It has been my privilege to spend a week at Black Hat USA 2017 and keep you all up to date on the NOC and conference news. With Gigamon and Scrutinizer combined, the NOC team was able to baseline and detect unwanted behaviors. I was also fortunate to analyze flow data with the Palo Alto next-generation firewall that allowed us to identify the applications generating excessive traffic on the network. As I am about to pack my bags and say goodbye to the Entertainment Capital of the World, I would like to take a few minutes to go over the lessons we learned from one of the biggest information security communities.
Will your network withstand an attack?
Dark Reading’s 2017 Strategic Security Survey provided us with the statistics on the attacks and breaches over the past year. Here are some of the findings:
- One in four organizations experienced direct financial losses due to an attack or breach.
- 20% of organizations became victims of intellectual property theft or compromise of information confidentiality.
- 65% of organizations were affected by malware-related breaches, with 55% of them being phishing-initiated.
- 23% of organizations were hit by ransomware attacks; 9% of them conceded to paying the ransom.
- 20% of those struck by directly targeted breaches footed a bill of $1 million.
As these results show, incidents of compromise continue to rise, and no network is truly invulnerable to zero-day exploits or directly targeted attacks.
Are we as a community ready for IoT exploits?
As Billy Rios proved to us yesterday, the answer is no. Security monitoring needs to take a preemptive stance and apply better monitoring practices. The current risk scoring systems leave much to be desired. Exploitation of a system that relies solely on software to implement mechanical safety can ultimately result in loss of life, and it should be scored as a higher risk than the possibility of someone stealing supplies from a cabinet.
“In the future I anticipate more IoT physical risks, especially as a result of the growth of robotics and artificial intelligence. And these threats are likely to emerge much quicker than we would like, and in ways we don’t expect, anticipate, nor understand very well. As has been said before, the Internet of Things (IoT) is also referred to as the Internet of Threats. It is and will be a target-rich environment for the darker…cyber angels of our nature.” — Billy Rios
Zero-Days, Your Sleepless Nights
Zero-day exploits—software vulnerabilities for which no patch or fix has been publicly released—have been one of the most popular topics here at Black Hat USA 2017. In her presentation yesterday, Lillian Ablon provided us with insights into the zero-day vulnerability research and exploit development industry. She shared statistics on what percentage of zero-day vulnerabilities are alive (publicly unknown), dead (publicly known), or somewhere in between. Ablon created baseline metrics for the average lifespan of zero-day vulnerabilities (longevity), the likelihood of another party discovering a vulnerability within a given time period (collision rate), as well as the costs involved in developing an exploit.
“Exploits have an average life expectancy of 6.9 years after initial discovery, but roughly 25 percent of exploits will not survive for more than a year and a half, and another 25 percent will survive more than 9.5 years. For a given stockpile of zero-day vulnerabilities, after a year, approximately 5.7 percent have been discovered by an outside entity.” — Lillian Ablon
Learning from mistakes (hopefully, somebody else’s)
Despite constant warnings from security experts, organizations continue to leave their systems and data unnecessarily vulnerable. Security breaches result in the loss of reputation, enterprise value, and jobs, as well as regulatory fines and civil litigation. Given the sophistication of attacks and the growing attack surface, breaches are inevitable. When a breach occurs, you need access to contextual forensic data to support fast and efficient incident response and recovery.
Data context improves situational awareness and enables faster and more accurate incident response. Gathering NetFlow, IPFIX, and metadata from routers, switches, servers, and probes will provide you with the answers to the questions: who, where, when, what, which, and how.
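As an added illustration of the two ideas above (baselining per-application flow volume the way the NOC did, and answering who, where, when, what and how from flow records), here is a small script that is not code from this post, from Scrutinizer, or from the Black Hat NOC. The flow records, their field names and the MAD-based threshold are constructed assumptions for the example.

```python
from collections import defaultdict
from statistics import median

# Constructed IPFIX/NetFlow-style records (hypothetical sample, not the NOC's data).
FLOWS = [
    {"start": "2017-07-26T10:00Z", "src": "10.0.1.5", "dst": "203.0.113.10", "dport": 443, "app": "ssl", "bytes": 50_000},
    {"start": "2017-07-26T10:01Z", "src": "10.0.1.6", "dst": "203.0.113.11", "dport": 443, "app": "ssl", "bytes": 55_000},
    {"start": "2017-07-26T10:02Z", "src": "10.0.1.7", "dst": "203.0.113.12", "dport": 443, "app": "ssl", "bytes": 45_000},
    {"start": "2017-07-26T10:03Z", "src": "10.0.1.8", "dst": "203.0.113.13", "dport": 443, "app": "ssl", "bytes": 52_000},
    {"start": "2017-07-26T10:04Z", "src": "10.0.1.9", "dst": "198.51.100.7", "dport": 443, "app": "ssl", "bytes": 2_600_000},
    {"start": "2017-07-26T10:05Z", "src": "10.0.1.5", "dst": "10.0.0.53", "dport": 53, "app": "dns", "bytes": 1_200},
    {"start": "2017-07-26T10:06Z", "src": "10.0.1.6", "dst": "10.0.0.53", "dport": 53, "app": "dns", "bytes": 900},
    {"start": "2017-07-26T10:07Z", "src": "10.0.1.7", "dst": "10.0.0.53", "dport": 53, "app": "dns", "bytes": 1_100},
]

def volume_by_app(flows):
    """Sum bytes per application and per source host: app -> {src: bytes}."""
    totals = defaultdict(lambda: defaultdict(int))
    for f in flows:
        totals[f["app"]][f["src"]] += f["bytes"]
    return totals

def excessive_talkers(flows, k=5.0):
    """Flag hosts whose per-application volume exceeds median + k * MAD.
    The median absolute deviation (MAD) is used so that one heavy talker cannot
    drag the baseline up the way a mean would. Returns (app, src, bytes, threshold)."""
    flagged = []
    for app, per_host in volume_by_app(flows).items():
        values = list(per_host.values())
        if len(values) < 3:
            continue  # too few hosts to call anything a baseline
        med = median(values)
        mad = median(abs(v - med) for v in values) or 1.0  # avoid a zero-width band
        threshold = med + k * mad
        for src, total in per_host.items():
            if total > threshold:
                flagged.append((app, src, total, threshold))
    return flagged

def describe(flows, app, src):
    """Answer who / where / when / what / how for a flagged host from its own flows."""
    mine = [f for f in flows if f["src"] == src and f["app"] == app]
    return {
        "who": src,
        "where": sorted({f["dst"] for f in mine}),
        "when": (min(f["start"] for f in mine), max(f["start"] for f in mine)),
        "what": app,
        "how": sorted({f["dport"] for f in mine}),
    }
```

In the constructed sample, only 10.0.1.9's ssl traffic exceeds its application's baseline; describe() then gives the destination, time window and port an analyst needs to start the investigation.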
If you would like to see how Scrutinizer can deliver insight into your own network and improve incident response, you can download a free trial here.