Dodging the Wrong Bullet
It’s the call no executive wants to get from IT: “We’ve had a breach!” And then it’s the questions IT struggles to answer: “How did they get in? What did they access? Who attacked? Why us? Are you absolutely sure we’re not still compromised?” Sadly, conversations like this occur on a regular basis in small to mid-size businesses, most of which never appear in the headlines because, on a national scale, the impact is insignificant. But for the business that’s been breached, the impacts can range from nuisance to catastrophic. And more often than not, the difference between nuisance and catastrophic has more to do with “dodging a bullet” than being well prepared. Here’s why.
An employee returning to work after the weekend attempts to access a commonly used file, only to find the file no longer exists. Upon closer examination, the employee finds that the file does exist but the file name has been changed to an ominous title. A call to the IT department confirms the file name has indeed been changed and the file has been encrypted by RANSOMWARE, and it’s not the only one!
The IT staff immediately quarantines the infected system and begins the process of determining whether other systems have been compromised. Information is limited, though, because only some network activity has been captured in log files. No process activity or file system activity has been captured. After some tense moments with fingers crossed, it “appears” only one system has been compromised, and if backups are available, then there is no lasting damage. A bullet has been dodged! But the bullet that has been dodged is not the real threat. Look closer at this story.
First, the breach went undetected until an employee couldn’t access a file. That means the attack was only discovered because the attacker wanted it discovered. The attacker clearly had a limited motive: encrypt a few files and ask for a small ransom payment. Second, attackers use the resources of the information systems they’re attacking, and consequently, leave fingerprints. But unless relevant log data (e.g. process activity, file system changes) is being collected, those fingerprints evaporate and there’s almost no way to detect what really happened, or is still happening. That leaves few options to re-establish confidence in the integrity of the enterprise.
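As an added illustration (not part of the original article) of why process and file-system change logs matter, here is a small Python detector that reads constructed file-system audit lines in a hypothetical format and flags the mass-rename pattern the scenario describes: many files renamed by one process, within a short window, each to its old name plus the same new extension.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed file-system audit lines in a hypothetical format (not from a real incident):
# pid 4412 renames six files to one new extension within seconds; the other lines are noise.
SAMPLE_EVENTS = r"""
2017-09-11T06:01:58Z pid=2210 proc=WINWORD.EXE action=write path=S:\Sales\Forecast.docx
2017-09-11T06:02:03Z pid=4412 proc=updater.exe action=rename path=S:\Finance\Q3.xlsx dst=S:\Finance\Q3.xlsx.crypt
2017-09-11T06:02:04Z pid=4412 proc=updater.exe action=rename path=S:\Finance\Budget.xlsx dst=S:\Finance\Budget.xlsx.crypt
2017-09-11T06:02:04Z pid=3001 proc=explorer.exe action=rename path=S:\Sales\old.txt dst=S:\Sales\archive.txt
2017-09-11T06:02:05Z pid=4412 proc=updater.exe action=rename path=S:\Finance\Payroll.csv dst=S:\Finance\Payroll.csv.crypt
2017-09-11T06:02:06Z pid=4412 proc=updater.exe action=rename path=S:\Legal\NDA.docx dst=S:\Legal\NDA.docx.crypt
2017-09-11T06:02:07Z pid=4412 proc=updater.exe action=rename path=S:\Legal\Contract.docx dst=S:\Legal\Contract.docx.crypt
2017-09-11T06:02:09Z pid=4412 proc=updater.exe action=rename path=S:\HR\Reviews.xlsx dst=S:\HR\Reviews.xlsx.crypt
2017-09-11T06:02:11Z pid=4412 proc=updater.exe action=write path=S:\HR\READ_ME_TO_RECOVER.txt
"""
LINE_RE = re.compile(r"^(\S+) pid=(\d+) proc=(\S+) action=(\S+) path=(\S+)(?: dst=(\S+))?$")

def parse_events(text):
    """Parse audit lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, pid, proc, action, path, dst = m.groups()
            events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "pid": int(pid),
                           "proc": proc, "action": action, "path": path, "dst": dst})
    return events

def find_rename_bursts(events, window=timedelta(seconds=60), min_renames=5):
    """Alert when one process renames >= min_renames files inside `window` and every new
    name is the old name plus the same appended suffix (the mass-encryption pattern)."""
    renames = defaultdict(list)
    for e in events:
        if e["action"] == "rename" and e["dst"]:
            renames[(e["pid"], e["proc"])].append(e)
    alerts = []
    for (pid, proc), evs in renames.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            burst = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            # appended suffix per rename, or None when the new name is not old name + suffix
            suffixes = [e["dst"][len(e["path"]):] if e["dst"].startswith(e["path"]) else None
                        for e in burst]
            if len(burst) >= min_renames and len(set(suffixes)) == 1 and suffixes[0]:
                alerts.append({"pid": pid, "proc": proc, "count": len(burst),
                               "suffix": suffixes[0], "first_seen": first["ts"]})
                break  # one alert per process is enough for the analyst
    return alerts
```

Calling `find_rename_bursts(parse_events(SAMPLE_EVENTS))` returns a single alert for pid 4412 (six renames to `*.crypt`); the same six renames leave no trace in a log that records only network connections, which is exactly the gap the scenario describes.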
So here’s where most businesses misunderstand the nature of the threat and dodge the wrong bullet. Because the damage was limited, the business believes they have “dodged the bullet” associated with perimeter “protection.” Consequently, they begin looking for THE vulnerability that allowed the breach so they can fix THE problem, believing that if they close this vulnerability they’ll be secure. But there’s always another vulnerability. Or, they seek out the latest “next-gen” tool that will be smarter than the attacker and prevent future breaches. But the adversary always adapts.
In reality, the bullet that has been dodged, and the one that is the real threat, is a motivated attacker. While strong perimeter protection is desirable and worth a certain investment, “protection” shouldn’t be implemented to the exclusion of “detection.” A motivated attacker will eventually find a weakness (human or technical) that allows them to defeat perimeter protections. Therefore, businesses today must assume that at some point a breach is going to occur and, in preparation, deploy controls that ensure a breach can be detected and investigated.
Consider again the scenario above. What if a motivated attacker didn’t immediately alter the file system, but rather moved quietly through the network gaining access to operational systems, privacy data, proprietary information and intellectual property? Without real-time threat monitoring behind the firewall, that movement would not have been detected. What would have been the impact if thousands of customers and employees had to be notified, if essential systems went offline or if sensitive information was disclosed? The impacts could have been catastrophic. And since critical log data was not collected, how can the attacker’s actions be investigated? How can the business be confident that the attacker hasn’t installed a persistence mechanism? Without comprehensive data capture, there’s no way to be absolutely sure. So, without real-time threat monitoring behind the firewall and without comprehensive logs, the difference between nuisance impacts and catastrophic impacts is only the motivation of the attacker. That is the real bullet that was dodged!
This scenario is very real and represents a compilation of real incidents that Dynetics has investigated over the last several months. It’s also representative of many other stories reported in the news over the last couple of years. As this article was being written, the Equifax breach was announced. Equifax was not fortunate enough to dodge the motivated attacker bullet! Much will be written about the 143 million affected consumers and how the breach occurred. But the more important question should be “Why did it take Equifax 10 weeks to discover the breach?!”
The point of this article is not to create fear – it’s to warn businesses that effective cybersecurity requires a change in approach. Effective cybersecurity must respond to attack methods being used today by skilled, motivated cyber criminals. Perimeter protection is still important. But without detection, perimeter protection is insufficient, and it’s only a matter of time before a business is no longer able to dodge the catastrophic bullet. Just ask Equifax. The good news, though, is most businesses have already invested in the tools and technology necessary for effective cybersecurity. It’s simply a matter of optimizing those investments to respond to today’s threats.
Cybersecurity – It’s Really Not That Complicated.
Effective cybersecurity is really not that complicated. I think that because so much technology is involved, most people assume the concepts are complicated; but they’re not. To illustrate this point, I’ll use home security as an analogy.
Almost every homeowner uses basic security controls like locks on doors and windows. When you think about it, these basic security controls provide very little protection. They’re designed to discourage petty thieves from entering the home or cause them to make a little noise if they do decide to break in. But I don’t think anyone believes locks deter a motivated thief. Therefore, what happens next is a steady progression of a “cat and mouse” game where the homeowner enhances security based on what they know of criminal activity in their neighborhood.
If “smash and grab” thieves are kicking in doors or breaking windows, the homeowner may reinforce entry points with dead bolts, door stops or stronger windows. Reinforced entry points may slow down a thief or cause them to make more noise, but it won’t stop them; and there’s no guarantee the intrusion will be detected. Left undetected, thieves can remove a lot of value in a short amount of time. In response, the homeowner usually turns to a home security system that places intrusion detection sensors on entry points and sets off alarms. But what if no one is home to respond to the alarm? Smarter thieves do their homework and wait until they know the home is empty. So, better home security systems include a monitoring service that notifies the homeowner and law enforcement when the alarm has been triggered.
The “cat and mouse” game will continue as long as thieves are motivated. The homeowner must stay abreast of the latest tactics and techniques used by thieves if they want to keep the home secure. Motion sensors and cameras may be necessary in some situations. (I had a thief enter my home through the HVAC return!)
So how does this relate to cybersecurity?
Dynetics conducts “threat faithful” Adversarial Simulations to test organizations’ preparedness for real-world cyber criminals. In most cases, these organizations believe they are secure. To date, our Elite Ethical Hackers have never failed to breach a client’s network — usually within a few hours. After that, because organizations are not monitoring behind their perimeter defenses, it’s just a matter of time before we have access to all data, systems and functions — usually in less than two weeks! So while these organizations are successfully deterring nuisance hackers, they would not be successful stopping today’s motivated cyber criminals that have found ways around basic cybersecurity controls like firewalls, anti-virus, spam filters, etc. The proof of these statements is easily found in the steady stream of breach headlines.
I want you to stop and think for a second about the purpose of a monitored, home security system. It’s not to prevent an intrusion. Its purposes are to detect the intrusion as soon as possible, provide situational awareness, and disrupt the thief’s activities before valuables are found and removed. In essence, a home security system “assumes breach!”
But why do homeowners “assume breach?” Why don’t they just reinforce the perimeter security and make it impossible for thieves to break in? There are solutions available. You can put steel doors and shutters in place. You can put up a tall fence or wall with razor-wire. You can build a castle with a moat! Absurd I know, but you can make your home virtually impenetrable! So why not?!
The answers seem obvious, but sometimes the obvious answers cause us to overlook the underlying reasoning. In security circles, physical or cyber, you’ll hear the statement “When choosing among security, convenience and affordability, you can only have two!” While absolute home security may be achievable, it won’t be affordable and it won’t be convenient. Therefore, homeowners opt for the balance that meets their situation. And one more reason: you can’t enjoy your community if you isolate yourself. Interaction with others requires some amount of trust and risk that your trust will be abused. It’s no different in the digital world. To access the benefits of a digital economy, you must accept that at some point your trust will be abused and your network will be breached. You, too, must “assume breach!”
So, back to my opening point: “Effective cybersecurity is really not that complicated.” We simply need to apply the same reasoning that homeowners apply to home security. While homeowners may not go through a formal assessment process, they do consider two primary factors when selecting a security approach: value at risk and most likely threats. Then they determine the cost and inconvenience they’re willing to incur to achieve an acceptable level of risk. For cybersecurity, organizations should assess their value at risk (revenue generation, financial liability, mission, reputation, etc.) and their most likely threats (hackers, hacktivists, crime syndicates, nation states, etc.). Then they, too, can determine the cost and inconvenience to achieve an acceptable level of risk. And like homeowners, organizations must “assume breach” and add monitored detection capabilities to intrusion prevention systems. Only then can organizations ensure breaches are detected early enough to eradicate cyber criminals before valuable data is compromised. Finally, organizations must accept that cyber threats will continue to change in response to the latest security controls. Therefore, organizations must budget for a continuous cyber risk management program that includes assessments (value, threats and controls), implementation, operations and testing.
Cyber RiskScope® from Dynetics is a portfolio of cyber risk management solutions based on an adversarial perspective that ensures our clients are successfully defending against today’s motivated cyber threats. For information on how Dynetics can help your organization with strategic planning, assessments, implementation and operations, call 800.922.9261 ext. 5020 or email Sales@Dynetics.com
Today’s Cyber Risk Paradigm
“Cybersecurity” in today’s world is a misnomer. Our government agencies, businesses, and personal lives are irreversibly connected to a worldwide web that provides enormous opportunity and convenience. However, success in this “connected” world requires that organizations sacrifice absolute security — and therein lies the problem. Because being “connected” requires some amount of insecurity, the same worldwide web that creates opportunity and convenience also gives rise to sophisticated, dynamic and growing cyber threats motivated by financial gain, activism and state-sponsored espionage. This new business paradigm is the “Digital Frontier.”
In the Digital Frontier, traditional cybersecurity approaches focused on perimeter protection are no longer effective. Firewalls that block unauthorized connections must also allow email communications. Anti-virus tools that detect known malware overlook the new; and intrusion detection systems that examine network traffic are blind to encrypted communications. As we rush to market with new offerings, the underlying technology often creates new vulnerabilities that are exploited by cyber criminals. And when security measures are effective, cyber criminals simply find new attack vectors. It’s a continuous match of wits between cybersecurity professionals and cyber criminals. However, the very nature of a “connected” society demands we leave some openings in our security and, consequently, makes “cyberSECURITY” in today’s world a misnomer.