Attacks/Breaches
1/2/2015
09:05 AM

Long-Running Cyberattacks Become The Norm

Many companies are so focused on the perimeter that they have little idea what's going on inside the network.

If the year's depressing string of data breaches shows one thing, it is that attackers have become skilled at staging long-running data exfiltration campaigns.

Security experts aren't clear whether this is a new trend or something that companies are finally waking up to only now. Either way, the attacks represent a real problem for companies that are still stuck with perimeter-centric defense strategies that are focused purely on keeping intruders out of the enterprise network.

The attacks on companies like Sony, Home Depot, and Target over the past year show that many hackers have eschewed smash-and-grab attacks for campaigns that are highly targeted and explicitly designed to extract huge amounts of data over a period of time.

In many of the attacks, hackers used convincing spear-phishing campaigns to drop malware on targeted systems and gain an initial foothold on a corporate network. In other attacks, like the ones at Target and Home Depot, hackers used login credentials stolen from third parties to gain access to their victims' networks.

Both tactics let attackers bypass, with relative ease, whatever perimeter controls the companies had deployed at the edge of the network. Once inside, they used a combination of custom malware and legitimate administration tools to move around the network and extract data almost at will, without being detected.

The success of these attacks points to a troubling lack of security controls for monitoring anomalous behavior on the internal network and for spotting data being exfiltrated from within it. They also highlight the enormous challenges that large companies face in trying to prevent data from leaking out through myriad nodes and exit points scattered across the enterprise.

"We are beginning to realize in some cases that the situation is far worse than we realized," says Stephen Hultquist, chief evangelist at RedSeal Networks. "In some cases attackers have been inside networks for months and even years without being discovered," he says, pointing to the recently disclosed Regin APT threat as an extreme example.

Often the attacks are carried out by well-funded, highly organized groups that are willing to invest the resources and time needed for a long, drawn-out data extraction campaign. "When you are able to sit inside the network for months and years, your ability to gather information of high value becomes very high," he says. Even companies with tools for monitoring suspicious activity can sometimes miss what is going on, because the theft is usually carried out in an entirely innocuous-looking manner over an extended period of time.

Dealing with such threats requires controls for spotting the unexpected on the network: who is accessing data, from where, and why. "A lot of organizations have opened up their networks to a broader set of sources," and have little idea how, where, and when data is being accessed, he says. Some companies are so focused on preventing threats from getting into the network that they pay little attention to data flowing out of it.

Many breaches go undetected for a long time at least partially because companies are not actively looking for one, says Barry Shtelman, director of security strategy at Imperva. "Companies are only seeking a smoking gun once they know there is one," he says.

"We believe that the best way to actually build your security strategy, assuming that there are malicious or compromised insiders and machines in your organization, is to focus on protecting the data rather than looking for the light switch," after a breach.

One mistake companies can make is to assume that the defense in depth model works for these kinds of attacks, adds Rick Howard, chief security officer at Palo Alto Networks. Unless organizations have specifically put in place mechanisms for monitoring data exfiltration, it is almost impossible to know when data is being siphoned out of a network, he says.
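The checks Hultquist and Howard are describing, in working form, as an added example that is not code from the article or from any vendor quoted in it: a short script that runs three detections over egress-proxy records, covering the "who, from where, and when" of data access and the running total that a per-transfer rule never sees. The log format, the ".corp.example" internal suffix, the "svc-" service-account prefix, the business hours and the byte thresholds are assumptions chosen for illustration, and the log lines are constructed, not real traffic.

```python
"""Spot low-and-slow exfiltration and anomalous data access in egress logs.

Added example; not code from the article or the vendors quoted in it. The log
format, the ".corp.example" internal suffix, the "svc-" service-account prefix,
the business hours and the byte thresholds are all assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_SUFFIX = ".corp.example"   # assumption: anything else is an external destination
SERVICE_PREFIX = "svc-"             # assumption: machine accounts are allowed to run at night
PER_EVENT_BYTES = 1_000_000         # a naive per-transfer rule would only fire above this
WINDOW_DAYS = 7
WINDOW_BYTES = 2_000_000            # cumulative allowance per (user, external dst) per window
BUSINESS_HOURS = (7, 19)            # assumption: 07:00-19:00 local time

# Constructed sample egress records (not real traffic):
# timestamp  user  source-host  destination  bytes-sent
SAMPLE_LOG = """\
2014-11-03T09:12:00 alice ws-alice files.corp.example 120000
2014-11-03T10:40:00 alice ws-alice mail.corp.example 8000
2014-11-03T02:15:00 svc-backup db-01 cdn-cache.example.net 900000
2014-11-04T02:17:00 svc-backup db-01 cdn-cache.example.net 950000
2014-11-05T02:14:00 svc-backup db-01 cdn-cache.example.net 910000
2014-11-06T02:16:00 svc-backup db-01 cdn-cache.example.net 930000
2014-11-06T14:00:00 bob ws-bob files.corp.example 30000
2014-11-07T02:15:00 svc-backup db-01 cdn-cache.example.net 940000
2014-11-07T03:05:00 alice ws-alice files.corp.example 50000
"""


def parse_log(text):
    """Turn whitespace-separated log lines into dicts with a parsed timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, dst, nbytes = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "host": host, "dst": dst, "bytes": int(nbytes)})
    return records


def is_external(dst):
    return not dst.endswith(INTERNAL_SUFFIX)


def slow_exfil(records, window_days=WINDOW_DAYS, window_bytes=WINDOW_BYTES):
    """Sum bytes per (user, external destination) over the trailing window.

    Each alert carries the largest single transfer ("peak_bytes"); when that is
    at or below PER_EVENT_BYTES, a per-transfer rule would never have fired and
    only the running total gives the campaign away.
    """
    if not records:
        return []
    cutoff = max(r["ts"] for r in records) - timedelta(days=window_days)
    totals, peak = defaultdict(int), defaultdict(int)
    for r in records:
        if r["ts"] < cutoff or not is_external(r["dst"]):
            continue
        key = (r["user"], r["dst"])
        totals[key] += r["bytes"]
        peak[key] = max(peak[key], r["bytes"])
    return [{"user": u, "dst": d, "total_bytes": t, "peak_bytes": peak[(u, d)]}
            for (u, d), t in sorted(totals.items()) if t > window_bytes]


def off_hours_access(records, hours=BUSINESS_HOURS):
    """Human accounts (no service prefix) active outside business hours: the 'when'."""
    start, end = hours
    return [r for r in records
            if not r["user"].startswith(SERVICE_PREFIX)
            and not start <= r["ts"].hour < end]


def rare_destinations(records, max_users=1):
    """External destinations talked to by very few accounts: a candidate C2 or drop site."""
    users_by_dst = defaultdict(set)
    for r in records:
        if is_external(r["dst"]):
            users_by_dst[r["dst"]].add(r["user"])
    return sorted(d for d, users in users_by_dst.items() if len(users) <= max_users)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for a in slow_exfil(recs):
        print("slow exfil:", a)
    for r in off_hours_access(recs):
        print("off-hours access:", r["user"], r["host"], r["ts"].isoformat())
    print("rare external destinations:", rare_destinations(recs))
```

On the constructed data, no single transfer by the backup account crosses the 1 MB per-event line, so a rule that looks at one record at a time stays silent; the seven-day total per destination is what exposes the nightly drip, and the same destination also shows up as one that only a single account ever talks to. The off-hours check catches the one human login at 03:05. In production the point is the structure, not these numbers: thresholds and business hours have to be tuned per account class, and the window total is the control most shops quoted here were missing.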

"Advanced organizations have adopted the Kill Chain model," Howard says. "It is similar to Defense in Depth in that defenders install multiple security controls into the enterprise but the types of controls and where the defenders place them are informed by cyber security intelligence." The key to such a defense model is that it is not static. Rather, it is focused on deploying defenses that are tuned to address the specific methods and tools employed by an adversary, he says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
Trails
User Rank: Apprentice
1/9/2015 | 12:00:31 PM
Re: HIDS
RyanSepe - I've used them as a part of an overall strategy in a few different environments, but this was a few years ago now.  I found that in closed environments with multiple security domains they were most useful because we COULD be more limiting without having to deal with noise from some execs demanding that they not be lumped with the rest of the commoners...  But in other environments, it may not be completely realistic depending on size of the company vs. size of the IT and security teams simply due to the onslaught of events and any investigations.  Not all have time, energy and most importantly, the highest levels of support from the top floors.

Good as part of an overall strategy if you have staff that can effect the real digging for tuning needed to make them effective.
Marilyn Cohodas
User Rank: Strategist
1/5/2015 | 3:12:37 PM
Re: This article is the beginning of a vital strategic discussion
"Most network security articles just tell you that "yeah, they got a ton of sensitive information" and "they got in using this method", but what we all need to know is what new security defense products would have worked to either keep "them" out or detect suspicious activities early."

You raise an interesting point @lancop, but I wonder what format you have in mind for that kind of critical information? Are you thinking about user-generated product reviews? Feature comparisons? Crowd-sourcing security defense products and strategies?
lancop
User Rank: Apprentice
1/5/2015 | 12:02:33 PM
This article is the beginning of a vital strategic discussion
Most network security articles just tell you that "yeah, they got a ton of sensitive information" and "they got in using this method", but what we all need to know is what new security defense products would have worked to either keep "them" out or detect suspicious activities early. Since most vendor advertising is hyperbolically hyped up, network security & admin types have to dig constantly to find out what new tools might help them in mounting a credible defense. When readers ask specific questions about what might work, it seems that reporters & bloggers go out of their way not to give any specific answers - with the probable range of explanations extending from legal liabilities to offending other advertisers. Other readers may not chime in because endorsing a particular "solution" is giving the enemy intelligence on what security products their company has deployed internally. So, at the moment, interesting reportage is just more "blah, blah, blah" about non-actionable generalities, and tomorrow will simply be another day of successful breaches and more missed opportunities to really inform or engage. Yet another modern paradigm going nowhere fast & furious...
Eric Kruse
User Rank: Apprentice
1/4/2015 | 12:59:58 PM
Re: HIDS
Hi Ryan,

You do make an interesting point and one that is commonly overlooked. As the article pointed out, typical defense in depth from the network intrusion side (not the end-point) is failing organizations. From a detection mechanism on the endpoint, various manufacturers make solutions to identify, report, and block malicious activity before it happens. This can be signature- or behavioral-based in my experience. There is no magic bullet product that can save the I.T. world from all of the dangers out there, but from a cyber-intelligence perspective (kill chain) understanding / reporting at the endpoint level is critical.
RyanSepe
User Rank: Ninja
1/2/2015 | 10:49:41 AM
HIDS
This article denotes that perimeter defenses are circumvented easily due to the methodology of infiltration but what about HIDS? I am not familiar with organizations that employ this type of intrusion detection and am curious if a HIDS Solution would have been able to discern an event.

To clarify I am familiar with HIDS from a theoretical perspective but if it applies to this article can someone explain how this works from an application standpoint in regards to infiltration and launch of malware kits? Thanks,
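For the application-level view RyanSepe asks about, here is the core of what a host-based intrusion detection sensor does in its simplest, file-integrity form, as an added example that is not code from the article, from any commenter, or from any product: take a hashed baseline of a tree that should not change, then diff a later snapshot against it and report what a dropper left behind. The watched tree, the "system binary" and the "persistence entry" are all constructed in a temporary directory so the script runs offline; the paths are stand-ins, not real malware artifacts.

```python
"""Minimal host-based integrity monitor: baseline a tree, then report what changed.

Added example in reply to the HIDS question; not code from the article or from
any product a commenter mentions. The watched tree and the "dropped" files are
constructed in a temporary directory so the script runs offline.
"""
import hashlib
import os
import tempfile


def snapshot(root):
    """Map relative path -> SHA-256 of content for every regular file under root."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            out[os.path.relpath(path, root).replace(os.sep, "/")] = digest
    return out


def diff_snapshots(baseline, current):
    """Classify every path as added, removed or modified relative to the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }


def _write(root, rel, data):
    """Helper for the demo: create rel under root with the given bytes."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Build a clean tree, take the baseline, then simulate a dropper's changes."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/ls", b"original ls binary")          # constructed stand-in
        _write(root, "etc/hosts", b"127.0.0.1 localhost\n")    # constructed stand-in
        baseline = snapshot(root)
        # What a post-phish dropper typically does: trojan a system binary and
        # add a persistence entry.  Both are constructed, not real malware.
        _write(root, "bin/ls", b"trojaned ls binary")
        _write(root, "etc/cron.d/update", b"* * * * * root /tmp/.x\n")
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two practical points follow from the code. The baseline has to live somewhere the attacker cannot rewrite, off-host or signed, or a foothold that lasts months simply re-baselines itself into legitimacy. And the noise Trails mentions comes almost entirely from legitimate patching, so the watched set is scoped to paths that should only change inside a known change window, and anything that changes outside one is the event worth investigating.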