When tens of thousands of security professionals and exhibitors gather each year in San Francisco for the annual RSA Conference, the mood typically is one of hope and promise. Keynotes, session tracks and vendor pitches traditionally promote the ideal that, while today's adversaries are worthy, cunning and deep-pocketed, they can be kept at bay with the right combination of people, policies and processes.
But just days before this year's installment was set to open in February, hackers infiltrated the network of HBGary Federal to expose the sometimes-embarrassing email communications of the security services firm and its sister company, HBGary. The incident certainly placed a damper on the proceedings in the City by the Bay.
“I think people expect basic companies to which security is not core to be more vulnerable,” says Josh Corman, a research director at The 451 Group. “But I think that was a smack to the head to say security companies are potentially as prone to attack. It got very real, very quickly.”
The news didn't get any cheerier after the conference closed, with revelations that at least two other high-profile security firms, RSA and Comodo, sustained precision attacks that, at the very least, demonstrated the ease by which criminals can claim proprietary information that doesn't belong to them.
Which all begs the question: Is today's security model fundamentally broken? Some experts believe it is.
But the more pressing question may, in fact, be: Should organizations housing valuable assets accept the inevitable – that their systems will be successfully penetrated, if they haven't already – and instead face their fate by focusing efforts around limiting the damage and forcing the attacker to expend more resources than they would like?
It is a difficult question to answer “no” to, especially considering recent developments (including email marketing firm Epsilon's massive breach), and going back to last year's stealthy “Aurora” compromises, in which Google and a number of other Fortune 100s were successfully penetrated by what has come to be known as the advanced persistent threat (APT).
“Anyone who thinks if they are specifically targeted that they're going to be able to keep the bad guys out, they're naïve to the point of stupidity,” says Mike Rothman, analyst and president at Securosis, a security consulting firm. “If your organization possesses something that is going to be of interest to a nation-state, you can pretty much guarantee you're already compromised.”
A CISO's perspective
Larry Whiteside, CISO of the Visiting Nurse Service of New York, is responsible for information security at an organization that has never been specifically targeted in an attack. But that hasn't stopped the 38-year-old from being realistic about the current threat landscape – that he and his team are powerless to some extent.
“The big thing is [criminals are] getting smarter at a faster rate than security is,” Whiteside says. “It's an uphill battle that we as security professionals are constantly striving to get ahead of. I just don't know that we can.”
Visiting Nurse Service (VNS), with about 8,000 users, is the largest nonprofit home health care provider in the country. Its mission is to provide residential health aides to tens of thousands of patients, and it serves the five boroughs of New York and neighboring Westchester and Nassau counties.
With no intellectual property to protect, VNS certainly is no Google. But, with personal health information becoming increasingly attractive for cybercriminals wanting to conduct medical identity theft, VNS is a ripe target nonetheless. And while no malware has ever infiltrated the network in Whiteside's 3½-year tenure, he understands that relying on perimeter defenses is an outmoded way to think about fortifying his network.
Instead, he entrusts a healthy chunk of his security arsenal to patch, configuration and standards management.
“I don't think putting an APT protection device in your environment is the answer,” he says. “I think that is one small part of a much larger issue. When I go look at the tools, it's not that the tools don't have validity, but there's a good percentage of things you could stop right away if you have good patch management, configuration management, even turning on egress filtering. It's a mandatory piece of my security infrastructure to be able to allow out only what needs to be allowed out.”
Whiteside has developed a standard model for how VNS' systems should be configured, and he uses a scanning tool from eEye Digital Security to profile ports, services, operating system levels, vulnerabilities and patches to ensure they are in “compliance.”
But don't be deceived by Whiteside's use of the term. Sure, VNS is hamstrung by a number of regulatory mandates, but he values standards management above any government edict.
That is a lesson more end-users – and vendors – should take to heart, says Corman of The 451 Group. He says many well-resourced organizations are falling victim to advanced malware attacks because the security industry is suffocated by a compliance focus. Yet, Corman estimates that at least half, possibly all, of the Fortune 100 have had intellectual property stolen by digital crooks.
“We're wildly underprepared to protect our secrets,” Corman says. “I'm not sure anyone can protect themselves and their IP.”
Corman has a particular distaste for the Payment Card Industry Data Security Standard (PCI DSS), a 12-step, prescriptive baseline for protecting credit and debit card information. He says that while the guidelines have helped organizations more seriously consider data protection as a business imperative, they also have boiled security down to a least common denominator. As a result, businesses, particularly the middle market without the budget to purchase advanced analytical and detection tools, have suffered.
“The attacker knows you're compliant and they do not care,” Corman says. “They're not going to use techniques that are easily detectable by that very, very low bar. We are in serious need of an upgrade in the way we approach and do information security. There is a very large gap that needs to be reassessed.”
If no action is taken – Corman believes more products need to be developed that contribute to situational awareness – the security market risks becoming a punch line. “If we're not careful, we're going to be the TSA (Transportation Security Administration),” Corman says. “Everyone knows the TSA is theater, but everyone in our industry thinks we're better than theater. Let's stop thinking we're going to prevent these [advanced attacks] with the current stuff.”
A game of economics
For as sophisticated and well-funded as today's adversaries are, they typically gain entry inside an organization through the age-old tactic of social engineering.
Ryan Kazanciyan, principal consultant for MANDIANT, a vendor that responds to about 35 APT-style attacks per month at some of the world's largest organizations, says a majority of the cases result from a targeted user being phished.
While many businesses choose to invest in user education so employees don't click on a legitimate-looking attachment or link, it takes just one duped user to infect the network, he says.
Where organizations can flip the equation back in their favor is by making the attackers have to work much harder once they establish their initial foothold. “Success is as much of a game of rapid detection and response and containment versus 100 percent bulletproof security because that's just not realistic,” Kazanciyan says. “The key is to make it as expensive as possible to maintain a presence in your environment and steal data. It's absolutely an economics thing.”
Organizations must learn from each compromise, he says. To do that, they should search for indicators of infection through network analysis and host-based forensics. When investigating a breach, organizations must “fully scope the compromise,” reviewing which systems and accounts were accessed, which tools and network addresses were used, and what data was stolen. Kazanciyan also advises victims not to tip off attackers that they are on to them, or risk the adversary changing tactics to again avoid detection.
“The idea is if you are proactively looking for indicators of compromise, maybe you detect that successful attack within days or weeks rather than months or years,” he says.
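The hunt-then-scope workflow Kazanciyan describes, as an added example that is not the article's or MANDIANT's code: a small scanner that checks constructed host and proxy log lines against a constructed indicator set, then builds the scope of the compromise (hosts, accounts, external addresses, tool indicators, bytes out, first and last activity). The log format, host and account names, the TEST-NET address and the placeholder hash are all invented for illustration.

```python
"""Hunt for indicators of compromise in log lines, then scope the intrusion.

Added example; log layout, IOC values and names are constructed placeholders.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime

# Constructed indicators (not real IoCs): a stand-in C2 address from the
# TEST-NET-3 range, a placeholder file hash and a look-alike process name.
IOCS = {
    "ip": {"203.0.113.77"},
    "sha256": {"a" * 64},
    "process": {"svch0st.exe"},
}

# Constructed log lines: "<timestamp> <source> key=value key=value ...".
SAMPLE_LOGS = [
    "2011-03-01T09:12:01Z proxy host=ws-114 user=jsmith dst=203.0.113.77 bytes_out=4812",
    "2011-03-01T09:12:40Z edr host=ws-114 user=jsmith proc=svch0st.exe sha256=" + "a" * 64,
    "2011-03-01T10:03:15Z proxy host=ws-114 user=jsmith dst=198.51.100.10 bytes_out=120",
    "2011-03-02T22:45:09Z edr host=srv-fs01 user=svc_backup proc=svch0st.exe sha256=" + "a" * 64,
    "2011-03-03T01:17:33Z proxy host=srv-fs01 user=svc_backup dst=203.0.113.77 bytes_out=7340032",
    "2011-03-03T08:00:00Z proxy host=ws-207 user=alee dst=198.51.100.10 bytes_out=900",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<kv>.*)$")


def parse_line(line):
    """Turn one constructed log line into a dict of fields, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    fields["ts"] = m.group("ts")
    fields["source"] = m.group("src")
    return fields


def match_iocs(fields, iocs):
    """Return (kind, value) pairs for every indicator this record matches."""
    hits = []
    if fields.get("dst") in iocs["ip"]:
        hits.append(("ip", fields["dst"]))
    if fields.get("sha256") in iocs["sha256"]:
        hits.append(("sha256", fields["sha256"]))
    if fields.get("proc") in iocs["process"]:
        hits.append(("process", fields["proc"]))
    return hits


@dataclass
class Scope:
    hosts: set = field(default_factory=set)
    accounts: set = field(default_factory=set)
    external_addrs: set = field(default_factory=set)
    tool_indicators: set = field(default_factory=set)
    bytes_out: int = 0          # bytes sent to matched external addresses
    first_seen: str = ""
    last_seen: str = ""
    hits: list = field(default_factory=list)


def scope_compromise(lines, iocs=IOCS):
    """Scan every line for indicators and aggregate the matches into a Scope."""
    scope = Scope()
    for line in lines:
        f = parse_line(line)
        if not f:
            continue
        hits = match_iocs(f, iocs)
        if not hits:
            continue
        scope.hosts.add(f["host"])
        scope.accounts.add(f["user"])
        for kind, value in hits:
            if kind == "ip":
                scope.external_addrs.add(value)
            else:
                scope.tool_indicators.add(value)
        if "bytes_out" in f and any(kind == "ip" for kind, _ in hits):
            scope.bytes_out += int(f["bytes_out"])
        scope.first_seen = min(scope.first_seen or f["ts"], f["ts"])
        scope.last_seen = max(scope.last_seen, f["ts"])
        scope.hits.append((f["ts"], f["host"], hits))
    return scope


def dwell_days(scope):
    """Whole days between the earliest and latest matched activity."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    first = datetime.strptime(scope.first_seen, fmt)
    last = datetime.strptime(scope.last_seen, fmt)
    return (last - first).days


if __name__ == "__main__":
    s = scope_compromise(SAMPLE_LOGS)
    print(f"hosts={sorted(s.hosts)} accounts={sorted(s.accounts)} "
          f"c2={sorted(s.external_addrs)} bytes_out={s.bytes_out} "
          f"dwell_days={dwell_days(s)}")
```

The scope is what drives containment: every host and account in it is treated as compromised and handled in one coordinated move rather than one at a time, which is the practical form of the advice above not to tip off the attacker with piecemeal cleanup.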
Rothman of Securosis agrees. “Until you know where the issue is, you've got no shot,” says Rothman, who recommends full-packet capture, egress filtering, data-flow tracking, access restrictions to compromised devices, and network segmentation as helpful detection and remediation tools.
“I would make the assumption that the attackers are there,” Rothman says. “I want to acknowledge that they're there and put them in a box as well as I can, and I want to monitor everything they're doing.”
The future of cybercrime fighting
Salvatore Stolfo, professor of computer science at Columbia University in New York, believes the IT industry is a long way from becoming dependable. He pins this on the fact that system creators are unable to measure their resiliency.
“This area lacks precision and science,” he says. “It's mostly ad-hoc. It's not like building a physical system, like a bridge, where you can estimate its lifespan, capacity and ability to resist wind. There's no metric to security. You can't apply mathematical formulation and rate the security of a system. Imagine if we had that, you'd be able to make rational decisions over which system and security is better. If we had that ability, then problem solved.”
So, as users await algorithms that could be decades away, Stolfo says the security industry must up the ante, drop conventional wisdom for a moment and think like a contrarian. One idea Stolfo suggests is what he calls “fog computing,” in which infected organizations mix decoy data with actual data that the attackers are trying to hijack.
“Let them break through – because they're going to break through – and then give them something that's going to poison them,” Stolfo says.
This tactic accomplishes two things: First, organizations limit the amount of real data that leaves their walls and, second, arguably more importantly, they are able to measure the course, cost and effort of the adversary.
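One concrete way to build the decoy-data approach described above, as an added example that is not the article's or Professor Stolfo's code: real records carry a random suffix on their identifier, decoy records carry a keyed HMAC tag in the same position, so only a party holding the key can tell them apart. A triage function then classifies whatever was found leaving the environment, which gives both of the measurements the paragraph mentions: how much real data left, and a high-confidence alert whenever a decoy does. The record layout, field names, patient-like sample values and the secret key are all constructed for illustration.

```python
"""Seed a data set with defender-recognisable decoy records and triage a leak.

Added example; record layout, names and the key below are constructed placeholders.
"""
import hashlib
import hmac
import random

DECOY_KEY = b"constructed-defender-only-secret"   # placeholder; keep out of the data store
TAG_LEN = 8
NAMES = ["A. Rivera", "B. Chen", "C. Okafor", "D. Kowalski", "E. Haddad"]


def _tag(base, key):
    # Keyed tag over the base identifier. Without the key a decoy suffix is
    # indistinguishable from the random suffix that real records carry.
    return hmac.new(key, base.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]


def _fake_fields(rnd):
    # Plausible-looking but invented patient-style fields.
    return {
        "name": rnd.choice(NAMES),
        "dob": f"19{rnd.randrange(30, 90):02d}-{rnd.randrange(1, 13):02d}-{rnd.randrange(1, 29):02d}",
    }


def make_real_record(seed):
    """A constructed 'real' record: random, meaningless 8-hex suffix."""
    rnd = random.Random(f"real-{seed}")
    base = f"P{rnd.randrange(10**6):06d}"
    suffix = f"{rnd.getrandbits(32):08x}"
    return {"id": f"{base}-{suffix}", **_fake_fields(rnd)}


def make_decoy_record(seed, key=DECOY_KEY):
    """A decoy record whose suffix is the keyed tag of its base identifier."""
    rnd = random.Random(f"decoy-{seed}")
    base = f"P{rnd.randrange(10**6):06d}"
    return {"id": f"{base}-{_tag(base, key)}", **_fake_fields(rnd)}


def is_decoy(record, key=DECOY_KEY):
    """True only if the suffix equals the keyed tag (constant-time compare)."""
    base, sep, suffix = record["id"].rpartition("-")
    return bool(sep) and hmac.compare_digest(suffix, _tag(base, key))


def seed_decoys(real_records, n_decoys, key=DECOY_KEY, shuffle_seed=0):
    """Mix n_decoys decoy records into the real ones and shuffle the result."""
    mixed = list(real_records) + [make_decoy_record(i, key) for i in range(n_decoys)]
    random.Random(shuffle_seed).shuffle(mixed)
    return mixed


def triage_leak(leaked_records, key=DECOY_KEY):
    """Classify records seen in an outbound transfer or a recovered dump."""
    decoys = sum(1 for r in leaked_records if is_decoy(r, key))
    real = len(leaked_records) - decoys
    return {
        "real": real,
        "decoy": decoys,
        "alert": decoys > 0,   # a decoy leaving is a signal with no benign explanation
        "real_fraction": real / len(leaked_records) if leaked_records else 0.0,
    }


if __name__ == "__main__":
    real = [make_real_record(i) for i in range(10)]
    data_set = seed_decoys(real, n_decoys=10)
    print(triage_leak(data_set[:8]))   # triage of a constructed partial leak
```

The design choice worth noting is that the defender never has to store a list of decoy identifiers: the key alone recovers the classification, so the decoy set can be regenerated or rotated without touching the production data store.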
Looking at the success of advanced malware from a more macro level, perhaps the celebrity hacker subculture also is partially to blame. Marc Maiffret believes it is. He says events such as the annual Black Hat Briefings conference, at which speakers often parade onto the stage like famous stars to present their zero-day findings, contribute to a lack of interest in defensive disciplines.
Maiffret is no stranger to the stardom that can be cast on a hacker prodigy, having discovered a number of major vulnerabilities in Microsoft products, including the hole that enabled the Code Red worm, before he was even old enough to drink. In 1999, he was featured on MTV's True Life: I'm a Hacker and later was named to People's “30 People Under 30” list.
But after a while, the allure of finding security bugs grew old.
“I kind of got sick of it and I don't know if it's helping people,” says Maiffret, who now is CTO of Irvine, Calif.-based eEye. “It's 100 percent that it's easier to do. That's not in any way to discredit [vulnerability researchers]. But it is definitely more straightforward to find the next Adobe buffer overflow compared to making technology to keep Adobe secure from being leveraged by hackers.”
Now, his focus is on developing defensive technologies – such as eEye's vulnerability management offerings, used by Whiteside of VNS. In his view, organizations should already operate under the assumption that they have been compromised by zero-day flaws, which makes defensive research that much more important.
“I always encourage people who are really good at these things to give the defensive side a try,” Maiffret says. “It's hard, but that's also what makes it intellectually challenging.”
Some talented security researchers are plying their skills to defense. For example, the company Immunity recently released El Jefe, an open-source, Windows-based process-monitoring solution that allows users to quickly detect suspicious behavior.
Back at Visiting Nurse Service of New York, Whiteside adopts Maiffret's supposition that adhering to best practices, particularly configuration management, can make seemingly devastating incidents like Aurora and Stuxnet seem nothing more than drops in a bucket.
“That's how I look at it,” Whiteside says. “If [victims] had [systems] patched or if they had a standard that they had applied to all of their systems – regardless of what kind of data they had on them – then maybe some of those [breaches] don't happen.”
Define the win: Ensure your organization has a clear understanding of how it will define a successful recovery from a breach by APT attackers.
Assign accountability: Remediation plans fail when accountability for their execution is not clearly assigned to an individual. Each business unit should assign an individual who becomes responsible for the implementation of the plan.
Appropriately assign or obtain the resources required to obtain your goal: Remediation fails due to lack of resources – lacking the personnel, technology and processes to follow through on the remediation plan.
Establish visibility: Without host-based or network-based visibility, proper logging and threat intelligence (knowing what to look for), you will not be able to determine the scale of the intrusion, or detect and recover from the APT with agility.
Source: MANDIANT M-TRENDS, “When prevention fails”