Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

3/5/2014
12:06 PM
Martin Lee
Martin Lee
Commentary
Connect Directly
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Data Breach: ‘Persistence’ Gives Hackers the Upper Hand

Hackers are winning on speed and determination. But we can stack the odds in our favor by shifting the time frames of an attack. Here's how.

Over the past few years attackers have proved adept at compromising even the most secure organizations. A common theme in successful attacks is persistence. Given the complexity of modern software and network environments, if an attacker looks hard enough, or waits long enough, a weakness will become apparent that can allow the attacker to compromise the target. Consequently focusing solely on keeping attackers out of a network is no longer the best strategy to protect an organization from cyber security threats.

The numbers speak volumes: It only takes minutes from the initiation of an attack for an attacker to compromise a system. Once access has been achieved, data can be exfiltrated quickly. Within organizations, it takes in the order of months to discover the compromise, weeks for the breach to be resolved. Clearly attackers have the upper hand. The task of defending networks is becoming more difficult, rather than easier, as perimeters continue to expand through the use of external cloud systems, the phenomena of BYOD, and integrated services with external third parties.

Unfortunately, we cannot turn back the clock and return to more innocent and less complex days. As attackers become more skilled and systems become more complex, it is next to impossible to keep systems completely free from compromise.

I’m not saying that we should give up. In fact, I strongly believe it is still possible to prevent most attacks and -- even when an attack is successful -- it is possible to identify and remediate the breach before harm is incurred. The key is to shift the time frames of an attack, so that the odds are stacked in the defender’s (not the attacker’s) favor.

Australia's Department of Defence found just four mitigation strategies to be successful in preventing 85% of targeted attacks: patching, application whitelisting, restricting administrative privileges, and creating defense-in-depth. These mitigations won’t stop all attacks. Notably, patching won’t help against zero day attacks. However, these strategies will frustrate attackers and force them to expend more time and effort to gain access.

It’s also important to understand that cybercrime is an economic crime. If an attacker finds that a target is too expensive in terms of time, effort, and resources to breach, the attacker will switch attention to an easier target that offers the same rewards at a lower cost. For example, segregating networks so that the attacker cannot easily gain access to confidential information means that attackers have to work harder before they can extract valuable data. The harder and longer attackerd have to work, the better the chances they will leave traces that can be identified.

Network vigilance is another factor that can reduce the time frame from compromise to detection. It is during this period that attackers are able to explore networks and steal resources without hindrance. By identifying abnormal network activity and distinguishing it from normal day-to-day activity, incursions can be detected before they cause harm. Modern SIEM systems allow logging data from IPS systems, firewalls, file servers, and domain servers to be aggregated and analyzed. Not every attacker will generate alerts from the IPS system, but alerts such as users attempting to access files outside of their job role, or at odd times of the day, should prompt security teams to investigate further.

Prioritizing network security alerts requires procedures and practice. Minor alerts should be ignored so that response teams can focus on important issues. Despite the headlines, major breaches are rare events. Security teams may only be faced with such an incident once a decade. However, when an organization is faced with such a scenario, security teams need to be able to respond quickly, effectively, and confidently. This can only happen if people are trained and practiced in responding to such incidents. Working through theoretical exercises to decide how to respond, and practicing response to simulated attacks, should be standard practice in incident planning. By reviewing the results of such practices, improvements can be implemented so that when a major incident does happen, teams know exactly how to respond and react.

In the real world we have to face the fact that, despite our best efforts, we are not going to be able to defend against every attack all of the time. This does not mean that information security is ineffective. On the contrary, security managers are on the front line fighting against the world’s most sophisticated adversaries. But to succeed we need to stack the odds in our favor through better planning; defense strategies that frustrate attackers; and faster spotting, response, and recovery efforts.

As Technical Lead within Cisco's TRAC team, Martin Lee researches the latest developments in cybersecurity and delivers expert opinion on how to mitigate emerging threats and related risks. A Certified Information Systems Security Professional (CISSP) and a chartered ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
MartinL923
50%
50%
MartinL923,
User Rank: Apprentice
3/7/2014 | 5:40:14 AM
Re: The Economics of Cybercrime
As Stephen Colbert pointed out at RSA, the NSA showed how an organisation with an unlimited budget can get pwned by a 29 year old with a thumb drive.

Too often security spending seems to be about justifying budgets rather than considering how we can slow down and frustrate attackers, while speeding up detection and remediation. Organisations need to think where their valuable data is located, how it is accessed, and how they would know if someone accessed it improperly.
Gary Scott
50%
50%
Gary Scott,
User Rank: Strategist
3/6/2014 | 1:39:33 PM
The Economics of Cybercrime
Cybercrime is a function of economics.  If the potential for reward is greater than the sum of time, cost and risk of an attack, you will see cybercrime continue.  The same economics are true on the company's part.  Companies spend millions of dollars building walls but freely allow digital data - usually hard drives – be removed by anyone with an "electronic recycling" t-shirt.

When performing an IT refresh or decommissioning equipment, focus on data destruction first and recycling second.  It could save your company from what Target is going through. 
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/1/2020
Stay-at-Home Orders Coincide With Massive DNS Surge
Robert Lemos, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "Well I dont run on MacOS, so I need to take extra precautions"
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13759
PUBLISHED: 2020-06-02
rust-vmm vm-memory before 0.1.1 and 0.2.x before 0.2.1 allows attackers to cause a denial of service (loss of IP networking) because read_obj and write_obj do not properly access memory. This affects aarch64 (with musl or glibc) and x86_64 (with musl).
CVE-2020-7662
PUBLISHED: 2020-06-02
websocket-extensions npm module prior to 1.0.4 allows Denial of Service (DoS) via Regex Backtracking. The extension parser may take quadratic time when parsing a header containing an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and some other characte...
CVE-2020-7663
PUBLISHED: 2020-06-02
websocket-extensions ruby module prior to 0.1.5 allows Denial of Service (DoS) via Regex Backtracking. The extension parser may take quadratic time when parsing a header containing an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and some other charact...
CVE-2020-12017
PUBLISHED: 2020-06-02
GE Grid Solutions Reason RT Clocks, RT430, RT431, and RT434, all firmware versions prior to 08A05. The device’s vulnerability in the web application could allow multiple unauthenticated attacks that could cause serious impact. The vulnerability may allow an unauthenticated attacke...
CVE-2018-18623
PUBLISHED: 2020-06-02
Grafana 5.3.1 has XSS via the "Dashboard > Text Panel" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099.