BreachExchange mailing list archives

Data Breach: ‘Persistence’ Gives Hackers the Upper Hand
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 6 May 2014 19:08:17 -0600

http://www.darkreading.com/attacks-and-breaches/data-breach-persistence-gives-hackers-the-upper-hand-/d/d-id/1114124

Over the past few years attackers have proved adept at compromising even
the most secure organizations. A common theme in successful attacks is
persistence. Given the complexity of modern software and network
environments, if an attacker looks hard enough, or waits long enough, a
weakness will become apparent that can allow the attacker to compromise the
target. Consequently focusing solely on keeping attackers out of a network
is no longer the best strategy to protect an organization from cyber
security threats.

The numbers speak volumes: It only takes minutes from the initiation of an
attack for an attacker to compromise a system. Once access has been
achieved, data can be exfiltrated quickly. Within organizations, it takes
in the order of months to discover the compromise, weeks for the breach to
be resolved. Clearly attackers have the upper hand. The task of defending
networks is becoming more difficult, rather than easier, as perimeters
continue to expand through the use of external cloud systems, the phenomenon
of BYOD, and integrated services with external third parties.

Unfortunately, we cannot turn back the clock and return to more innocent
and less complex days. As attackers become more skilled and systems become
more complex, it is next to impossible to keep systems completely free from
compromise.

I’m not saying that we should give up. In fact, I strongly believe it is
still possible to prevent most attacks and -- even when an attack is
successful -- it is possible to identify and remediate the breach before
harm is incurred. The key is to shift the time frames of an attack, so that
the odds are stacked in the defender’s (not the attacker’s) favor.

Australia's Department of Defence found just four mitigation strategies to
be successful in preventing 85% of targeted attacks: patching, application
whitelisting, restricting administrative privileges, and creating
defense-in-depth. These mitigations won’t stop all attacks. Notably,
patching won’t help against zero day attacks. However, these strategies
will frustrate attackers and force them to expend more time and effort to
gain access.

It’s also important to understand that cybercrime is an economic crime. If
an attacker finds that a target is too expensive in terms of time, effort,
and resources to breach, the attacker will switch attention to an easier
target that offers the same rewards at a lower cost. For example,
segregating networks so that the attacker cannot easily gain access to
confidential information means that attackers have to work harder before
they can extract valuable data. The harder and longer attackers have to
work, the better the chances they will leave traces that can be identified.

Network vigilance is another factor that can reduce the time frame from
compromise to detection. It is during this period that attackers are able
to explore networks and steal resources without hindrance. By identifying
abnormal network activity and distinguishing it from normal day-to-day
activity, incursions can be detected before they cause harm. Modern SIEM
systems allow logging data from IPS systems, firewalls, file servers, and
domain servers to be aggregated and analyzed. Not every attacker will
generate alerts from the IPS system, but alerts such as users attempting to
access files outside of their job role, or at odd times of the day, should
prompt security teams to investigate further.
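The two signals the paragraph names, a user touching a share outside their job role and access at odd hours, are simple enough to show as a detection pass over aggregated file-server audit events. The following is an added example, not code from the article or from Dark Reading; the role-to-share map, the business-hours window, the user list and the log lines are all constructed for illustration, and a real SIEM rule would draw them from the directory and from the organization's own baseline.

```python
"""Toy detection pass over constructed file-server audit events.

Flags two of the signals the article names: a user accessing a share that
their job role is not expected to use, and access outside business hours.
Role map, share names, users and log lines are constructed (assumptions).
"""
from collections import namedtuple
from datetime import datetime, time

Event = namedtuple("Event", "ts user share path")

# Constructed job-role -> shares that role normally uses (assumption).
ROLE_SHARES = {
    "finance": {"finance"},
    "engineering": {"src", "builds"},
    "hr": {"hr"},
}
# Constructed user -> role map; in practice this comes from the directory.
USER_ROLE = {"alice": "finance", "bob": "engineering", "carol": "hr"}

# Business-hours window for the "odd time of day" heuristic (assumption).
WORK_START, WORK_END = time(7, 0), time(19, 0)

# Constructed audit lines in the form: "<ISO timestamp> <user> <share> <path>"
SAMPLE_LOG = """\
2014-05-06T09:12:03 alice finance /finance/q1-forecast.xlsx
2014-05-06T10:45:19 bob src /src/app/main.c
2014-05-06T23:41:55 bob hr /hr/salaries.xlsx
2014-05-07T02:03:10 alice finance /finance/payroll.csv
2014-05-07T11:20:00 carol finance /finance/q1-forecast.xlsx
2014-05-07T12:00:00 dave src /src/app/main.c
"""


def parse_log(text):
    """Parse the space-separated audit format above into Event tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, share, path = line.split(maxsplit=3)
        events.append(Event(datetime.fromisoformat(ts), user, share, path))
    return events


def detect(events):
    """Return a list of (reason, event) alerts; one event may yield two."""
    alerts = []
    for ev in events:
        # A user with no known role gets an empty allow-set, so any access
        # by an unmapped account is flagged rather than silently accepted.
        role = USER_ROLE.get(ev.user)
        allowed = ROLE_SHARES.get(role, set())
        if ev.share not in allowed:
            alerts.append(("share_outside_role", ev))
        t = ev.ts.time()
        if not (WORK_START <= t <= WORK_END):
            alerts.append(("off_hours_access", ev))
    return alerts


def summarize(alerts):
    """Count alerts per user so the noisiest accounts surface first."""
    counts = {}
    for _reason, ev in alerts:
        counts[ev.user] = counts.get(ev.user, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    found = detect(parse_log(SAMPLE_LOG))
    for reason, ev in found:
        print(f"{ev.ts.isoformat()} {ev.user:6} {reason:20} {ev.path}")
    print(summarize(found))
```

Running the block over the constructed log flags bob twice (an HR share at 23:41), alice once (her own share, but at 02:03), carol once (a finance share her role does not use) and dave once (no role mapping at all). The point of the summary is the one the article makes: a single off-hours access is a weak signal, but an account that trips several rules in a short window is what should prompt the security team to investigate further.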

Prioritizing network security alerts requires procedures and practice.
Minor alerts should be ignored so that response teams can focus on
important issues. Despite the headlines, major breaches are rare events.
Security teams may only be faced with such an incident once a decade.
However, when an organization is faced with such a scenario, security teams
need to be able to respond quickly, effectively, and confidently. This can
only happen if people are trained and practiced in responding to such
incidents. Working through theoretical exercises to decide how to respond,
and practicing response to simulated attacks, should be standard practice
in incident planning. By reviewing the results of such practices,
improvements can be implemented so that when a major incident does happen,
teams know exactly how to respond and react.

In the real world we have to face the fact that, despite our best efforts,
we are not going to be able to defend against every attack all of the time.
This does not mean that information security is ineffective. On the
contrary, security managers are on the front line fighting against the
world’s most sophisticated adversaries. But to succeed we need to stack the
odds in our favor through better planning; defense strategies that
frustrate attackers; and faster spotting, response, and recovery efforts.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/