5 practices to shift the burden to the attacker
According to the 2015 Verizon Data Breach Investigations Report, there were more than 79 790 security incidents in 2014.1 Headline stories like this are well known and the data is alarming.
The pragmatic approach for organisations to fortify defences includes: acknowledging today's reality, it's an inevitability; recognising the threat landscape, as attacks can originate from outside and from within; identifying the attack paths, the routes which attackers take once inside; and limiting the breach longevity, thereby reducing attack exposure.
"Data breaches are inevitable, but an attacker is only as good as his/her ability to move through your network and access sensitive area", says Joshua C Douglas, CTO, Forcepoint.
So if preventing breaches is an impossibility, how should cybersecurity professionals focus their efforts in order to minimise the impact of an attack?
To fully understand these five practices which follow, one needs to understand the concepts of lateral movement and cyber dwell time. Understanding these concepts enables organisations to shift the threat burden to the attacker, making their assets and infrastructure a less desirable target.
Essentially lateral movement is the route the attackers follow within a network. It provides key insight into the intent and potential impact of a breach.
Usually the initial onset of malware delivery is not to extract as much intellectual property as possible, but to establish a gateway into environments that the attackers do not control. This gateway is the start of the attacker's lateral movement to gain the targeted intellectual property or control of a system. Attackers often use an individual's credentials, which allow them to move under the guise of a legitimate user. Understanding where and how this occurs is critical as it provides insights into both the intent and potential impact of an attack.
The concept of cyber dwell time is the amount of time the attacker is in your network. It begins when the attacker enters your network and continues until you eject them or they leave. Reducing dwell time as much as possible is the goal, providing the attacker with the least amount of opportunity to achieve lateral movement and remove critical data from your organisation. Research shows that attackers spend an average of 200 days inside a network before being eradicated.2
First practice is to have the fundamental security controls in place. An attacker is forced to invest greater resources in finding a way in, when basic security controls are enforced. These include, regular patching, restrictive administrative access, two-factor authentication and network segmentation, where possible. When implementing best practice security controls, a core step should be to identify high-value targets - the systems and people vital to the success of the organisation. Monitoring the security of these assets should be prioritised.
The next practice is to ensure granular visibility and correlated intelligence. Organisations should implement network monitoring functionality and collect logs from any device that records indemnity usage. This will enable the organisation to create red flags related to identity theft, data loss, and abnormal activity on a daily basis. A critical capability lies in correlating actions to every machine or user, whether on or off the network. This forensic visibility and correlated intelligence are imperative to be able to trace threats to their origin and to determine dwell time.
The third practice is that of continuous endpoint monitoring, as the majority of attacks start with the host or employee. This continuous endpoint monitoring results in contextual awareness and a perception of end-user activity, which shapes the organisation's endpoint policies. It also allows for quicker detection of malware and abnormal user behaviour.
Actionable prediction of human behaviour is the next practice. Building attack profiles, based upon an adversary's likely plan, allow an organisation to anticipate movements an attacker might take to access high-value targets. With this profile, should an attacker gain access again, you are likely to gauge the path that they would take through your system. This is critical to containing lateral movement and in reducing dwell time.
Due to media exposure or executive level visibility, high-profile employees are likely entry points into the enterprise. Knowing this, the organisation can yield actionable predictions of both normal and abnormal human behaviour to create a framework for creating zones, reducing privileges, and giving the security team the ability to combat attackers once inside the organisation's network.
Lastly, is the practice of user awareness. Educating employees, not only on corporate policies and government mandates, but also on the growing risk that advanced threats pose to the organisation, is imperative. Users who are targeted by attacks should be provided with the information about the attack, so that they can be aware of what future attacks may look like. Essentially, these users will become human intrusion detection systems.
In conclusion, Douglas notes that: "if you combine good technology and processes with great people, enterprises amplify the ability to combat advanced threats, reduce dwell time, and detect lateral movements".
Containing dwell time and being able to predict lateral movement makes it less likely for attackers to return, once they are aware of the company's ability to detect and contain the breach, as it is costly and becomes too much effort. Attackers will rather choose the path of least resistance and move on to somewhere else.
Source: INFOSEC Institute - The seven steps of a Succesful Cyber Attack - July 11, 2015