
RSA 2013: Hackers will get in, so spend the money on pushing them out

As even the most well-resourced enterprises fall victim to compromise, security that is focused on keeping the hackers off the network is quickly becoming an anachronism. Now, practitioners must instead concentrate their energy on pushing the attackers out once they're already in.

A group of security industry veterans, all now representing vendors, joined a panel Tuesday at the RSA Conference in San Francisco to discuss raising the price tag for adversaries to accomplish their mission. 

While most people assume the high price tag of an advanced attack comes from the cost of gaining access to a network, intruders also spend big money maintaining that foothold. And that is where some organizations, particularly those that are high-value targets for adversaries, may want to direct their security attention. 

"If you're Google, it doesn't matter how fast you run, the bear wants you," said Tim "TK" Keanini, chief research officer at nCircle, a vulnerability and risk management company.

Richard Bejtlich, CSO of incident response firm Mandiant, said companies are often unaware for weeks or months that attackers have breached their firewall and are clandestinely conducting reconnaissance or siphoning out information.

"Once they're in your enterprise, they have to be perfectly stealthy," he said. "But that's predicated on someone looking for them."

That's why he suggested organizations allot more resources to spotting the saboteurs, through technologies like network and host-based monitoring and robust logging. Then, once they're detected, make their work harder.

Bejtlich likened the challenge to physically defending a bank. The SWAT team doesn't guard the doors each day, but if there's a robbery, they're the ones coming for the crooks.

"You should apply even more pressure once they're in," he said. "They can break in all day long, but if you can catch them and kick them out, that makes it very difficult for them."

The panel suggested taking "active defense" measures to defeat the attackers. That includes leveraging deception and decoy data, or "breaking" the hackers' automation – such as inserting delays into scripts they are using – so they can't perform their activities with ease, said Christopher Hoff, chief security architect at Juniper Networks.

The hope, of course, is that if intruders believe a company is not worth the time and effort, they'll opt to go after someone else.
