Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

6/22/2017
10:00 AM
Eric Thomas
Eric Thomas
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

WannaCry? Youre Not Alone: The 5 Stages of Security Grief

As breach after breach hits the news, security professionals cope with the classic experiences of denial, anger, bargaining, depression, and acceptance.

When it comes to securing the enterprise, the attackers have the advantage. Defenders are required to protect against every conceivable threat while the attacker needs only a single attack vector to penetrate a network.

The universe of potential intrusion vectors is vast: faulty authentication mechanisms, gaps in the perimeter network, legacy applications, and, of course, human behavior are just a few examples. Unfortunately, enterprise security teams tend to focus on a handful of information security domains:

  • Authentication
  • Patch management and 0-day threats
  • Malware and endpoint protection
  • Network security

"Network security" has come to be synonymous with "perimeter security." Secure the perimeter, the thinking goes, and everything in the datacenter can operate in an environment of mutual trust. Combined with strong authentication mechanisms, this produces a comfortable, low-maintenance state of affairs. Securing only those systems that face the Internet is a whole lot easier than securing the thousands of servers in the datacenter.

Unfortunately the perimeter is but one attack vector of thousands. As breach after breach hits the news, security professionals have realized that securing the perimeter is not enough. And with that acknowledgment, they are now slowly proceeding through the five stages of security grief.

Denial. In this stage, you, the security pro, believe you can’t be breached. Your DMZ is locked down, your stakeholders comply with your policies, and you’ve bought an intrusion detection system (or three). Your job, then, is pretty easy: keep the firewalls up to date, scan the alerts every morning, quarantine the occasional malware infection, sleep well at night. Other organizations are getting breached. What’s wrong with their security people? They probably don’t have an IDS.

Anger. Slowly, an uncomfortable reality dawns: the average time-to-detection for an enterprise breach is somewhere around four months. New attack vectors emerge as headlines in the news. The perimeter is secure, but your contractors and business partners have access to your network, so you’re only as secure as they are. Your favorite restaurant/ department store /multinational bank gets hacked, and you spend an afternoon updating all your recurring payments with your new credit card number. Meanwhile, the number one malware delivery vector is phishing emails. Still.

Bargaining. In search of answers, you turn to the booming infosec industry. There are so many products. So many! You buy them all. The cost of a breach far outweighs your minimal savings in neglecting to buy the one product that would have prevented that breach. You switch on all the endpoint protection you can find. You log everything; your SIEM bursts with event data. You get thousands of alerts every day. After a while you stop reading them.

Depression. Another breach hits the news. One of your vendors proudly announces their product alerted on the breach, which went undetected for four months as attackers siphoned data out of the fortress. You think about the vendor, with whom you’ve spent ungodly sums. Will they detect your breach? You think about the company that got hacked. Are you better at your job than they are? Is it even possible to be good at this? Is it possible to be good at anything? You resolve to get drunk.

Acceptance. The next morning, your head is pounding. You sit down at your desk and unlock your computer. Suddenly, a thought: it’s no longer about whether you’ll get hacked, and it’s not even about when. You realize there might be attackers roaming your network right now and you wouldn’t know about it for months.

So what comes next?

The worst that can happen, you reason, is you get fired. But when the standard for breach discovery is so low, all you have to do is detect an intrusion faster than the other guy.

You study defense-in-depth. You deploy datacenter-level visibility. You monitor for DNS exfiltration, SSL exfiltration, HTTPS exfiltration. You deploy machine learning for anomaly detection. You audit your partners’ security practices and lock down the partner network. There’s no magic bullet. You ignore the alerts and start hunting for threats.

You haven’t been breached yet, but you find all sorts of problems. Adware is everywhere. Your network segments are too broad, allowing for plenty of lateral movement. Software developers are logging in to production databases using privileged credentials. Your internal firewalls are passing all sorts of traffic. Pretty much anybody can access the storage systems.

Finally, data you can use! One by one, you lock down internal attack vectors. You microsegment your applications and deploy next-generation firewalls within the datacenter. You implement two-factor authentication and continuously monitor compliance. You have three columns of Post-Its on your whiteboard: the security hygiene measures your organization needs, the ones it already has, and the ones you’re monitoring. Gradually, the Post-Its move to the right.

You keep hunting the network for threats. Another breach hits the news: the attackers lurked in the network for three years. You think about the security teams at that company. Are you better at your job than they are?

