
Partner Perspectives
10/21/2014 03:31 PM
Digital Security: Taking an Uncompromising Stand

How to improve digital immunity by sharing Indicators of Attack.

In my last post, I outlined the difference between relying on Indicators of Compromise versus Indicators of Attack for digital security. The emphasis here is not that these indicators are new, but that it is imperative to share this early information among all of the different security systems and programs. To be effective against the speed and adaptability of today's attacks, individual security components need to know what is happening across the system and network.

Now, there have been attempts to connect individual security sensors and controls together through proprietary APIs, but this does not scale with the wealth of components that are available. What we need here is an open messaging layer that we can publish to and subscribe to, with a centralized repository that collects all of the info, as well as deep inspection capabilities hanging off the messaging layer that you can reach out to when something new comes along. In the financial industry, to use an outside example, there is a centralized organization, SWIFT, which provides a common infrastructure and messaging protocol for financial transactions among more than 10,000 organizations in 215 countries. SWIFT recently introduced sanctions screening, analogous to deep inspection capability, which checks transactions for compliance with criminal, terrorist, and political sanctions.

In order to take an uncompromising stand, we needed to better understand how our adversaries work. We set up a "honey net," a fake target, so that we could watch attacks from beginning to end, learn more about cybercrime tactics, and identify steps we could take to build more effective defenses. Within 12 hours of going live, we had our first Indicator of Attack – network vulnerability scanning of our systems. The IP addresses used to do these scans were not in our library of bad addresses, and they continued to be part of the attack as it evolved. But this information is typically discarded by the firewalls, leaving the other sensors and controls in the dark.

The next event was a brute-force password attack on a component that we left intentionally exposed. Using a large botnet, our 20-character password was broken in no time at all. While most systems would be configured to defend against this, by letting it proceed we could reconstruct the user ID and password dictionaries that the attackers were trying.

Once they had a successful login, the attackers set up their own admin account, and even installed language-specific browsers to make their work easier! Here we learned the detailed characteristics of a hacked account. What is interesting to note is that the configuration changes, while anomalous, would not have fallen outside the rules of what most companies allow. Only by looking at the cumulative Indicators of Attack, from several sources, can we confidently declare this system compromised.

There are many other potential Indicators of Attack, many of which will be quickly and easily repelled by your existing defenses: phishing emails, social engineering attempts, repeated failed logins – the list is lengthy. Unfortunately, information on most of these indicators never gets past the initial point of contact. In fact, our attacker tried and failed more than 5,000 times before successfully compromising the system. Trial and error should be a dead giveaway.
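The open messaging layer described earlier and the honeynet sequence above (scan, brute force followed by a successful login, then permitted-but-anomalous configuration changes) fit together in the following Python sketch. It is an added example, not code from the article or from any product it refers to: the in-memory publish/subscribe bus stands in for the messaging layer, the three "sensors" parse constructed log lines whose formats, addresses (203.0.113.45, 10.0.0.7), indicator weights and thresholds are all assumptions made for this illustration, and the correlator declares compromise only when the cumulative score comes from at least two independent sources.

```python
import re
from collections import defaultdict

# Constructed weights (not from the article). Single failed logins carry no weight; only
# the "many failures, then success" pattern does, because that is the trial-and-error tell.
WEIGHTS = {"scan": 1, "login_after_failures": 3, "admin_account_created": 2, "software_installed": 1}

class IndicatorBus:
    """Open messaging layer: sensors publish, the repository keeps every indicator, subscribers react."""
    def __init__(self):
        self.repository = []      # centralized record of every shared indicator
        self._subscribers = []

    def subscribe(self, callback):
        self._subscribers.append(callback)

    def publish(self, indicator):
        self.repository.append(indicator)
        for callback in self._subscribers:
            callback(indicator)

class Correlator:
    """Compromise verdict needs a weighted score >= threshold from >= min_sources distinct sensors."""
    def __init__(self, bus, threshold=4, min_sources=2):
        self.threshold, self.min_sources = threshold, min_sources
        self.evidence = defaultdict(list)   # host -> indicators seen so far
        bus.subscribe(lambda ind: self.evidence[ind["host"]].append(ind))

    def assess(self, host):
        inds = self.evidence[host]
        score = sum(WEIGHTS[i["kind"]] for i in inds)
        sources = sorted({i["source"] for i in inds})
        return {"score": score, "sources": sources,
                "compromised": score >= self.threshold and len(sources) >= self.min_sources}

def firewall_sensor(bus, lines, min_ports=5):
    """Report a source probing many ports on one host as a scan instead of silently dropping it."""
    ports_seen = defaultdict(set)
    for line in lines:
        m = re.search(r"DROP src=(\S+) dst=(\S+) dport=(\d+)", line)
        if m:
            ports_seen[(m.group(1), m.group(2))].add(m.group(3))
    published = 0
    for (src, dst), ports in ports_seen.items():
        if len(ports) >= min_ports:
            bus.publish({"source": "firewall", "host": dst, "actor": src, "kind": "scan"})
            published += 1
    return published

def auth_sensor(bus, lines, floor=20):
    """Publish when a success follows at least `floor` failures from the same address."""
    failures = defaultdict(int)   # (actor, host) -> failed attempts so far
    published = 0
    for line in lines:
        m = re.search(r"(Failed|Accepted) password for \S+ from (\S+) on (\S+)", line)
        if not m:
            continue
        key = (m.group(2), m.group(3))
        if m.group(1) == "Failed":
            failures[key] += 1
        elif failures[key] >= floor:
            bus.publish({"source": "auth", "host": key[1], "actor": key[0],
                         "kind": "login_after_failures", "failures": failures[key]})
            published += 1
    return published

def config_audit_sensor(bus, lines):
    """Forward configuration changes that policy permits but that are still anomalous."""
    published = 0
    for line in lines:
        m = re.search(r"host=(\S+) event=(admin_account_created|software_installed)", line)
        if m:
            bus.publish({"source": "config-audit", "host": m.group(1), "actor": None, "kind": m.group(2)})
            published += 1
    return published

# Constructed sample logs (formats invented for this example): a port scan, 25 failed
# logins then a success from the same address, and two permitted-but-odd config changes.
FIREWALL_LOG = [f"fw DROP src=203.0.113.45 dst=10.0.0.7 dport={p}" for p in (21, 22, 23, 80, 443, 3389)]
AUTH_LOG = ["sshd: Failed password for admin from 203.0.113.45 on 10.0.0.7"] * 25 + [
    "sshd: Accepted password for admin from 203.0.113.45 on 10.0.0.7"]
CONFIG_LOG = ["audit host=10.0.0.7 event=admin_account_created user=svc_backup",
              "audit host=10.0.0.7 event=software_installed pkg=browser-lang-pack"]

def run_demo(firewall=FIREWALL_LOG, auth=AUTH_LOG, config=CONFIG_LOG):
    """All three sensors share over one bus; returns the verdict and the repository size."""
    bus = IndicatorBus()
    correlator = Correlator(bus)
    firewall_sensor(bus, firewall)
    auth_sensor(bus, auth)
    config_audit_sensor(bus, config)
    return correlator.assess("10.0.0.7"), len(bus.repository)

def run_single_source(config=CONFIG_LOG):
    """Only the config audit shares: the same changes alone do not reach a verdict."""
    bus = IndicatorBus()
    correlator = Correlator(bus)
    config_audit_sensor(bus, config)
    return correlator.assess("10.0.0.7")
```

With all three sensors publishing, `run_demo()` scores the host 7 across three sources and declares it compromised; `run_single_source()` shows the same account creation and software install, seen by the configuration audit alone, stopping short of a verdict, which is the point about cumulative indicators. The firewall sensor turns drops it would otherwise discard into a shared scan indicator, and the auth sensor only speaks up when a success follows a long run of failures, so a real threshold for production use would be tuned to the environment rather than the constant used here.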

Only with a truly connected security system can we develop a sustainable advantage over highly adaptive and evolving cybercriminals. It’s not easy operating in a world where we need to be right all the time and the attacker only needs to be right once. We need to move to a security posture where the criminals do not get thousands of free tries to break in, and if they do find a weakness, they do not get to wander around inside our systems with impunity, carefully evaluating what they want to steal.

Comments
MichaelFey, User Rank: Apprentice
10/24/2014 | 10:16:46 PM
Re: Intel sharing
As part of the US Government's push to improve cybersecurity (EO 13636), we are seeing much more investment in controlled sharing of threat intelligence within vertical groups. Recently, the DHS announced that 8 industries were working with them to gain access to threat intelligence. As the government is often the first to detect a breach or indicator of attack, and there are indicators and attack patterns that cross industries, we are supportive of this initiative. There are also efforts such as the FS-ISAC / DTCC Soltra (soltra(dot)com), but that is not quite the same as SWIFT. SWIFT is foundational automation for the business world; Soltra is a joint effort between DTCC and FS-ISAC. They seem to be aspiring to do some of the same things.
Marilyn Cohodas, User Rank: Strategist
10/22/2014 | 8:04:06 AM
Intel sharing
Interesting blog, Mike. Curious to know if there are similar organizations to SWIFT for intel sharing in other industries outside of financial?