In January each year, many of us (myself included) typically take time to reflect on the year that was, and the things we want to improve upon in the coming 12 months. Like many, I made some 2019 resolutions that will help me in both my personal and professional life. I’ve often wondered, if we can make personal and professional resolutions to improve ourselves, can we also make resolutions to change our departments and our organizations?
The recent holiday season brought with it an expected uptick in response calls from clients looking for help in responding to, or otherwise dealing with, suspicious or malicious activity in their environments. After we had worked through this flurry of issues, I had some time to reflect. These organizations were from vastly different industries and of different sizes. Each had a different organizational and ownership structure. Yet despite those differences, I saw some commonality:
- In each case, their own internal security monitoring tools (if they had them) didn’t alert the organization. It was either a business partner / service provider, a customer, law enforcement or a third party that had informed them about the issue.
- During their initial triage, those who could look back through historical records were surprised at how far back the activity went.
- Attempts to isolate systems showing malicious activity weren’t successful. The refreshed systems began exhibiting the same activity shortly after being placed back on the production network.
- There were active disagreements between staff on what the issue was, how it originated in their network and, of most interest to me, whether this would be considered a significant issue or not.
In these and other cases, we noticed that each organization was on its back foot when the incident arose. They weren’t prepared to deal with it and didn’t have a clear course of action. Moreover, none of these organizations ever thought that this problem was going to happen to them.
Given these events, we know attackers will usually be able to get a foothold in a network. They might compromise a web server here, or use phishing to obtain remote access there; but it will happen eventually.
Based on our recent Protiviti Security Threat Report, we also know that attackers will persist in an environment for an extended period of time. They are not in and out in a matter of a few hours, but will learn about their target and move from system to system, gathering more and more information. This process takes time, particularly if the attacker is trying to evade detection and obtain access to sensitive information or powerful access to an organization’s systems. Industry reports cite that on average, attackers can persist within a network for months before being detected. Our own experiences support those statistics.
If current preventative controls aren’t stopping attackers from getting footholds in our networks, and detective controls aren’t alerting us in a timely manner, if at all, what are we to do? I propose we must look at a third option – proactive controls. Instead of waiting to be alerted to malicious activity, why not go in search of it? If we can reasonably assume that attackers are targeting our networks and may have footholds on some of our systems, why not search them out? Is it better to put out a small kitchen fire or wait until the entire house is ablaze?
The question then becomes, if we are going to hunt for these threats, how do we go about doing so?
We can begin by thinking about our IT environment, and understanding a few key facts:
- What is our most sensitive information? What would be damaging if it were either made public, given to competitors or removed from our environment?
- Where is that information stored and how do we access it?
- What does typical day-to-day activity on our network look like?
Using this as a quick baseline, the goal is to attempt to identify abnormal activity in our environment that may result in a compromise of sensitive data. We accomplish this by forming a hypothesis about how an attacker may be attempting to move throughout the environment, use certain powerful accounts or internal software, or communicate back to their systems. Then we test by searching in the environment for evidence to either prove or disprove the hypothesis. If we find something malicious, then we can begin a formal incident response process. If we disprove the hypothesis, the exercise is still valuable, as we have learned something new about the environment and can use the output to better help detect attacks in the future.
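A hypothesis-driven hunt of the kind described above, as an added Python example that is not from the original post: it builds a baseline of which hosts each account normally logs on to, then tests two hypotheses over constructed log records, namely that a privileged account is being used on hosts outside its baseline, and that a host is calling back to an external address on a fixed timer. All account names, hostnames, addresses and timestamps are constructed for the example.

```python
"""Hypothesis-driven hunt over constructed log records (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data: a baseline week of interactive logons, then a hunt window.
BASELINE_LOGONS = [
    ("svc_backup", "fs01"), ("svc_backup", "fs02"), ("alice", "ws-alice"),
    ("bob", "ws-bob"), ("da_admin", "dc01"), ("da_admin", "dc02"),
]
HUNT_LOGONS = [
    ("alice", "ws-alice"), ("da_admin", "dc01"),
    ("da_admin", "ws-bob"),      # domain admin on a workstation: never seen in baseline
    ("svc_backup", "ws-alice"),  # service account used interactively on a workstation
]
PRIVILEGED = {"da_admin", "svc_backup"}  # the "powerful accounts" the hypothesis is about

def build_baseline(logons):
    """Map each account to the set of hosts it logged on to during the baseline period."""
    seen = defaultdict(set)
    for user, host in logons:
        seen[user].add(host)
    return seen

def hunt_privileged_lateral_movement(baseline, logons, privileged):
    """Hypothesis: a privileged account is being used on hosts it never touched in the baseline."""
    return sorted({(u, h) for u, h in logons if u in privileged and h not in baseline.get(u, set())})

# Constructed outbound connection timestamps (seconds, sorted) per (host, destination).
HUNT_CONNECTIONS = {
    ("ws-bob", "203.0.113.10"): [0, 300, 601, 899, 1200, 1501, 1800],  # near-constant 5 min gap
    ("ws-alice", "198.51.100.5"): [0, 40, 2100, 2130, 2190, 7000],     # bursty, human-like
}

def hunt_beaconing(connections, min_events=5, max_jitter=0.1):
    """Hypothesis: a host calls an external system on a timer (low variance between connections)."""
    findings = []
    for key, times in connections.items():
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(gaps) + 1 < min_events:
            continue  # too few connections to say anything about periodicity
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings.append((key, round(avg)))  # (host, destination), interval in seconds
    return findings

if __name__ == "__main__":
    baseline = build_baseline(BASELINE_LOGONS)
    print("Lateral movement findings:", hunt_privileged_lateral_movement(baseline, HUNT_LOGONS, PRIVILEGED))
    print("Beaconing findings:", hunt_beaconing(HUNT_CONNECTIONS))
```

A finding from either hunt is a lead to triage, not a verdict; an empty result still refines the baseline for the next hunt.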
Organizations are working on finalizing strategic goals, business strategies, audit plans and their overall approach to a successful year. In 2019, in addition to our personal resolutions, let’s also resolve to improve our organizations by getting proactive about our security.
Are you thinking about adding proactive security controls to your environment? Here are some questions to ask to get started:
- Do we have the visibility into our environment to identify potentially malicious network communications?
- Can we identify all of the systems and devices on our network and determine if they are authorized or unauthorized?
- Are we able to understand the difference between normal network and user activity and actions that might be from an attacker?
- Do we have the resources and tools to dedicate time to a hunting function within the information security group?