Dark Reading is part of the Informa Tech Division of Informa PLC


Attacks/Breaches

4/5/2012
04:52 PM

Damage Mitigation As The New Defense

Containing the attacker in today's persistent threat environment

This is the second installment in an occasional series on security's new reality.

Any defense contractor -- and now, a few security vendors -- can tell you that even the best security technology and expertise can't stop a well-funded and determined attacker.

That new reality, which has been building for several years starting in the military sector, has shifted the focus from trying to stop attackers at the door to instead trying to lessen the impact of an inevitable hack. The aim is to try to detect an attack as early in its life cycle as possible and to quickly put a stop to any damage, such as extricating the attacker from your data server -- or merely stopping him from exfiltrating sensitive information.

Read the other articles in this series on security's new reality:

>> Part 1: Security's New Reality: Assume The Worst
>> Part 2: Damage Mitigation As The New Defense
>> Part 3: Advanced Attacks Call For New Defenses

It's more about containment now, security experts say. Relying solely on perimeter defenses is now passé -- and naively dangerous. "Organizations that are only now coming to the realization that their network perimeters have been compromised are late to the game. Malware ceased being obvious and destructive years ago," says Dave Piscitello, senior security technologist for ICANN. "The criminal application of collected/exfiltrated data is now such an enormous problem that it's impossible to avoid."

Attacks have become more sophisticated, and social engineering is a powerful, nearly sure-thing tool for attackers to schmooze their way into even the most security-conscious companies. "Security traditionally has been a preventative game, trying to prevent things from happening. What's been going on is people realizing you cannot do 100 percent prevention anymore," says Chenxi Wang, vice president and principal analyst for security and risk at Forrester Research. "So we figured out what we're going to do is limit the damage when prevention fails."

There are certain types of attackers you cannot prevent from getting in if they are determined to do so, says Richard Bejtlich, chief security officer at Mandiant Security. "They will get into your company, but that doesn't mean you should give up," he says.

For organizations like the military that are constantly under siege by cyberattackers, this is nothing new. "Twenty years ago, we thought we could keep these guys out," Bejtlich says. But the Air Force was the first to realize that was not the case after it began instrumenting its networks with custom sensors to detect the attackers, he says. The Air Force quickly realized it wasn't so much a matter of keeping them out, but finding them as quickly as possible and extricating them, he says.

"The military changed from [a strategy] of prevention to one of hunting," Bejtlich says. "This sort of idea has not been widespread."

[ Malware is just a small piece of the puzzle in advanced attacks, and traditional cybercriminals are also getting more 'persistent.' See APT-Type Attack A Moving Target. ]

There are telltale signs that some of the security vendor community is accepting and adapting to this new reality. Some vendors are advancing their tools to work more closely with SIEM products, and others, like FireEye, are expanding their technology. FireEye's new File Malware Protection System (MPS) roots out and kills off malware on an organization's file shares. Then there's the newly commercialized appliance sold by CounterTack that sits inside the organization -- behind the firewall, alongside the servers -- and spies on attacks already in progress. Neal Creighton, chief executive officer at CounterTack, says the attackers are already in there, so you need to fight them in real time by remediating and locking down your assets on the fly.

Security experts say this mindset shift in security has been coming for some time, and has only recently become palpable in the way vendors are marketing their wares and in how enterprises are starting to rethink their traditional defenses.

"The first time I really saw it as a trend was at RSA this year," says Bruce Schneier, CTO at BT Counterpane. "Maybe it's just that all of the attacks in the news are making people realize that this is what's going on. It's not a new idea -- it's just a new trend in companies and in products."

Schneier says he's a "fan" of the trend. "It's reality. It's good to accept this," he says.

Meanwhile, ICANN's Piscitello notes that while the perimeter defense-only strategy is, indeed, dead, focusing solely on minimizing damage is not the answer, either.

"The notion that our only recourse is to focus on minimizing the damage, however, troubles me. It's a concession of defeat. I think this is wrong thinking," Piscitello says. "Would we respond to oil spills by 'only' focusing on minimizing the damage? I'd rather have us adopt a more aggressive strategy where we actively seek out, identify -- and where we discover -- and contain the threat, identify the root cause, and take measures to eliminate or mitigate the threat."

