Fighting the unknown enemy

As malware threats become increasingly sophisticated, companies have good reason to grow their information security budgets for top-line external defenses. Yet, recent events – namely, the whistleblowing escapades of Edward Snowden – have underscored the potential of internal threats to be just as dangerous as those from the outside. In fact, Forrester recently found that insiders were the top source of breaches in the last year, with 25 percent stemming specifically from abuse by malicious insiders.

With rogue employees taking the spotlight, too little consideration is given to innocent and completely well-intending users, who can be just as dangerous. It's not necessarily that these users err in judgment; rather, it's that they've simply become complacent, not anticipating any kind of attack and trusting that the perimeter will keep them safe. This mentality, coupled with today's advanced malware defenses and OS patch deployments, has resulted in users themselves becoming the focus of exploitation.

Modern hackers are increasingly adopting strategies similar to those the anti-malware industry has traditionally used, by leveraging honeypots. Watering holes, for instance, are a form of honeypot attack where a website known to be frequented and trusted by a specific target audience is infected with malware.

Another method being used to great effect is DNS poisoning, a form of man-in-the-middle attack where DNS records of popular websites are modified to redirect users to malicious domains, which are often made to look like the original site to trap unsuspecting visitors.

The point here is that cyber attacks don't always start with a network breach; they can start on a trusted website, where perimeter defenses are rendered irrelevant. Instead of cyber criminals trying to break down barriers and penetrate security defenses, they are effectively invited in by one of your internal users.

Both watering hole attacks and DNS poisoning are inherently difficult to identify, and therefore, to prevent. The problem is that these types of exploits rely on third-party websites or servers to attack users, and organizations cannot lock those down when employees need internet access to be productive in their roles.

As the old adage goes, the best form of offense is a good defense. The same approach applies for security, except in this case, you may have to defend against an unknown enemy where the usual rules of identification do not stand. This means that traditional defenses must be bolstered with a mitigation strategy that will help you nullify the inevitable breach.

Malware requires admin rights to bury itself deep in the system and propagate across networks, inflicting serious damage to corporate systems. Users with administrator accounts, therefore, are prime targets. From a security standpoint, removing privileged accounts from users makes sense in every way, but on the other hand, granting users privileged accounts is often seen as a necessity for driving productivity and enabling users to manage their systems and applications. Striking the balance between IT security and user experience is a constant battle, but organizations should not feel forced to give up either end.

Fortunately, they don't have to. A least privilege environment is the middle ground between running with admin rights that sacrifice security, and standard rights that stifle productivity. Privilege management solutions allow IT personnel to manage admin rights at the application level, meaning that rights are assigned only to the applications and tasks that need them, instead of the users. This means you can empower your users to work effectively with standard accounts, without the risk of malware creeping onto the corporate network.
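To make the application-level model concrete, here is an added example (not code from the article or from any privilege management product) of a default-deny elevation policy evaluator: users keep standard accounts, and only a hash-pinned executable named in a rule runs with admin rights, only for the directory groups that rule allows. The rule names, group names, executable bytes and ticket reference are all constructed stand-ins; a real agent would hash the file on disk at launch and write its audit records to the SIEM.

```python
# Added example (not from the article): a minimal application-level privilege
# policy evaluator. Users keep standard accounts; only specific, hash-pinned
# executables run elevated, and only for the groups a rule names.
# All rule data, group names and "executables" below are constructed for illustration.
from dataclasses import dataclass
import hashlib
import json


@dataclass(frozen=True)
class ElevationRule:
    """One task that may run with admin rights under a least-privilege policy."""
    name: str
    sha256: str                    # pin the exact binary, not just its path
    allowed_groups: frozenset      # directory groups permitted to use the rule
    require_ticket: bool = False   # risky tools also need a change reference


@dataclass(frozen=True)
class Decision:
    elevate: bool
    reason: str


def sha256_of(data: bytes) -> str:
    """Hash of the executable image, as an agent would compute it on launch."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for real executables (hypothetical byte strings).
APPROVED_INSTALLER = b"fake-bytes-of-approved-installer-v1"
TAMPERED_INSTALLER = b"fake-bytes-of-approved-installer-v1-with-payload"
PARTITION_TOOL = b"fake-bytes-of-partition-tool"

# Constructed policy: rights belong to applications and tasks, not to users.
POLICY = (
    ElevationRule(
        name="printer-driver-install",
        sha256=sha256_of(APPROVED_INSTALLER),
        allowed_groups=frozenset({"Domain Users"}),
    ),
    ElevationRule(
        name="disk-partition-tool",
        sha256=sha256_of(PARTITION_TOOL),
        allowed_groups=frozenset({"Helpdesk"}),
        require_ticket=True,
    ),
)


def evaluate(user_groups, exe_bytes, rule_name, ticket=None, policy=POLICY) -> Decision:
    """Default-deny: elevate only when a rule matches binary, group and ticket."""
    rule = next((r for r in policy if r.name == rule_name), None)
    if rule is None:
        return Decision(False, "no rule for requested task")
    if sha256_of(exe_bytes) != rule.sha256:
        # A swapped or trojaned binary must never inherit the rule's rights.
        return Decision(False, "executable hash does not match pinned value")
    if not rule.allowed_groups & set(user_groups):
        return Decision(False, "user is not in an allowed group")
    if rule.require_ticket and not ticket:
        return Decision(False, "change ticket required")
    return Decision(True, f"elevated via rule {rule.name}")


def audit_record(user: str, rule_name: str, decision: Decision) -> str:
    """JSON line for the SIEM; denials are logged as well as grants."""
    return json.dumps({"user": user, "task": rule_name,
                       "elevate": decision.elevate, "reason": decision.reason},
                      sort_keys=True)


if __name__ == "__main__":
    ok = evaluate({"Domain Users"}, APPROVED_INSTALLER, "printer-driver-install")
    bad = evaluate({"Domain Users"}, TAMPERED_INSTALLER, "printer-driver-install")
    print(audit_record("alice", "printer-driver-install", ok))
    print(audit_record("alice", "printer-driver-install", bad))
```

The two checks worth noting are the hash pin, which stops a modified binary at the same path from inheriting the rule's rights, and the fact that every outcome is written to the audit record: a run of denials for a task a user has never been allowed is exactly the signal a detection team wants when malware on a standard account starts probing for a way to elevate.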

There is an element of human trust that comes with any IT environment: the business must trust IT to protect against internal and external threats, IT must trust that employees are security-aware and using caution online, and employees must trust in the safety of the websites they visit on the job. But the perils of these sophisticated exploits have made it increasingly difficult to maintain this balance.

Least privilege is the cornerstone of an effective defense-in-depth security strategy, and can help organizations of all sizes create a workplace culture that is efficient, productive and above all, secure – inside and out.
