Ryan Kazanciyan, principal consultant for Mandiant, a vendor that responds to about 35 advanced attacks a month at the world’s largest organisations, says most begin with a phishing email aimed at a particular user.
Although businesses invest in user education so that workers don’t click on a legitimate-looking attachment or link, it takes just one duped user to infect the network, he says.
Where organisations can flip the equation back in their favour is by making the attackers have to work much harder once they establish their initial foothold. “Success is as much of a game of rapid detection and response and containment vs. 100 percent, bulletproof security because that’s just not realistic,” Kazanciyan says.
“The key is to make it as expensive as possible to maintain a presence in your environment and steal data. It’s absolutely an economics thing.”
Organisations must learn from each compromise, he says. To do that, they should search for indicators of infection through network analysis and host-based forensics. When investigating a breach, organisations must “fully scope the compromise”, reviewing which systems and accounts were accessed, which tools and network addresses were used, and what data was stolen.
Kazanciyan also advises victims not to tip off attackers that they are on to them, or risk the adversary changing tactics to again avoid detection. “The idea is if you are proactively looking for indicators of compromise, maybe you detect that successful attack within days or weeks rather than months or years,” he says.
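The scoping exercise described above, sweeping logs for indicators of compromise and then working outward to the hosts, accounts and addresses they implicate, is illustrated by the following Python script. It is an added example, not code from Mandiant or from the article; the proxy and authentication log lines, host names, account names and the seed callback address are all constructed for illustration, and the two-host rarity threshold is an assumption chosen to keep the pivot from sweeping in ordinary web destinations.

```python
"""Scoping a compromise from one seed indicator over constructed logs.

Starting from a single network indicator (the callback address of a phishing
payload), pivot through proxy and authentication logs until the set of
implicated hosts, accounts and external addresses stops growing. Every log
line, host, account and address below is invented for this example.
"""
from collections import defaultdict

# Constructed proxy log: timestamp, source host, destination IP, URL
PROXY_LOG = r"""
2013-05-02T09:14:03Z ws-fin-17 203.0.113.10 http://203.0.113.10/u/update.php
2013-05-02T09:15:41Z ws-fin-17 198.51.100.7 http://198.51.100.7/img/a.gif
2013-05-02T09:16:00Z ws-fin-17 192.0.2.44 http://192.0.2.44/news
2013-05-02T09:20:12Z ws-hr-03 192.0.2.44 http://192.0.2.44/news
2013-05-02T11:02:55Z srv-files-01 198.51.100.7 http://198.51.100.7/img/b.gif
2013-05-02T11:40:09Z ws-mkt-08 192.0.2.44 http://192.0.2.44/news
2013-05-02T12:10:30Z ws-eng-22 192.0.2.44 http://192.0.2.44/news
""".strip().splitlines()

# Constructed authentication log: timestamp, account, target host, result
AUTH_LOG = r"""
2013-05-02T09:30:00Z CORP\jdoe ws-fin-17 success
2013-05-02T10:45:10Z CORP\svc_backup srv-files-01 success
2013-05-02T10:47:22Z CORP\svc_backup ws-fin-17 success
2013-05-02T10:50:00Z CORP\svc_backup ws-fin-17 failure
2013-05-02T12:00:00Z CORP\asmith ws-hr-03 success
""".strip().splitlines()

# Constructed seed indicator: the address the phishing payload called back to
IOC_SEED = {"203.0.113.10"}


def parse_proxy(lines):
    """Yield (source host, destination IP); skip lines that are too short."""
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        yield parts[1], parts[2]


def parse_auth(lines):
    """Yield (account, host) for successful logons only."""
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[3] != "success":
            continue
        yield parts[1], parts[2]


def rare_destinations(proxy, max_hosts):
    """Destinations contacted by at most max_hosts distinct hosts.

    Pivoting from an implicated host to *every* address it reached would drag
    in normal browsing; restricting to rarely contacted addresses is a crude
    but common first filter (the threshold is an assumption of this example).
    """
    hosts_per_ip = defaultdict(set)
    for host, ip in proxy:
        hosts_per_ip[ip].add(host)
    return {ip for ip, hosts in hosts_per_ip.items() if len(hosts) <= max_hosts}


def scope_compromise(proxy_lines, auth_lines, seed_ips, max_hosts=2):
    """Expand seed indicators to implicated hosts, accounts and addresses.

    Repeats four pivots until nothing new appears:
      bad address -> hosts that contacted it
      host        -> accounts that logged on to it
      account     -> other hosts that account logged on to (lateral movement)
      host        -> rare external addresses it reached
    """
    proxy = list(parse_proxy(proxy_lines))
    auth = list(parse_auth(auth_lines))
    rare = rare_destinations(proxy, max_hosts)
    ips, hosts, accounts = set(seed_ips), set(), set()
    while True:
        before = (len(ips), len(hosts), len(accounts))
        hosts |= {h for h, ip in proxy if ip in ips}
        accounts |= {a for a, h in auth if h in hosts}
        hosts |= {h for a, h in auth if a in accounts}
        ips |= {ip for h, ip in proxy if h in hosts and ip in rare}
        if (len(ips), len(hosts), len(accounts)) == before:
            return {"ips": ips, "hosts": hosts, "accounts": accounts}


if __name__ == "__main__":
    for kind, items in scope_compromise(PROXY_LOG, AUTH_LOG, IOC_SEED).items():
        print(f"{kind}: {', '.join(sorted(items))}")
```

On the constructed data the seed address implicates only ws-fin-17, but the svc_backup account that logged on there also logged on to srv-files-01, so that server and the second address both hosts contacted (198.51.100.7) join the scope, while the widely visited 192.0.2.44 and the hosts that only reached it stay out. The account pivot is the one to watch in practice: a widely used service or administrative account will pull in most of the estate, so an analyst would constrain it by time window and review each hop rather than trusting the closure blindly.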
Rothman of Securosis says that “until you know where the issue is, you’ve got no shot”.
He recommends full-packet capture, egress filtering, data-flow tracking, access restrictions to compromised devices, and network segmentation as helpful detection and remediation tools.
“I would make the assumption that the attackers are there,” Rothman says. “I want to acknowledge that they’re there and put them in a box as well as I can, and I want to monitor everything they’re doing.”
The future of cybercrime fighting
Salvatore Stolfo, professor of computer science at Columbia University in New York, believes the IT industry is a long way from becoming dependable. He pins this on the fact that system creators are unable to measure their resiliency.