You accept it: Of course you are.

Black Hat USA returns to the fabulous Mandalay Bay in Las Vegas, Nevada, July 22-27, 2017. Click for information on the conference schedule and to register.

Related Content:

Eric Thomas serves as director of cloud for IT analytics company ExtraHop. Prior to taking this role, Eric led the ExtraHop professional services team, and draws on over 20 years of experience in IT operations.  Before joining ExtraHop, Eric performed a variety of ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
cybersavior
100%
0%
cybersavior,
User Rank: Strategist
6/22/2017 | 12:26:50 PM
Do the best you can during the countdown to inevitability
CISO's know.  They don't call it "Carreer Is Soon Over" for nothing.  It's the hotseat and any ignorant user that gets phished can signal that your time is up.  As you say, there are companies that have been breached and those that will be breached.  Maybe the last stage is Resolve.
EricT981
50%
50%
EricT981,
User Rank: Author
6/22/2017 | 12:50:46 PM
Re: Do the best you can during the countdown to inevitability
I'd love to see the defenders get to Resolve... unfortunately, as you say, until we find a way to effectively detect / mitigate phishing it's gonna be a long road.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
6/26/2017 | 2:22:48 PM
Re: Do the best you can during the countdown to inevitability
"detect / mitigate phishing"

That makes sense, it is difficult since in involves the end users behavioral change. Something hard to do.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
6/26/2017 | 2:21:06 PM
Re: Do the best you can during the countdown to inevitability
"Career Is Soon Over"

I agree. However CISO keep telling the business that there is high risk, unfortunately they do not get enough attention.
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
7/19/2017 | 3:50:18 PM
Re: Do the best you can during the countdown to inevitability
At Aon many years ago in Manhattan, a lawyer checked his wireless connects and saw one just across town - turned to the window and said " Wow - Citibank."  With no buildings inbetween, he could see it plain as day.  
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
6/26/2017 | 2:18:48 PM
Reality
Enjoyed reading the article. It reflects the reality on the ground. Most of us do not think we would get hit.
EricT981
50%
50%
EricT981,
User Rank: Author
6/26/2017 | 4:03:21 PM
Re: Reality
Thanks! Appreciate the feedback!
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
6/26/2017 | 2:25:22 PM
Anger
 

"Your favorite restaurant/ department store /multinational bank gets hacked"

This is where we get agree at our shopping store but never link it back to our own situation.
EricT981
50%
50%
EricT981,
User Rank: Author
6/26/2017 | 4:04:38 PM
Re: Anger
Totally agree. The JP Morgan Chase breach should have been a wake-up call. I'm sure their security budgets are enormous and I know they employ some very talented people.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
6/26/2017 | 2:26:58 PM
Yahoo case
"which went undetected for four months as attackers siphoned data out of the fortress."

Very important. In Yahoo case it was years, unbelievable.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/17/2020
APT Groups Set Sights on Linux Targets: Inside the Trend
Kelly Sheridan, Staff Editor, Dark Reading,  9/11/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9739
PUBLISHED: 2020-09-18
Adobe Media Encoder version 14.3.2 (and earlier versions) has an out-of-bounds read vulnerability that could be exploited to read past the end of an allocated buffer, possibly resulting in a crash or disclosure of sensitive information from other memory locations. User interaction is required to exp...
CVE-2020-9744
PUBLISHED: 2020-09-18
Adobe Media Encoder version 14.3.2 (and earlier versions) has an out-of-bounds read vulnerability that could be exploited to read past the end of an allocated buffer, possibly resulting in a crash or disclosure of sensitive information from other memory locations. User interaction is required to exp...
CVE-2020-9745
PUBLISHED: 2020-09-18
Adobe Media Encoder version 14.3.2 (and earlier versions) has an out-of-bounds read vulnerability that could be exploited to read past the end of an allocated buffer, possibly resulting in a crash or disclosure of sensitive information from other memory locations. User interaction is required to exp...
CVE-2020-0089
PUBLISHED: 2020-09-18
In the audio server, there is a missing permission check. This could lead to local escalation of privilege regarding audio settings with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-137015603
CVE-2020-0262
PUBLISHED: 2020-09-18
In WiFi tethering, there is a possible attacker controlled intent due to an unsafe PendingIntent. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-156353008