One startup is focusing on the attackers behind sophisticated, targeted attacks. CrowdStrike, which announced itself publicly ahead of the RSA Conference, also operates under the assumption that hackers will, or already have, gotten in. George Kurtz, former McAfee CTO and EVP, co-founded CrowdStrike -- which has not yet fully revealed its technology or offerings -- with Dmitri Alperovitch, former vice president of threat research at McAfee and now CTO of CrowdStrike.

"The possibility of the bad guys getting in is extremely high," Kurtz says. "When they are in, you have to identify them and minimize the damage ... it's not just determining that someone got in and that there's malware in the environment. It's understanding the adversary's intent; what they are focused on; what they are trying to get to; in some cases, who they are; and more thoughtful defense."

Kurtz's company will employ "big data" to help understand the tactics and methods used by the attackers, and to gather that intelligence to help the larger community. "You can convert that electronically into something that will help people protect them against" the attackers, he says.

Big data is one of the main tools security experts point to for helping support a threat/attack containment strategy.

Tim Rains, director of Microsoft Trustworthy Computing, says it's all about being prepared for an attack, and big data holds promise as a tool to face this new world of threats. "Once upon a time I was tech lead of incident response at Microsoft and did a lot of response investigations for customers. In the IR world, you think you've been compromised, you go back and look at all of the audit logs and try to figure out when and where a compromise happened, and build a timeline based on it," Rains says. "Then you can come in and figure out what happened."

Big data would accelerate detection and offer near-real-time intelligence during an attack, he says. "Instead of artifacts, big data captures and correlates all audit events, looking for anomalies in real time. It's not just a buzzword," he says. He expects technology that can do this to become available in the next three to five years.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Michael Schenck, User Rank: Apprentice
5/3/2012 | 8:52:08 PM
re: Damage Mitigation As The New Defense
Best containment is to never put information on a computer, and provide the people who know the information with guns loaded with dragon's breath rounds so their brains fry if they are captured... even then they need time and courage to pull the trigger and the gun needs to work. Other than that, the gold standard remains cost vs. reward.
Michael Schenck, User Rank: Apprentice
5/3/2012 | 8:48:15 PM
re: Damage Mitigation As The New Defense
This is why systems like Cisco IPS 4000 systems and NSA's "Cauldron" project are/were so important. Data mining to a whole new level for security purposes.
Michael Schenck, User Rank: Apprentice
5/3/2012 | 8:46:09 PM
re: Damage Mitigation As The New Defense
This is nothing new. This has ALWAYS been the case. The only thing new might be the mass acceptance of this truth... there is no way to provide perfect information security. All we can do is make the difficulty to extract critical information so high people won't try and mitigate the damage. The following equation has been in IT security books for years: SLE X ARO + Security = Annual Cost. If SLE X ARO (before security implementation) < Annual Costs, then you accept the risk or find a cheaper mitigation solution. SLE never = 0.
JerryJohnson, User Rank: Apprentice
4/6/2012 | 6:42:44 PM
re: Damage Mitigation As The New Defense
Best containment defense? Host-based firewalls -- only enable the barest minimum of ports and get rid of workstation-based file and printer sharing; shut down all limit the paths for lateral movement to the greatest extent possible.

Biggest weakness in containment? Pass-the-hash. When is Microsoft going to fix this fundamental flaw?

Best tool we used in our APT recovery last year? SQL queries against log data poured into a GreenPlum MPP database. I agree 100% with the "big data" comments.
Triumfant, User Rank: Apprentice
4/6/2012 | 4:02:56 PM
re: Damage Mitigation As The New Defense
Certainly the world has changed and containment is now an important part of any security strategy. However, I still see a gap in the initial detection of a breach. Much press is being given to tools that do analysis and containment, but statistics show that breaches remain undiscovered on systems for far too long (weeks, months). The starting point therefore must be tools that first detect breaches in real time so that these containment tools and strategies can be enacted in a timely manner before sensitive information and intellectual property is lost.
Jim Ivers
www.triumfant.com