
Damage Mitigation As The New Defense

Containing the attacker in today's persistent threat environment

This is the second installment in an occasional series on security's new reality.

Any defense contractor -- and now, a few security vendors -- can tell you that even the best security technology and expertise can't stop a well-funded and determined attacker.

That new reality, which has been building for several years starting in the military sector, has shifted the focus from trying to stop attackers at the door to instead trying to lessen the impact of an inevitable hack. The aim is to try to detect an attack as early in its life cycle as possible and to quickly put a stop to any damage, such as extricating the attacker from your data server -- or merely stopping him from exfiltrating sensitive information.

Read the other articles in this series on security's new reality:

>> Part 1: Security's New Reality: Assume The Worst
>> Part 2: Damage Mitigation As The New Defense
>> Part 3: Advanced Attacks Call For New Defenses

It's more about containment now, security experts say. Relying solely on perimeter defenses is now passé -- and naively dangerous. "Organizations that are only now coming to the realization that their network perimeters have been compromised are late to the game. Malware ceased being obvious and destructive years ago," says Dave Piscitello, senior security technologist for ICANN. "The criminal application of collected/exfiltrated data is now such an enormous problem that it's impossible to avoid."

Attacks have become more sophisticated, and social engineering is a powerful, nearly sure-thing tool for attackers to schmooze their way into even the most security-conscious companies. "Security traditionally has been a preventative game, trying to prevent things from happening. What's been going on is people realizing you cannot do 100 percent prevention anymore," says Chenxi Wang, vice president and principal analyst for security and risk at Forrester Research. "So we figured out what we're going to do is limit the damage when prevention fails."

There are certain types of attackers you cannot prevent from getting in if they are determined to do so, says Richard Bejtlich, chief security officer at Mandiant Security. "They will get into your company, but that doesn't mean you should give up," he says.

For organizations like the military that are constantly under siege by cyberattackers, this is nothing new. "Twenty years ago, we thought we could keep these guys out," Bejtlich says. But the Air Force was the first to realize that was not the case after it began instrumenting its networks with custom sensors to detect the attackers, he says. The Air Force quickly realized it wasn't so much a matter of keeping them out, but finding them as quickly as possible and extricating them, he says.

"The military changed from [a strategy] of prevention to one of hunting," Bejtlich says. "This sort of idea has not been widespread."

[ Malware is just a small piece of the puzzle in advanced attacks, and traditional cybercriminals are also getting more 'persistent.' See APT-Type Attack A Moving Target. ]

There are telltale signs that some of the security vendor community is accepting and adapting to this new reality. Some vendors are advancing their tools to work more closely with SIEM products, and others, like FireEye, are expanding their technology. FireEye's new File Malware Protection System (MPS) roots out and kills off malware on an organization's file shares. Then there's the newly commercialized appliance sold by CounterTack that sits inside the organization -- behind the firewall and with the server -- and spies on attacks already in progress. Neal Creighton, chief executive officer at CounterTack, says the attackers are already in there, so you need to fight them in real time by remediating and locking down your assets on the fly.

Security experts say this mindset shift in security has been coming for some time, and has only recently become palpable in the way vendors are marketing their wares and in how enterprises are starting to rethink their traditional defenses.

"The first time I really saw it as a trend was at RSA this year," says Bruce Schneier, CTO at BT Counterpane. "Maybe it's just that all of the attacks in the news are making people realize that this is what's going on. It's not a new idea -- it's just a new trend in companies and in products."

Schneier says he's a "fan" of the trend. "It's reality. It's good to accept this," he says.

Meanwhile, ICANN's Piscitello notes that while the perimeter defense-only strategy is, indeed, dead, focusing solely on minimizing damage is not the answer, either.

"The notion that our only recourse is to focus on minimizing the damage, however, troubles me. It's a concession of defeat. I think this is wrong thinking," Piscitello says. "Would we respond to oil spills by 'only' focusing on minimizing the damage? I'd rather have us adopt a more aggressive strategy where we actively seek out, identify -- and where we discover -- and contain the threat, identify the root cause, and take measures to eliminate or mitigate the threat."

One startup is focusing on the attackers behind sophisticated, targeted attacks. CrowdStrike, which went public prior to the RSA Conference, also operates under the assumption that hackers will get in, or already have. George Kurtz, former McAfee CTO and EVP, co-founded CrowdStrike -- which has not yet fully revealed its technology or offerings -- with Dmitri Alperovitch, former vice president of threat research at McAfee and now CTO of CrowdStrike.

"The possibility of the bad guys getting in is extremely high," Kurtz says. "When they are in, you have to identify them and minimize the damage ... it's not just determining that someone got in and that there's malware in the environment. It's understanding the adversary's intent; what they are focused on; what they are trying to get to; in some cases, who they are; and more thoughtful defense."

Kurtz's company will employ "big data" to help understand the tactics and methods used by the attackers, and will gather that intelligence to share with the larger community. "You can convert that electronically into something that will help people protect them against" the attackers, he says.

Big data is one of the main tools security experts point to for helping support a threat/attack containment strategy.

Tim Rains, director of Microsoft Trustworthy Computing, says it's all about being prepared for an attack, and big data holds promise as a tool to face this new world of threats. "Once upon a time I was tech lead of incident response at Microsoft and did a lot of response investigations for customers. In the IR world, you think you've been compromised, you go back and look at all of the audit logs and try to figure out when and where a compromise happened, and build a timeline based on it," Rains says. "Then you can come in and figure out what happened."

Big data would accelerate detection and offer near-real-time intelligence during an attack, he says. "Instead of artifacts, big data captures and correlates all audit events, looking for anomalies in real time. It's not just a buzzword," he says. He expects technology that can do this to become available in the next three to five years.
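The audit-log timeline and real-time correlation Rains describes, as an added example that is not from the article or from any vendor named in it: it parses constructed audit lines in an assumed key=value format, orders them into a timeline, and correlates failed-then-successful logons, logons from sources outside an assumed per-user baseline, and large outbound transfers into findings a response team could anchor on.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample audit lines in an assumed "ISO-timestamp key=value ..." format.
SAMPLE_LOG = """\
2012-04-06T09:02:11 host=fs01 user=alice event=logon_success src=10.1.2.20
2012-04-06T22:41:03 host=fs01 user=alice event=logon_failure src=10.1.9.77
2012-04-06T22:41:07 host=fs01 user=alice event=logon_failure src=10.1.9.77
2012-04-06T22:41:12 host=fs01 user=alice event=logon_failure src=10.1.9.77
2012-04-06T22:41:20 host=fs01 user=alice event=logon_success src=10.1.9.77
2012-04-06T22:46:30 host=fs01 user=alice event=net_connect dst=203.0.113.5:443 bytes=52000000
"""
# Assumed baseline of where each user normally logs on from (learned from history in practice).
BASELINE_SRC = {"alice": {"10.1.2.20"}}

def parse_events(text):
    """Parse log lines into dicts and order them by time: the investigator's timeline."""
    events = []
    for line in text.splitlines():
        ts, _, rest = line.partition(" ")
        fields = dict(kv.split("=", 1) for kv in rest.split())
        fields["ts"] = datetime.fromisoformat(ts)
        events.append(fields)
    return sorted(events, key=lambda e: e["ts"])

def find_anomalies(events, baseline=BASELINE_SRC, fail_threshold=3,
                   window=timedelta(minutes=5), egress_bytes=10_000_000):
    """Walk the timeline once and correlate events into (ts, rule, detail) findings."""
    findings = []
    failures = {}  # (user, src) -> timestamps of recent logon failures within the window
    for e in events:
        key = (e.get("user"), e.get("src"))
        if e["event"] == "logon_failure":
            q = failures.setdefault(key, deque())
            q.append(e["ts"])
            while e["ts"] - q[0] > window:  # expire failures older than the window
                q.popleft()
        elif e["event"] == "logon_success":
            q = failures.get(key, deque())
            if len(q) >= fail_threshold and e["ts"] - q[0] <= window:
                findings.append((q[0], "brute_force_success", f"{key[0]} from {key[1]}"))
            if e["src"] not in baseline.get(e["user"], set()):
                findings.append((e["ts"], "new_source_logon", f"{key[0]} from {key[1]}"))
        elif e["event"] == "net_connect" and int(e.get("bytes", 0)) >= egress_bytes:
            findings.append((e["ts"], "large_egress", f"{e['user']} -> {e['dst']}"))
    return sorted(findings)

def compromise_start(findings):
    """Earliest finding on the timeline, i.e. the 'when' a response team anchors on."""
    return min(f[0] for f in findings) if findings else None
```

The brute-force finding is stamped with the first failure rather than the eventual success, so the timeline starts where the activity actually began.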

Next page: ABCs of 'containment'

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
Michael J Schenck
User Rank: Apprentice
5/3/2012 | 8:52:08 PM
re: Damage Mitigation As The New Defense
Best containment is to never put information on a computer, and provide the people who know the information with guns loaded with dragon's breath rounds so their brains fry if they are captured... even then they need time and courage to pull the trigger and the gun needs to work. Other than that, the gold standard remains cost vs. reward.
Michael J Schenck
User Rank: Apprentice
5/3/2012 | 8:48:15 PM
re: Damage Mitigation As The New Defense
This is why systems like the Cisco IPS 4000 and NSA's "Cauldron" project are/were so important. Data mining to a whole new level for security purposes.
Michael J Schenck
User Rank: Apprentice
5/3/2012 | 8:46:09 PM
re: Damage Mitigation As The New Defense
This is nothing new. This has ALWAYS been the case. The only thing new might be the mass acceptance of this truth... there is no way to provide perfect information security. All we can do is make the difficulty to extract critical information so high people won't try, and mitigate the damage. The following equation has been in IT security books for years: SLE X ARO + Security = Annual Cost. If SLE X ARO (before security implementation) < Annual Costs, then you accept the risk or find a cheaper mitigation solution. SLE never = 0.
User Rank: Apprentice
4/6/2012 | 6:42:44 PM
re: Damage Mitigation As The New Defense
Best containment defense? Host-based firewalls -- only enable the barest minimum of ports and get rid of workstation-based file and printer sharing; shut down all else and limit the paths for lateral movement to the greatest extent possible.

Biggest weakness in containment? Pass-the-hash. When is Microsoft going to fix this fundamental flaw?

Best tool we used in our APT recovery last year? SQL queries against log data poured into a GreenPlum MPP database. I agree 100% with the "big data" comments.
User Rank: Apprentice
4/6/2012 | 4:02:56 PM
re: Damage Mitigation As The New Defense
Certainly the world has changed and containment is now an important part of any security strategy. However, I still see a gap in the initial detection of a breach. Much press is being given to tools that do analysis and containment, but statistics show that breaches remain undiscovered on systems for far too long (weeks, months). The starting point therefore must be tools that first detect breaches in real time so that these containment tools and strategies can be enacted in a timely manner before sensitive information and intellectual property is lost.
Jim Ivers