Citing research that shows 95% of persistent attacks are only spotted by accident, Steve Armstrong, a SANS Institute expert and trainer, says that this is the case even though the evidence was in the IT logs for weeks and, in some cases, months.
According to Armstrong – who is a former head of the Royal Air Force pen testing team and is widely considered to be one of the UK's most experienced ITsec professionals – he and his team have been working with a number of organisations that simply don't realise they have been the victim of a well-orchestrated and persistent attack.
“We go in, look at the logs and can quickly see clear evidence of the problem, but there has either been a failure to spot it or not enough resource assigned to look for the evidence,” he said, adding that, out of the last 20 incidents that he and his team have been called in to investigate, he estimates 95% of them had clear evidence that had gone unnoticed.
“In many cases, it is often an admin who has a gut feeling that calls us in, but when we start digging, the full extent of the breach is normally far worse than initially suspected,” he explained.
Armstrong, who has been in the IT security arena for more than 17 years, says he believes that the issue is down to sophistication on the part of the hacker and an over-reliance on tools.
“The IT vendors keep on telling us how great the tools to spot problems are, but they are certainly not foolproof. They can also be circumvented by criminals who know what they are doing,” he said.
Armstrong agrees that there has been a surge in demand for IT security tools, penetration testing and training in response to attacks by organisations such as LulzSec and Anonymous. However, in some cases, he equates these antics to graffiti on a wall.
It might be newsworthy, but some would argue that it distracts attention from more insidious and organised hacks against US defense contractors and security tool suppliers such as RSA, he says, adding that a hacktivist hitting your site with a denial of service attack may well be just a distraction to get something more dangerous onto a critical server somewhere else.