Joel Yonts, the CISO of a Fortune 500 automotive supply company, isn't pleased with many of his peers. Their complacency and timidity around security is widening the chasm between victory and defeat by an ever-growing margin, and simply put, the losses really are piling up.
In security, where the threats evolve on an almost daily basis, most organizations – even ones operating the most proficient networks – seem content with the traditional perimeter-based, compliance-focused approach of battling the enemy, Yonts says. Such block-and-tackle tactics, as they are known among security pros, may work against the so-called low-hanging-fruit threats – things like SQL injections and common trojans – but they hit a brick wall when it comes to dealing with more sophisticated weaponry, like espionage malware.
“I am tired of [hearing], ‘We are defending at the gate and we are winning,'” says Yonts, 40, the CISO since 2006. “No, we're just letting the attackers attack us as many times as they want until they get in.” He blames this inherent defect on an industry where security programs largely have been built by the guidance of audit firms, which place heavy emphasis on meeting compliance mandates, such as Sarbanes-Oxley, and apply a good deal of weight to guarding against the insider threat, often overlooking today's advanced adversary.
Meanwhile, networks are getting owned with regularity by well-funded and well-trained assailants, who use their deep pockets and slick skills to quietly burrow in, establish a foothold and then purge sensitive data. In many cases, the victim organization doesn't learn about the intrusion for weeks, months, or even years – and even then, a third party is the entity that usually notifies them.
“They're bleeding data,” Yonts says of the targeted firms. “They can be happy with their compliance scores, but they're bleeding data.” Worst of all, these enterprises are operating under a false sense of security. “They'll totally downplay a compromised PC because the connection between one compromised PC turning into data exfiltration is not something people are living with,” he says.
As evidence, Kroll Advisory Solutions' recent report, “HIMSS Analytics Report: Security of Patient Data,” which examined the health care industry in particular, found that despite increasing rates of compliance, the number of organizations reporting breaches jumped from 13 percent in 2008 to 27 percent last year.
It's become a common refrain that security doesn't equal compliance, yet many practitioners remain asleep at the switch. Yonts is not alone in his sullen assessment. Lately, other respected security professionals have publicly announced their disdain for the current state of affairs. Shawn Henry, the FBI's former top cyber cop, got quite a bit of print when, upon announcing his retirement, he took to the media to proclaim that the nation is on the losing end of the war on hackers.
“I don't know that we can ever get ahead of this right now with the current state of architecture and attribution,” says Henry, now president of services at security start-up CrowdStrike.
But Henry and Yonts have a solution – or at least a tactic: Offense.
Depending on whom one asks, the definition of offense in the cyber security realm will differ. Generally speaking, however, it has little to do with actual retaliation, as that is something typically reserved for the military domain. (Last year, the Pentagon officially announced that it can use physical force to respond to a cyber attack.) Instead, within the private sector, organizations can retaliate in other ways, including sharing information about the opponent or driving the hackers' costs up by making successful attacks much more difficult to accomplish.
“I think we're entering a period when companies have to think more like they are spies,” says David Burg, principal of the forensic technology solutions and cyber crime practice at PricewaterhouseCoopers.
At his company, Yonts has adopted a five-pillar approach to security (see sidebar, below). The first three – defining data, reducing vulnerabilities and implementing automated defenses – cover what Yonts deems the traditional approaches, which seek to reduce conventional attacks to a minimum. For example, the company takes great stock in its email security and awareness training. Both speak to the common hacker ploy of spreading spam or inserting malware into a target network by tricking an employee at the company into clicking on an email attachment that looks legitimate, but isn't.
But it is when trying to counter the more advanced risks that his fourth and fifth tenets kick in: incident response and attribution. These pillars are especially important for Yonts' business, which can easily become a victim of the trusted relationships it has formed with partner organizations.
“If [attackers] were able to compromise one of my vendors and implant malicious code in my data, it would be very hard for me to detect it,” Yonts says. “At the end of the day, you'll have some vulnerability left and some attacks will get through.”
Don't underestimate the significance of that last sentence. At a time when more security pros are accepting that network compromise is a part of doing business, Yonts understands this isn't a death sentence. In fact, his own company sustained a breach in 2008 and was forced to notify 56,000 customers that their financial data was exposed by a hack. But the incident could have been worse.
“From the time an attacker gets a foothold to the time he gets expanded to an elevated foothold, to the time he finds the data, to the time he gets that data out, it is time,” Yonts says. “It's not instantaneous. Being prepared is critical to winning this.”
That's where the fourth and fifth pillars come into play. Incident response, by definition, is not a novel strategy, but at Yonts' company its capability is as robust as one might find anywhere. Yonts has a dedicated team in place whose job is to immediately spot an infection (aided by technology that can help discover the proverbial needle in the haystack), perform a full forensic exam on the compromised machine, reverse engineer the malware and, most importantly of all, comprehend the threat.
“We want to understand the level of attack and the gist of the malware,” Yonts says. “If it's fake anti-virus (AV), which is trying to trick people into paying for AV, as opposed to a remote access trojan, then we're going to react differently. Depending on what is created and what the levels of sophistication associated with it are will drive the level of efforts.”
As was mentioned earlier, kinetic or digital retaliation is not typically a response option, unless one's office is located in a five-sided building in Arlington County, Va. But, Yonts says he has come up with the next best thing: hitting the attackers where it hurts – in the wallet. He calls this final pillar “attribution.”
