Containing the attacker in today's persistent threat environment

This is the second installment in an occasional series on security's new reality.

Any Defense contractor -- and now, a few security vendors -- can tell you that even the best security technology and expertise can't stop a well-funded and determined attacker.

That new reality, which has been building for several years starting in the military sector, has shifted the focus from trying to stop attackers at the door to instead trying to lessen the impact of an inevitable hack. The aim is to try to detect an attack as early in its life cycle as possible and to quickly put a stop to any damage, such as extricating the attacker from your data server -- or merely stopping him from exfiltrating sensitive information.

It's more about containment now, security experts say. Relying solely on perimeter defenses is now passe -- and naively dangerous. "Organizations that are only now coming to the realization that their network perimeters have been compromised are late to the game. Malware ceased being obvious and destructive years ago," says Dave Piscitello, senior security technologist for ICANN. "The criminal application of collected/exfiltrated data is now such an enormous problem that it's impossible to avoid."

Attacks have become more sophisticated, and social engineering is a powerful, nearly sure-thing tool for attackers to schmooze their way into even the most security-conscious companies. "Security traditionally has been a preventative game, trying to prevent things from happening. What's been going on is people realizing you cannot do 100 percent prevention anymore," says Chenxi Wang, vice president and principal analyst for security and risk at Forrester Research. "So we figured out what we're going to do is limit the damage when prevention fails."

There are certain types of attackers you cannot prevent from getting in if they are determined to do so, says Richard Bejtlich, chief security officer at Mandiant Security. "They will get into your company, but that doesn't mean you should give up," he says.

For organizations like the military that are constantly under siege by cyberattackers, this is nothing new. "Twenty years ago, we thought we could keep these guys out," Bejtlich says. But the Air Force was the first to realize that was not the case after it began instrumenting its networks with custom sensors to detect the attackers, he says. The Air Force quickly realized it wasn't so much a matter of keeping them out, but finding them as quickly as possible and extricating them, he says.

"The military changed from [a strategy] of prevention to one of hunting," Bejtlich says. "This sort of idea has not been widespread."

[ Malware is just a small piece of the puzzle in advanced attacks, and traditional cybercriminals are also getting more 'persistent.' See APT-Type Attack A Moving Target. ]

There are telltale signs that some of the security vendor community is accepting and adapting to this new reality. Some vendors are advancing their tools to work more closely with SIEM products, and others, like FireEye, are expanding their technology. FireEye's new File Malware Protection System (MPS) roots out and kills off malware on an organization's file shares. Then there's the newly commercialized appliance sold by CounterTack that sits inside the organization -- behind the firewall and with the server -- and spies on attacks already in progress. Neal Creighton, chief executive officer at CounterTack, says the attackers are already in there, so you need to fight them in real time by remediating and locking down your assets on the fly.

Security experts say this mindset shift in security has been coming for some time, and has only recently become palpable in the way vendors are marketing their wares and in how enterprises are starting to rethink their traditional defenses.

"The first time I really saw it as a trend was at RSA this year," says Bruce Schneier, CTO at BT Counterpane. "Maybe it's just that all of the attacks in the news are making people realize that this is what's going on. It's not a new idea -- it's just a new trend in companies and in products."

Schneier says he's a "fan" of the trend. "It's reality. It's good to accept this," he says.

Meanwhile, ICANN's Piscitello notes that while the perimeter defense-only strategy is, indeed, dead, focusing solely on minimizing damage is not the answer, either.

"The notion that our only recourse is to focus on minimizing the damage, however, troubles me. It's a concession of defeat. I think this is wrong thinking," Piscitello says. "Would we respond to oil spills by 'only' focusing on minimizing the damage? I'd rather have us adopt a more aggressive strategy where we actively seek out, identify -- and where we discover -- and contain the threat, identify the root cause, and take measures to eliminate or mitigate the threat."

