[BreachExchange] The new measure of security: visibility

Audrey McNeil audrey at riskbasedsecurity.com
Mon Nov 28 18:44:12 EST 2016


http://www.scmagazineuk.com/the-new-measure-of-security-visibility/article/571088/

Given the magnitude of the data breach problem and the escalating costs and
coming penalties, one value you must insist on from your security
infrastructure is visibility. In particular, it's critical to have an
ability to see an active attacker at work on your network.

Today, most organisations are blind to the operational activities of
internal or externally-based attackers. The industry average for dwell time
still centres around five months, giving attackers plenty of time to
accomplish their goals without fear of detection. It is a sobering
reflection of the failure of traditional security to find an attacker early
and curtail a data breach or something even worse.

Specifically, security professionals must be able to pinpoint the things
that an internal or external attacker must do to achieve their goal. This
is a type of visibility that starts once an attacker has gained a foothold
in the network and has actively begun a campaign. Primarily, these
activities will involve reconnaissance and lateral movement, as they tend
to produce the largest number of “signals” as an attacker surveys a
compromised network and attempts to gain control of valuable assets.

When you think about it, once an external attacker gains access to a
network—usually through a compromised user computer or account—they need to
accomplish two main things. They need to look around and understand the lay
of the land (or LAN as the case may be) to see where assets are located and
what infrastructure and vulnerabilities they can use to get to them. In
parallel, they need to expand their sphere of control, so they can have
access to assets to steal, modify or damage them. An insider typically
needs to follow these steps as well.

The steps an attacker uses generally involve common IT or networking tools
and procedures. This is one reason why it is so difficult to spot and so
easy to miss the signs of their work. What they do and what they use blend
in with normal network activity. Detecting it is best accomplished through
behavioural profiling, so that there is a baseline of known good for every
user and device on the network. From such a baseline, anomalies become
apparent, and then the trick is to determine which anomalies are likely to
be indicative of an active attack.

It's also important to note that rarely do these steps involve the use of
malware. Malware may be used in the initial intrusion to gain entry to the
network, but once an attacker is inside, it is rare to see the use of
malware. If you are primarily focused on detecting malware, you will surely
miss the activities of an internal or external attacker.

Having meaningful visibility primarily involves discernment of internal
traffic from users to and from data centres—whether they are on-premises or
cloud-based—and between user machines. Of course, visibility should also
involve looking at internet-bound traffic as well as return traffic from
the internet. If the goal is to uncover a targeted external attacker
working on a data breach or an insider that is intentionally or
unintentionally conducting malicious activity, the best signs to look for
are inside the network—tools and activities used or performed by a user or
device on the network that are anomalous and suspicious and likely part of
reconnaissance or lateral movement.

This “East-West” traffic can provide the greatest number of reliable
signals of an attack. “North-South” traffic—command and control and
exfiltration—is also important, but it is far less reliable since it is
easily obfuscated: an attacker generally controls both ends of the
transmission. A good number of security solutions include some form of
North-South visibility, but East-West visibility tends to be rare. Without
it, you would be hard pressed to know if there might be an active attacker
on your network and what exactly is going on. This is precisely what
attackers are counting on to successfully complete their goals.
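The two ideas above, a per-host baseline of "known good" from which anomalies become apparent, and scoring only East-West (internal-to-internal) flows because they carry the most reliable signals, can be shown in a small detector. The following Python is an added example written for this post, not code from the article or from any product it alludes to. The flow log format, the sample lines, the set of "admin" ports watched (22, 135, 445, 3389, 5985, 5986) and the fan-out threshold of five new hosts are all constructed assumptions; East-West is decided with `ipaddress.is_private` on both endpoints.

```python
"""Baseline-and-anomaly scoring over internal (East-West) flow records.

Added example, not from the article. Builds a per-host baseline of normal
internal (destination, port) pairs from a training window of flow logs,
then flags hosts whose new activity looks like reconnaissance (fan-out to
many never-seen internal hosts) or lateral movement (admin-protocol
connections not present in the baseline). All log lines are constructed.
"""
from collections import defaultdict
from ipaddress import ip_address

# Ports typically carried by remote-administration protocols (assumption:
# tune this list to the environment being monitored).
ADMIN_PORTS = {22, 135, 445, 3389, 5985, 5986}
# Number of never-seen internal destinations that counts as fan-out
# (assumption; a real deployment derives it from the baseline distribution).
RECON_NEW_HOSTS = 5

# Constructed flow log lines: "window src_ip dst_ip dst_port".
# "baseline" lines are the training window, "today" lines are scored.
SAMPLE_FLOWS = """\
baseline 10.1.1.20 10.1.5.10 443
baseline 10.1.1.20 10.1.5.11 445
baseline 10.1.1.20 93.184.216.34 443
baseline 10.1.1.21 10.1.5.10 443
baseline 10.1.1.21 10.1.5.12 80
baseline 10.1.1.21 8.8.8.8 53
today 10.1.1.20 10.1.5.10 443
today 10.1.1.20 10.1.5.11 445
today 10.1.1.21 10.1.5.10 443
today 10.1.1.21 10.1.5.30 445
today 10.1.1.21 10.1.5.31 445
today 10.1.1.21 10.1.5.32 3389
today 10.1.1.21 10.1.5.33 22
today 10.1.1.21 10.1.5.34 445
today 10.1.1.21 10.1.5.35 445
today 10.1.1.21 1.1.1.1 443
"""


def parse_flows(text):
    """Parse the constructed log format into (window, src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        window, src, dst, port = line.split()
        flows.append((window, src, dst, int(port)))
    return flows


def direction(src, dst):
    """Label a flow East-West (both endpoints internal) or North-South."""
    if ip_address(src).is_private and ip_address(dst).is_private:
        return "east-west"
    return "north-south"


def build_baseline(flows):
    """Per source host: the set of internal (dst, port) pairs seen as normal."""
    baseline = defaultdict(set)
    for window, src, dst, port in flows:
        if window == "baseline" and direction(src, dst) == "east-west":
            baseline[src].add((dst, port))
    return baseline


def detect_anomalies(flows, baseline):
    """Score each host's East-West 'today' flows against its baseline.

    Returns {src: {"new_hosts": n, "new_admin_pairs": n, "verdicts": [...]}}
    for hosts with at least one deviation. North-South flows are ignored
    here, since the article treats them as the less reliable signal.
    """
    new_hosts = defaultdict(set)       # src -> internal hosts never seen before
    new_admin = defaultdict(set)       # src -> (dst, admin port) not in baseline
    for window, src, dst, port in flows:
        if window != "today" or direction(src, dst) != "east-west":
            continue
        known_pairs = baseline.get(src, set())
        known_hosts = {d for d, _ in known_pairs}
        if dst not in known_hosts:
            new_hosts[src].add(dst)
        if port in ADMIN_PORTS and (dst, port) not in known_pairs:
            new_admin[src].add((dst, port))
    report = {}
    for src in set(new_hosts) | set(new_admin):
        verdicts = []
        if len(new_hosts[src]) >= RECON_NEW_HOSTS:
            verdicts.append("reconnaissance: fan-out to new internal hosts")
        if new_admin[src]:
            verdicts.append("lateral movement: admin protocol outside baseline")
        report[src] = {
            "new_hosts": len(new_hosts[src]),
            "new_admin_pairs": len(new_admin[src]),
            "verdicts": verdicts,
        }
    return report


def run_sample():
    """Run the detector over the constructed sample and return the report."""
    flows = parse_flows(SAMPLE_FLOWS)
    return detect_anomalies(flows, build_baseline(flows))


if __name__ == "__main__":
    for host, result in run_sample().items():
        print(host, result)
```

In the sample, 10.1.1.20 keeps using SMB to a file server it always talked to, so the baseline suppresses it, while 10.1.1.21 reaches six internal hosts it had never contacted, all on admin ports, and is reported for both fan-out and lateral movement; its outbound DNS and HTTPS flows never enter the scoring at all. The point of the design is that the verdict comes from deviation against the host's own history, not from any malware signature, which is why a malware-only detection strategy would miss this activity.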