The previous step – incident response – speaks to quickly identifying and shutting down a successful infiltration before it can do any sizeable damage. Combine that with gathering evidence about the attacker to share with anti-virus companies and law enforcement, and Yonts and his team are trying to effectively eradicate the value proposition for the criminal.
To share threat intelligence data, Yonts leverages the bonds he has formed in the research community thanks to his role as chief scientist and founder of Malicious Streams, a side project that analyzes malicious code and hacker techniques.
Yonts strongly believes in collaboration. Whether his company is hit by an attack that aims to steal data center space in order to launch spam or distributed denial-of-service (DDoS) attacks, or by a more sophisticated assault designed to pillage credit card numbers or intellectual property, he will share that data with the pertinent parties.
“Suddenly every AV company has all the samples,” he says. “They have automated systems. Suddenly everyone in the world is protected within a couple of hours.”
The next step is to prepare a more formal version of the attack to be shared with law enforcement. Yonts' forensic investigation team is trained in compiling evidence that is “completely admissible” in court. That may not always mean providing the suspected names of the responsible parties, but sometimes clues, such as offending IP addresses, can go a long way to bringing charges against someone, especially when combined with an investigation already underway by the FBI or a related agency.
“When we share with law enforcement, I am pressing for conviction,” Yonts says. “It builds a more complete picture. We're an attempted victim, and here's some evidence that supports it. It puts pain back into the criminal organization.”
Attribution is essential to taking the fight to the intruder, says CrowdStrike's Henry. It involves using technology to identify the attacker through hints, such as signatures, command-and-control infrastructure, tactics and funding sources. Armed with this information, entities can better protect themselves.
“I think it really is important to know who is attacking you,” Henry says. “If someone breaks into my house, I want to know who it is and what it is they're looking for. What I'm suggesting is that by using pieces of technology, you can make yourself safer, protect your intellectual property and raise the bar for the adversary.”
“We're not seeing anyone going truly offensive in terms of hacking back in the commercial space,” Burg says. “However, companies are starting to think aggressively.”
Some organizations are turning to tactics like sandboxing, honeypots and decoy/dummy data to throw an attacker off the scent or allow them to be traced. “We certainly take the advantage to socially engineer the attacker back,” Yonts says. “Not to attack their system, but to confuse and disorient them.”
There are even some vendors, such as Florida-based Digital Bond, which make modules that run Metasploit exploits designed for critical infrastructure systems. The idea is not to provide the enemy with a roadmap, but to offer IT professionals an easy way to demonstrate the vulnerabilities that are out there. “We have to try something different,” says founder and CEO Dale Peterson. “Stuxnet didn't even wake people up.”
Yet, not everyone is dismissing the possibility of counter-sabotage as an option. Ian Amit, director of services at IOActive, a computer security services firm, recently presented at the SOURCE Boston security conference on the importance of thinking like an attacker. For far too long, organizations have stuck with an old-school way of treating the threat, he says.
“Hackers have a much broader spectrum of operations when you compare it to current defenders,” he says. “They engage in threat modeling, then they launch their attacks, whereas the defense is based on alerts and detection. Understanding offense is a critical part of a defensive strategy. If you don't keep up with what the attackers do, you're by definition behind.”
Amit's response plan is not unlike that of Yonts – understand what one needs to protect and who the “threat agents” are – but where it diverges is encouragement to immerse oneself in enemy territory.
One example he showed the crowd in Boston is to identify a particular online forum from which attackers are acquiring tools that are being used to target one's organization. Next, embed oneself in that community by creating a bogus profile. Post messages, achieve a positive, trusted reputation and work up to taking over an account that produces tools. Then, booby-trap those tools so one is notified the next time the aggressor uses them.
Such a made-for-Hollywood covert operation may not be for everyone, Amit admits, especially when one considers the legal ramifications. “There is a big legal issue hovering on top of everything,” he says. “My recommendation would be to consult with your lawyer and find a way to perform this, and understand how aggressive you can be in defending yourself. This is not to attack everyone who is out to get you. Some actions might be prosecutable, though in my experience, there are ways to perform them where it would not be frowned upon.”
In lieu of cloak-and-dagger, Amit says security pros also can do something much simpler: Be aware. “I can tell you that the sophistication level we're seeing from the hackers is not as high as is being perceived in the media,” Amit says. “It's just that these tactics are being used in ways defenders are not expecting.”
Except if you are someone like Yonts, who says that when he goes to bed each night, he can rest knowing his team has done everything to foil the next attempted network trespass. A compromise may occur, but the key is limiting the damage.
“We respect our attackers,” Yonts says. “We don't taunt them. We deal with the threat. They may get to the data, but they're not going to be able to wallow in the data.”
Source: Joel Yonts, CISO at a Fortune 500 automotive supply company
The five pillars of security
Defense
* Define the data – Scout exactly where confidential assets lie within an organization in order to apply appropriate protections.
* Reduce the vulnerability – Ensure that known software and hardware bugs are patched with the latest updates.
* Implement automated defenses – Traditional controls like anti-virus, firewalls, filters and intrusion prevention systems are pivotal in stopping most threats.
* Perform incident response – But there will be zero-day vulnerabilities, undetectable malware and targeted attacks. That is why performing a full forensic exam is key to understanding the threat.
* Attribute the adversary – With that information, the victim organization can share details about the attackers with anti-virus companies and law enforcement, hopefully preventing them from striking again.