We visited BlackHat2014 earlier this month where we enjoyed the opportunity to interact with white/grey/blackhat hackers, researchers, security vendors, consultants, CISOs, security analysts and other security professionals. At BlackHat and in our latest discussions with CISOs, we found five themes that influence today's security landscape.
At BlackHat, we spent the week with CISOs, incident response experts and hackers, all of whom shared, in confidence, stories of their experiences with cyber attacks. Whether their stories were about an attack that occurred in their own network or in one of their customers', one theme is clear: today's hacking is a well-crafted operation. It is a campaign with goals, dedicated teams and lengthy planning, leading to a very precise operation. It is no surprise that we all face a great challenge when dealing with cyber attacks.
Our tip: Don't get overwhelmed by the complexity of the issue. Make sure you have visibility of ALL elements in the network: users, endpoints, servers, connections, etc. Look for tools that analyze behavior and search for abnormal patterns as an indication of compromise.
Because hacking teams are dedicated, determined and sophisticated, penetration becomes inevitable. There are so many ways to enter a network; therefore, we must assume that a determined hacking team will succeed, no matter what perimeter prevention mechanism an organization has put in place.
One method that hackers use is compromising user credentials. A good example of this is the recent news report on Russian hackers getting hold of over 1.2 billion stolen passwords. Stolen usernames and email addresses prove to be effective tools that help hackers enter a network. Hackers can also enter a network through mobile devices, and even through Wi-Fi systems in airplanes. In short, hacking teams will always find a creative way to sneak in.
Our tip: Prevention is important, but not sufficient. Penetration will occur no matter what prevention system you put in place; therefore, you must prioritize detection and response in order to identify if you have already been breached.
Even though attackers do everything they can to cover their tracks, they still leave some evidence behind. The best, most reliable place to look for evidence of a breach is the "ground zero" of attacks: the endpoint. Commonly, endpoints are the attacker's penetration point. However, even when this is not the case, endpoints are where attackers persist, perform reconnaissance, and move laterally in the network. Despite this, endpoints are still neglected, as IT tends to fear the pain associated with agent deployment.
Our tip: Don't leave the endpoints as your environment's blind spot. Look for endpoint solutions that are easy to maintain and cause no interference with user experience, because we are all aware of the consequences of a hard-to-implement and intrusive endpoint solution. Check out Gartner's review of EDR (Endpoint Detection and Response) solutions for further information and ideas on how to build your endpoint detection and response capabilities.
When security teams try to detect complex hacking operations, it is essential that they are equipped with big data analytics capabilities. Big data analytics can process data collected from the environment and detect abnormalities that are indicators of compromise. However, we found out at BlackHat that not all analytics are alike. Some require investments in talent and resources in order to extract value from the analytics. Many security professionals complain about the new "analysis-paralysis" malady caused by sophisticated but non-actionable analytics tools. In short, one must procure a solution that presents its findings in a built-in, actionable form rather than leaving the interpretation to the analyst.
Our tip: Automation is key. Use systems that build insight from data analysis and enable automated incident investigation and automated incident response, in order to cut time and make your response more actionable.
Even when you think you have detected the attacker's activity, there is a good chance that this is a decoy action. Hacking campaigns always include a decoy activity built to drive your attention away from the "real" attack.
Our tip: Use detection tools that have a built-in mechanism that identifies deception and provides context so you can understand the full scope of an attack.
BlackHat 2014 has proven that it is no longer a question of "will" you be breached, but a question of "when" you'll be breached. Security teams must shift their mindset and make sure they have the right capabilities to deal with this reality. Sophistication, automation and adaptation are the name of the game.