On detection and response

Organizations need to move beyond merely trying to keep attackers out and start building the capability to detect and respond to intrusions quickly, while designing compartmentalized networks that slow attackers down once they have breached the perimeter and so buy more time to detect and respond to the attack. According to the Verizon Breach Report, 69% of breaches were spotted by an external party rather than by the victim organization. This shows us that security staff are often asleep at the wheel.

Effective detection and response capability is difficult and expensive to build; it is not as simple as deploying a piece of technology that will sound the alarm when a breach happens. Intrusion prevention systems, web application firewalls, security information and event management (SIEM) systems, file integrity monitoring software, and other technological detection mechanisms require extensive tuning when they are deployed and continue to require ongoing tuning to adjust to changing conditions on the network. Without tuning, these systems generate mountains of false-positive alerts, essentially “crying wolf” so frequently that alerts for genuine attacks are lost in the noise and ignored along with everything else.
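To make the tuning point concrete, here is an added example (not code from the original article) of an untuned failed-login rule beside a tuned one, run over a handful of constructed sshd-style log lines. The log lines, the hosts and the suppressed scanner address 10.0.9.9 are all invented for the illustration. The naive rule fires on every failure, including the authorized vulnerability scanner's probes and a user mistyping a password; the tuned rule suppresses known sources and only alerts when one source crosses a threshold inside a sliding time window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not captured from any real system. Three sources:
# an authorized scanner (10.0.9.9), a user who mistypes twice (10.0.5.23),
# and a source that hammers root (203.0.113.7).
SAMPLE_LOG = """\
2014-02-03T08:30:00 sshd[900]: Failed password for root from 10.0.9.9 port 40001 ssh2
2014-02-03T08:30:05 sshd[901]: Failed password for invalid user admin from 10.0.9.9 port 40002 ssh2
2014-02-03T08:30:10 sshd[902]: Failed password for invalid user oracle from 10.0.9.9 port 40003 ssh2
2014-02-03T08:30:15 sshd[903]: Failed password for invalid user test from 10.0.9.9 port 40004 ssh2
2014-02-03T08:30:20 sshd[904]: Failed password for invalid user guest from 10.0.9.9 port 40005 ssh2
2014-02-03T08:30:25 sshd[905]: Failed password for root from 10.0.9.9 port 40006 ssh2
2014-02-03T09:00:01 sshd[1201]: Failed password for jsmith from 10.0.5.23 port 50211 ssh2
2014-02-03T09:00:09 sshd[1201]: Failed password for jsmith from 10.0.5.23 port 50211 ssh2
2014-02-03T09:00:15 sshd[1201]: Accepted password for jsmith from 10.0.5.23 port 50211 ssh2
2014-02-03T09:10:00 sshd[1300]: Failed password for root from 203.0.113.7 port 33001 ssh2
2014-02-03T09:10:05 sshd[1301]: Failed password for root from 203.0.113.7 port 33002 ssh2
2014-02-03T09:10:10 sshd[1302]: Failed password for root from 203.0.113.7 port 33003 ssh2
2014-02-03T09:10:15 sshd[1303]: Failed password for root from 203.0.113.7 port 33004 ssh2
2014-02-03T09:10:20 sshd[1304]: Failed password for root from 203.0.113.7 port 33005 ssh2
2014-02-03T09:10:25 sshd[1305]: Failed password for root from 203.0.113.7 port 33006 ssh2
2014-02-03T09:10:30 sshd[1306]: Failed password for root from 203.0.113.7 port 33007 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)


def parse_failures(log_text):
    """Return (timestamp, user, source_ip) for every failed-login line; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["src"]))
    return events


def naive_alerts(log_text):
    """Untuned rule: one alert per failed login. This is the 'crying wolf' configuration."""
    return [f"failed login for {user} from {src}" for _, user, src in parse_failures(log_text)]


def tuned_alerts(log_text, threshold=5, window=timedelta(minutes=5), suppress=frozenset()):
    """Tuned rule: one alert per source that reaches `threshold` failures inside a sliding
    `window`, after dropping sources on the suppression list (e.g. the authorized scanner)."""
    by_src = defaultdict(list)
    for ts, _, src in parse_failures(log_text):
        if src not in suppress:
            by_src[src].append(ts)
    alerts = []
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits inside `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(f"brute force: {end - start + 1} failures from {src} within {window}")
                break  # one alert per source, not one per additional failure
    return alerts


if __name__ == "__main__":
    print(len(naive_alerts(SAMPLE_LOG)), "naive alerts")
    for a in tuned_alerts(SAMPLE_LOG, suppress=frozenset({"10.0.9.9"})):
        print(a)
```

The suppression list and threshold are the tuning the paragraph is talking about: the day the scanner's address changes, or a jump host is added, the rule has to be revisited or it starts crying wolf again.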

While some technologies, such as intrusion prevention systems and web application firewalls, can automatically stop basic attacks when they are well tuned and properly configured, a sophisticated attacker will eventually find a way around them, and real live humans must be paying attention to the network in order to stop such attacks. Many sophisticated attackers are located overseas and are not keeping the victim's standard office hours, so this monitoring and response capability must operate 24x7 in order to be effective. Staffing 24x7 monitoring can be difficult and cost-prohibitive for all but the largest organizations, and this is an area where many companies may benefit from outsourcing the monitoring and initial response roles to a managed services provider.

Most typical networks have their security resources concentrated at the perimeter, with very little to protect systems inside the network from each other. This puts an attacker who successfully breaches the perimeter in a position to “pivot” from the compromised system and use it to attack other, potentially more sensitive, systems on the network without much interference. Unfortunately, almost any host can provide the gateway for an attacker to breach the perimeter, whether it is a poorly written web application that allows commands to be run on the underlying server or a user who falls for a phishing email and downloads malware onto their workstation.

Protecting an entire network, with all of its possible attack points, and building the capability to monitor it can be cost-prohibitive regardless of the size of the organization. This can be mitigated by compartmentalizing the network into separate segments: for example, building a dedicated section of the network for systems that handle credit card data and protecting it from the rest of the internal network with firewalls, intrusion prevention systems, and other security measures, just as it would be protected from the Internet. This impedes an attacker who has compromised another, less sensitive and less protected system on the network by forcing him through the internal security perimeter, hopefully attracting the attention of the security team as a result. Beyond slowing attackers down so that they are more likely to be detected, this approach also allows organizations to concentrate their limited security resources on the network segments that contain critically sensitive data rather than expending them unnecessarily on systems that could not directly impact that data.
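As an added illustration of what that internal perimeter looks like in practice (this is example configuration, not anything from the original article or from Target), here is an nftables ruleset for the firewall sitting between a general corporate LAN and a dedicated cardholder-data segment. The interface names, subnets and hosts are hypothetical. The policy is default deny in both directions, only the documented flows are allowed, and every rejected attempt is logged with a prefix the SIEM can alert on, which is exactly how a pivoting attacker scanning the segment from a compromised workstation ends up attracting attention.

```nft
# Hypothetical internal gateway: corporate LAN 10.10.0.0/16 on lan0,
# cardholder-data segment 10.50.0.0/24 on cde0. All names and addresses are examples.
table inet cde_gateway {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to flows we already allowed; anything the conntrack table cannot place is dropped.
        ct state established,related accept
        ct state invalid drop

        # POS servers may talk to the payment-processor gateway, and only on its service port.
        iifname "cde0" oifname "lan0" ip saddr 10.50.0.0/24 ip daddr 10.10.200.5 tcp dport 8443 accept

        # Administrative access into the segment comes only from the hardened jump host, over SSH.
        iifname "lan0" oifname "cde0" ip saddr 10.10.1.10 ip daddr 10.50.0.0/24 tcp dport 22 accept

        # Logs leave the segment towards the SIEM collector so the SOC can see what happens inside.
        iifname "cde0" oifname "lan0" ip saddr 10.50.0.0/24 ip daddr 10.10.200.20 udp dport 514 accept

        # Everything else is counted, logged with a prefix the SIEM keys on, and dropped.
        # A workstation scanning the segment shows up as a burst of CDE-INBOUND-DENY entries;
        # malware inside the segment trying to exfiltrate shows up as CDE-OUTBOUND-DENY.
        iifname "lan0" oifname "cde0" log prefix "CDE-INBOUND-DENY " counter drop
        iifname "cde0" oifname "lan0" log prefix "CDE-OUTBOUND-DENY " counter drop
    }
}
```

Load it with `nft -f` on the gateway. The point of the two explicit logging rules is that the chain's `policy drop` would silently discard traffic otherwise; the segment only buys detection time if the denials are actually shipped to the monitoring team and alerted on.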

Although all of the details haven’t been released yet, these lessons can be applied to the Target breach based on what we know and suspect of the techniques used there. The attackers are believed to have gained entry into Target’s network using the login credentials of an HVAC company that provides services to Target, in order to access a web page (suspected to be an invoicing system). Although we don’t know how well segmented Target’s network is, a segmented network in which critical systems such as point-of-sale terminals are isolated from other, unrelated systems would make it much more difficult for the attacker to move into the point-of-sale systems undetected. The attackers are also believed to have conducted a test run of their malware by installing it on a few point-of-sale terminals before deploying it on a wider scale. The attack seems to have run for a few weeks before it was detected, suggesting that Target did not have the monitoring and response capability necessary to detect that the POS systems had been compromised (for example with file integrity monitoring) or to detect the stolen card data being exfiltrated from the network (for example with data loss prevention technology). It is believed that the breach was detected through fraud analysis on the stolen cards, or through undercover purchases of stolen cards, rather than by direct detection on the network, further illustrating this point.
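The file integrity monitoring mentioned above is a simple idea, and an added example (not code from the original article, and not a description of any product Target used) shows the whole mechanism: hash every file under a directory into a baseline, then re-hash later and classify what was added, removed or changed. On a point-of-sale system the set of executables should almost never change outside a planned update, so a newly added binary is the kind of event that should have been a high-priority alert. The directory layout, file names and contents in `demo()` are constructed for the illustration.

```python
import hashlib
import json
import stat
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def snapshot(root):
    """Record hash and permission bits for every regular file under root (symlinks skipped)."""
    root = Path(root)
    snap = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            mode = stat.S_IMODE(path.stat().st_mode)
            snap[path.relative_to(root).as_posix()] = {"sha256": hash_file(path), "mode": mode}
    return snap


def diff_snapshots(baseline, current):
    """Classify every difference between a stored baseline and a fresh snapshot."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(p for p in base_keys & cur_keys if baseline[p] != current[p]),
    }


def save_baseline(snap, path):
    Path(path).write_text(json.dumps(snap, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def demo():
    """Build a constructed POS-like tree, baseline it, then simulate the kind of change a
    malware deployment makes (new binary, edited config) and return what the check reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "pos"
        (root / "bin").mkdir(parents=True)
        (root / "conf").mkdir()
        (root / "bin" / "pos.exe").write_bytes(b"MZ constructed placeholder binary")
        (root / "conf" / "pos.ini").write_text("[payment]\nhost=processor.example\n")
        baseline_path = Path(tmp) / "baseline.json"   # kept outside the monitored tree
        save_baseline(snapshot(root), baseline_path)

        # Simulated compromise: an extra executable dropped next to the real one,
        # and the config repointed at an attacker-controlled host (198.51.100.9 is a doc address).
        (root / "bin" / "posupd.exe").write_bytes(b"MZ constructed dropped binary")
        (root / "conf" / "pos.ini").write_text("[payment]\nhost=198.51.100.9\n")

        return diff_snapshots(load_baseline(baseline_path), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two operational caveats that the example deliberately leaves to the reader: the baseline has to be stored (or at least signed) somewhere the monitored host cannot overwrite, otherwise an attacker with administrative access simply re-baselines after dropping the malware; and the report is only a detection if someone receives and acts on it, which is the same 24x7 monitoring problem discussed earlier.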