning of a vital strategic discussion
"Most network security articles just tell you that "yeah, they got a ton of sensitive information" and "they got in using this method", but what we all need to know is what new security defense products would have worked to either keep "them" out or detect suspicious activities early."


You raise an interesting point @lancop, but I wonder what format you have in mind that kind of critical information? Are you thinking about user-generated product reviews? feature comparisons, crowd-sourcing security dfense products and strategies? 
lancop
50%
50%
lancop,
User Rank: Apprentice
1/5/2015 | 12:02:33 PM
This article is the beginning of a vital strategic discussion
Most network security articles just tell you that "yeah, they got a ton of sensitive information" and "they got in using this method", but what we all need to know is what new security defense products would have worked to either keep "them" out or detect suspicious activities early. Since most vendor advertising is hyperbolically hyped up, network security & admin types have to dig constantly to find out what new tools might help them in mounting a credible defense. When readers ask specific questions about what might work, it seems that reporters & bloggers go out of their way not to give any specific answers - with the probable range of explanations extending from legal liabilities to offending other advertisers. Other readers may not chime in because endorsing a particular "solution" is giving the enemy intelligence on what security products their company has deployed internally. So, at the moment, interesting reportage is just more "blah, blah, blah" about non-actionable generalities, and tomorrow will simply be another day of successful breaches and more missed opportunities to really inform or engage. Yet another modern paradigm going nowhere fast & furious...
Eric Kruse
50%
50%
Eric Kruse,
User Rank: Apprentice
1/4/2015 | 12:59:58 PM
Re: HIDS
Hi Ryan,

 

You do make a interesting point and one that is commonly overlooked.  As the article pointed out typical defense in depth from the network intrustion side (not the end-point) is failing organizations.  From a detection mechanism on the endpoint various manufactors make solutions to identify, report, and block malicious activity before it happens.  This can be signature, or behavioral based in my experience.  There is no magic bullet product that can save the I.T. world from all of the dangers out there but from a cyber-intelligence perspective (kill chain) understanding / reporting at the endpoint level is critical.
RyanSepe
100%
0%
RyanSepe,
User Rank: Ninja
1/2/2015 | 10:49:41 AM
HIDS
This article denotes that perimeter defenses are circumvented easily due to the methodology of infiltration but what about HIDS? I am not familiar with organizations that employ this type of intrusion detection and am curious if a HIDS Solution would have been able to discern an event.

To clarify I am familiar with HIDS from a theoretical perspective but if it applies to this article can someone explain how this works from an application standpoint in regards to infiltration and launch of malware kits? Thanks,
WebAuthn, FIDO2 Infuse Browsers, Platforms with Strong Authentication
John Fontana, Standards & Identity Analyst, Yubico,  9/19/2018
NSS Labs Files Antitrust Suit Against Symantec, CrowdStrike, ESET, AMTSO
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/19/2018
Turn the NIST Cybersecurity Framework into Reality: 5 Steps
Mukul Kumar & Anupam Sahai, CISO & VP of Cyber Practice and VP Product Management, Cavirin Systems,  9/20/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Are you sure this is how we get our data into the cloud?
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-8298
PUBLISHED: 2018-09-24
Multiple SQL injection vulnerabilities in the login page in RXTEC RXAdmin UPDATE 06 / 2012 allow remote attackers to execute arbitrary SQL commands via the (1) loginpassword, (2) loginusername, (3) zusatzlicher, or (4) groupid parameter to index.htm, or the (5) rxtec cookie to index.htm.
CVE-2018-14825
PUBLISHED: 2018-09-24
A skilled attacker with advanced knowledge of the target system could exploit this vulnerability by creating an application that would successfully bind to the service and gain elevated system privileges. This could enable the attacker to obtain access to keystrokes, passwords, personal identifiable...
CVE-2018-17437
PUBLISHED: 2018-09-24
Memory leak in the H5O_dtype_decode_helper() function in H5Odtype.c in the HDF HDF5 through 1.10.3 library allows attackers to cause a denial of service (memory consumption) via a crafted HDF5 file.
CVE-2018-17438
PUBLISHED: 2018-09-24
A SIGFPE signal is raised in the function H5D__select_io() of H5Dselect.c in the HDF HDF5 through 1.10.3 library during an attempted parse of a crafted HDF file, because of incorrect protection against division by zero. It could allow a remote denial of service attack.
CVE-2018-17439
PUBLISHED: 2018-09-24
An issue was discovered in the HDF HDF5 1.10.3 library. There is a stack-based buffer overflow in the function H5S_extent_get_dims() in H5S.c. Specifically, this issue occurs while converting an HDF5 file to a GIF file.