[BreachExchange] What are you doing to spot a breach?

Audrey McNeil audrey at riskbasedsecurity.com
Tue Mar 8 21:17:43 EST 2016


http://www.theregister.co.uk/2016/03/08/spotting_modern_cyberthreats/

Technology moves quickly, not just in legitimate business, but in the
cybercriminal world too. Advanced attack tools are now available on the
black market, lowering the barrier to entry for the average online lowlife.
They are happy to target large and small organizations alike, and they only
have to be lucky once.

Security pros have been forced to prepare for a world of constant,
sustained attack by understanding the threats and choosing the right
measures to prepare for them. Companies are realising the extent of the
threat and gearing up for it, say experts.

“We have seen information security budgets increasing in the last 12 months
to address the challenges that cyber crime is bringing to the
organisation,” said Steve Durbin, managing director of the Information
Security Forum.

So what kinds of threats are they dealing with, and how can they prepare?

What are the threats and where are they coming from?

The cyberthreats facing modern companies fall into various categories, and
they’re loosely linked to the type of cybercriminal that you’re dealing
with and the kind of information that they’re after. Hacktivism has
traditionally been characterised by attacks with a relatively low barrier
to entry such as DDoS and web site defacements, for example.

While hackers’ motives are frequently political or ideological, financial
cybercriminals are interested purely in money, and are adept in their
pursuit of it. Some will attempt to transfer money out of an organization,
while others will focus on saleable information. Malware typically
underpins a financial cybercrime attack.

One notable recent example is Carbanak, an extensive attack on financial
institutions that netted $1bn in stolen assets. It was a devilish attack,
starting with a backdoor sent as an attachment that then moved through the
network until it found an administrative machine.

Then, the malware intercepted clerks’ computers, recording their sessions,
and subsequently used that information to transfer money fraudulently using
online banking sessions and to dispense money from ATMs.

Carbanak was a sophisticated attack that sought to directly manipulate
systems, but cybercriminals typically look to steal specific types of
information such as personally identifiable information (PII) when they
attack. Malware delivery via phishing and drive-by downloads is still a
highly effective tool to steal this data. Exploit kits designed to target
enterprise clients with malicious payloads are on the rise. In its 2015
Threat Report, Forcepoint found three times more exploit kits in
circulation than it had in 2013.

This information can be about your customers or your employees. The latter
can be just as damaging, because you’re likely to have financial and other
data about the people who work for you. One of the most egregious attacks
on employee data recently must be the Office of Personnel Management hack
that compromised 5.6 million fingerprint records, and more than 21 million
former and government employees, harvesting social security numbers and
addresses.

PII isn’t the only threat category, though. Intellectual property is
another rich seam for online criminals to mine. Often the subject of
targeted attacks, this information can take many forms, from email archives
through to launch plans for new products, or details of new products
currently under development.

“We see a lot of intellectual property theft out there, coming from assumed
nation states based on the IPs that they’re coming from, and from industry,
too,” said Eric Stevens, director of strategic security consulting services
at Forcepoint. “It’s a lot cheaper to steal development time than it is to
do that development yourself,” he pointed out.

While these different groups will typically seek different types of
information, there is also an increasing amount of overlap. Hacktivists
have begun targeting both customer data and intellectual property where it
suits their needs. Anonymous was behind the theft of ticketholder data for
the 2012 F1 Grand Prix in Montreal, which was posted online. Hacktivist
faction Lulzsec mined intellectual property from private security firm
Stratfor in 2011.

How do you live with attackers getting in, and continue to fight them?

Over the years, the focus on keeping attackers out at all costs has shifted
towards managing them when they break into an organization. Security
professionals seem to be tacitly admitting that network intrusion is a
question of ‘when’, rather than ‘if’.

“15 years ago, the focus was keeping them out. Today, organizations are
starting to realize they have to deal with a certain degree of compromise,”
explained Stephen Northcutt, director of academic advising for the SANS
Technology Institute.

This is something that at least one of the three-letter agencies has
understood for years. In 2010, Deborah Plunkett, then-head of the
Information Assurance Directorate at the NSA, said that the agency assumed
that there were already intruders inside its network. Considering itself
already compromised forced it to protect critical data inside the network,
rather than relying on a single ring of iron.

The Open Group’s Jericho Forum focused on containing rather than preventing
threats with its de-perimeterization principle, first espoused in the
mid-2000s, which stated that the traditional trusted network boundary had
eroded. One of the group’s commandments to survive in a de-perimeterized
future was the assumption that your network was untrusted.

Clearly, the NSA didn’t protect its resources especially well, though. Ed
Snowden, working for third party contractor Booz-Allen Hamilton, happily
vacuumed up gigabytes of sensitive data for a sustained trickle-feed
campaign to the media.

No matter what side of the Snowden debate you’re on, for CISOs his case
highlights the need for controls to stop the theft of information through
authorized accounts.

“Over the next few years, you will see a lot of growth in privilege and
identity management,” said Northcutt. “At the network level you are going
to see more segmentation and isolation.”

To fully protect themselves with these techniques, though, organizations
need a deep understanding of the data that they have and how it is used in
their business, said Stevens. There are many roles and sets of
responsibilities in an organisation. Some of them may even transcend
internal employees altogether.

“You have to understand what your business processes are surrounding that
data,” he said. It’s necessary to understand what a normal process looks
like. A hospital may send data to a third party company that produces its
invoices for it. How can you distinguish between a legitimate business
process like that, and an illegitimate one that is sending sensitive data
to bad people?

How do you distinguish between normal behaviour and threats?

Distinguishing between these different modes of behaviour is an important
skillset for IT departments trying to spot attackers inside their network,
but it’s doable with the right tools, say experts. It’s all a question of
mathematics, said Northcutt.

“Twenty years ago the US Navy spent about a million dollars for a bunch of
PhD statisticians to determine that like groups of people using like
systems have a very similar network traffic footprint,” he said, adding
that we have been using statistical techniques to baseline normal behaviour
for years now.

One form of attack involves malware that enters a network and then moves
laterally, trying to find any data it can, and then exfiltrating it.
Software designed to baseline regular employee behaviour and then spot
anything that deviates from the norm may be able to spot the unusual
patterns that this malware may generate.

Is a user account sending large amounts of data from an account that
normally doesn’t? Is it encrypting that data, when it is normally sent over
the internal company network in plain text? Why is it sending it at 2am
when all employees are normally long gone? All of these things can raise
flags in a suitably-equipped system.
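The behavioural baselining the paragraphs above describe, as an added example that is not code from the article or from any product it mentions: it builds a per-user profile from constructed transfer records and scores each new transfer for the three deviations listed (volume, timing, unexpected encryption). The sample records, the active-hour window and the z-score threshold are assumptions.

```python
"""Per-user egress baseline with deviation scoring (added example).

Constructed records and thresholds are assumptions, not from the article.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed history: (user, hour_of_day, bytes_out, encrypted)
HISTORY = [
    ("alice", 9, 2_000_000, False), ("alice", 11, 2_500_000, False),
    ("alice", 14, 1_800_000, False), ("alice", 16, 2_200_000, False),
    ("bob", 10, 500_000, True), ("bob", 13, 450_000, True),
    ("bob", 15, 550_000, True), ("bob", 17, 480_000, True),
]

def build_baseline(records):
    """Per-user profile: volume mean/stddev, active-hour window, encryption ratio."""
    by_user = defaultdict(list)
    for user, hour, nbytes, enc in records:
        by_user[user].append((hour, nbytes, enc))
    baseline = {}
    for user, rows in by_user.items():
        sizes = [b for _, b, _ in rows]
        hours = [h for h, _, _ in rows]
        baseline[user] = {
            "mean": mean(sizes),
            "stdev": pstdev(sizes),
            "window": (min(hours), max(hours)),
            "enc_ratio": sum(1 for _, _, e in rows if e) / len(rows),
        }
    return baseline

def score_event(baseline, user, hour, nbytes, encrypted, z_limit=3.0):
    """Return the deviations this transfer shows from the user's own norm."""
    profile = baseline.get(user)
    if profile is None:
        return ["no-baseline"]  # new account: nothing to compare against yet
    flags = []
    # Volume: standard deviations above this user's usual transfer size
    spread = profile["stdev"] or profile["mean"] * 0.1  # guard constant history
    if (nbytes - profile["mean"]) / spread > z_limit:
        flags.append("volume")
    lo, hi = profile["window"]
    if not lo <= hour <= hi:
        flags.append("off-hours")
    # Encryption is notable only for users who normally send in the clear
    if encrypted and profile["enc_ratio"] < 0.2:
        flags.append("unexpected-encryption")
    return flags
```

Each flag is a single deviation; a real deployment would weight and correlate them with other sources rather than alert on any one alone.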

Where do you start when choosing tools?

Training people to be security aware is an important part of stopping
breaches, but CISOs will never eradicate those problems entirely. A
technology layer provides a vital layer of protection. Don’t be distracted
by emotions or industry buzzwords when choosing these tools, said Stevens.

He recommends first identifying what data you want to protect (adding that
this is more difficult than you’d imagine for many companies). Talk to
compliance managers and line of business owners to identify this
information, and then work out what category of tool would best block the
egress of that data.

Companies can hone their priorities by focusing on a security framework
like NIST’s, using it to establish areas where they need to improve. “Then
it’s about ensuring that those purchases are improving your security
posture as well as catering to compliance requirements that you may have,”
he said.

At the very least, though, he recommends a web and email security gateway,
along with a data leak prevention (DLP) tool to monitor and prevent things
from leaving.

“Essentials are always going to be network monitoring tools,” said the
ISF’s Durbin, adding that companies can build out their tool sets as they
become more sophisticated. “The more advanced will focus on big data and
trying to anticipate breaches and identify weaknesses in the security
perimeter.”

Best of breed vs holistic approach

Should companies buy a single security platform offering a holistic
approach, or focus on point solutions instead?

“I would always vote on holistic, mainly because we aren’t seeing point
channel solutions that are very effective,” said Stevens. The main problem
with best of breed solutions is visibility, he argued. If you’re purchasing
point solutions from multiple vendors, then integrating them to create a
coherent view of your organization’s security incidents can be challenging.

Your view of security needs to be watertight, not least because incidents
in one domain that seem incongruous might suddenly gain more significance
if you’re able to correlate them with other incidents happening elsewhere.

A single pane of glass can help to ensure a consistent view of everything
that’s happening across the various aspects of your infrastructure, from
email scanning through to web gateways.

The good news is that while many of the threats facing companies are
sophisticated, many of them rely on the least amount of effort to
infiltrate a company. Attackers will go for unpatched, out of date software
versions and misconfigured machines if they can, to avoid giving away their
zero-day secrets. Using tools to keep a watchful eye on your network,
endpoints and data is one part of the solution. Good threat intelligence is
another. Just as important, though, are proper conversations with business
counterparts to understand what data you should be trying to protect in the
first place.