Cyber Attack Incident Response

This year many companies have come to the realization that somewhere on their network, possibly in a far-off corner hidden behind a pile of who-knows-what, there is a computer or some type of appliance that is playing host to a certain strain of malware.

It’s hanging out in stealth mode, occasionally beaconing over an encrypted connection on port 443 and waiting for the C&C server to pass down the long-awaited commands: launch a DoS attack against an Internet site, attempt to infect other machines, or carefully search its locally mapped drives for certain keywords (e.g. pass, confidential, etc.). There it sits like a dirty ninja, waiting for some piece of confidential information to pass by its patient watch, where it is copied and uploaded to a web site hosted by a reputable service provider. It can sit there for months, even years, as Nortel found out. In fact, in January Mandiant stated that the average infection stays resident for 416 days. Why so long? Well, the fact that 96 percent of data breaches are uncovered by third parties (i.e. not internal security teams) is one reason. That’s right, even those expensive next-generation firewalls that sit high and to the right in the Gartner Magic Quadrant are failing to catch these contagions.

What can we do to stop APTs?

It is a tough problem indeed that all of us are facing. How can we fortify our security measures to increase our defenses against these targeted attacks? Here is a list that many of us are familiar with. Let's review:

  •   Keep end systems and servers patched
  •   Block critical servers from connecting to the Internet; grant temporary access for routine updates only.
  •   Force password rotation and consider two-factor authentication
  •   Invest in behavior monitoring systems that categorize suspicious behaviors over time
  •   Educate and re-educate employees on the dangers of phishing email and how to avoid the “costly click”

Prepare for the Discovery

Now that we are no longer in denial about being infected and have accepted the fact that we are likely already hosting malware somewhere on the network, let's make sure we are ready to roll back the video footage and replay the steps of the infiltration.

We can often learn behaviors from this and play back the traffic to sleuth out the other machines, still under the radar, that are exhibiting some of the same behaviors.
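As an added illustration of that playback (example code written for this post, not part of the original or any vendor product), the snippet below runs over constructed flow records: it flags source/destination pairs whose port-443 connections recur at machine-like regular intervals, the beaconing described above, and then pivots on the flagged destinations to find other internal hosts that talked to the same C&C server but were never noticed. The thresholds and sample addresses are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records for the example: (timestamp_seconds, src, dst, dst_port).
FLOWS = [
    # Host A beacons roughly every 600 s to the same external address on 443.
    (0, "10.0.1.15", "203.0.113.7", 443),
    (602, "10.0.1.15", "203.0.113.7", 443),
    (1198, "10.0.1.15", "203.0.113.7", 443),
    (1801, "10.0.1.15", "203.0.113.7", 443),
    (2399, "10.0.1.15", "203.0.113.7", 443),
    # Host B: ordinary browsing, irregular timing.
    (10, "10.0.1.22", "198.51.100.4", 443),
    (45, "10.0.1.22", "198.51.100.4", 443),
    (500, "10.0.1.22", "198.51.100.4", 443),
    (2000, "10.0.1.22", "198.51.100.4", 443),
    # Host C contacts the same destination as A, offset in time, and was never noticed.
    (300, "10.0.3.40", "203.0.113.7", 443),
    (901, "10.0.3.40", "203.0.113.7", 443),
    (1499, "10.0.3.40", "203.0.113.7", 443),
    (2102, "10.0.3.40", "203.0.113.7", 443),
]


def beaconing_pairs(flows, min_flows=4, max_cv=0.1):
    """Return {(src, dst): mean_gap_seconds} for pairs whose inter-connection
    gaps are nearly constant. cv = stddev / mean of the gaps; a value near
    zero means timer-driven regularity rather than human browsing.
    min_flows and max_cv are assumed thresholds, tune them to your network."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        if port == 443:
            by_pair[(src, dst)].append(ts)
    hits = {}
    for pair, times in by_pair.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0:  # duplicate timestamps: no interval to measure
            continue
        if pstdev(gaps) / avg <= max_cv:
            hits[pair] = round(avg)
    return hits


def pivot_on_destinations(flows, seed_dsts):
    """Replay stored flows to list every internal host that contacted a flagged destination."""
    return sorted({src for ts, src, dst, port in flows if dst in seed_dsts})
```

Feeding the destinations from `beaconing_pairs` into `pivot_on_destinations` turns one discovered infection into a list of every host on the same C&C channel, including hosts whose traffic alone had not been examined.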

What do you need? Ideally, a system that surpasses industry compliance obligations by providing the evidence necessary for cyber attack incident response. Security breaches can be very costly, and twice as embarrassing when it is discovered that government-imposed compliance regulations aren’t being met. For example, the Global Payments breach in April 2012 cost $93.9 million, including $35.9 million in fines and other noncompliance charges.

Are you ready to get prepared? Contact our team to learn about our Incident Response System.