The Cyber Protection Equation
© 2014 FrontLine Security (Vol 9, No 3)

Although Henry Ford wasn’t referencing network security when he said “getting ready is the secret of ­success”, his words are particularly appropriate when talking about keeping the cyber world safe. Despite all available security precautions, it’s just a matter of time before a breach happens – and when it does, the fallout is significant.

As a sign of the vulnerable times we live in, 2014 has been dubbed “The Year of the Breach.” Of course, we’ve heard that before. We see more sophisticated and more costly breaches every year. If recent discoveries about some of the leading retailers are any indication, that trend isn’t going to change ­anytime soon.

And it’s worldwide. Our research shows Russian hackers taking aim at government, military, and security operations – gleaning information that would likely benefit the Russian government. We have also uncovered political hacktivists in Iran, who appear to be conducting full-out espionage against Iranian dissidents and U.S. defense firms.

But it is not always about spying, sometimes hackers want access to their victims’ bank accounts. Other times, they may be after IP-related details. And the frightening fact is, it doesn’t matter how many ­millions of ­dollars are spent on security measures – targets of all shapes and sizes have fallen victim to zealous hackers with an agenda.

Of course, there is the enormous financial hit of a breach to consider, with untold amounts of money spent on mitigating the losses. But there are other costs to consider. Following a breach, businesses face losing customers and credibility – intangibles that are very difficult to put a price tag on.

Be Prepared
Standard breach timelines repeatedly show that most companies are not prepared for a network attack. Discovery might take minutes or months, but regardless, it takes time to determine the depth and the damage.

What’s to blame? Unprotected networks? Failed technology? Lack of staff? Any of these could shoulder the responsibility of a data breach. Put all of them together and you may as well personally hand over your password to attackers.

But is blaming the “perimeter” the right answer? Just as first responders will shore up the perimeter of a disaster by putting defenders around the scene, corporations large and small focus their efforts on protecting the network. Resources are dedicated to keeping the bad stuff out and protecting what’s inside. Restricting access is definitely a good move and must be part of the solution.

But what if something breaches that carefully laid-out defense? There’s nothing left to mitigate the attack, because all the resources were dedicated to prevention.

First Responders
What if that equation changed? What if, instead of investing everything in keeping a network protected, we dedicated equal resources to incident response?

Breaches happen. The key is not to invest 100% in preparing for a breach; we need to prepare equally to respond.

Three key factors can help when a security incident occurs: a mix of reliable intelligence feeds; data capture and analysis tools; and the ability to anticipate and adapt.

Reliable intelligence. An intelligent alerting system, which is threshold-based and sends out alerts before problems even exist, offers a first glimpse into potential threats. This same system can trigger other actions when an alert is generated, whether it’s sending emails to specific groups or notifying other work flow systems that something out of the ordinary has occurred. Understanding the nature of a threat, and how to use that information to assess risk, is critical to preparing a response. Who is likely to attack and what would they be after? What could possibly be exposed? A solid threat analytics platform can help answer these questions.

Analysis tools. This seems obvious, but there are two parts to this requirement. Clearly technology needs to be able to capture and provide endpoint data. It also should provide forensic tools to investigate where, when and how a breach happened. But part of the arsenal includes security analysts, who need to be well trained in how to reverse engineer. Just like first responder training covers all aspects of emergency preparedness, analysts need training to respond quickly and confidently regardless of who breaches the perimeter and what they are after. When a breach happens, security analysts have to be prepared to run a large-scale investigation and remediation effort.

Assessment. Attackers don’t rely on the status quo. They’re continually adapting their approach to find new ways to exploit weaknesses, which means anyone with a computer need to continually assess and adapt as well. Review the value and relevance of each security tool, anticipate when it will be out-of-date, and adapt to keep pace. For example, not long ago, we relied on firewalls to keep networks safe. It didn’t take long for hackers to circumvent them, making some anti-virus protection obsolete almost as quickly as it appeared. The ability to be nimble and change with the current threat landscape is essential.

Of course, this is not an extensive list. There are plenty of other steps to an effective incident response plan, but these key elements are a strong start. It’s important to note that all of these need to be in place before a breach happens. Once attackers have found their way into a network, it’s too late. You can’t capture the past. You can’t fully analyze the events that led to the breach because of the many unknowns. Vulnerabilities may have been exploited and modified for future uses. You’re forced to try to clean up without hope of mitigating damages.

The bottom line? Technology alone won’t defeat a determined attacker. Threat actors can find their way into even the most up-to-date systems. Companies need a multi-pronged approach to network security that includes detection, prevention, analysis and resolution strategies. Those who can be adaptive and formulate a strong incident response strategy will find themselves better prepared to respond to a breach quickly, effectively, and – ideally – with as little impact to its customers, its checkbook and its credibility as possible.

Robert Masse is a Director at Mandiant Security Consulting Services.
© FrontLine Security 2014