Despite the billions of dollars being invested in the cyber detection industry, if your company is connected to the Internet, there isn’t a security solution out there that can keep your business safe from all forms of malware. Your company can be and probably will be hacked. The questions are: When will it happen? What will they do? How will you investigate the event?
Google reported that “there was a 32 percent increase in the number of hacked sites in 2016 compared to 2015.”
Security investments in antivirus, access lists, dual authentication, DNS firewalls, intrusion detection systems, second-generation firewalls and the like all still allow malware to pass undetected. It appears that when it comes to targeted attacks, nothing can stop all cyber villains. These miscreants are winning the war, but there is one battlefront that the bad guys appear to be losing: the ability to cover their tracks.
When will it happen?
Weaknesses in your cyber defenses will be discovered because most computer operating systems and networking protocols are inherently flawed. Despite patches and upgrades, zero-day vulnerabilities will always exist. Being diligent with updates is always a good idea. Even though holes still exist, it doesn’t mean you will be compromised. Not everyone is the victim of a targeted attack; however, the spray-and-pray phishing approach taken by bad actors does have a decent success rate. Educating employees to be careful about what they click on can give your company a big advantage over a company that is an easier target. The security team can’t plan for the exact time the compromise will occur; however, they can prepare and be ready.
What will they do?
When miscreants get in and compromise internal systems, they often have a few objectives:
- Compromise the system in multiple ways (e.g. bot, key logger, Mirai, etc.)
- Look around and try to infect other systems
Once the malware is operational, the infection may trigger ransomware or very slowly export information about the local host and network drives. This is why it is very important to monitor for data exfiltration. Low and slow data thefts can’t be unearthed by monitoring a few minutes of data. Behaviors over extended periods of time (e.g. 24-48 hours) must be observed.
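To show why a long observation window matters, here is an added example (not from the original post) that aggregates constructed NetFlow-style records per internal host and flags outbound volume to external destinations over a chosen window. The internal address range, the flow records and the 50 MB threshold are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Fixed "now" so the example is deterministic.
NOW = datetime(2016, 12, 1, 12, 0)
INTERNAL_NETS = [ip_network("10.0.0.0/8")]  # assumed internal address space

# Constructed flow records in the shape a NetFlow/IPFIX collector stores:
# (flow end time, source IP, destination IP, bytes from source to destination).
FLOWS = []
# 10.0.0.7 leaks 2 MB once an hour for two days to an external host (constructed).
for i in range(1, 49):
    FLOWS.append((NOW - timedelta(hours=i), "10.0.0.7", "203.0.113.10", 2_000_000))
# 10.0.0.8 does ordinary browsing: a few small external flows (constructed).
for i in (1, 2, 3):
    FLOWS.append((NOW - timedelta(hours=i), "10.0.0.8", "198.51.100.5", 300_000))
# Internal file-server traffic is large but must not count as exfiltration.
FLOWS.append((NOW - timedelta(hours=2), "10.0.0.8", "10.0.5.20", 500_000_000))


def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def outbound_bytes(flows, start, end):
    """Sum bytes sent from internal hosts to external destinations whose flow
    end time falls in [start, end)."""
    totals = defaultdict(int)
    for ended, src, dst, nbytes in flows:
        if start <= ended < end and is_internal(src) and not is_internal(dst):
            totals[src] += nbytes
    return dict(totals)


def flag_low_and_slow(flows, now, window_hours, threshold_bytes):
    """Return internal hosts whose outbound volume over the last window_hours
    meets threshold_bytes. Only a long window exposes the slow leak."""
    totals = outbound_bytes(flows, now - timedelta(hours=window_hours), now)
    return sorted(h for h, b in totals.items() if b >= threshold_bytes)


if __name__ == "__main__":
    limit = 50_000_000  # 50 MB to the outside world per window
    print("1 h window :", flag_low_and_slow(FLOWS, NOW, 1, limit))   # []
    print("48 h window:", flag_low_and_slow(FLOWS, NOW, 48, limit))  # ['10.0.0.7']
```

Run against a real collector's export, the same aggregation only works if the flows for the whole window are still on disk, which is the retention argument the next section makes.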
How will you investigate the event?
When infections are discovered, how will the security team investigate the event? Logs and flows (e.g. NetFlow and IPFIX) must be collected and saved in anticipation of a compromise. Flows and logs are the security cameras of networking. Network traffic analysis often skips packet probes, which can only retain data for a few days. IPFIX and NetFlow collectors hold the archive of historical traffic patterns needed to lay out the who, what, when, where and how. UDP forwarders are deployed to replicate flows and logs to multiple collection points, so that an infection cannot delete its own tracks.
Consider some of the top hacks of 2016:
- Olympics in Rio de Janeiro – data of athletes compromised
- SnapChat – 700 employees had private data stolen
- Verizon – 1.5 million user accounts
- Democratic Party – Hillary Clinton emails exposed
- Mark Zuckerberg – social media accounts hacked
- Oracle – 330,000 computer cash registers
- Cisco Systems
“Your business must be prepared – an intrusion is inevitable for many organizations and preventative security measures will eventually fail,” said Mr. McMillan. “The question you must accept isn’t whether security incidents will occur, but rather how quickly they can be identified and resolved.”
The message is clear. Get ready, collect flows and save them in multiple locations. Gartner says intrusion is inevitable. Investigation in many cases will be the only recourse your security team will have.