Any security programme should start by finding out who is already inside the company. Once any company reaches a certain size, someone will find a way in.
This is according to Richard Bejtlich, CSO of Mandiant, during his keynote at the ITWeb Security Summit.
He says two-thirds of the time, someone will tell an organisation they have been infiltrated; one-third of the time they will discover it for themselves. “However, this is an improvement, as last year, up to 90% of the time it was an outsider, either a peer or law enforcement, who would have informed a company it has been breached.”
He says break-ins can be roughly broken down into the following attack vectors: 75% break in via phishing; 20% come through Internet-facing computers attacked via an SQL vulnerability; and around 5% are breached through a malicious insider or compromised hardware such as flash drives.
Bejtlich says once a company is aware of who is inside, the next step is to consider whether to contain, or watch. “If this is the first breach, there is no real value in immediately trying to contain it. Bear in mind, by this stage an attacker will have been inside for around eight months. They will already have what they need, and will have installed malware on around half your computers. All you’ll effectively be doing is tipping them off.” He says to consider a comprehensive response instead. Find out each place they are, and which systems are compromised. “Then hit them with a ‘big bang’ remediation. Enlist all staff, and in one fell swoop, disconnect from the Internet, take all PCs that were accessed offline, change all usernames and passwords, and patch what you can.”
However, even after these actions, it is still likely the attackers will have some access. He cited examples of companies Mandiant has assisted, where around 37% of attackers came back in, after vanishing for about six months. “Sometimes they come in directly at the company, sometimes through a third party or a partner.”
Bejtlich says there are four ways to discover a breach. Firstly, use a cloud-based solution, or a company that monitors command and control servers used by intruders.
“Secondly, use the network. Put sensors on the network and look for activity going to remote systems. Security Onion offers a great open source monitoring product for free.”
Thirdly, he advises looking at threat logs. “Look at application logs, logs from systems. Collect and analyse the information. Again, you don’t need to buy software such as Splunk; Security Onion again has a free open source version that does the collection, and leaves the analysis for you.”
Finally, he says to look at the endpoint. “This is the most difficult to deal with, as to do it effectively involves interrogating the endpoint. The alternative is to put an agent onto the system, which queries the system, and will tell you if it has been compromised.”
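The network and log steps above leave the analysis to the defender. As an added example, not code from Bejtlich's talk or from Security Onion, the script below parses constructed connection log lines and flags source/destination pairs that check in on a near-fixed schedule, the kind of “activity going to remote systems” that points to command-and-control traffic. The log format, addresses and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed connection log (not from the article); one line per connection:
# "<ISO timestamp> <src_ip> -> <dst_ip>:<port>"
SAMPLE_LOG = """\
2013-05-07T09:00:00 10.0.0.5 -> 203.0.113.10:443
2013-05-07T09:00:03 10.0.0.5 -> 198.51.100.7:80
2013-05-07T09:05:00 10.0.0.5 -> 203.0.113.10:443
2013-05-07T09:07:41 10.0.0.9 -> 198.51.100.7:80
2013-05-07T09:10:01 10.0.0.5 -> 203.0.113.10:443
2013-05-07T09:12:19 10.0.0.5 -> 198.51.100.7:80
2013-05-07T09:15:00 10.0.0.5 -> 203.0.113.10:443
2013-05-07T09:19:58 10.0.0.5 -> 203.0.113.10:443
2013-05-07T09:25:00 10.0.0.5 -> 203.0.113.10:443
2013-05-07T09:33:02 10.0.0.9 -> 198.51.100.7:80
2013-05-07T09:34:10 10.0.0.9 -> 198.51.100.7:80
2013-05-07T10:02:55 10.0.0.9 -> 198.51.100.7:80
2013-05-07T10:03:30 10.0.0.9 -> 198.51.100.7:80
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+)$")

def parse_connections(log_text):
    """Return {(src, dst): [timestamps]} from the assumed log format."""
    conns = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the format
        conns[(m.group(2), m.group(3))].append(datetime.fromisoformat(m.group(1)))
    return conns

def find_beacons(log_text, min_connections=5, max_jitter=0.1):
    """Flag (src, dst) pairs whose connections recur at near-constant intervals.

    Jitter is the standard deviation of the gaps between connections divided by
    their mean: a tight schedule gives a small value. Thresholds are assumptions.
    Returns a list of (src, dst, mean_gap_seconds, jitter)."""
    hits = []
    for (src, dst), times in parse_connections(log_text).items():
        if len(times) < min_connections:
            continue  # too few connections to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg > 0 else float("inf")
        if jitter <= max_jitter:
            hits.append((src, dst, round(avg), round(jitter, 3)))
    return hits

if __name__ == "__main__":
    for src, dst, gap, jitter in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}: every ~{gap}s, jitter {jitter}")
```

Only the 10.0.0.5 to 203.0.113.10 pair is flagged; the irregular 10.0.0.9 traffic has enough connections but no steady cadence, which is what separates a beacon from ordinary browsing.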
He says it is vital to keep sweeping until you have uncovered all the infected systems.
According to Bejtlich, there are two ways to know if you are doing a good job. “There are two metrics I track. Firstly, how many incidents have I had in the past year, and how do I classify them. DDOS? Intrusion? Lost or stolen devices? A company must be able to answer those questions.”
He says the second metric is to work out how long it took from detection to containment. Detection and containment can be done through better software, better rules of engagement, and better asset management – essentially, improved practices.
Many people start their security programme considering what could happen to them, Bejtlich concludes. “More important is to find out what they are doing to you now. Use that to prioritise your defences, and then go into the theoretical stuff.”