At InfoSecurity Europe in June, I will be showing a demonstration of what we call “Attacker vs. Victim”, which uses real zero days, malware and tools to compromise a fictitious company and steal data. The purpose of this demo is to show executives, media and security practitioners what an actual breach looks like, and how dangerous breaches can be. As an industry, we talk about cyber attacks and cyber defense on a daily basis, but it is surprising how many people haven’t actually seen an attack from beginning to end.
There are no air raid sirens for cyber attacks. So when an attack occurs, victims rarely have any idea what is happening. My demo simulates exactly what happens following actual incidents that we, as a company, work on a daily basis. A seemingly innocent FedEx email states “click here to re-route your package.” It could fool even the wariest user. After clicking on this link, nothing happens, at least from the user’s perspective, yet the attacker has already established a foothold in your network.
A foothold. It seems so tenuous, temporary or benign, but that’s all that is needed these days. One endpoint, somewhere on the inside, and the attacker(s) can now launch additional attacks or exploits against the enterprise. Perhaps their goal isn’t to find intellectual property or personally identifiable information, but to spy on their victim by turning on the webcam and microphone without the user knowing it.
Enterprises face these types of threats on a daily basis. One of my favorite industry adages is: “We have to be right every single time, but the attacker only has to be correct once.” I couldn’t agree more. It’s as if we are playing a game of chess with the enemy, except instead of going turn for turn, they get three moves for every one of ours. Of course, the attackers never fight fair. The malware they employ is getting harder and harder to find.
In my demonstration I use a pervasive Remote Access Trojan (RAT), known as DarkComet, which focuses on command and control communication. In this toolkit, the authors have created “signature-less” droppers by adding randomisation routines, which are loaded onto the victim’s computer.
Scary, right? Vendors present this reality to show enterprises everything that’s bad in the real world, how easily it can happen and the extensive damage it creates. However, there is hope: a realization by organisations that you can’t prevent bad things from happening on your network or your endpoints. It’s human nature to want to prevent harmful incidents from occurring. As parents, we want to protect our children, knowing that they will experience the cuts, bruises and scrapes. What matters is how we react to these unfortunate events.
A board director reads the latest news and sees their competitor’s name in the headlines: Company X suffers major breach and millions of customer records were stolen. A chain of events unfolds. The board member calls the CEO and states “This breach cannot happen to us,” then the CEO calls the CISO to say “We need to prevent breaches into our networks. Are we secure and what happens if we’re compromised?” The CISO is immediately put into a difficult position, a “prevent bad stuff from happening” scenario. What kind of funding for prevention vs. detection do you think the CISO is going to get?
Brian Karney, Fidelis’ SVP of Products, regularly laments, and accurately so: “If there’s a dollar to be spent on security, it’s going towards prevention and not detection and response.” This is unfortunate, but again, there is hope. Organisations are now realizing they can’t prevent everything, but in the absence of prevention, what’s the answer? Detection. Getting better and faster at detecting the bad things that happen in the enterprise.
From a metrics perspective, it really comes down to two key focus areas: 1) Mean time to detect; and 2) Mean time to resolve. It’s as simple as that. Can organisations reduce how long it takes to detect when they’ve been compromised? Can they get faster at resolving these incidents? These are the two big questions that need answering.
I’m not saying that prevention is dead! Quite the contrary, there are so many threats (both commodity and targeted) out there that can be characterised as a signature, rule or pattern. Strive for prevention, but realise that at the end of the day, you will always need to detect the hidden and deeply embedded threats that prevention tools missed.
I’ll leave you with one of my favourite historical quotes (from a Russian proverb), whose meaning has perfect significance for cybersecurity: “Trust, but verify” (Доверяй, но проверяй). It was spoken by U.S. President Ronald Reagan in the 1980s, emphasising trust and cooperation with the USSR, in relation to their mutual nuclear disarmament. This quote can be applied perfectly to cybersecurity and is actually great advice for enterprises today.
Come by and see my “Attacker vs. Victim” demo at the Fidelis Stand, B160, InfoSecurity Europe in Olympia London between 7 and 9 June 2016. I’d like to hear about your security ops challenges and share stories.
-- Justin Harvey, CSO