In the wake of recent data breaches and scandalous system compromises, a two questions have been spawned in the minds of millions: how are these companies getting hacked, and why is it that many times they are not detected in time? Maybe the heist can be attributed to a rise in threats or exposure. Many will say that technology is just evolving too fast. Eye-catching terms such as advanced persistent threats (APT) and data exfiltration have been haunting the minds and souls of corporate security professionals and systems administrators in recent years. A recent poll conducted by ISACA showed that one in five companies have been targeted by persistent threats, exposing a more persistent, intelligent and stealthy cybercriminal.
It's easy to view a breach is a one-time thing and that once one breaches the perimeter, alarms will sound as would happen in a bank heist. The truth of the matter is that, many times, once an APT breaches the perimeter, the exfiltration of data and the intrusion occurs for months undetected. This aspect is clearly seen in past reports, such as “Operation Shady RAT.” In this APT campaign, research indicated that many government entities and Fortune 100 companies had data exfiltrated by illegal perpetrators for as long as 28 months undetected.
A breach also begs the question, how can this be solved? Does that mean I need to purchase the latest and greatest intrusion detection system on the market? The answer is no. As history has shown us, security is far from a tool or appliance; it is not a software or hardware solution, but rather it is a process. Many times, large corporations will purchase intrusion detection systems and will be flooded by the chatter and false positives if it's not tuned to the business' processes and needs. Due to the flooding, security and systems administrators start tuning down and whitelisting almost everything under the sun. At the end of the day that million dollar solution is all but an expensive line conditioner and paper weight. This turns into a vicious cycle and we implement solution after solution to no avail.
So, is all lost? Far from it. The point many companies fail to understand, and many times the reason these breaches go undetected, is that the focus of security is in the ingress, or inbound stance. This focus causes companies to fortify their perimeters for inbound threats, but do little to nothing for outbound or egress traffic. Companies need to many times treat outbound connections with the same voracity as those that are inbound. Use effective filtering in both ways.
They must monitor and analyze outbound traffic to include those which many times seem harmless, such as web traffic. Understand the chatter and direction in which your applications communicate to the world. Use web filtering for clients, limit outbound connections, and whitelist with caution. That is the simple solution, if one knows its traffic and patterns within the corporate network, greater are the chances for one to catch any anomalies that might rise up from it.
The ever-evolving and continual game of security is like that of many sports we know; they're offense and defense. As in any sport, what is crucial to the victory of any team is an expression we know as home field advantage.
A team knows where the turf is harder to stride; where there are rocks and holes which can hinder their performance. That same concept needs to be applied to our networks. Our networks are our field; no one knows our network better than us, the people who maintain it. We need to use that to our advantage. Understand your traffic and identify what would be normal behavior. Use the tools and technologies at your disposal as leverage to win the never-ending security game.
