Dark Reading is part of the Informa Tech Division of Informa PLC




Long-Running Cyberattacks Become The Norm

Many companies are so focused on the perimeter that they have little idea what's going on inside the network.

One thing that the depressing string of data breaches this year shows is that cyber attackers have become skilled at staging long-lasting data exfiltration campaigns.

Security experts aren't clear whether this is a new trend or something that companies are finally waking up to only now. Either way, the attacks represent a real problem for companies that are still stuck with perimeter-centric defense strategies that are focused purely on keeping intruders out of the enterprise network.

The attacks on companies like Sony, Home Depot, and Target over the past year show that many hackers have eschewed smash-and-grab attacks for campaigns that are highly targeted and explicitly designed to extract huge amounts of data over a period of time.

In many of the attacks, hackers used convincing spear-phishing campaigns to drop malware on targeted systems and gain an initial foothold on a corporate network. In other attacks, like the ones at Target and Home Depot, hackers used login credentials stolen from third parties to gain access to their victims' networks.

Both tactics allowed attackers to bypass, with relatively little effort, whatever perimeter security controls the companies had deployed at the edge of their networks: a phishing payload arrives as ordinary mail and a stolen credential looks like a legitimate login. Once inside, the attackers combined custom malware with the same administrative tools IT staff use every day to move around the network and extract data almost at will, without being detected.

The success of these attacks points to a troubling lack of security controls for monitoring anomalous behavior on the internal network and for spotting data being exfiltrated from within it.  They also highlight the enormous challenges that large companies face in trying to prevent data from leaking out through myriad nodes and exit points scattered across the enterprise.

"We are beginning to realize in some cases that the situation is far worse than we realized," says Stephen Hultquist, chief evangelist at RedSeal Networks. "In some cases attackers have been inside networks for months and even years without being discovered," he says, pointing to the recently disclosed Regin APT threat as an extreme example.

Often the attacks are carried out by well-funded, highly organized groups that are willing to invest the resources and the time needed for a long, drawn-out data extraction campaign. "When you are able to sit inside the network for months and years, your ability to gather information of high value becomes very high," he says. Even companies with tools for monitoring suspicious activity can sometimes miss what's going on, because the data is usually siphoned out in a seemingly innocuous manner over an extended period of time.
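The point about slow, innocuous-looking exfiltration is easiest to see with numbers. The script below is an added example, not code from the article or from any of the vendors quoted in it. It builds constructed daily outbound-byte counts for three hypothetical hosts (the host names, volumes, 1 GB threshold, 30-day baseline and 14-day window are all assumptions) and runs two rules over them: a per-day volume threshold of the kind a perimeter device enforces, and a per-host baseline comparison that aggregates over a window, which is what catches a host leaking a modest amount every day.

```python
import math

MB = 1_000_000


def make_daily_egress(days=60):
    """Constructed sample: {host: [bytes sent to external addresses per day]}.

    Not real telemetry. The three hypothetical hosts are:
      ws-23: normal traffic only, roughly 40-50 MB/day
      ws-04: normal traffic plus a single 2 GB burst on day 50 (smash-and-grab)
      ws-17: normal traffic plus an extra 30 MB/day from day 30 on (low and slow)
    Day-to-day noise is a fixed pattern so the example is fully deterministic.
    """
    def normal(day):
        return 45 * MB + (((day * 37) % 11) - 5) * MB

    hosts = ("ws-04", "ws-17", "ws-23")
    egress = {host: [normal(d) for d in range(days)] for host in hosts}
    egress["ws-04"][50] += 2_000 * MB
    for day in range(30, days):
        egress["ws-17"][day] += 30 * MB
    return egress


def daily_threshold_alerts(egress, limit=1_000 * MB):
    """Rule 1: flag a host on the first day its egress exceeds `limit`.

    Returns {host: day or None}. This is the kind of control an edge device
    enforces; it only ever sees bursts.
    """
    result = {}
    for host, series in egress.items():
        hits = [d for d, sent in enumerate(series) if sent > limit]
        result[host] = hits[0] if hits else None
    return result


def baseline_deviation_alerts(egress, train_days=30, window=14, z=3.0):
    """Rule 2: flag a host on the first day a trailing `window`-day mean exceeds
    that host's own baseline mean by more than `z` standard errors.

    The baseline is the first `train_days` days. The standard error of a
    window mean is sigma / sqrt(window), so an excess too small to matter on
    any single day becomes significant once it persists for the whole window.
    Returns {host: day or None}.
    """
    result = {}
    for host, series in egress.items():
        train = series[:train_days]
        mu = sum(train) / len(train)
        sigma = math.sqrt(sum((x - mu) ** 2 for x in train) / len(train))
        threshold = mu + z * sigma / math.sqrt(window)
        result[host] = None
        for end in range(train_days + window - 1, len(series)):
            recent = series[end - window + 1:end + 1]
            if sum(recent) / window > threshold:
                result[host] = end
                break
    return result


if __name__ == "__main__":
    data = make_daily_egress()
    print("daily threshold :", daily_threshold_alerts(data))
    print("baseline window :", baseline_deviation_alerts(data))
```

Run as-is, the threshold rule flags only ws-04 (the 2 GB burst on day 50) and never sees ws-17; the baseline rule flags ws-17 as soon as the first full window after the leak starts closes (day 43) and still catches ws-04 on day 50. The baseline is per host because a build server and a laptop have nothing in common; in practice it also needs to be refreshed and to exclude days already flagged, or an attacker who is present during training becomes part of "normal".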

Dealing with such threats requires companies to have controls for spotting the unexpected on the network: who is accessing data, from where, and why. "A lot of organizations have opened up their networks to a broader set of sources," and have little idea how, where, and when data is being accessed, he says. Some companies are so focused on keeping threats out of the network that they pay little attention to data flowing out of it.
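The "who, from where, and when" part of that check can be expressed as a per-user profile learned from a data store's own access log. The following is an added example, not code from the article or from Imperva, RedSeal or Palo Alto Networks; the log format, user names, addresses and the three-times-baseline volume rule are assumptions, and both log excerpts are constructed. It learns, for each user, the source /24 networks, the hours of day and the largest read seen during a baseline period, then flags later accesses from a new network, outside the user's usual hours, far above the user's usual volume, or by a user with no baseline at all. The "why" cannot be learned from logs; that is the analyst's follow-up once the alert fires.

```python
import ipaddress
import re

# Constructed sample lines (not real data): "<ts> user=<u> src=<ip> rows=<n>"
BASELINE_LOG = """
2014-11-03T09:12:04 user=alice src=10.20.1.15 rows=120
2014-11-03T11:40:31 user=alice src=10.20.1.15 rows=300
2014-11-04T14:05:59 user=alice src=10.20.1.18 rows=80
2014-11-05T16:48:10 user=alice src=10.20.1.15 rows=210
2014-11-03T08:02:44 user=bob src=10.20.2.7 rows=15
2014-11-04T18:30:12 user=bob src=10.20.2.9 rows=50
2014-11-03T02:00:05 user=svc-backup src=10.30.0.5 rows=50000
2014-11-04T02:00:06 user=svc-backup src=10.30.0.5 rows=49800
"""

EVAL_LOG = """
2014-12-01T10:15:22 user=alice src=10.20.1.22 rows=150
2014-12-01T10:17:03 user=alice src=203.0.113.40 rows=140
2014-12-02T03:21:48 user=bob src=10.20.2.9 rows=40
2014-12-02T14:02:11 user=alice src=10.20.1.15 rows=9000
2014-12-03T02:00:04 user=svc-backup src=10.30.0.5 rows=52000
2014-12-03T11:00:00 user=mallory src=10.20.1.15 rows=20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) rows=(?P<rows>\d+)$"
)


def parse(log_text):
    """Yield (timestamp, hour, user, source /24 network, rows) per well-formed line."""
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than crash the detector
        ts = m["ts"]
        net = ipaddress.ip_network(f"{m['src']}/24", strict=False)
        yield ts, int(ts[11:13]), m["user"], net, int(m["rows"])


def build_profile(baseline_text):
    """Per-user baseline: networks seen, hours seen, largest single read."""
    profile = {}
    for _ts, hour, user, net, rows in parse(baseline_text):
        p = profile.setdefault(user, {"nets": set(), "hours": set(), "max_rows": 0})
        p["nets"].add(net)
        p["hours"].add(hour)
        p["max_rows"] = max(p["max_rows"], rows)
    return profile


def detect_anomalies(log_text, profile, volume_factor=3):
    """Return (timestamp, user, reason) for each access that departs from the profile.

    Hours are checked against the span between the earliest and latest hour
    seen, so a 09:00-16:00 user is not flagged for a 10:00 read merely because
    no baseline line happened to fall in that hour.
    """
    alerts = []
    for ts, hour, user, net, rows in parse(log_text):
        p = profile.get(user)
        if p is None:
            alerts.append((ts, user, "unknown_user"))
            continue
        if net not in p["nets"]:
            alerts.append((ts, user, "new_network"))
        lo, hi = min(p["hours"]), max(p["hours"])
        if not lo <= hour <= hi:
            alerts.append((ts, user, "off_hours"))
        if rows > volume_factor * p["max_rows"]:
            alerts.append((ts, user, "volume"))
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(EVAL_LOG, build_profile(BASELINE_LOG)):
        print(*alert)
```

Note what does not fire: the backup service account reading 52,000 rows at 02:00 is within its own baseline, so a per-user profile avoids the noise a global "big read at night" rule would generate, while alice's 9,000-row read in the middle of the day does fire because it is thirty times her own maximum.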

Many breaches go undetected for a long time at least partially because companies are not actively looking for one, says Barry Shtelman, director of security strategy at Imperva. "Companies are only seeking a smoking gun once they know there is one," he says.

"We believe that the best way to actually build your security strategy, assuming that there are malicious or compromised insiders and machines in your organization, is to focus on protecting the data rather than looking for the light switch," after a breach.

One mistake companies can make is to assume that the defense in depth model works for these kinds of attacks, adds Rick Howard, chief security officer at Palo Alto Networks.  Unless organizations have specifically put in place mechanisms for monitoring data exfiltration, it is almost impossible to know when data is being siphoned out of a network, he says.

"Advanced organizations have adopted the Kill Chain model," Howard says. "It is similar to Defense in Depth in that defenders install multiple security controls into the enterprise but the types of controls and where the defenders place them are informed by cyber security intelligence." The key to such a defense model is that it is not static. Rather, it is focused on deploying defenses that are tuned to address the specific methods and tools employed by an adversary, he says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

User Rank: Ninja
1/2/2015 | 10:49:41 AM
This article denotes that perimeter defenses are circumvented easily due to the methodology of infiltration but what about HIDS? I am not familiar with organizations that employ this type of intrusion detection and am curious if a HIDS Solution would have been able to discern an event.

To clarify I am familiar with HIDS from a theoretical perspective but if it applies to this article can someone explain how this works from an application standpoint in regards to infiltration and launch of malware kits? Thanks,
Eric Kruse
User Rank: Apprentice
1/4/2015 | 12:59:58 PM
Hi Ryan,

You do make an interesting point and one that is commonly overlooked.  As the article pointed out, typical defense in depth from the network intrusion side (not the endpoint) is failing organizations.  From a detection mechanism on the endpoint, various manufacturers make solutions to identify, report, and block malicious activity before it happens.  This can be signature- or behavioral-based in my experience.  There is no magic bullet product that can save the I.T. world from all of the dangers out there, but from a cyber-intelligence perspective (kill chain), understanding / reporting at the endpoint level is critical.
User Rank: Apprentice
1/9/2015 | 12:00:31 PM
RyanSepe - I've used them as a part of an overall strategy in a few different environments, but this was a few years ago now.  I found that in closed environments with multiple security domains they were most useful because we COULD be more limiting without having to deal with noise from some execs demanding that they not be lumped with the rest of the commoners...  But in other environments, it may not be completely realistic depending on size of the company vs. size of the IT and security teams simply due to the onslaught of events and any investigations.  Not all have time, energy and most importantly, the highest levels of support from the top floors.

Good as a part of overall strategy if you have staff that can effect real digging for tuning needed to make them effective. 
User Rank: Moderator
1/5/2015 | 12:02:33 PM
This article is the beginning of a vital strategic discussion
Most network security articles just tell you that "yeah, they got a ton of sensitive information" and "they got in using this method", but what we all need to know is what new security defense products would have worked to either keep "them" out or detect suspicious activities early. Since most vendor advertising is hyperbolically hyped up, network security & admin types have to dig constantly to find out what new tools might help them in mounting a credible defense. When readers ask specific questions about what might work, it seems that reporters & bloggers go out of their way not to give any specific answers - with the probable range of explanations extending from legal liabilities to offending other advertisers. Other readers may not chime in because endorsing a particular "solution" is giving the enemy intelligence on what security products their company has deployed internally. So, at the moment, interesting reportage is just more "blah, blah, blah" about non-actionable generalities, and tomorrow will simply be another day of successful breaches and more missed opportunities to really inform or engage. Yet another modern paradigm going nowhere fast & furious...
Marilyn Cohodas
User Rank: Strategist
1/5/2015 | 3:12:37 PM
Re: This article is the beginning of a vital strategic discussion
"Most network security articles just tell you that "yeah, they got a ton of sensitive information" and "they got in using this method", but what we all need to know is what new security defense products would have worked to either keep "them" out or detect suspicious activities early."

You raise an interesting point @lancop, but I wonder what format you have in mind for that kind of critical information? Are you thinking about user-generated product reviews? Feature comparisons? Crowd-sourcing security defense products and strategies?