Eight creative strategies to address the sophisticated adversary
Joe Goldberg, security evangelist and senior manager of product marketing, Splunk
Advanced cybersecurity threats, whether they are posed by cyber criminals, hacktivists or nation-states, have been damaging organizations for years. Leveraging social engineering, spear phishing, custom malware, and stolen credentials, they have been evading detection and stealing intellectual property and customer data seemingly at will.
The recent theft of some six million Social Security numbers from the Department of Revenue in South Carolina is just one of the latest in a long string of high-profile data breaches.
So what is an organization to do? Below are some creative measures and tactics for forward-thinking security teams to implement in 2013 to better level the playing field of cyber warfare. Some of these ideas are not new and some are relatively low tech. But they all are worth a closer look.
- “Big Data” security information and event management (SIEM) solutions that index and search in real-time terabytes of log and machine data coming from both “non-security” and security sources. These solutions can use advanced correlations, statistics and math to identify the outliers and anomalies that represent the minute fingerprints of advanced threats that hide in a sea of “non-security” data. Since these SIEMs retain terabytes of unmodified historical data, they can also be used for incident investigations and forensics. Leading vendors here include Splunk and the Hadoop ecosystem.
- Signature-less, anti-malware solutions that detonate incoming email attachments and web links in virtual sandboxes to see if any malicious activity results, such as OS, browser or application exploits, or suspicious software being installed. These solutions are effective in identifying advanced malware, zero-day, and targeted APT attacks that bypass traditional, signature-based, anti-malware solutions. Leading vendors here include FireEye, Palo Alto Networks, and Proofpoint.
- Network tools that can capture and search all inbound and outbound network traffic to identify threats in real-time regardless of protocol. These tools can also be used for incident investigations, including using packet captures to get down to the body of a web mail or to view a specific attachment. Leading vendors here include Narus, NetWitness, and Solera Networks.
- Web application firewalls which can protect web-based applications from top attack vectors including SQL injection, cross-site scripting, cross-site request forgery, session hijacking, and cookie/session tampering. Given that many public-facing web applications are internally developed and may have code flaws that leave them vulnerable, this additional security layer is critical. Leading vendors here include Imperva, F5, and Citrix.
- Spear phishing employee training where employees are trained on how to identify and report spear phishing attempts so they do not click on malicious links or attachments in emails from unknown senders. Research shows that up to half of all employees will fall for a phishing attack. After a few training sessions, the number typically falls below 10 percent. Hosted offerings exist that allow organizations to automate and emulate real phishing attacks to provide visibility on susceptible employees and also educate employees in the process. Leading vendors here include PhishMe.com and Wombat Security Technologies.
- Red team exercises where a friendly third-party is retained to attempt to breach your organization. Let them try to get in using any technology and method that does not break anything. Any tool related to vulnerability scanning, penetration testing, web application exploits, or wireless network scanning is fair game. Same for any social engineering tactic, such as spear phishing or calling employees while masquerading as IT to obtain their credentials. These exercises will find your weaknesses fast so you can fix them before they are exploited.
- Honeypots, or decoy servers or systems, set up to gather information regarding an attacker or intruder into your network. Make the honeypots look realistic to an attacker and put some data on them that appears to be confidential, but is not. With no legitimate employees having, or needing, access to these systems, any traffic going to the honeypots should be investigated as being a possible threat. There are commercial and free honeypots available that cover a wide range of use cases and levels of interaction. Entities or projects offering honeypots include Atomic Software, Honeyd, and KeyFocus.
- Air-gapped network, where the confidential data is on separate network that is physically isolated from other networks. This is a drastic measure often associated with the defense and national intelligence communities. And ideally limiting credentials, VLANs, and network segmentation should suffice in place of air-gapping. But, right or wrong, employees and executives consistently fall victim to social engineering-led attacks and offer an internal beachhead from which an attacker can launch an attack. So physically separating employee machines from the confidential data may make sense for more enterprises and organizations.
Again, these are just a few clever tactics to identify and defeat advanced threats in 2013. But given today's advanced threats are creative and are constantly leveraging new technologies and exploits, you too should think originally in deploying new tactics in defense.