RSA 2013: Hackers will get in, so spend the money on pushing them out
While most people assume the high price tag of an advanced attack comes from the cost of gaining access to a network, intruders also spend big money maintaining that foothold. And that is where some organizations, particularly those that are high-value targets for adversaries, may want to direct their security attention.
"If you're Google, it doesn't matter how fast you run, the bear wants you," said Tim "TK" Keanini, chief research officer at nCircle, a vulnerability and risk management company.
Richard Bejtlich, CSO of incident response firm Mandiant, said often companies are unaware for weeks or months than attackers have breached their firewall and are clandestinely conducting reconnaissance or siphoning out information.
"Once they're in your enterprise, they have to be perfectly stealthy," he said. "But that's predicated on someone looking for them."
That's why he suggested organizations allot more resources to spotting the saboteurs, through technologies like network and host-based monitoring and robust logging. Then, once they're detected, make their work harder.
Bejtlich likened the challenge to physically defending a bank. The SWAT team doesn't guard the doors each day, but if there's a robbery, they're the ones coming for the crooks.
"You should apply even more pressure once they're in," he said. "They can break in all day long, but if you can catch them and kick them out, that makes it very difficult for them."
The panel suggested taking "active defense" measures to defeat the attackers. That includes leveraging deception and decoy data, or "breaking" the hackers' automation – such as inserting delays into scripts they are using – so they can't perform their activities with ease, said Christopher Hoff, chief security architect at Juniper Networks.
The hope, of course, is that if intruders believe a company is not worth the time and effort, they'll opt to go after someone else.