Playing Host to the Hacker

For years, we’ve heard the mantra ‘it’s not if, but when’ a breach will occur. But what if the worst has already happened? What if defenses have been breached and data and resources are at risk? Assuming a posture of compromise is fast becoming accepted wisdom.

For too long organizations have focused on defense. But with the invaders already inside the walls, this strategy is fast becoming obsolete. Traditional technical defenses cannot keep pace, even when well-configured and aligned with good practice. Efforts need to focus on active monitoring and on establishing a state of preparedness that facilitates rapid response and recovery.

Security strategy needs to change and recognize that the threat has already materialized, rather than pretending it never has and never will. Do you know what is happening on your systems? Can you be sure only authorized devices running authorized software are in your business? Do you know what communications come in and out of your business? If you did find something troubling, what would you do next?

The chances are that something has happened and may still be happening on your systems because looking and seeing are not the same thing.

Part of the problem is diagnosis. It can be difficult to determine if a breach has occurred, particularly if a cyber-criminal has directly targeted your organization. Targeted attacks will use advanced evasive actions, as the attacker wishes to operate discreetly to extract data or to utilize the connection to carry out further crimes.

Sensitive data will often be siphoned out of organizations in amongst the noise of daily network business activities. Advanced malware writers and cyber-criminals may even adopt the behavior patterns of employees. By the time suspicions are raised, the damage may well have been done, with those responsible long gone.

Organizations are often ignorant of these cyber-squatters, with the Verizon Data Breach Investigations Report (DBIR) finding that 66% of surveyed organizations didn’t discover security breaches until several months had passed. Worse still, the 2014 DBIR states that attackers were often able to complete their objectives unchallenged, with fewer than 25% of the surveyed compromises detected within days.

The recent attack carried out by Carbanak/Anunak on the banking industry illustrates how damaging the slow-burn attack can be. The heist saw a spear-phishing attack used to introduce malware onto the system that was able to monitor keystrokes, with screenshots captured every 20 seconds to build up a reliable picture of working practices.


They then went after the internal funding mechanisms to make transactions before hijacking ATM systems and ordering these to pay out wads of cash. The attackers were able to silently monitor and exploit business processes. They avoided the heavily protected data, such as customer accounts, instead observing and going after systems that had little protection.

We need to recognize that the game has changed: the organization is now not defending against but playing host to the hacker. Attacks will infiltrate the business. Accepting that as a fact may sound daunting but it can also be empowering, provided you know where to focus your efforts.

Assuming a state of compromise involves looking far more aggressively at internal processes and procedures. Take it as a given that attempts will be made to access valuable IP and sensitive data; profile that data, and assess its value along with the potential fallout of it being breached.

Map business processes to develop an understanding of what ‘good’ should look like and compare that with the reality. Deploy detective measures to enable you to see what is happening on your systems. Get ready to respond. Planning what actions to take in the event of a suspected incident will help improve decision-making and speed response times. Ultimately, having visibility and control over what is happening is what will help you mitigate these attacks.
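The three steps above (map what ‘good’ looks like, deploy detective measures, be ready to act on what they show) can be made concrete with a baseline-versus-reality check. The following is an added illustration written for this article, not the author's or Auriga's code. The hypothetical baseline records which approved devices may run which software and which internal address ranges and external destinations the business legitimately uses; the log lines, host names, process names and IP addresses are all constructed sample data. The cadence heuristic at the end (flagging a host that contacts one destination at near-constant intervals, as automated tooling rather than a person would) is an assumption added here, not something the article describes.

```python
"""Baseline-versus-reality check: compare observed activity with the mapped
picture of 'good'. Added example for this article; all data is constructed."""
from collections import defaultdict
from datetime import datetime
import ipaddress
import re
from statistics import mean, pstdev

# Hypothetical baseline, the output of mapping business processes:
# approved devices and the software each may run, the internal address
# space, and the external destinations the business is known to talk to.
BASELINE = {
    "devices": {
        "ws-finance-07": {"excel.exe", "outlook.exe", "chrome.exe"},
        "srv-payroll-01": {"payroll-svc.exe", "sqlservr.exe"},
    },
    "internal_networks": [ipaddress.ip_network("10.0.0.0/8")],
    "approved_destinations": {"203.0.113.10", "203.0.113.11"},
}

# Constructed sample log, one connection per line:
# <ISO timestamp> host=<device> proc=<executable> dst=<destination IP>
SAMPLE_LOG = """\
2015-03-02T09:00:00 host=ws-finance-07 proc=outlook.exe dst=203.0.113.10
2015-03-02T09:00:20 host=ws-finance-07 proc=svchost32.exe dst=198.51.100.7
2015-03-02T09:00:40 host=ws-finance-07 proc=svchost32.exe dst=198.51.100.7
2015-03-02T09:01:00 host=ws-finance-07 proc=svchost32.exe dst=198.51.100.7
2015-03-02T09:01:20 host=ws-finance-07 proc=svchost32.exe dst=198.51.100.7
2015-03-02T09:05:00 host=srv-payroll-01 proc=sqlservr.exe dst=10.0.5.20
2015-03-02T09:06:00 host=ws-unknown-99 proc=chrome.exe dst=203.0.113.11
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<dst>\S+)$")


def parse_events(text):
    """Turn the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the expected format
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def is_external(ip, internal_networks):
    """External means outside every address range the business owns."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in internal_networks)


def find_deviations(events, baseline=BASELINE, min_hits=4, max_jitter=2.0):
    """Return sorted (kind, host, detail) findings where reality departs
    from the baseline. Deduplicated so a noisy host yields one line per issue."""
    devices = baseline["devices"]
    approved = baseline["approved_destinations"]
    internal = baseline["internal_networks"]
    findings = set()
    by_pair = defaultdict(list)  # (host, dst) -> list of timestamps

    for e in events:
        host, proc, dst = e["host"], e["proc"], e["dst"]
        if host not in devices:
            findings.add(("unknown-device", host, proc))
        elif proc not in devices[host]:
            findings.add(("unapproved-software", host, proc))
        if is_external(dst, internal) and dst not in approved:
            findings.add(("unapproved-destination", host, dst))
        by_pair[(host, dst)].append(e["ts"])

    # Added heuristic (assumption): repeated contact with one destination at
    # near-constant intervals looks like automation, not a person working.
    for (host, dst), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if pstdev(gaps) <= max_jitter:
            findings.add(("regular-cadence", host, f"{dst} every ~{mean(gaps):.0f}s"))

    return sorted(findings)


if __name__ == "__main__":
    for kind, host, detail in find_deviations(parse_events(SAMPLE_LOG)):
        print(f"{kind:24} {host:16} {detail}")
```

Run as a script, the check reports the unknown device, the unapproved executable on the finance workstation, its contact with an external address the business never uses, and the fact that the contact repeats every 20 seconds; the payroll server, which behaves exactly as mapped, produces nothing. The value is in the baseline rather than the code: a finding only means something if the list of ‘good’ was built from real business processes and is kept current.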

As well as heightened vigilance, living with a breach also requires a far more elaborate and robust security architecture that seeks to segregate and isolate risk. The idea is to minimize the threat posed by the attacker on the network by protecting the crown jewels, so assign access to information on a need-to-know basis.

Of course, forensics is still valid and it’s important that we continue to police systems and conduct investigations to mitigate the effects of a breach. But assuming a posture of compromise is the only way forward.

There’s no getting away from the fact that we’re going to have to get used to having unwanted guests. They may have entered by the back door; perhaps you don’t even know they’re in residence, save for a few crumbs of evidence. You may not know how long they’ve been there, but you can make it difficult for them to enjoy their stay.


About the Author

James Henry is consulting practice manager at Auriga, the data security consultancy, where he oversees the successful delivery of cybersecurity and business change programs. He has worked on numerous information security projects on behalf of private sector clients and national government departments. James specializes in cybersecurity issues and ITIL service management and has been a qualified security practitioner for ten years.
