Dark Reading is part of the Informa Tech Division of Informa PLC


Attacks/Breaches | Commentary
3/5/2014 12:06 PM
Martin Lee

Data Breach: ‘Persistence’ Gives Hackers the Upper Hand

Hackers are winning on speed and determination. But we can stack the odds in our favor by shifting the time frames of an attack. Here's how.

Over the past few years, attackers have proved adept at compromising even the most secure organizations. A common theme in successful attacks is persistence. Given the complexity of modern software and network environments, if an attacker looks hard enough, or waits long enough, a weakness will become apparent that allows the attacker to compromise the target. Consequently, focusing solely on keeping attackers out of a network is no longer the best strategy to protect an organization from cyber security threats.

The numbers speak volumes: It only takes minutes from the initiation of an attack for an attacker to compromise a system. Once access has been achieved, data can be exfiltrated quickly. Within organizations, it takes on the order of months to discover the compromise, and weeks for the breach to be resolved. Clearly attackers have the upper hand. The task of defending networks is becoming more difficult, rather than easier, as perimeters continue to expand through the use of external cloud systems, the phenomenon of BYOD, and integrated services with external third parties.

[Figure: The magnitude of the issue (Image: 2012 Verizon Data Breach Investigations Report)]

Unfortunately, we cannot turn back the clock and return to more innocent and less complex days. As attackers become more skilled and systems become more complex, it is next to impossible to keep systems completely free from compromise.

I’m not saying that we should give up. In fact, I strongly believe it is still possible to prevent most attacks and -- even when an attack is successful -- it is possible to identify and remediate the breach before harm is incurred. The key is to shift the time frames of an attack, so that the odds are stacked in the defender’s (not the attacker’s) favor.

[Figure: Shifting the odds towards success (Image: 2012 Verizon Data Breach Investigations Report)]

Australia's Department of Defence found just four mitigation strategies to be successful in preventing 85% of targeted attacks: patching, application whitelisting, restricting administrative privileges, and creating defense-in-depth. These mitigations won’t stop all attacks. Notably, patching won’t help against zero day attacks. However, these strategies will frustrate attackers and force them to expend more time and effort to gain access.

It’s also important to understand that cybercrime is an economic crime. If an attacker finds that a target is too expensive in terms of time, effort, and resources to breach, the attacker will switch attention to an easier target that offers the same rewards at a lower cost. For example, segregating networks so that the attacker cannot easily gain access to confidential information means that attackers have to work harder before they can extract valuable data. The harder and longer attackers have to work, the better the chances they will leave traces that can be identified.

Network vigilance is another factor that can reduce the time frame from compromise to detection. It is during this period that attackers are able to explore networks and steal resources without hindrance. By identifying abnormal network activity and distinguishing it from normal day-to-day activity, incursions can be detected before they cause harm. Modern SIEM systems allow logging data from IPS systems, firewalls, file servers, and domain servers to be aggregated and analyzed. Not every attacker will generate alerts from the IPS system, but alerts such as users attempting to access files outside of their job role, or at odd times of the day, should prompt security teams to investigate further.

Prioritizing network security alerts requires procedures and practice. Minor alerts should be ignored so that response teams can focus on important issues. Despite the headlines, major breaches are rare events. Security teams may only be faced with such an incident once a decade. However, when an organization is faced with such a scenario, security teams need to be able to respond quickly, effectively, and confidently. This can only happen if people are trained and practiced in responding to such incidents. Working through theoretical exercises to decide how to respond, and practicing response to simulated attacks, should be standard practice in incident planning. By reviewing the results of such practices, improvements can be implemented so that when a major incident does happen, teams know exactly how to respond and react.
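The two preceding paragraphs describe the detection and triage loop in prose: aggregate file-server access logs, flag users touching data outside their job role or at odd hours, and keep minor alerts from drowning out the important ones. The following script is an added illustration of that loop and is not code from the article or from Cisco; the log lines, the role-to-share mapping (ROLE_SHARES), the business-hours window and the scoring weights are all constructed assumptions that a real deployment would replace with its own data.

```python
from collections import Counter
from datetime import datetime
from typing import NamedTuple

# Constructed sample file-server access log (timestamp,user,role,path,action).
# These lines are invented for the example; they are not from any real system.
SAMPLE_LOG = """\
2014-03-05T09:12:44,alice,finance,/shares/finance/q1_forecast.xlsx,read
2014-03-05T10:03:10,bob,engineering,/shares/eng/build.log,read
2014-03-05T02:41:07,bob,engineering,/shares/finance/payroll.csv,read
2014-03-05T14:20:33,carol,hr,/shares/hr/reviews.docx,write
2014-03-05T23:55:01,carol,hr,/shares/hr/benefits.pdf,read
2014-03-05T03:17:29,dave,engineering,/shares/finance/payroll.csv,read
2014-03-05T03:18:02,dave,engineering,/shares/hr/reviews.docx,read
"""

# Assumption: the organization documents which shares each job role needs.
ROLE_SHARES = {
    "finance": {"/shares/finance"},
    "engineering": {"/shares/eng"},
    "hr": {"/shares/hr"},
}

# Assumption: normal working hours are 08:00-18:59.
BUSINESS_HOURS = range(8, 19)


class Event(NamedTuple):
    ts: datetime
    user: str
    role: str
    path: str
    action: str


class Alert(NamedTuple):
    user: str
    path: str
    ts: datetime
    score: int
    reasons: tuple


def parse_log(text):
    """Turn the aggregated log text into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, path, action = line.split(",")
        events.append(Event(datetime.fromisoformat(ts), user, role, path, action))
    return events


def in_role(event):
    """True if the accessed path lies under a share the user's role is expected to use."""
    return any(event.path.startswith(share + "/") for share in ROLE_SHARES.get(event.role, ()))


def off_hours(event):
    return event.ts.hour not in BUSINESS_HOURS


def score_event(event):
    """Weight the two signals the article names: outside-role access and odd hours."""
    score, reasons = 0, []
    if not in_role(event):
        score += 3
        reasons.append("outside-role")
    if off_hours(event):
        score += 1
        reasons.append("off-hours")
    return score, tuple(reasons)


def triage(events, threshold=3, repeat_bonus=2):
    """Return only alerts worth an analyst's time, highest score first.

    A user who repeatedly reaches outside their role is escalated, because a
    pattern of probing is stronger evidence than a single stray access.
    Events below the threshold (for example one off-hours read of the user's
    own share) are dropped so the response team can focus on what matters.
    """
    scored = [(e, *score_event(e)) for e in events]
    outside = Counter(e.user for e, _, reasons in scored if "outside-role" in reasons)
    alerts = []
    for event, score, reasons in scored:
        if "outside-role" in reasons and outside[event.user] >= 2:
            score += repeat_bonus
            reasons = reasons + ("repeated-outside-role",)
        if score >= threshold:
            alerts.append(Alert(event.user, event.path, event.ts, score, reasons))
    return sorted(alerts, key=lambda a: (-a.score, a.ts))


if __name__ == "__main__":
    for alert in triage(parse_log(SAMPLE_LOG)):
        print(f"{alert.ts:%Y-%m-%d %H:%M} {alert.user:6} score={alert.score} "
              f"{','.join(alert.reasons)} {alert.path}")
```

Run as a script, it surfaces the two engineering users reading finance and HR shares in the middle of the night and suppresses the HR user's late-evening read of an HR file; lowering `threshold` brings that minor event back into view, which is the trade-off the article describes between noise and coverage.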

In the real world we have to face the fact that, despite our best efforts, we are not going to be able to defend against every attack all of the time. This does not mean that information security is ineffective. On the contrary, security managers are on the front line fighting against the world’s most sophisticated adversaries. But to succeed we need to stack the odds in our favor through better planning; defense strategies that frustrate attackers; and faster spotting, response, and recovery efforts.

As Technical Lead within Cisco's TRAC team, Martin Lee researches the latest developments in cybersecurity and delivers expert opinion on how to mitigate emerging threats and related risks. A Certified Information Systems Security Professional (CISSP) and a chartered ...

Comments
MartinL923, User Rank: Apprentice
3/7/2014 | 5:40:14 AM
Re: The Economics of Cybercrime
As Stephen Colbert pointed out at RSA, the NSA showed how an organisation with an unlimited budget can get pwned by a 29 year old with a thumb drive.

Too often security spending seems to be about justifying budgets rather than considering how we can slow down and frustrate attackers, while speeding up detection and remediation. Organisations need to think where their valuable data is located, how it is accessed, and how they would know if someone accessed it improperly.
Gary Scott, User Rank: Strategist
3/6/2014 | 1:39:33 PM
The Economics of Cybercrime
Cybercrime is a function of economics. If the potential for reward is greater than the sum of time, cost and risk of an attack, you will see cybercrime continue. The same economics are true on the company's part. Companies spend millions of dollars building walls but freely allow digital data - usually hard drives - to be removed by anyone with an "electronic recycling" t-shirt.

When performing an IT refresh or decommissioning equipment, focus on data destruction first and recycling second. It could save your company from what Target is going through.