One thing that the depressing string of data breaches this year shows is that cyber attackers have become skilled at staging long-lasting data exfiltration campaigns.
Security experts aren't clear whether this is a new trend or something that companies are finally waking up to only now. Either way, the attacks represent a real problem for companies that are still stuck with perimeter-centric defense strategies that are focused purely on keeping intruders out of the enterprise network.
The attacks on companies like Sony, Home Depot, and Target over the past year show that many hackers have eschewed smash-and-grab attacks for campaigns that are highly targeted and explicitly designed to extract huge amounts of data over a period of time.
In many of the attacks, hackers used convincing spear-phishing campaigns to drop malware on targeted systems and gain an initial foothold on a corporate network. In other attacks, like the ones at Target and Home Depot, hackers used login credentials stolen from third parties to gain access to their victims' networks.
Both tactics allowed attackers to relatively easily bypass whatever perimeter security controls the companies might have stuck at the edge of their network. And once inside, they leveraged a combination of custom malware tools and regular IT tools to make their way around the network and extract data almost at will without being detected.
The success of these attacks points to a troubling lack of security controls for monitoring anomalous behavior on the internal network and for spotting data being exfiltrated from within it. They also highlight the enormous challenges that large companies face in trying to prevent data from leaking out through myriad nodes and exit points scattered across the enterprise.
"We are beginning to realize in some cases that the situation is far worse than we realized," says Stephen Hultquist, chief evangelist at RedSeal Networks. "In some cases attackers have been inside networks for months and even years without being discovered," he says, pointing to the recently disclosed Regin APT threat as an extreme example.
Often the attacks are carried out by well-funded, highly organized groups that are willing to invest the resources and the time needed for a long-drawn out data extraction campaign. "When you are able to sit inside the network for months and years, your ability to gather information of high value becomes very high," he says. Even companies with tools for monitoring suspicious activity can sometime miss what's going on because the data theft is usually carried in a totally innocuous manner over an extended period of time.
Dealing with such threats requires companies to have controls for spotting the unexpected on the network in terms of who is accessing data, from where the access is being made, and why. "A lot of organizations have opened up their networks to a broader set of sources," and have little idea how, where, and when, data is being accessed, he says. Some companies are so focused on preventing threats from coming inside the network that they pay little attention to data flowing out of it.
Many breaches go undetected for a long time at least partially because companies are not actively looking for one, says Barry Shtelman, director of security strategy at Imperva. "Companies are only seeking a smoking gun once they know there is one," he says.
"We believe that the best way to actually build your security strategy, assuming that there are malicious or compromised insiders and machines in your organization, is to focus on protecting the data rather than looking for the light switch," after a breach.
One mistake companies can make is to assume that the defense in depth model works for these kinds of attacks, adds Rick Howard, chief security officer at Palo Alto Networks. Unless organizations have specifically put in place mechanisms for monitoring data exfiltration, it is almost impossible to know when data is being siphoned out of a network, he says.
"Advanced organizations have adopted the Kill Chain model," Howard says. "It is similar to Defense in Depth in that defenders install multiple security controls into the enterprise but the types of controls and where the defenders place them are informed by cyber security intelligence." The key to such a defense model is that it is not static. Rather, it is focused on deploying defenses that are tuned to address the specific methods and tools employed by an adversary, he says.