
Attacks/Breaches

12/2/2015
10:30 AM
Wendi Whitmore
Commentary

Into the Breach: Why ‘Self Detection’ Leads To Faster Recovery

When an organization can identify network and system intrusions in their early phases it takes the advantage away from its adversaries. Here's how.

In an age where information is the ultimate currency, traditional defense-in-depth focused on malware detection, perimeter protection, and patching of known vulnerabilities is largely ineffective -- unless organizations focus on strategic and proactive preparedness. But what steps does a company need to take in order to successfully craft a strategic approach to security?

To help answer this question, CrowdStrike Services recently compiled the Cyber Intrusion Services Casebook, which is an analysis of key data from hundreds of incident responses and proactive service investigations. The Casebook provides evidence of emerging trends observed in attack behavior, as well as a number of actionable takeaways so organizations can utilize lessons learned and best practices to improve their own defenses.

One particularly interesting finding was the marked increase in the number of organizations ‘self-detecting’ breaches, far above what had been previously reported. All too often, a company learns that it has been compromised only when a third party tells it so. With self-detection, an organization is far more likely to identify a breach in its early phases, which typically leads to faster recovery and far less data loss.

Our research showed that organizations that invest heavily in improving processes, educating their workforce, and acquiring the latest technology to combat advanced threats were more likely to self-detect breaches. This is mainly due to two factors:

Organizational maturity
According to the Project Management Institute, a high level of maturity is achieved when processes are optimized and projects are directly tied to pre-determined business strategies and needs. By having a clear picture about an organization and its goals, security teams can be integrated into every aspect of the business and make better decisions about cyber defense strategies. Mature security programs don’t utilize a generic plan, but consider the unique aspects of their specific threat landscape and adapt accordingly.

Improved endpoint and network detection capability
Comprehensive, next-generation endpoint detection, prevention, and response tools provide maximum visibility into intrusion attempts. With a higher level of visibility, incidents can be contained quickly and attackers thwarted before significant losses occur. Enterprises can invert the traditional reactive security model by actively hunting for indicators of attack within their environment.

To illustrate this trend, let’s take a look at a real-world example:

The organization, a leader within its industry, became increasingly aware of and concerned about the threats posed by nation-state adversaries interested in stealing intellectual property for industrial espionage. In the aftermath of a data breach at another organization, this organization engaged outside services to assess whether its own systems and networks had already been compromised.

A compromise assessment by CrowdStrike Services of the organization’s network showed evidence of past compromise, and endpoint monitoring sensors reported alerts indicating preliminary attacker activity. In response, we worked with the organization to design and implement a detailed remediation plan, which included updates to network architecture. The near real-time visibility provided by host and network sensors enabled rapid identification of where and how attackers were accessing the enterprise environment. For example, we identified multiple attempts to install back doors on employee laptops, which the security team could block immediately without losing track of subsequent attacker activity.

The big payoff
Months later, the attackers attempted to return, exploiting a similar vector (a different web application) to access an Internet-facing system that was not protected by an endpoint sensor. What followed is a pattern we see in almost every case: the attacker used credentials obtained from this system to attempt lateral movement and to dump credentials on another system. But because the client now had experience detecting and responding to attacks following its assessment, and had developed a stronger response playbook that made detection and response part of daily procedures, the entire team responded to the new intrusion with far greater agility.

The incident was quickly analyzed, and mitigation actions were taken to prevent the new tactics, techniques and procedures (TTPs) from succeeding. As a result, the compromise was fully mitigated in less than one hour.
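To make the detection pattern described above concrete (actively hunting for indicators of attack rather than waiting for alerts, and the return visit through an Internet-facing host with no endpoint sensor, followed by lateral movement and credential dumping), here is an added example that is not code from the article or from CrowdStrike. It correlates constructed logon and process events in a short Python hunt: the host inventory, event schema, remote logon-type values, LSASS-dump command-line markers and the 30-minute correlation window are all assumptions made for illustration, not data from the engagement described.

```python
"""Hunt for credential dumping that follows a remote logon, and rank the
finding higher when the logon came from a host with no endpoint sensor.

Added example (not the article's or CrowdStrike's code). Inventory,
event schema, logon types, markers and window are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Set

# Assumed sensor inventory: hosts that have an endpoint sensor installed.
MONITORED_HOSTS: Set[str] = {"WS-0412", "FS-01", "DC-01"}

# Assumed: Windows logon types that mean "session came from another host"
# (3 = network, 10 = RemoteInteractive), i.e. candidate lateral movement.
REMOTE_LOGON_TYPES = {3, 10}

# Assumed behavioural markers for reading LSASS memory; a behaviour, not a
# file hash. A production rule would check the target process, not strings.
LSASS_DUMP_MARKERS = ("lsass.exe", "sekurlsa", "comsvcs.dll, minidump")

WINDOW = timedelta(minutes=30)  # assumed: how long after a logon to look


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str            # "logon" or "process"
    host: str            # host that recorded the event
    user: str
    src_host: str = ""   # logon only: where the session came from
    logon_type: int = 0  # logon only
    cmdline: str = ""    # process only


@dataclass(frozen=True)
class Finding:
    severity: str
    title: str
    host: str
    user: str
    src_host: str
    ts: datetime


def is_lsass_dump(cmdline: str) -> bool:
    """Indicator of attack: a command line that reads LSASS memory."""
    lowered = cmdline.lower()
    return any(marker in lowered for marker in LSASS_DUMP_MARKERS)


def coverage_gaps(events: Iterable[Event],
                  monitored: Set[str] = MONITORED_HOSTS) -> Set[str]:
    """Hosts that originate remote logons but carry no endpoint sensor."""
    return {e.src_host for e in events
            if e.kind == "logon" and e.logon_type in REMOTE_LOGON_TYPES
            and e.src_host and e.src_host not in monitored}


def hunt(events: Iterable[Event], monitored: Set[str] = MONITORED_HOSTS,
         window: timedelta = WINDOW) -> List[Finding]:
    """For every remote logon, look for an LSASS dump by the same user on
    the same host inside `window`; escalate when the source is unmonitored."""
    ordered = sorted(events, key=lambda e: e.ts)
    procs = [e for e in ordered if e.kind == "process"]
    findings: List[Finding] = []
    for logon in ordered:
        if logon.kind != "logon" or logon.logon_type not in REMOTE_LOGON_TYPES:
            continue
        unmonitored = logon.src_host not in monitored
        dump = next((p for p in procs
                     if p.host == logon.host and p.user == logon.user
                     and logon.ts <= p.ts <= logon.ts + window
                     and is_lsass_dump(p.cmdline)), None)
        if dump is not None and unmonitored:
            sev, title = "critical", "LSASS dump after lateral movement from host without sensor"
        elif dump is not None:
            sev, title = "high", "LSASS dump after remote logon"
        elif unmonitored:
            sev, title = "medium", "Remote logon from host without sensor"
        else:
            continue  # monitored source, no dump: nothing to raise
        findings.append(Finding(sev, title, logon.host, logon.user,
                                logon.src_host, (dump or logon).ts))
    return findings


# Constructed sample telemetry (not real logs). WEB-03 is the Internet-facing
# host that never got a sensor; it only shows up as a logon source.
T0 = datetime(2015, 9, 14, 2, 0)
SAMPLE_EVENTS = [
    Event(T0 + timedelta(minutes=3), "logon", "FS-01", "svc_web", src_host="WEB-03", logon_type=3),
    Event(T0 + timedelta(minutes=11), "process", "FS-01", "svc_web",
          cmdline=r"procdump.exe -ma lsass.exe C:\temp\out.dmp"),
    Event(T0 + timedelta(hours=6, minutes=15), "logon", "FS-01", "jdoe", src_host="WS-0412", logon_type=3),
    Event(T0 + timedelta(hours=6, minutes=20), "process", "FS-01", "jdoe",
          cmdline=r"notepad.exe C:\share\report.txt"),
    Event(T0 + timedelta(hours=7), "logon", "DC-01", "jdoe", src_host="WS-0412", logon_type=10),
    Event(T0 + timedelta(hours=7, minutes=5), "process", "DC-01", "jdoe",
          cmdline=r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\temp\l.dmp full"),
]

if __name__ == "__main__":
    print("hosts without sensor coverage:", sorted(coverage_gaps(SAMPLE_EVENTS)))
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.ts:%Y-%m-%d %H:%M} {f.host} user={f.user} "
              f"from={f.src_host}: {f.title}")
```

Two things the paragraph alone does not show: the same LSASS dump rates "critical" when the session originated on WEB-03 (no sensor) and only "high" when it originated on a monitored workstation, so the coverage gap itself is a hunting lead, and the `coverage_gaps` pass surfaces the unmonitored host purely from its appearance as a logon source, before any dump happens. In a real environment the logon events would come from Windows Security event 4624 and the process events from the endpoint sensor's process telemetry; the string markers here are a stand-in for checking which process actually opened a handle to LSASS.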

As the example shows, when it comes to security, preparation is key. By achieving a state of awareness through security assessments, organizational maturity and the right technology, organizations can take the advantage away from adversaries. With this groundwork in place, IT teams can self-detect system and network intrusions, evaluate weak points and implement tools to defend against emerging and enduring adversaries. As in most competitive situations, battles can then be won or lost before adversaries make contact.

Wendi Whitmore has over 10 years of experience in the computer security industry, including a career with the US military. As the vice president of services for CrowdStrike, Wendi is responsible for all professional services offered by the company. Along with her team, Wendi ...