12 truths about threats your customers must know today


6. You have all you need to find the intruder and get rid of him

Australian Federal Police acting manager of cybercrime operations Brad Marden says “logs are the most critical” tool for remediation.

“Logs are crucial to recreating activity to system incident responders – even if they don’t report to police – if they just go to their anti-virus company or CERT Australia; it’s the most critical part of maintaining a security posture,” Marden says.

“They need to know how the hacker accessed their network and what information might have been removed in order to have a successful outcome in prosecution or identifying the harm.”

Logs were critical to helping NBN Co partner Platform Networks recover from David “Evil” Cecil’s attacks last year. Cecil, an unemployed truckie and self-taught hacker from Cowra, had earlier crashed Melbourne hosting provider DistributeIT in a devastating half-hour assault that cost it $4.5 million and 4000 websites on four unrecoverable servers, and that threw its resellers into disarray when the company folded (the remains were bought by Netregistry).

DistributeIT had inadequate systems to support an investigation. When Cecil attacked Platform Networks soon after, Marden says, a stronger defence informed by logs resulted in a 2½-year jail term for the assailant.

“Through cooperation with police there was little harm” to Platform Networks, Marden says. “If we have a good case, we have good prosecutional outcomes.”

It’s imperative that action is taken as soon as a breach is suspected, he says. Resellers should work with their customers to preserve the chain of custody, isolating logs on a separate device and imaging affected systems. Investigators often use EnCase software to protect data from being contaminated or overwritten, and a good security information and event management (SIEM) solution in place before the attack is vital.

“Preserve (the data) by taking it offline or getting a mirror,” Marden advises. Sourcefire director Chris Wood says organisations need real-time intelligence before “it’s too late”. They need “a full picture of what’s running across their networks”.
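What Marden describes, preserving evidence by imaging and hashing it before anyone works on it, as an added Python example (it is not code from the article, the AFP or any vendor named here). It stands in for dd or EnCase by copying a file-backed “device”, hashing source and copy, writing a chain-of-custody manifest and later re-verifying the image. The file names, examiner name and sample log lines are constructed.

```python
"""Evidence preservation: image a source, hash it, and record a chain-of-custody manifest.

Added example, not the article's or the AFP's code. The copy of a file-backed
"device" stands in for a dd or EnCase acquisition. Paths, manifest layout and
examiner name are assumptions for illustration.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks so large images need not fit in memory


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def image_evidence(source: str, dest_dir: str, examiner: str, note: str) -> dict:
    """Copy `source` into `dest_dir`, hash original and copy, and write a manifest.

    The image is made read-only so later analysis cannot silently alter it;
    analysts work on further copies, never on this one.
    """
    os.makedirs(dest_dir, exist_ok=True)
    before = sha256_of(source)
    image = os.path.join(dest_dir, os.path.basename(source) + ".img")
    shutil.copyfile(source, image)
    after = sha256_of(image)
    if before != after:
        raise RuntimeError("image hash does not match source; do not rely on this copy")
    os.chmod(image, 0o444)
    entry = {
        "source": os.path.abspath(source),
        "image": image,
        "sha256": after,
        "size_bytes": os.path.getsize(image),
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "note": note,
    }
    with open(os.path.join(dest_dir, "manifest.json"), "w") as f:
        json.dump(entry, f, indent=2)
    return entry


def verify_image(entry: dict) -> bool:
    """Re-hash the image and compare with the manifest; False means tampering or corruption."""
    return os.path.exists(entry["image"]) and sha256_of(entry["image"]) == entry["sha256"]


def demo():
    """Constructed data: a fake auth log, one intact check and one after tampering."""
    work = tempfile.mkdtemp(prefix="evidence-")
    src = os.path.join(work, "auth.log")
    with open(src, "wb") as f:  # constructed sample log lines, not real data
        f.write(b"Mar 1 02:11:09 web1 sshd[2231]: Accepted password for root from 203.0.113.7\n" * 1000)
    entry = image_evidence(src, os.path.join(work, "case-0001"), "J. Examiner", "web1 auth log")
    intact = verify_image(entry)
    os.chmod(entry["image"], 0o644)
    with open(entry["image"], "ab") as f:  # simulate an analyst appending to the image by mistake
        f.write(b"tampered\n")
    return intact, verify_image(entry)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The manifest records the hash, size, time and examiner at acquisition, which is what a court or CERT will ask for; the read-only bit is a convenience, and the hash comparison is the actual control.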

7. Know your “3 Ps” – Patches, Privileges and Programs

The Defence Signals Directorate’s Top 35 Mitigation Strategies are the best starting point to limit an organisation’s risk. In 2010 DSD found 85 percent of intrusions could be prevented by employing its top recommendations:
• patch applications and operating systems;
• limit user privileges;
• whitelist applications to prevent malicious apps from running.

“(It) can be achieved gradually, starting with computers used by the employees most likely to be targeted,” the DSD advises. 

Trend Micro’s Oliver says users must be trained to accept critical security patches, even though it may slow their workday: “Especially Flash and Java because it’s on every device in the enterprise”. 

Microsoft Office and PDF documents are also well targeted. And resellers should install software on their clients’ networks to monitor that the patches are installed and up to date, Oliver says.
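The monitoring Oliver describes, checking that targeted products are at or above a required version on every machine, as an added Python example (not code from the article or from Trend Micro). Product names, baseline versions and the inventory are constructed; a real baseline comes from the vendor’s current advisory.

```python
"""Patch-currency check over a software inventory.

Added example, not the article's or Trend Micro's code. Compares each installed
version of a targeted product against the minimum the customer's baseline
requires. Products, versions and hosts below are constructed.
"""
import re
from typing import Dict, List, Tuple

# Constructed baseline: minimum acceptable version per product.
# Java appears as '1.7.0_45' here; if the agent reports '7u45' style, use that
# scheme in the baseline too, since the two schemes do not compare numerically.
BASELINE = {
    "java": "1.7.0_45",
    "flash": "11.9.900.117",
    "reader": "11.0.5",
    "office": "14.0.7106.5003",
}

# Constructed inventory as an agent might report it: (hostname, product, version)
INVENTORY = [
    ("fin-01", "java", "1.7.0_45"),
    ("fin-01", "flash", "11.8.800.94"),      # behind baseline
    ("fin-02", "java", "1.6.0_27"),          # Java 6, well behind
    ("hr-07", "reader", "11.0.5"),
    ("hr-07", "office", "14.0.7015.1000"),   # behind baseline
    ("ceo-pc", "flash", "11.9.900.117"),
    ("ceo-pc", "java", "1.8.0"),             # newer than baseline, fine
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Split '1.7.0_45' or '11.9.900.117' into an integer tuple.

    Numeric comparison avoids the string trap where '1.10' sorts before '1.9'.
    Non-numeric suffixes such as 'b12' are ignored.
    """
    nums = []
    for part in re.split(r"[._u\-]", v):
        m = re.match(r"\d+", part)
        if m:
            nums.append(int(m.group()))
    return tuple(nums)


def is_current(installed: str, minimum: str) -> bool:
    a, b = parse_version(installed), parse_version(minimum)
    # pad the shorter tuple so (1, 8, 0) compares sensibly with (1, 7, 0, 45)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) >= b + (0,) * (n - len(b))


def find_unpatched(inventory, baseline) -> Dict[str, List[str]]:
    """Return {host: [product, ...]} for every install older than its baseline."""
    out: Dict[str, List[str]] = {}
    for host, product, version in inventory:
        minimum = baseline.get(product)
        if minimum is None:
            continue  # product not in scope for this baseline
        if not is_current(version, minimum):
            out.setdefault(host, []).append(product)
    return out


if __name__ == "__main__":
    for host, products in sorted(find_unpatched(INVENTORY, BASELINE).items()):
        print(f"{host}: needs patches for {', '.join(products)}")
```

The output is the list to act on, ordered by whichever hosts the reseller agrees are most likely to be targeted, as DSD suggests.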

8. Who you gonna call?

A cybercrime is a crime and should be reported to police, says AFP’s Marden. “We will take every report into consideration whether it’s to build up a bigger picture or to prosecute,” Marden says.

AFP officers speak at vendor and community security events and it’s worthwhile attending these to rub shoulders: “We try to get out to meet with people,” he says.

Verizon’s Goudie says relationships with police and security contractors must exist before you need them: “The last time you want to negotiate contracts with an organisation is when you’re” under attack, he says.

“Everyone knows to dial 000 when you need it, but very few people know who to call when negotiating a security event.” AFP Cybercrime Operations can be reached on cybercrime@afp.gov.au or tel: 1800 813 784.

9. Learn the lingo

VERIS, the Vocabulary for Event Recording and Incident Sharing, is emerging as a standard language for reporting incidents, defining “who did what to what (or whom) and with what result”. It is a framework against which attacks are described and shared, and a basis for historical and trend analysis. It is becoming a standard way for expert witnesses to describe the agents, actions, assets and attributes of an attack.
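The four “A”s in practice, as an added Python example (not code from the article or from the VERIS project). The field names follow the agent, action, asset, attribute idea in simplified form; they are an assumption for illustration and not the official VERIS schema, which has many more fields. The three incidents are constructed.

```python
"""Recording incidents by agent, action, asset and attribute, then tallying them.

Added example, not the article's or the VERIS project's code. Field names are a
simplified stand-in for the VERIS schema; records are constructed.
"""
from collections import Counter
from typing import Dict, List

A4_FIELDS = ("agent", "action", "asset", "attribute")

# Constructed incident records: who did what to what, with what result.
INCIDENTS: List[Dict[str, str]] = [
    {"id": "2013-001", "agent": "external.organised_crime", "action": "hacking.sqli",
     "asset": "server.web", "attribute": "confidentiality.card_data"},
    {"id": "2013-002", "agent": "external.organised_crime", "action": "malware.keylogger",
     "asset": "user_device.pos_terminal", "attribute": "confidentiality.card_data"},
    {"id": "2013-003", "agent": "internal.employee", "action": "error.misdelivery",
     "asset": "media.email", "attribute": "confidentiality.personal"},
]


def validate_a4(record: Dict[str, str]) -> List[str]:
    """Return the A4 fields that are missing or empty; an empty list means the record is complete."""
    return [f for f in A4_FIELDS if not record.get(f)]


def describe(record: Dict[str, str]) -> str:
    """One-line narrative in the VERIS phrasing."""
    missing = validate_a4(record)
    if missing:
        raise ValueError(f"record {record.get('id', '?')} lacks {', '.join(missing)}")
    return (f"{record['agent']} performed {record['action']} against {record['asset']}, "
            f"affecting {record['attribute']}")


def top_level(value: str) -> str:
    """'hacking.sqli' -> 'hacking': the category that is comparable across reports."""
    return value.split(".", 1)[0]


def tally(records: List[Dict[str, str]], field: str) -> Counter:
    """Count complete records by the top-level category of one A4 field.

    This is the aggregation behind trend statements such as "x percent of
    incidents involved malware"; incomplete records are left out rather than guessed.
    """
    return Counter(top_level(r[field]) for r in records if not validate_a4(r))


if __name__ == "__main__":
    for r in INCIDENTS:
        print(describe(r))
    print(tally(INCIDENTS, "action"))
```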

10. Deal with the social 

Intruders scan LinkedIn and other social media profiles, and may work their way up through individuals to reach their ultimate target. This reconnaissance can take a year or more of daily effort to map out the target.

Hacking gangs are known to use project-management processes to break the job into tasks in a diligent and methodical way, subcontracting to underground service providers with the necessary knowledge and skills.

“It’s a military-style attack,” says Websense A/NZ sales manager Gerry Tucker. The insertion point is often an attractive lure, such as an email notifying the recipient of an award, a job or a promotion. More than four in five unsolicited emails carry a web link to a compromised host, Tucker says.

“Even those who are paranoid get caught out because of how these emails” are written, he says. And mobile devices, which encourage people to respond to such messages on the go and at speed while their attention is elsewhere, may make the problem worse.

Tucker advises resellers to take a bite-sized approach to limiting data leaks, applying the 80-20 rule to focus on email, on identifying what web traffic is really carrying and especially on unexplained increases in HTTPS traffic.
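One way to act on Tucker’s last point, as an added Python example (not code from the article or from Websense). An encrypted upload to an attacker’s server looks like ordinary port-443 traffic; what gives it away is volume out of line with the host’s own history, so each host’s latest day of outbound HTTPS bytes is compared with a baseline from its earlier days. The export format, hosts, byte counts and thresholds are constructed.

```python
"""Flagging unexplained increases in outbound HTTPS volume per host.

Added example, not the article's or Websense's code. Replays a constructed daily
egress summary (as a proxy or firewall might export it) and flags hosts whose
latest day is far above their own baseline. All values are constructed.
"""
import csv
import io
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

SAMPLE = """\
day,host,dst_port,bytes_out
2013-03-01,fin-01,443,21000000
2013-03-02,fin-01,443,19500000
2013-03-03,fin-01,443,22400000
2013-03-04,fin-01,443,20100000
2013-03-05,fin-01,443,24000000
2013-03-01,hr-07,443,8000000
2013-03-02,hr-07,443,7600000
2013-03-03,hr-07,443,8300000
2013-03-04,hr-07,443,7900000
2013-03-05,hr-07,443,310000000
2013-03-05,hr-07,80,9000000
2013-03-01,new-pc,443,5000000
2013-03-05,new-pc,443,90000000
"""


def load_https_by_host(text: str) -> Dict[str, List[Tuple[str, int]]]:
    """Group (day, bytes_out) per host for port-443 flows only, sorted by day."""
    per_host = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text)):
        if row["dst_port"] == "443":
            per_host[row["host"]].append((row["day"], int(row["bytes_out"])))
    return {h: sorted(v) for h, v in per_host.items()}


def flag_increases(per_host, min_history: int = 3, sigma: float = 3.0, ratio: float = 5.0):
    """Return {host: (latest_bytes, baseline_mean)} for hosts whose latest day is
    both `sigma` standard deviations and `ratio` times above their baseline.

    Both conditions are required: a very steady host has a tiny standard
    deviation, so sigma alone would flag modest growth; a small, bursty host
    can exceed the ratio in normal use, so ratio alone would be noisy.
    Hosts with fewer than `min_history` baseline days are skipped, not judged:
    with no history there is no baseline, which is itself worth a look.
    """
    flagged = {}
    for host, series in per_host.items():
        history = [b for _, b in series[:-1]]
        latest = series[-1][1]
        if len(history) < min_history:
            continue
        mean = statistics.mean(history)
        sd = statistics.pstdev(history)
        if latest > mean + sigma * sd and latest > ratio * mean:
            flagged[host] = (latest, mean)
    return flagged


if __name__ == "__main__":
    for host, (latest, mean) in flag_increases(load_https_by_host(SAMPLE)).items():
        print(f"{host}: {latest / 1e6:.0f} MB out over HTTPS vs baseline {mean / 1e6:.1f} MB")
```

In the constructed data fin-01 has a slightly high day but stays well under five times its mean, new-pc has too little history to judge, and only hr-07, which moved roughly forty times its usual volume, is flagged.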

RSA’s Farquhar tells the story of a customer’s employee who got an email that he had won an award for five years’ service and should click a link to get his prize.

“It had all the hallmarks of spearphishing, and he immediately disregarded it, but it turns out it was legitimate,” Farquhar says.

The company had outsourced the awards to another organisation: “Companies need to understand not to muddy the (security) message”, he says.

Bitdefender used off-the-shelf security products and publicly available information to craft personalised emails to fool their recipients, says Bitdefender chief security researcher, Catalin Cosoi.

“Once you have those details you can easily create a targeted email that is very believable to the targeted people,” he says. And although the target company’s systems filtered out the threat, a recipient was so keen to switch roles he fished the offending email from the spam folder and unwittingly executed the exploit on his PC.

“Even though a company may take all defences possible, the weakest link is the employee.”

11. Don’t neglect anti-malware and DNS

With the emphasis on new-age attacks, it’s easy to forget that traditional approaches still have their place as part of a balanced security posture. For instance, Verizon found 69 percent of attacks last year used malware.

CSC’s Lawrence Ostle recommends Layer-2 and application whitelisting solutions to immunise against such malware, while watching how the layers within the network talk to each other in order to spot irregularities.

F5 Networks’ Adrian Noblett says attacks against applications are increasing in severity and frequency. “Hackers are sending valid application requests, they’re just sending more of them.”

This may be done to disguise the real objective of the attack or simply to bring down a server. In such cases, he says, the target has typically turned to a carrier “clean feed” (upstream scrubbing of attack traffic) for relief.

A stable, secure and responsive domain name server is critical to weathering such assaults, he says.

Watchguard’s Rob Collins advises “factors of two”, for instance using overlapping anti-malware products from different vendors, because they vary in their ability to respond to threats.

“And secure your DNS channel – there’s no need to have port 53 (DNS requests) open and, if you do, only for certain servers,” Collins says.
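Collins’s rule, checked against traffic rather than trusted, as an added Python example (not code from the article or from Watchguard). The policy is: clients talk DNS only to the internal resolvers, and only those resolvers talk DNS to the approved upstream. Constructed firewall connection records are replayed against it and every violation reported, including DNS over TCP, which is as much a tunnelling candidate as UDP. Addresses and record format are assumptions.

```python
"""Checking that port 53 only leaves the network from the approved resolvers.

Added example, not the article's or Watchguard's code. Addresses, the resolver
set and the connection log are constructed for illustration.
"""
import csv
import io
import ipaddress
from typing import Dict, List

INTERNAL = ipaddress.ip_network("10.0.0.0/8")
RESOLVERS = {ipaddress.ip_address("10.0.0.53"), ipaddress.ip_address("10.0.1.53")}
UPSTREAM = {ipaddress.ip_address("203.0.113.2")}  # constructed carrier resolver

# Constructed connection log: src,dst,proto,dst_port
SAMPLE = """\
src,dst,proto,dst_port
10.0.5.21,10.0.0.53,udp,53
10.0.0.53,203.0.113.2,udp,53
10.0.5.21,8.8.8.8,udp,53
10.0.7.9,198.51.100.77,tcp,53
10.0.1.53,198.51.100.9,udp,53
10.0.5.21,93.184.216.34,tcp,443
10.0.0.53,203.0.113.2,tcp,53
"""


def dns_violations(text: str) -> List[Dict[str, str]]:
    """Return every port-53 connection that the resolver-only policy does not allow."""
    out = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["dst_port"] != "53":
            continue
        src, dst = ipaddress.ip_address(row["src"]), ipaddress.ip_address(row["dst"])
        if dst in INTERNAL and dst in RESOLVERS:
            continue  # internal client asking an approved internal resolver
        if src in RESOLVERS and dst in UPSTREAM:
            continue  # approved resolver forwarding to the approved upstream
        if src in RESOLVERS:
            reason = "resolver using an unapproved upstream"
        else:
            reason = "client sending DNS to something other than an approved resolver"
        out.append({**row, "reason": reason})
    return out


if __name__ == "__main__":
    for v in dns_violations(SAMPLE):
        print(f"{v['src']} -> {v['dst']}:{v['dst_port']}/{v['proto']}  {v['reason']}")
```

The same allow list, once it produces no violations on real logs, is what the egress firewall rules should encode: accept 53/udp and 53/tcp from the resolvers to the upstream, and drop port 53 from everything else.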

12. Your customer’s PoS on the front line

Humble point-of-sale terminals such as cash registers, mobile payment-collection systems, automated teller machines and card readers at fuel pumps are vulnerable to skimming because they are often unattended.

Organisations are subject to payment-card-industry requirements to monitor and guard these systems, requirements they often underestimate or neglect to their own detriment and that of their customers. That is especially true if, as a reseller, you are providing PoS as a managed service to your customer.

Organisations should make tamper checks a part of each shift change, and quarantine suspected terminals for forensic investigation. Casual internet use by employees using these devices should be discouraged and they should not be connected to the net unless necessary. Organised crime is targeting payment card information from such systems and “can launch a sting against hundreds of victims during the same operation”, Verizon says.

Resellers and their customers should change the default credentials and administrative passwords on PoS systems (and on other internet-facing devices). A firewall or access-control list should also be applied to limit outside access. As a reseller, make sure the PoS deployment is PCI DSS compliant.

Copyright © nextmedia Pty Ltd. All rights reserved.