
Illustration by Steve McCracken

An Integrated Defense

After spending almost two years in isolation, six men emerged from a locked facility in Moscow in 2011 to cheers from the scientific community.

The volunteers—three from Russia and one each from France, Italy, and China—were part of an experiment designed to test the effects of isolation on small group dynamics and individual psychology. The experiment lasted 520 days, the approximate time it would take for a round-trip to Mars from Earth. 

This summer, however, something less inspiring than space travel hit the 520-day mark: the median time it takes Asian companies to detect a data breach.

“Organizations across the Asia Pacific allowed attackers to dwell in their environments for a median period of 520 days before discovering them,” according to Mandiant’s M-Trends 2016 Asia Pacific Edition report. 

The median for Europe, the Middle East, and Africa is only slightly better, coming in at 469 days—significantly higher than the global median time to detection (TTD) of 149 days, according to Mandiant.

This lengthy window of time to operate undetected is giving modern-day hackers the opportunity to lay the groundwork for sophisticated campaigns, such as ransomware, to wreak havoc on their targets.

“To put this into perspective, a Mandiant red team can obtain access to domain administrator credentials within—on average—three days of gaining initial access to an environment,” the Mandiant report explains. “Once a domain administrator’s credentials are stolen, it is only a matter of time before an attacker is able to locate, gain access to, and exfiltrate and steal desired information.”

Cisco, which identified the global average TTD as between 100 and 200 days, has also raised concerns in its Cisco 2016 Midyear Cybersecurity Report about how increased TTD is allowing malicious actors to pull off sophisticated cyberattacks against corporate networks.

“The rise in ransomware activity, and the breadth of recent campaigns, underscore how adversaries benefit from having unconstrained time to operate,” the Cisco report adds. “It allows them to quietly lay the groundwork for their campaigns, strike when they are ready, and ultimately succeed in generating revenue from their efforts.”

As the world has seen in 2016, attackers can earn vast amounts of revenue from these campaigns, targeting 90,000 victims per day and netting an estimated $34 million in one year alone, Cisco says.

To avoid detection, attackers are using cryptocurrency, Tor, and HTTPS traffic encrypted with Transport Layer Security (TLS). Exploit kit authors are also enabling attackers’ success by quickly reverse-engineering patches and exploiting “unmanageable vulnerability disclosures,” according to the report.

“And a new twist to malvertising is providing adversaries with a high-efficiency and hard-to-track method to increase traffic to compromised sites, so they can infect users’ machines and eventually launch ransomware attacks,” the Cisco report explains.

Another factor that’s inhibiting companies’ ability to decrease their TTD is the increasing number of vulnerabilities that they must defend against. If the current trend continues, more than 10,000 vulnerabilities will be disclosed this year.

“That’s an inordinate amount of things for a defender to have to defend against,” says Jason Brvenik, principal engineer for Cisco Security Business Group. 

These factors all come together to give attackers a unique advantage over defenders who are struggling to keep pace, Brvenik adds. 

“The attackers, they have time on their side; they can attack at will, when they want, and have an expanding time to operate once they are successful,” he says.

Cisco has seen this dynamic in its own TTD, which is considerably lower than the industry average at 13 hours in April 2016—down from 50 hours in 2014—but which has fluctuated for certain malware families.

“Adversaries continually create stealthy techniques to avoid detection,” the report says. “Security vendors counter these efforts with better integration and threat detection…significant drops in TTD show periods when Cisco gained an edge on the adversaries—detecting threats at a rate faster than they could develop and launch new techniques.”

For instance, some malware threats increased Cisco’s TTD to more than 14 hours in March 2016 because Cisco analysts had to investigate the new threats before detection could even begin.

“TTD trended higher than the median for several malware families associated with ransomware due to the time required for analysts to investigate these threats when automated techniques, such as heuristics (algorithms) and sandboxing (separating running programs), were unable to provide early detection,” the Cisco report said. 

While Cisco’s TTD is much lower than the industry average, Brvenik says there is more the company—and everyone else—can do to reduce the attack surface that defenders have to protect.

“While we have the good news—we’re able to reduce the time to detection—we’re seeing that we’re presenting an increasingly large attack surface for the adversary,” he adds.

One key aspect of reducing the attack surface is knowing what data exists and where it is, so defenders can protect it, says John Wethington, vice president of Americas at the security software company Ground Labs.

“What we’re finding, consistently in these enterprises, whether they have been hacked or believe they haven’t been hacked yet, is that they don’t know where all their sensitive data is,” he explains.

Companies are struggling with knowing what data they have because it’s being generated at a rapid rate and security teams can’t keep pace. 

“While they think they are doing a good job and protecting the data that they know about…unstructured data is being created by the terabyte daily, so there’s no way for them to really keep up with where all this data is and what’s happening with it,” Wethington says. “By the time they detect this hack, the data’s been exposed.”

To combat this problem, Wethington says it’s critical for companies to know where their sensitive data is and to decide what data needs to be protected, whether as a trade secret, for regulatory reasons, or as intellectual property.

“All data is sensitive in some way, shape, or form,” he explains. “So organizations have to decide what they’re going to protect, and, to do so, they need to understand what data is in their environment.”

Companies also need to understand what applications they are leveraging to protect that data—whether it’s an off-the-shelf product or something created in house. To protect their data and ensure that they are not leaving it exposed, companies should understand how these applications interact with each other.

“Look at the process memory in these applications that have been developed internally to see if they are handling data properly,” Wethington adds. “You need to be able to look at your environment holistically, understand where all of your data is, and make a decision on what data is truly sensitive to you.”
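The data-discovery step Wethington describes, as an added example that is not Ground Labs’ code: a scanner that walks a directory tree, flags candidate payment card numbers with a regular expression, keeps only those that pass the Luhn check, and reports masked values by file. The sample files, extensions and masking format are constructed for illustration; point discover() at a real path to scan a filesystem.

```python
"""Locate sensitive data (here: payment card numbers) in a directory tree."""
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes,
# not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; weeds out order numbers and timestamps that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return normalised (digits-only) PANs found in text that pass Luhn."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep BIN and last four so the report itself does not become a data leak."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def discover(root: Path, exts=(".txt", ".csv", ".log", ".json")) -> Dict[str, List[str]]:
    """Map relative file path -> masked PANs for every text-like file under root."""
    findings: Dict[str, List[str]] = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in exts:
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        pans = find_pans(text)
        if pans:
            findings[path.relative_to(root).as_posix()] = [mask(p) for p in pans]
    return findings


# Constructed sample corpus (assumption): two valid test PANs, one 14-digit
# order number that fails Luhn, and one file with nothing sensitive.
SAMPLE_FILES = {
    "exports/customers.csv": "id,name,card\n1,Ann,4111 1111 1111 1111\n2,Bob,5500-0000-0000-0004\n",
    "logs/app.log": "2016-04-02 order=98765432109876 status=ok\n",
    "notes/readme.txt": "nothing sensitive here\n",
}


def demo() -> Dict[str, List[str]]:
    """Write the sample corpus to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, body in SAMPLE_FILES.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body)
        return discover(root)


if __name__ == "__main__":
    for rel_path, masked in demo().items():
        print(rel_path, masked)
```

The Luhn filter is what keeps the false-positive rate usable on logs and exports; in practice you would add patterns for the other data classes the organization decides are sensitive and run the scan on a schedule, since, as the text notes, unstructured data keeps arriving.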

Looking at the network environment holistically to create an integrated defensive posture is something Brvenik also says can help companies reduce their TTD.

“The trend in the space has been to buy a point solution to solve a pain you realize you have today, rather than to look at the entirety of your organization and figure out how to present a defensive posture that doesn’t suffer in silos,” he explains. 

Brvenik explains that having an integrated defense means having systems that communicate with each other. For instance, if the system knows that a firewall allowed a connection by a user whose host then communicated with three other systems, it can correlate those events and defend against the malware being introduced.

“That is a very different incident response posture than, ‘Well the operational team says that the firewall is working fine and the intrusion prevention system saw an event for a host, but it wasn’t high priority, and the antivirus didn’t report anything,’” Brvenik says. “Your response is very much dictated by that holistic view and that is the integrated defense that people need to create visibility.”

With that integrated defense approach in mind, companies should look at technologies available on the market that can help them reduce their TTD down to the hours range and then evaluate how the product would work with what they are already using, according to Brvenik.

“I think you’ll discover more breaches—maybe not to the severity that you’re dreading, but hopefully you find that they are there and you can take care of them,” he explains. “That process—integrating, looking for, and measuring—will allow you to identify the weak spots.”

Once those weak spots are identified, companies can then hire penetration testers to test their defenses so they can measure their TTD. “That’s going to improve your TTD pretty rapidly once you have visibility into where your gaps are,” Brvenik says.
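The integrated view Brvenik describes, and the TTD measurement that follows from it, as an added example that is not Cisco’s code: a small correlator reads constructed firewall, IPS and antivirus events, scores each host on signals that are individually low priority (an allowed outbound connection, a low-severity IPS signature, fan-out to three internal hosts), raises an incident when the combined score crosses a threshold, and reports the time from the first related event to the alert. Log format, field names, weights, threshold and the internal-address check are all assumptions for illustration.

```python
"""Correlate low-priority events from siloed controls into one host-level incident."""
from collections import defaultdict
from datetime import datetime
from typing import Dict, Optional

# Constructed sample logs (assumption): "<iso-time> <source> key=value ...".
# ws-114 contacts an external host, trips a low-severity IPS signature, AV says
# clean, then fans out over SMB to three internal hosts. ws-200 is a benign baseline.
SAMPLE_LOGS = """\
2016-04-11T09:02:10 fw host=ws-114 action=allow dst=203.0.113.7 dport=443
2016-04-11T09:02:41 ips host=ws-114 sig=Generic.Downloader severity=low
2016-04-11T09:03:05 av host=ws-114 result=clean
2016-04-11T09:05:30 fw host=ws-114 action=allow dst=10.0.0.21 dport=445
2016-04-11T09:05:31 fw host=ws-114 action=allow dst=10.0.0.22 dport=445
2016-04-11T09:05:33 fw host=ws-114 action=allow dst=10.0.0.23 dport=445
2016-04-11T09:10:00 fw host=ws-200 action=allow dst=203.0.113.9 dport=443
2016-04-11T09:11:00 av host=ws-200 result=clean
"""

INTERNAL_PREFIXES = ("10.", "192.168.", "172.16.")  # simplified RFC 1918 check (assumption)
WEIGHTS = {"external": 1, "ips_low": 2, "lateral": 3}  # illustrative weights
THRESHOLD = 5                                          # no single signal alerts on its own
FANOUT = 3                                             # distinct internal hosts that count as fan-out


def parse(line: str) -> Dict[str, object]:
    ts, source, *kv = line.split()
    ev: Dict[str, object] = {"ts": datetime.fromisoformat(ts), "source": source}
    for item in kv:
        k, _, v = item.partition("=")
        ev[k] = v
    return ev


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIXES)


def correlate(log_text: str) -> Dict[str, Dict[str, object]]:
    """Return per-host score, the signals that fired, and TTD in seconds (None if no alert)."""
    state = defaultdict(lambda: {"score": 0, "first": None, "alert_at": None,
                                 "signals": [], "internal_dsts": set()})
    for line in log_text.strip().splitlines():
        ev = parse(line)
        h = state[ev["host"]]
        signal: Optional[str] = None
        if ev["source"] == "fw" and ev.get("action") == "allow":
            if not is_internal(ev["dst"]):
                signal = "external"
            else:
                h["internal_dsts"].add(ev["dst"])
                if len(h["internal_dsts"]) >= FANOUT:
                    signal = "lateral"
        elif ev["source"] == "ips" and ev.get("severity") == "low":
            signal = "ips_low"
        # av result=clean adds nothing: a missing AV hit is not evidence of a clean host.
        if signal is None or signal in h["signals"]:
            continue  # each signal counts once per host
        if h["first"] is None:
            h["first"] = ev["ts"]  # earliest attacker-related event we can see
        h["signals"].append(signal)
        h["score"] += WEIGHTS[signal]
        if h["score"] >= THRESHOLD and h["alert_at"] is None:
            h["alert_at"] = ev["ts"]
    return {
        host: {
            "score": s["score"],
            "signals": s["signals"],
            "ttd_seconds": (s["alert_at"] - s["first"]).total_seconds() if s["alert_at"] else None,
        }
        for host, s in state.items()
    }


if __name__ == "__main__":
    for host, result in correlate(SAMPLE_LOGS).items():
        print(host, result)
```

Read each control’s output in isolation and ws-114 looks like the scenario in the quote above: the firewall is working as configured, the IPS event was low priority, and antivirus reported nothing. Only the joined view crosses the threshold, and the ttd_seconds field is the measurement Brvenik recommends taking during a penetration test: seed the exercise, then read how long the correlated view took to raise the incident.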

While individual companies can take action on their own, Wethington says a cultural shift is needed before TTD is reduced companywide—decreasing the amount of time that attackers have to infiltrate systems and compromise corporate data.

“Educating the end users, holding management and even the board of directors responsible for these data leaks when they do occur, I think that’s when we’ll finally see a real shift,” Wethington says. “We’ll start to see that number drop dramatically because the onus will now be back on not just the individual, but also on senior leadership to take action, make the appropriate investments, and make security a part of their normal business as usual.”