One startup is focusing on the attackers behind sophisticated, targeted attacks. CrowdStrike, which went public prior to the RSA Conference, also operates under the assumption that hackers will, or already have, gotten in. Georg Kurtz, former McAfee CTO and EVP, co-founded CrowdStrike -- which has not yet fully revealed its technology or offerings -- with former McAfee Dmitri Alperovitch, former vice president of threat research at McAfee and now CTO of CrowdStrike.

"The possibility of the bad guys getting in is extremely high," Kurtz says. "When they are in, you have to identify them and minimize the damage ... it's not just determining that someone got in and that there's malware in the environment. It's understanding the adversary's intent; what they are focused on; what they are trying to get to; in some cases, who they are; and more thoughtful defense."

Kurtz's company will employ "big data" to help understand tactics and methods used by the attackers, and gathering that intelligence to help the larger community. "You can convert that electronically into something that will help people protect them against" the attackers, he says.

Big data is one of the main tools security experts point to for helping support a threat/attack containment strategy.

Tim Rains, director of Microsoft Trustworthy Computing, says it's all about being prepared for an attack, and big data holds promise as a tool to face this new world of threats. "Once upon a time I was tech lead of incident response at Microsoft and did a lot of response investigations for customers. In the IR world, you think you've been compromised, you go back and look at all of the audit logs and try to figure out when and where a compromise happened, and build a timeline based on it," Rains says. "Then you can come in and figure out what happened."

Big data would accelerate the detection and offer near-real-time intelligence in an attack, he says. "Instead of artifacts, big data captures and correlates all audit events, looking for anomalies in real time. It's not just a buzzword," he says. He expects the technology to do this to become available in the next three to five years.

Next Page: ABCs of 'containment' Containing or corralling the attacker to thwart his efforts takes the IR and recovery concept to the next level. "This concept of containment will bring to a more holistic security strategy a way to help buy more time for detection and response and the ability to mitigate attacks," Rains says.

Among the technologies that fall under this category today are sandboxing, Microsoft's Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and AppBlocker, for example. "DEP and ASLR have been useful in mitigating the big worm attacks we saw the in the past" and some of the recent advanced persistent-threat (APT)-style attacks, Rains says.

"Attackers would love to send you an attachment and compromise your system. Those [technologies] like DEP and ASLR make that a lot harder," Rains says. Whitelisting and other techniques like AppBlocker can help organizations specify which applications can run, he says.

Organizations need to better understand what data specifically needs advanced protections, and to deploy access control so that users are given access only to apps they need for their jobs, and the least privileges as possible to avoid attackers abusing that, according to Rains.

But the full-blown tools for building a containment strategy are really not there yet, experts say. "One of the biggest challenges is that customers really don't have the ability to protect themselves or contain a threat," says Oliver Friedrichs, senior vice president of Sourcefire's cloud technology group. "That's very serious today. Most threats have a half-life of a day or less, and so much of the data has already been exfiltrated" by then, he says.

Containment is basically an old military concept that has permeated the business world. It has two basic elements, says Eddie Schwartz, CSO at RSA, the security division of EMC. "Get visibility into [at-risk data] faster, and shut down the attackers before they get access to the most valuable [assets]," he says. "And containment puts the more valuable things in spaces that are more protected."

Schwartz says virtualization is a key tool for containment. RSA has deployed this technology in-house, including in its mobile systems, he notes. "[You build] a virtual container where you don't allow the cool stuff on BYOD [bring your own device] to pollute the environment ... carefully crafted" for security, he says.

Bottom line: The layered approach to security is still very much in fashion. "Security is about the layered approach. That means several technical layers and user education," says Roel Schouwenberg, senior antivirus researcher for Kaspersky Lab. "[And] a mitigation strategy is really something you should always have."

And 2011, which has been coined "the year of the hack" due to the high-profile breaches of HBGary Federal, RSA Security, Sony, and others, was a wake-up call for many large organizations.

"Last year was a watershed event for us and for our industry," RSA's Schwartz says. "It was a game changer ... The industry is realizing we [all] need to change what we're doing, not just in security products, but in what organizations and governments are doing" to protect themselves, Schwartz says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights