We’ve highlighted in numerous posts that studies of security incidents and publicly disclosed breaches reveal that it’s all too common for attacks to go unnoticed for days, weeks, months, and even years. And, nearly as troubling, it’s rarely the breached organization that discovers that it has been compromised; it’s usually a customer, partner, supplier, or even law enforcement that eventually notices something is awry and brings it to the victim’s attention.
All of that was certainly true of the South Carolina Department of Revenue attack that we covered here. In this incident, the post-breach investigation found that the compromise occurred in mid-September and wasn’t detected until mid-October. And when it was detected, it was the United States Secret Service that did so, which happened to be conducting a sting against the group responsible for the attack.
So what happened in this breach? As more details emerge, it’s clear that time was working against the South Carolina Department of Revenue. To be fair, this is true of every targeted attack. Take a look at the illustration below, from the 2012 Verizon Data Breach Investigations Report, which accurately captures the scope of this challenge. The data in the figure are drawn from the thousands of investigations conducted last year by Verizon and by government agencies from several countries, including the United States Secret Service.
When the time spans between attack and response in all of those investigations are laid out, disturbing patterns emerge. Specifically, the report segments the attack life cycle into four stages: the time from initial attack to initial compromise; from initial compromise to data being exfiltrated from the target; from that compromise to the point at which it was discovered; and finally from discovery to remediation.
The data show that, from the defender’s point of view, the interval from initial compromise to exfiltration is at best a matter of hours or days, and at worst a span of only minutes. Once in, attackers have shown again and again that they can begin exfiltrating data as soon as they have compromised a system.
And this isn’t just a handful of organizations; it is thousands. It demonstrates that the status quo provided by traditional security software simply isn’t good enough. The reality is that after attackers have had weeks or months to rummage through a network, simply wiping the servers and endpoints you know about isn’t going to end the intrusion. The attacker has had too much time to plant backdoors and create ways to burrow back in, on systems you may never have realized were touched.
Identify unknown, suspicious behaviors
What’s needed are ways to identify unknown, suspicious behaviors on endpoints. This is best achieved by performing periodic assessments designed to expose unknown applications that exist only in volatile memory, with no file on disk to scan; instances of known threats that morph from one sample to the next (such as the Zeus banking Trojan); and, through ongoing scans for variants of such threats, the full scope of a successful attack against your infrastructure, so that it can be addressed completely rather than partially.
Additionally, to limit what an attacker who does get in can reach, you need to be able to audit endpoints for sensitive data, which in all likelihood is the target of the attacker’s activity. By shrinking the pools of sensitive and confidential data scattered across endpoints, you can significantly reduce risk.
EnCase Cybersecurity helps in many of these efforts. First, EnCase Cybersecurity conducts network-wide system integrity assessments against an established known-good baseline. Essentially, you are performing regularly scheduled audits for anomalies across the range of endpoints. This works because, while you don’t know what the unknown looks like, you do know what the baseline looks like. Everything that doesn’t match the baseline is surfaced for review, and for each item you decide whether it is something good (and should be added to a trusted profile) or evidence of a malicious attack that needs to be remediated and added to the known-bad profiles that future integrity audit scans check against.
How does EnCase Cybersecurity achieve this? It does so by using entropy for similar-file scans. Consider it a very fuzzy signature: the system is not looking for an exact match but for files whose entropy characteristics closely resemble those of a known sample, which is how a repacked or otherwise altered variant with a brand-new hash is still caught. It doesn’t matter what kind of files are being evaluated; EnCase Cybersecurity will expose the files and processes used by advanced attacks that are often missed by traditional security technologies such as intrusion detection systems and anti-malware software.
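The baseline audit and the entropy near-match described in the two paragraphs above, together with the variant scanning called for earlier, can be illustrated end to end. The following Python is an added example written for this post; it is not EnCase Cybersecurity code and does not describe its proprietary algorithm. The 256-byte entropy window, the 0.95 similarity threshold, the file paths, the "packed-trojan-a" label and the packed-file stand-in built by `_packed_stub` are all constructed for illustration. Files whose SHA-256 matches the known-good baseline are passed; everything else is compared, block by block, against the entropy profiles of known-bad samples, and whatever matches neither is left as an "unknown" for an analyst to either trust or record as malicious for the next scan.

```python
"""Baseline integrity audit plus entropy-profile near-matching (added illustration)."""
import hashlib
import math
from collections import Counter

BLOCK_SIZE = 256         # bytes per entropy window; an assumed tuning value
MATCH_THRESHOLD = 0.95   # similarity at which an unknown file is called a variant; assumed


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant input, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data: bytes, block: int = BLOCK_SIZE) -> list:
    """Per-block entropy series: a fuzzy fingerprint of a file's shape, not an exact hash."""
    return [shannon_entropy(data[i:i + block]) for i in range(0, len(data), block)]


def profile_similarity(a: list, b: list) -> float:
    """1.0 for identical profiles, falling toward 0.0 as block entropies or lengths diverge."""
    if not a or not b:
        return 0.0
    n = min(len(a), len(b))
    mean_diff = sum(abs(x - y) for x, y in zip(a, b)) / n        # 0..8 bits
    length_penalty = abs(len(a) - len(b)) / max(len(a), len(b))  # 0..1
    return max(0.0, 1.0 - mean_diff / 8.0 - length_penalty)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def audit_endpoint(files, baseline, known_bad, threshold=MATCH_THRESHOLD):
    """Compare one endpoint's files against a known-good baseline and known-bad profiles.

    files:     {path: bytes} collected from the endpoint
    baseline:  {path: sha256 hex} of the trusted image
    known_bad: {label: entropy profile} of previously confirmed malicious files
    Returns {path: verdict}; verdicts are 'baseline', 'variant-of:<label>',
    'unknown' (needs an analyst decision) or 'missing' (a baseline file is gone).
    """
    verdicts = {}
    for path, data in files.items():
        if baseline.get(path) == sha256_hex(data):
            verdicts[path] = "baseline"          # exact match with the trusted image
            continue
        profile = entropy_profile(data)
        label, score = max(((lbl, profile_similarity(profile, p)) for lbl, p in known_bad.items()),
                           key=lambda t: t[1], default=(None, 0.0))
        verdicts[path] = "variant-of:" + label if score >= threshold else "unknown"
    for path in baseline:
        if path not in files:
            verdicts[path] = "missing"
    return verdicts


def record_decision(path, data, decision, baseline, known_bad, label=None):
    """Analyst triage of an 'unknown': 'trust' extends the baseline for future audits,
    'malicious' stores the file's profile so later scans catch its variants."""
    if decision == "trust":
        baseline[path] = sha256_hex(data)
    elif decision == "malicious":
        known_bad[label or path] = entropy_profile(data)
    else:
        raise ValueError("decision must be 'trust' or 'malicious'")


# ---- constructed sample data; none of this is a real binary or real malware ----
def _packed_stub(key: int, c2: bytes) -> bytes:
    """Stand-in for a packed dropper: a 256-byte plaintext header, then a single-byte-XOR body.
    Re-packing with a new key changes every body byte (and the hash), but XOR with a constant
    only permutes byte values, so each block's histogram, and thus its entropy, is unchanged
    wherever the underlying plaintext is the same."""
    body = (b"GET /gate.php HTTP/1.1\r\nHost: " + c2 + b"\r\n" + b"A" * 40 + bytes(range(256))) * 3
    return b"MZ" + b"\x00" * 254 + bytes(b ^ key for b in body)


LIBRARY = b"\x7fELF" + b"legitimate shared library code " * 24
BASELINE = {"/usr/lib/libsys.so": sha256_hex(LIBRARY),
            "/usr/bin/agent": sha256_hex(b"#!/bin/sh\nexec /opt/agent/run\n")}
KNOWN_BAD = {"packed-trojan-a": entropy_profile(_packed_stub(0x41, b"evil-cdn.example"))}
ENDPOINT_FILES = {
    "/usr/lib/libsys.so": LIBRARY,                                  # unchanged since baseline
    "/tmp/.x/update.bin": _packed_stub(0x5A, b"bad-host.example"),  # repacked variant, new hash
    "/home/ops/notes.txt": b"patch window moved to Friday\n",       # new and benign
}  # /usr/bin/agent is absent from the endpoint, so it should be reported missing


if __name__ == "__main__":
    for path, verdict in sorted(audit_endpoint(ENDPOINT_FILES, BASELINE, KNOWN_BAD).items()):
        print(f"{verdict:28} {path}")
```

The interesting case is `/tmp/.x/update.bin`: it is the known-bad sample repacked with a different XOR key and a different C2 hostname, so every byte of its body and its SHA-256 differ, yet its per-block entropy profile is almost identical and it is flagged as a variant. That is exactly the kind of morphing file an exact-match signature misses. Real tooling would use a more robust similarity measure and more features than entropy alone; the point here is the workflow: baseline, near-match, analyst decision, and the decision feeding back into the next scan.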
We’ve recently completed a webinar on this topic, Hunt or be Hunted: Exposing Undetected Threats with EnCase Cybersecurity, that provides much more detail about how EnCase Cybersecurity helps defend against advanced, clandestine attacks. I invite you to watch and learn how your organization can proactively ferret out possible breaches before it’s too late and attackers have had time to entrench themselves in your infrastructure.