Skip Links

In security response, practice makes perfect

By Sean Martin, a CISSP and the founder of imsmartin, special to Network World
October 02, 2012 02:36 PM ET

Network World - We've heard it many times in many forms -- expect to be breached, expect that you've been breached, expect that you are being breached.

The unfortunate reality is that most organizations don't even know that they've been compromised and therefore don't do anything to block spreading of the malware, control the damage, prevent loss of information, or even recover from the technical problems associated with the compromise.

IN PICTURES: The worst data breach incidents of 2012 -- so far

Shawn Henry, former executive assistant director (EAD) of the FBI and now president of CrowdStrike Services, told the 6,500-plus attendees of the recent Black Hat conference that the FBI has knocked on the doors of numerous companies to let them know their data had been discovered on the Internet (usually discovered in unrelated investigations). "Months, or even years later -- with unfettered access, and unbeknownst to the people that own the networks -- organizations are being alerted to being compromised and their data being stolen," said Henry. This is both shocking and unacceptable.

When people think FBI they often think about national security and nation-state adversaries. And there's no lack of speculation about these nation-states being the most threatening sources of these corporate attacks. This assessment doesn't come without cause. According to Henry, "dozens of our adversaries are extracting information from the U.S. every day, stealing corporate strategies, grabbing intellectual property, and looking for any competitive advantages they can find." [Also see: "Advanced persistent threats force IT to rethink security priorities"]

Henry also noted the threat implications where the U.S. critical infrastructure is concerned. "We're seeing an uptick in threats against industrial control systems (ICS), the devices that control the nation's critical infrastructure," Henry said.

The increase in attacks against ICS points to increased sophistication of the attackers. "Attacking a GE control system device is very different from attacking a website," said Francis Cianfrocca, CEO of Bayshore Networks. "It is easy to find a lot of effective material in the public domain to attack websites and enterprise apps, but the knowledge to attack ICS typically has been far less developed."

Critical infrastructure systems are generally much more open in design, and therefore, are much more vulnerable to attack than commercial/enterprise systems. Some might even say that ICS are wide open to attack because of their design and implementation. "Even though they are vulnerable, if you are going to attack ICS, you will require a lot of specialized knowledge as the devices and systems are often highly customized," Cianfrocca said. "All critical systems are different and use different protocols; vendors violate the protocols in different ways, essentially minimizing the hactivists and increasing the focus on nation states."

However, enterprises don't have the luxury of focusing solely on the nation-state adversaries as there are many more threats and adversaries they need to consider. Henry noted that organized crime is not too far behind the nation-state adversaries both in terms of skill and capability. And, once organized crime attackers get a few successes under their belts, funding is often not a problem either. "Businesses have formed that are offering 'hacking as a service,' and there are plenty of insiders and lone wolves taking legitimate jobs with a direct aim to extract sensitive information from the private sector," said Henry. [Also see: "EPA data breach highlights worrying trend"]

It's difficult for companies to protect themselves given the level of sophistication of many adversaries. "With the most sophisticated attacker at the threat controls, organizations won't stand a chance," said Phil Lieberman, president of Lieberman Software. "They would need to have NSA-like teams on staff -- or NSA-like partners -- if they are to prevent targeted attacks," Lieberman said. Henry shared a similar view, noting that a sophisticated adversary can and will easily jump over the fence -- hopping over or around the firewall with ease.

They're inside, now what?

Assuming the adversary makes it in, the question remains: How long after a breach occurs can the organization remediate and prevent further damage? This is where security response becomes critical. And whether it's done properly can make or break the bank. The response process can be broken down into four components:

- Know you've been compromised

- Get back online quick

- Stop the spread

- Detect the adversary (required) and track them down (optional)

* Identify the compromise: This could prove to be the most challenging of the steps as there is a small window of opportunity to spot the behaviors of an attacker between the point when the infection is first established and the point when the attacker finds its "hiding spots" within the network. As with most things, if you can detect the adversary's analysis of the network before the real damage is done, you are ahead of the game. The challenge: spotting it in time, if you can even spot it at all.

Security information and event management (SIEM) systems play an important role in this process, but historically haven't collected enough data in terms of both depth and speed in order to see these latent, stealthy attackers in the environment. While the SIEM system may bring in a better view of what may be happening on the network, the only real chance a company has for getting the data required is to leverage big data systems, processes and, of course ... big data feeds.

"Most organizations watch their network traffic for call-outs being made to the malware's command-and-control-center (CNC)," Cianfrocca said. "The problem with this method of detection is that the attackers space their communications out over time, making them nearly impossible to spot in the midst of other mounds of data."

So, if this method doesn't work well, what other options do we have? The answer may lie in the apps, more so than in the network.

Most of the nastiest and stealthiest malware will try to covertly figure out which app servers are vulnerable -- this is the activity organizations should be monitoring. The challenge here, of course, is that the attackers will instruct their code to use patterns of access crafted to look like normal activity of authorized users -- but the attackers are actually accessing these applications in subtly different ways.

"It's possible for organizations to monitor the application traffic, looking for certain combinations of error responses, anomalies in time patterns, variations in the spacing of access, etc.," Cianfrocca said. "This may be easier said than done though, as an organization will need to look for patterns of application access which are out of character for the app, which will require statistical modeling of how the app is supposed to perform."

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News