A fair percentage of clients that I have provided incident response services to over the last 12 months are operating without security or oversight on the Internet, meaning not a single person employed at that organization is solely dedicated to working on security issues. While this is common for small companies and startups, these clients matured over the years to the point where they had hundreds or thousands of employees and even more computing devices on the network. What had not occurred, however, was the investment in security commensurate with the growth of the company.
After having conducted a number of such Breach Readiness Assessments over the past year or so with customers in a variety of industry sectors – including aerospace, financial services, telecommunications, device manufacturers, and health care technology – we’ve compiled a list of the Top 10 gaps that we’ve observed during these engagements. The following list is roughly ordered by frequency of occurrence (gaps at the top were seen at more customers than those further down the list), but all were observed at numerous customers.
I just returned from a weeklong trip to Europe, where I contributed my voice to the wildly successful series of RSA Security Summits. With near unanimity in London and Zurich, the audience accepted our premise that as a result of the changing IT landscape – including cloud, mobile, big data, extended workforce, supply chains – and the realities of today’s sophisticated attackers, the approach to security in organizations needs to dramatically change. Furthermore, there was also general agreement that today’s preventive security systems, which are largely perimeter and signature-based, no longer provide sufficient defenses, and that to compensate organizations must improve their detective and response focused security controls. This quickly led to the practical and real challenge of how organizations can best make those improvements. How, in an environment of fixed security budgets, can organizations invest to create or significantly enhance their monitoring and response capabilities?
In Part I of my post on Switch Targeting, I discussed the fundamentals of how adversaries use seemingly trusted hop points as vectors in and out of primary targets, similar to how bank robbers target, stage and execute their robberies. Now I want to introduce the concept of the three “R’s”, or R3, based on my experience in the field helping organizations position themselves to detect where these switch targets may be relative to their own attack infrastructure as part of designing a Next Generation Security Operations Center (SOC). R3 is comprised of three focal areas for the Chief Information Security Officer (CISO) to consider: Readiness, Response and Resiliency.
In part 1 of this blog, “Beyond the Zero Day”, we focused on detecting malicious JVM (Java Virtual Machine) activity and identifying the ‘blob’ that was downloaded. No subsequent network activity was detected after the download, but that doesn’t discount successful malware delivery and deployment. We can certainly seize and forensically examine the host, but that might require a massive time investment for an organization, and we don’t even know what we’re looking for yet. The first place to start is by examining the Class file that kicked off the HTTP GET for our ‘blob’.
Over the last few weeks I have outlined several elements of Security Operations that are bubbling to the surface in my blog series “Next Generation Security Operations”. The series really focused on the reactive side of security management, and a key theme was the connection between nuts-and-bolts security and broader processes. A key point I wanted to communicate was not only the need for companies to remain vigilant and evaluate the detective side of security management, but also to look outside of the technical infrastructure for inputs to improve the reaction time within Security Operations. As most of my readers are GRC Practitioners, this connection stimulated some interesting conversations I had with customers from the GRC side of the house, and I hope it made some of the same connections from the security side.
Over the last few blog entries, I outlined some of the dimensions that security operations need to think about during 2013 and beyond. In some respects, this is the tip of the iceberg – there is only so much you can cover in a blog. However, I think there are some important items to put on the radar.
This blog series examines response options to an enterprise intrusion of some sort, be it by “APT” or “Hacktivists” or some other category involving a purpose-driven actor. I’ll refer to these as targeted attacks even though they are often not targeted too specifically, but that’s a different topic. These threats pose a risk to the organization that is, generally speaking, more severe than typical malware on a single system. A hacktivist attempting to discredit your company will probably have more of a business impact than a single computer infected by the Zeus crimeware trojan. Of course, that “common” Zeus infection could happen to be on a system used by someone in finance who has access to company records, as seen in actual attacks, and may indicate a major threat to your organization.
With all the recent Java Virtual Machine (JVM) exploits, a lot of attention is being focused on figuring out how best to mitigate the vulnerability. Detection has been limited to signature-based attempts, mostly firing on class names or well-known strings within the JAR/Class. While this works for the commodity malware based on pre-packaged kits like Black Hole and Redkit, a clever adversary will re-write the exploit and avoid that simple detection method.
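The two Java posts above both come down to the same artifact: the constant pool of the downloaded Class file, which holds the class names and string literals (including any hard-coded URL for the ‘blob’ GET) that signature-based detection keys on. The following is an added example, not code from the original posts or from RSA: a small Python parser for the class-file constant pool (JVM spec §4.4), used first to pull class names and string constants out of a class, then to run a constructed, kit-style signature set against two constructed class files, one with the telltale class name and URL and one after an adversary renamed the class and base64-encoded the URL. The class files are built inline (valid header and constant pool, empty body; they are not loadable bytecode), and the signature names and the `payload.invalid` URL are assumptions for illustration only.

```python
import base64
import struct

# Byte sizes of the fixed-width constant_pool entries (JVM spec section 4.4).
# Tag 1 (Utf8) is variable-length and handled separately below.
CP_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
            15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def parse_constant_pool(data: bytes) -> dict:
    """Return {index: (tag, value)} for a class file's constant pool.
    Utf8 entries are decoded to str; every other entry keeps its raw bytes."""
    magic, _minor, _major, count = struct.unpack_from(">IHHH", data, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file (bad magic)")
    pool, off, i = {}, 10, 1
    while i < count:
        tag = data[off]
        off += 1
        if tag == 1:
            (length,) = struct.unpack_from(">H", data, off)
            off += 2
            pool[i] = (tag, data[off:off + length].decode("utf-8", "replace"))
            off += length
        elif tag in CP_FIXED:
            size = CP_FIXED[tag]
            pool[i] = (tag, data[off:off + size])
            off += size
            if tag in (5, 6):      # Long and Double occupy two pool slots
                i += 1
        else:
            raise ValueError(f"unknown constant pool tag {tag} at index {i}")
        i += 1
    return pool


def utf8_at(pool: dict, index: int) -> str:
    tag, value = pool[index]
    if tag != 1:
        raise ValueError(f"index {index} is not a Utf8 entry")
    return value


def class_names(pool: dict) -> list:
    """Names referenced by CONSTANT_Class entries (this class, superclass, callees)."""
    return [utf8_at(pool, struct.unpack(">H", v)[0])
            for tag, v in pool.values() if tag == 7]


def string_constants(pool: dict) -> list:
    """CONSTANT_String literals, where a hard-coded download URL usually lands."""
    return [utf8_at(pool, struct.unpack(">H", v)[0])
            for tag, v in pool.values() if tag == 8]


# Constructed signatures in the "fire on a class name or a known string" style
# the post describes; illustrative only, not a real rule set.
SIGNATURES = {
    "kit_class_name": lambda pool: "Exploit" in class_names(pool),
    "payload_url_marker": lambda pool: any("/blob" in s for s in string_constants(pool)),
}


def signature_hits(data: bytes) -> set:
    pool = parse_constant_pool(data)
    return {name for name, match in SIGNATURES.items() if match(pool)}


def build_class(this_name: str, super_name: str, literals: list) -> bytes:
    """Construct a minimal class file: valid header and constant pool, empty body.
    Sufficient for pool parsing; it is not loadable bytecode."""
    slots = []                                  # encoded cp_info, 1-based by position

    def utf8(s: str) -> int:
        b = s.encode("utf-8")
        slots.append(b"\x01" + struct.pack(">H", len(b)) + b)
        return len(slots)

    def klass(name: str) -> int:
        slots.append(b"\x07" + struct.pack(">H", utf8(name)))
        return len(slots)

    this_idx, super_idx = klass(this_name), klass(super_name)
    for lit in literals:
        slots.append(b"\x08" + struct.pack(">H", utf8(lit)))
    slots.append(b"\x05" + struct.pack(">Q", 0x0123456789ABCDEF))  # a Long ...
    slots.append(b"")                                               # ... and its phantom second slot
    header = struct.pack(">IHHH", 0xCAFEBABE, 0, 51, len(slots) + 1)  # major 51 = Java 7
    tail = struct.pack(">HHHHHHH", 0x0021, this_idx, super_idx, 0, 0, 0, 0)
    return header + b"".join(slots) + tail


# Constructed samples (assumed names/URL): a kit-style class with telltale names
# and literals, and the same class after renaming and encoding the URL.
PAYLOAD_URL = "http://payload.invalid/blob"
COMMODITY = build_class("Exploit", "java/applet/Applet", [PAYLOAD_URL])
REWRITTEN = build_class("a", "java/applet/Applet",
                        [base64.b64encode(PAYLOAD_URL.encode()).decode()])

if __name__ == "__main__":
    for label, blob in (("commodity", COMMODITY), ("rewritten", REWRITTEN)):
        pool = parse_constant_pool(blob)
        print(label, class_names(pool), string_constants(pool), signature_hits(blob))
```

Run against a real class pulled from the network capture, `string_constants()` is the quickest way to recover the GET URL the post is after, and the second sample shows why the string-and-name signatures in `SIGNATURES` stop firing once the author renames the class and hides the literal; the parser is what lets you pivot to behaviour (which JDK classes the pool references) instead of fixed strings.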
Years ago, companies had to worry about the “brick and mortar” threats – physical theft, property destruction, natural disasters. Next, it was the “bits and bytes” threats – intellectual property theft, website defacement, denial of service attacks. Now, there is a new element to our threat landscape – the “flesh and blood” threats. I don’t mean personal physical attacks but rather attackers exploiting an individual for nefarious purposes.