Dodging the Wrong Bullet
It’s the call no executive wants to get from IT: “We’ve had a breach!” And then it’s the questions IT struggles to answer: “How did they get in? What did they access? Who attacked? Why us? Are you absolutely sure we’re not still compromised?” Sadly, conversations like this occur on a regular basis in small to mid-size businesses, most of which never appear in the headlines because, on a national scale, the impact is insignificant. But for the business that’s been breached, the impacts can range from nuisance to catastrophic. And more often than not, the difference between nuisance and catastrophic has more to do with “dodging a bullet” than being well prepared. Here’s why.
An employee returning to work after the weekend attempts to access a commonly used file, only to find the file no longer exists. Upon closer examination, the employee finds that the file does exist but the file name has been changed to an ominous title. A call to the IT department confirms the file name has indeed been changed and the file has been encrypted by RANSOMWARE, and it’s not the only one!
The IT staff immediately quarantines the infected system and begins the process of determining whether other systems have been compromised. Information is limited, though, because only some network activity has been captured in log files. No process activity or file system activity has been captured. After some tense moments with fingers crossed, it “appears” only one system has been compromised, and if backups are available, then there is no lasting damage. A bullet has been dodged! But the bullet that has been dodged is not the real threat. Look closer at this story.
First, the breach went undetected until an employee couldn’t access a file. That means the attack was only discovered because the attacker wanted it discovered. The attacker clearly had a limited motive: encrypt a few files and ask for a small ransom payment. Second, attackers use the resources of the information systems they’re attacking, and consequently, leave fingerprints. But unless relevant log data (e.g. process activity, file system changes) is being collected, those fingerprints evaporate and there’s almost no way to detect what really happened, or is still happening. That leaves few options to re-establish confidence in the integrity of the enterprise.
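To make the second point concrete, here is an added example (not from the article or from Dynetics) of what collecting file system activity buys a defender. It assumes a hypothetical endpoint agent that records file operations as pipe-separated records of the form `timestamp|host|pid|image|action|source_path|destination_path`; the log lines, host names, process ids and image paths below are constructed for the example. The detector groups renames by the process doing them and the new extension they produce, and flags any process that changes many files to the same new extension inside a short window, which is the fingerprint the ransomware in the story would have left long before an employee noticed a missing file.

```python
"""Flag ransomware-like mass renames in file-system audit records.

Added example, not code from the original article or from Dynetics.
The record format and the sample log below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed sample audit records (hypothetical agent format):
# timestamp|host|pid|image|action|source_path|destination_path
SAMPLE_LOG = r"""
2017-09-11T08:02:10Z|ws-017|4120|C:\Users\alice\AppData\Local\Temp\svchost.exe|RENAME|C:\Shares\Finance\q3-budget.xlsx|C:\Shares\Finance\q3-budget.xlsx.locked
2017-09-11T08:02:12Z|ws-017|4120|C:\Users\alice\AppData\Local\Temp\svchost.exe|RENAME|C:\Shares\Finance\payroll.docx|C:\Shares\Finance\payroll.docx.locked
2017-09-11T08:02:15Z|ws-017|4120|C:\Users\alice\AppData\Local\Temp\svchost.exe|RENAME|C:\Shares\Finance\vendors.csv|C:\Shares\Finance\vendors.csv.locked
2017-09-11T08:02:18Z|ws-017|4120|C:\Users\alice\AppData\Local\Temp\svchost.exe|RENAME|C:\Shares\Finance\contracts.pdf|C:\Shares\Finance\contracts.pdf.locked
2017-09-11T08:02:21Z|ws-017|4120|C:\Users\alice\AppData\Local\Temp\svchost.exe|RENAME|C:\Shares\Finance\forecast.pptx|C:\Shares\Finance\forecast.pptx.locked
2017-09-11T08:02:25Z|ws-017|4120|C:\Users\alice\AppData\Local\Temp\svchost.exe|RENAME|C:\Shares\Finance\notes.txt|C:\Shares\Finance\notes.txt.locked
2017-09-11T08:15:00Z|ws-017|1200|C:\Windows\explorer.exe|RENAME|C:\Users\alice\Documents\draft.docx|C:\Users\alice\Documents\final.docx
2017-09-11T08:20:33Z|ws-022|3310|C:\Program Files\Microsoft Office\WINWORD.EXE|RENAME|C:\Users\bob\Documents\~WRL0001.tmp|C:\Users\bob\Documents\memo.docx
2017-09-11T08:40:00Z|ws-017|4120|C:\Users\alice\AppData\Local\Temp\svchost.exe|WRITE|C:\Shares\Finance\README_DECRYPT.txt|
"""


def parse_event(line):
    """Split one audit record into a dict with a parsed timestamp."""
    ts, host, pid, image, action, src, dst = line.split("|")
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "host": host,
        "pid": int(pid),
        "image": image,
        "action": action,
        "src": src,
        "dst": dst,
    }


def parse_log(text):
    """Parse every non-empty record in a log text."""
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def detect_mass_renames(events, threshold=5, window=timedelta(seconds=60)):
    """Return one alert per process that changed >= threshold files to the
    same new extension within `window`. Renames that keep the extension
    (an ordinary "save as") are ignored, as are non-RENAME actions."""
    groups = defaultdict(list)
    for ev in events:
        if ev["action"] != "RENAME":
            continue
        old_ext = PureWindowsPath(ev["src"]).suffix.lower()
        new_ext = PureWindowsPath(ev["dst"]).suffix.lower()
        if old_ext == new_ext:
            continue
        groups[(ev["host"], ev["pid"], ev["image"], new_ext)].append(ev["ts"])

    alerts = []
    for (host, pid, image, ext), stamps in groups.items():
        stamps.sort()
        # Sliding window over sorted timestamps: the densest burst decides.
        best, j = 0, 0
        for i, start in enumerate(stamps):
            while j < len(stamps) and stamps[j] - start <= window:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            alerts.append({
                "host": host,
                "pid": pid,
                "image": image,
                "extension": ext,
                "count": best,
                "first_seen": stamps[0],
                "last_seen": stamps[-1],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_renames(parse_log(SAMPLE_LOG)):
        print(alert)
```

Run as written, the script reports a single alert: the process at pid 4120 on ws-017 renamed six files to `.locked` within fifteen seconds, while the ordinary renames by explorer.exe and WINWORD.EXE stay silent. The same grouping works on any source that records who renamed what and when; the point is that without such records the grouping has nothing to run on.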
So here’s where most businesses misunderstand the nature of the threat and dodge the wrong bullet. Because the damage was limited, the business believes they have “dodged the bullet” associated with perimeter “protection.” Consequently, they begin looking for THE vulnerability that allowed the breach so they can fix THE problem, believing that if they close this vulnerability they’ll be secure. But there’s always another vulnerability. Or, they seek out the latest “next-gen” tool that will be smarter than the attacker and prevent future breaches. But the adversary always adapts.
In reality, the bullet that has been dodged, and the one that is the real threat, is a motivated attacker. While strong perimeter protection is desirable and worth a certain investment, “protection” shouldn’t be implemented to the exclusion of “detection.” A motivated attacker will eventually find a weakness (human or technical) that allows them to defeat perimeter protections. Therefore, businesses today must assume that at some point a breach is going to occur and, in preparation, deploy controls that ensure a breach can be detected and investigated.
Consider again the scenario above. What if a motivated attacker didn’t immediately alter the file system, but rather moved quietly through the network gaining access to operational systems, privacy data, proprietary information and intellectual property? Without real-time threat monitoring behind the firewall, that movement would not have been detected. What would have been the impact if thousands of customers and employees had to be notified, if essential systems went offline or if sensitive information was disclosed? The impacts could have been catastrophic. And since critical log data was not collected, how can the attacker’s actions be investigated? How can the business be confident that the attacker hasn’t installed a persistence mechanism? Without comprehensive data capture, there’s no way to be absolutely sure. So, without real-time threat monitoring behind the firewall and without comprehensive logs, the difference between nuisance impacts and catastrophic impacts is only the motivation of the attacker. That is the real bullet that was dodged!
This scenario is very real and represents a compilation of real incidents that Dynetics has investigated over the last several months. It’s also representative of many other stories reported in the news over the last couple of years. As this article was being written, the Equifax breach was announced. Equifax was not fortunate enough to dodge the motivated attacker bullet! Much will be written about the 143 million affected consumers and how the breach occurred. But the more important question should be “Why did it take Equifax 10 weeks to discover the breach?!”
The point of this article is not to create fear – it’s to warn businesses that effective cybersecurity requires a change in approach. Effective cybersecurity must respond to the attack methods being used today by skilled, motivated cyber criminals. Perimeter protection is still important. But without detection, perimeter protection is insufficient, and it’s only a matter of time before a business is no longer able to dodge the catastrophic bullet. Just ask Equifax. The good news, though, is that most businesses have already invested in the tools and technology necessary for effective cybersecurity. It’s simply a matter of optimizing those investments to respond to today’s threats.