This year’s Verizon Data Breach Investigations Report includes many statistics that would alarm even the most laid-back CISO. But the one that shocked me the most was that 69 per cent of breaches were spotted by an external party – 9 per cent of these were found by customers of the organisation that had been breached. Awkward, to say the least. The Verizon report shows what anyone working with critical infrastructure knows already – that the strategy of defending the endpoint alone is not working. While there are a lot of low-sophistication attacks happening every day – 78 per cent classed as low difficulty by Verizon – that means that almost a quarter must be sophisticated and targeted.
Traditional security policy has failed to keep up with today’s determined attackers because it is focused on the endpoint and on stopping the threat from entering the organisation in the first place. Today’s CISO must assume that the question is when his organisation will be subjected to a cyber-attack – not if. Today’s cyber landscape is about preparing for the worst and mitigating the risk to protect critical data and infrastructure. To truly protect themselves, organisations have to accept the nature of modern networked environments and devices and start defending them by thinking like an attacker. Companies need to change their security models to be threat-centric: to address the extended network and the full attack continuum – before, during and after an attack. The attackers already have this perspective; organisations need to have it as well.
To understand today’s array of threats and effectively defend against them, IT security professionals need to switch their thinking from a defensive position to an attack stance. With a deeper understanding of the way attackers think, organisations can identify their weaknesses and strengthen their defences. Here is the chain of steps an attacker would follow. We call this the “cyber kill chain”. Let’s take a look at how it plays out:
Survey: Attackers first enter your infrastructure and deploy surveillance malware to look at the full picture of your environment – network, endpoint, mobile and virtual – to understand what attack vectors are available, what security tools are deployed and what accounts they may be able to capture and use for elevated permissions. This malware uses common channels to communicate and goes unnoticed as it conducts reconnaissance.
Write: Now that they know what they are up against, attackers create targeted, context-aware malware. Examples we’ve seen include malware that detects if it is in a sandbox and acts differently than on a user system, malware that checks for language pack installation (as in the case of Flame) before execution, and malware that takes different actions if it is on a corporate versus a home network. Attackers will extend surveillance activities to capture important details about where the assets are and how to get to them. They target your specific organisation, applications, users, partners, processes and procedures.
Test: Then they make sure the malware works. Malware writers have deep pockets and well-developed information-sharing networks. They recreate your environment and test the malware against your technology and security tools to make sure it gets through defences undetected – in effect following software development processes like QA testing or bench testing. This approach is so reliable that malware writers are now offering guarantees that their malware will go undetected for six or even nine months.
Execute: Attackers navigate through the extended network, environmentally aware, evading detection and moving laterally until reaching the target.
Mission accomplished: Sometimes the end game is to gather data; in other cases it is simply to disrupt or destroy. Whatever it is, they have more information and a targeted plan of attack to maximise the success of their mission. Once the mission is complete they will remove evidence but maintain a beachhead for future attacks.
Strengthen your defences
So, how do we raise our game to defeat this new class of attackers? It’s no longer enough to focus solely on detection and blocking. Today’s hackers have created a fast, effective and efficient sector profiting from attacks on our IT infrastructure. When an attack does happen we need to be prepared to minimise its impact and stop reinfection. This requires expanding our vigilance with an approach that enables visibility and control across the enterprise and along the full attack continuum. Below are five steps to consider as you look to strengthen your security defences:
Detect and block at the perimeter and inside the network: It’s good practice to handle threats as close to the perimeter as possible to prevent malware from entering the network and potentially infecting endpoint devices. Consider a network-based malware detection appliance that can identify and protect against malware without sacrificing performance. However, even the best detection and blocking only goes so far. Once advanced malware enters your network, assume it will attempt to infect other systems until reaching the ultimate target. It’s wise to also look for malware and other attacks on protected network segments housing sensitive technology assets.
Assess and protect endpoints: A layered defence is your best strategy; endpoints aren’t always connected to a corporate network and so need protection of their own. Identify endpoint protection solutions that are lightweight and don’t hinder device performance, so that the user experience isn’t impacted.
Analyse threats through context: Not all threats are created equal. Technologies that see and correlate extensive amounts of event data can use this context to pinpoint compromised devices based on behavioural characteristics. By maintaining visibility of all file activity happening within the organisation and tracking outbound traffic, you can watch for exfiltration of critical data and communication with malicious sites to identify targeted systems that might have gone unnoticed.
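The correlation described above is easier to see in code. The following is an added example, not code from the article or from any vendor product: it reads a handful of constructed outbound flow records, combines two signals per host (contact with a destination on a constructed indicator list, and an unusually large upload to a single external destination that is not on an allowlist of expected bulk destinations), and ranks hosts so that the one showing both signals surfaces first. The indicator values, hostnames and the 50 MB threshold are placeholders chosen for the example.

```python
"""Context-based triage over constructed outbound flow records.

Added example (not from the article). Two signals are computed per host and
then combined: contact with a blocklisted destination, and a large outbound
transfer to one destination that is not expected to receive bulk uploads.
A host that shows both signals is ranked above hosts showing only one.
"""
from collections import defaultdict

# Constructed sample flow records: (timestamp, src_host, dst_ip, dst_name, bytes_out).
FLOWS = [
    ("2024-05-01T09:00:00", "ws-017", "203.0.113.10", "cdn.example.net", 12_000),
    ("2024-05-01T09:05:00", "ws-017", "198.51.100.7", "update.bad-example.test", 3_000),
    ("2024-05-01T09:06:00", "ws-017", "198.51.100.7", "update.bad-example.test", 95_000_000),
    ("2024-05-01T09:10:00", "ws-042", "203.0.113.10", "cdn.example.net", 8_000),
    ("2024-05-01T09:12:00", "ws-042", "203.0.113.22", "mail.example.net", 40_000),
    ("2024-05-01T09:20:00", "ws-099", "192.0.2.50", "backup.example.net", 250_000_000),
]

# Constructed indicator list (placeholder values, not real indicators).
BLOCKLIST = {"198.51.100.7", "update.bad-example.test"}

# Constructed allowlist: destinations where large uploads are expected (e.g. backups).
BULK_ALLOWED = {"backup.example.net"}

# Assumed threshold for a single-destination upload worth a second look.
EXFIL_BYTES = 50_000_000


def analyse(flows, blocklist=BLOCKLIST, bulk_allowed=BULK_ALLOWED, exfil_bytes=EXFIL_BYTES):
    """Return {host: finding} for every host with at least one signal."""
    per_dest = defaultdict(int)   # (host, dst_name) -> total bytes_out
    contacts = defaultdict(set)   # host -> blocklisted destinations contacted
    for _ts, host, dst_ip, dst_name, bytes_out in flows:
        per_dest[(host, dst_name)] += bytes_out
        if dst_ip in blocklist or dst_name in blocklist:
            contacts[host].add(dst_name)

    bulk = defaultdict(set)       # host -> destinations receiving a large upload
    for (host, dst_name), total in per_dest.items():
        if total >= exfil_bytes and dst_name not in bulk_allowed:
            bulk[host].add(dst_name)

    findings = {}
    for host in set(contacts) | set(bulk):
        score = (1 if contacts[host] else 0) + (1 if bulk[host] else 0)
        if contacts[host] and bulk[host]:
            score += 1  # both signals on one host: the context that sets it apart
        findings[host] = {
            "blocklisted_contacts": sorted(contacts[host]),
            "bulk_uploads": sorted(bulk[host]),
            "score": score,
        }
    return findings


def ranked(findings):
    """Hosts ordered by descending score, then name, for an analyst queue."""
    return sorted(findings, key=lambda h: (-findings[h]["score"], h))


if __name__ == "__main__":
    results = analyse(FLOWS)
    for host in ranked(results):
        print(host, results[host])
```

On the constructed data only ws-017 is reported: ws-099 moved far more data, but to an allowlisted backup destination, which is exactly the kind of context that keeps a volume-only rule from drowning the analyst in noise.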
Eradicate malware and prevent reinfection: Upon finding a malware infection, simply quarantining the device and cleaning it isn’t enough. To eliminate the malware and prevent reinfection consider technologies that can track every file on every device so that you can identify ‘Patient Zero’ (the first malware victim), the malware trajectory and all instances throughout the enterprise.
Remediate attacks with retrospective security: Advanced malware protection should also alert on files that are subsequently identified as malware, so they can be remediated retrospectively. Blocking, or continuing to track and analyse, suspicious files against real-time threat intelligence is particularly important in this latest threat wave, where attacks can constantly change once they’ve entered the network. In a world in which attackers seem to be gaining an advantage, defenders need to fight fire with fire. The smart organisations are those that deploy security technologies enabling visibility, automation and intelligence, which together can help break the attack chain and foil attacks.
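The two preceding steps, tracking every file on every device to find Patient Zero and the malware trajectory, and alerting retrospectively when a file's verdict later flips to malicious, both rest on the same record of file sightings. The block below is an added example, not code from the article or from any product it alludes to: it keeps constructed per-device sightings (timestamp, host, hash, path, action) and a constructed verdict feed, then replays the record once a hash is judged malicious. The hashes, hostnames and paths are placeholders.

```python
"""File trajectory and retrospective alerting over constructed endpoint telemetry.

Added example (not from the article). Every file sighting is recorded per
device as it happens. When the verdict for a hash later flips to malicious,
the record is replayed to find Patient Zero, the file's path across devices,
and every device that must be checked, even though nothing was blocked at the
time the file first appeared.
"""
from collections import defaultdict

# Constructed sightings: (timestamp, host, sha256, path, action). Hashes are placeholders.
SIGHTINGS = [
    ("2024-05-01T08:02:00", "ws-017", "sha256:PLACEHOLDER_A", "C:\\Users\\a\\Downloads\\invoice.pdf.exe", "created"),
    ("2024-05-01T08:03:00", "ws-017", "sha256:PLACEHOLDER_A", "C:\\Users\\a\\Downloads\\invoice.pdf.exe", "executed"),
    ("2024-05-01T08:30:00", "ws-042", "sha256:PLACEHOLDER_A", "\\\\fileshare\\tools\\invoice.pdf.exe", "copied"),
    ("2024-05-01T09:15:00", "ws-099", "sha256:PLACEHOLDER_A", "C:\\Users\\c\\AppData\\Local\\Temp\\invoice.pdf.exe", "executed"),
    ("2024-05-01T09:40:00", "ws-042", "sha256:PLACEHOLDER_B", "C:\\Windows\\Temp\\helper.dll", "created"),
]

# Constructed verdict feed: (timestamp, sha256, verdict). The verdict for A flips hours later.
VERDICTS = [
    ("2024-05-01T08:00:00", "sha256:PLACEHOLDER_A", "unknown"),
    ("2024-05-01T12:00:00", "sha256:PLACEHOLDER_A", "malicious"),
    ("2024-05-01T12:00:00", "sha256:PLACEHOLDER_B", "clean"),
]


def latest_verdicts(verdicts):
    """Reduce the feed to the most recent (timestamp, verdict) per hash."""
    latest = {}
    for ts, sha, verdict in sorted(verdicts):  # ISO timestamps sort chronologically
        latest[sha] = (ts, verdict)
    return latest


def trajectory(sightings, sha):
    """Chronological path of one file across devices: [(ts, host, action), ...]."""
    return sorted((ts, host, action) for ts, host, s, _path, action in sightings if s == sha)


def patient_zero(sightings, sha):
    """(timestamp, host) of the first device that saw the file, or None."""
    path = trajectory(sightings, sha)
    return (path[0][0], path[0][1]) if path else None


def retrospective_alerts(sightings, verdicts):
    """One alert per (hash, device) for every file now judged malicious.

    'executed' tells the responder whether to assume a live infection rather
    than a dormant file on disk; 'seen_before_verdict' records that the file
    passed through while it was still unknown, i.e. nothing blocked it.
    """
    latest = latest_verdicts(verdicts)
    bad = {sha for sha, (_ts, verdict) in latest.items() if verdict == "malicious"}
    seen = defaultdict(list)  # (sha, host) -> [(ts, action), ...]
    for ts, host, sha, _path, action in sightings:
        if sha in bad:
            seen[(sha, host)].append((ts, action))

    alerts = []
    for (sha, host), events in seen.items():
        events.sort()
        alerts.append({
            "sha256": sha,
            "host": host,
            "first_seen": events[0][0],
            "executed": any(action == "executed" for _ts, action in events),
            "verdict_time": latest[sha][0],
            "seen_before_verdict": events[0][0] < latest[sha][0],
        })
    return sorted(alerts, key=lambda a: (a["first_seen"], a["host"]))


if __name__ == "__main__":
    sha = "sha256:PLACEHOLDER_A"
    print("Patient Zero:", patient_zero(SIGHTINGS, sha))
    for step in trajectory(SIGHTINGS, sha):
        print("trajectory:", step)
    for alert in retrospective_alerts(SIGHTINGS, VERDICTS):
        print("alert:", alert)
```

The point of keeping the sightings rather than only the verdicts is visible in the output: at 08:02 the file was "unknown" and nothing fired, yet once the verdict flips at 12:00 the record still names ws-017 as Patient Zero, shows the copy through the file share to ws-042, and flags ws-099 as a second host where the file actually ran.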