– “UPS reveals Data Breach” –
– “Target loses 110 Million Bank Card Numbers” –
– “Russians Hack JP Morgan Chase” –
Just a couple of recent headlines. And the list goes on…
We read about new security incidents virtually every day. It is almost a free marketing machine for professionals and vendors in the security space. But before running out the door to buy the latest and greatest in what the market has on offer today, let’s take a closer look at why and how these breaches occur and what areas to focus on to minimize the threat to your organization.
In most of the incidents we see, the target is data, including credit card information, bank account numbers, customer information, user credentials or any other type of sensitive information.
In many cases, these attacks can be characterized as unsophisticated (as in the recent iCloud brute force attack). Actors use common hacking toolkits that are readily available on the Internet to perform scans that help them find open ports, craft packets a firewall will let through, or detect vulnerabilities in a network environment. When they find something, they dive into it and occasionally hit the jackpot, discovering an open directory with customer information for a well-known brand.
Although these unsophisticated attacks can be very damaging for a company, they tend to be random. In that respect, falling victim to them is a combination of bad luck and poor security practices rather than anything else. This is different with more sophisticated and targeted attacks.
Companies can be targeted for many reasons, ranging from political or ethical motives (for instance concerning child labor or ill-perceived market domination) to personal or commercial gain. Whatever the reason, when your company is targeted by an attacker or group of attackers, the threat is far greater. For one thing, the attackers are focusing on just one target, allowing them to exhaustively explore possible vulnerabilities (as such, sophisticated attacks do not have to be truly advanced). But above all, these attackers are motivated, determined and persistent: persistent in reaching their goal and willing to do whatever is needed.
“Nothing in the world can take the place of persistence…Talent will not; nothing is more common than unsuccessful men with talent. Genius will not; unrewarded genius is almost a proverb. Education will not; the world is full of educated derelicts. Persistence and determination alone are omnipotent.” - Calvin Coolidge
This persistence lays the basis for what is often referred to as an Advanced Persistent Threat (APT for short). What makes these types of attacks so dangerous is that the attackers have a goal and – in most cases – a plan on how to reach that goal. Such a plan goes beyond technical tools and tricks; it also contains a good deal of social engineering. Social engineering tactics play on human psychology: the facts an attacker already knows are used to gain trust and cleverly fish out additional pieces of information.
In most cases, these attacks start with a single e-mail message to a person or persons whose credentials seem valuable. This is called phishing or, when aimed at specific individuals, spear phishing. It is easy to make such an e-mail appear to be sent by someone the recipient knows and trusts. And, if written well, the e-mail will not raise any suspicion when enticing the reader to click a link or open an attachment. That simple action will insert the first malware into the target environment, ranging from key-loggers and remote access Trojans to (variations of) ZeuS malware, in order to steal employee credentials.
Other courses of action they may take are in the realms of recruiting an insider, targeting a partner organization with rights in the enterprise or even going as far as placing an insider into the organization. Insiders in this respect are people who rightfully hold accounts in the enterprise, either as an employee, contractor or partner, and are willing to misuse their credentials to support the attack.
Once the attackers are in, they will exploit all the access they have to increase their level of control in the environment. In FBI-reported cases where US banks and credit unions were targeted, the actors even went as far as following online courses on the company’s intranet to familiarize themselves with proper procedures and policies. They misused credentials to raise credit limits and select accounts with the highest balances before initiating overseas transactions. By gaining full control over the wire transaction process, the actors were able to transfer sums between $400,000 and $900,000 per transaction.
So, how do we protect ourselves against those types of attacks? Let’s stick with the last example to assess that. Following these incidents, the FBI compiled a list of recommendations made to financial institutions.
As logical as the (not exhaustive) list may seem, its practices and measures are not implemented in many organizations today. Nor are they being enforced and actively monitored. And given the sheer size and complexity of larger global IT environments, that is even understandable in most cases.
‘How to begin?’ and ‘Where to start?’ are questions many security officers are still struggling with. The answer depends very much on your current situation, maturity level and type of organization. However, some general observations and recommendations can be made in that respect.
Our digital world has undergone some significant changes in the past decade. The omnipresence of ‘anytime/anywhere’, ‘everything as a service’, ‘mobile computing’ and ‘bring your own device’ has created a world that is hard to control. The services and data you need to protect can literally be anywhere. Users expect to be able to have access no matter where they are or which device they happen to use at the time.
The one thing that best serves as a linking pin connecting all the dots is the individual (or identity) using the device to access your data and services. Therefore, I am a big advocate of an Identity Centric Security approach. Below I will visit five areas worth looking into, taking the identity-centric approach as a starting point.
1. Increase Awareness
a. Ensuring people have the right entitlements;
b. Enforcing access controls to authenticate users and grant appropriate access;
c. Monitoring the user activity once access has been granted.
next step is an integration of these domains to facilitate more context-aware and intelligent monitoring capabilities. The first two domains are linked almost by nature: you cannot grant access to a person if you don’t know which entitlement that person has.
Utilizing that information in your monitoring environment, however, is much rarer – but also very powerful. Many provisioning systems need time before a change in entitlements is enforced in all target systems. But when your monitoring solution knows about the entitlement change, misuse during that window can be detected with a simple correlation rule.
Or think of a scenario where your SIEM solution alerts you to anomalous activity in system XYZ. In most cases, the best you get is an account name. Now imagine you can directly tie that account name to the person behind it, see their position in the organization, get an overview of other accounts they have, assess the activity in this account, and so on. That allows you to make an actual threat assessment in seconds, after which you can directly take appropriate action.
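The two scenarios above, the provisioning-lag correlation rule and the identity-enriched SIEM alert, as a small added example (not from the original post). The identity store, IAM change log and access events are constructed sample data; the entitlement name WIRE_APPROVE and the account names are made up for illustration.

```python
from datetime import datetime

# Constructed identity store: account -> the person behind it and their other accounts.
IDENTITIES = {
    "jdoe": {"person": "Jane Doe", "role": "Wire Clerk", "accounts": ["jdoe", "jdoe-adm"]},
    "bsmith": {"person": "Bob Smith", "role": "Branch Teller", "accounts": ["bsmith"]},
}

# Constructed IAM change log: (timestamp, account, entitlement, action).
IAM_CHANGES = [
    ("2014-09-01T08:00:00", "jdoe", "WIRE_APPROVE", "grant"),
    ("2014-09-03T17:30:00", "jdoe", "WIRE_APPROVE", "revoke"),
    ("2014-09-01T08:00:00", "bsmith", "WIRE_APPROVE", "grant"),
]

# Constructed target-system access events: (timestamp, account, entitlement used).
ACCESS_EVENTS = [
    ("2014-09-02T10:15:00", "jdoe", "WIRE_APPROVE"),    # inside grant window: fine
    ("2014-09-04T09:05:00", "jdoe", "WIRE_APPROVE"),    # revoked in IAM, still live in target: misuse
    ("2014-09-04T09:06:00", "bsmith", "WIRE_APPROVE"),  # still granted: fine
    ("2014-09-04T09:07:00", "ghost", "WIRE_APPROVE"),   # account the IAM system has never heard of
]

def entitled(account, entitlement, when_iso):
    """Replay the IAM log up to `when_iso`; the most recent grant/revoke decides."""
    when, state = datetime.fromisoformat(when_iso), False
    for ts, acct, ent, action in sorted(IAM_CHANGES):  # ISO timestamps sort chronologically
        if acct == account and ent == entitlement and datetime.fromisoformat(ts) <= when:
            state = action == "grant"
    return state

def correlate(events=ACCESS_EVENTS):
    """Alert on every event not backed by a current IAM entitlement, with identity context."""
    alerts = []
    for ts, account, entitlement in events:
        if entitled(account, entitlement, ts):
            continue
        who = IDENTITIES.get(account, {})
        alerts.append({
            "time": ts, "account": account, "entitlement": entitlement,
            "person": who.get("person"), "role": who.get("role"),
            "other_accounts": [a for a in who.get("accounts", []) if a != account],
            "reason": "no current entitlement in IAM" if who else "account unknown to IAM",
        })
    return alerts

if __name__ == "__main__":
    for alert in correlate():
        print(alert)
```

Each alert already carries the person, role and sibling accounts, so the analyst starts from a threat assessment rather than from a bare account name.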
Insider threat goes far beyond employees who have bad intentions. In most cases, careless or unaware employees pose a much bigger risk to organizations. By focusing on the user identity, making sure no excess privileges are granted and monitoring actual behavior to detect abnormal activity, you take an important step toward guarding your organization against sophisticated and targeted attacks. When combined with ongoing (or repeated) user awareness programs and adoption of proven security best practices, your company will be a much harder target to crack.