
Disasters, Damage and Discovery: Detecting Breaches Before It’s Too Late

When it comes to security, we all know that prevention is key. But when you consider that even titans like Apple, Twitter and Facebook have allegedly suffered breaches and attacks, it’s obvious that detection and response plans are critical elements in any organization’s infrastructure. As the saying goes, “hope is not a strategy.” Today’s businesses must develop an intelligent plan in advance to detect and handle breaches if they want to prevent widespread data loss and a damaged brand reputation.

It’s true; some breaches are more obvious than others. Yet most organizations won't know they're breached until it's too late; as incredible as it sounds, Verizon’s 2013 Data Breach Investigations Report says that in 2012 more than 65 percent of breaches remained undiscovered for months. Unfortunately, we know that a good number go undetected far longer; in July of this year, we learned that the largest hacking and data breach ring in U.S. history went undiscovered for about seven years. Businesses can be so oblivious to their own breaches, in fact, that many intrusions are discovered first by external parties. ISPs and threat-monitoring intelligence groups often will notice communication involving malicious IPs and domains with bad reputations, while end users -- employees and customers -- might encounter odd system performance or strange activity.

This is far from ideal for the afflicted organization, which no doubt would prefer to discover and resolve the breach internally. Even in cases where an organization does detect its own breach, the hacker has usually had time to explore the network, locate and penetrate relevant systems and collect data. Time is of the essence when it comes to compromised data, which is just another reason that discovery and recovery are so paramount.


So why is it so tough to detect a breach promptly? One reason is that attackers are versatile, using multiple forms and methods to invade systems and cover their tracks with minimal noise. The Verizon report shows that among the breaches it profiled, 52 percent used some form of hacking, 76 percent of network intrusions involved stolen credentials, 40 percent used malware, 35 percent involved physical attacks and 29 percent leveraged social tactics, while 13 percent resulted from misused privileges. The types of threats can also differ widely from one organization to another. As a result, monitoring for suspicious activity can be like searching for a needle in a stack of needles.

That said, businesses can and should adopt best practices to prepare and protect themselves. By instituting alerting mechanisms that indicate an incident has occurred, companies can position themselves to discover and contain breaches before the damage is irreparable.

Stopping Breaches in Their Tracks

Bolster your security. Conduct comprehensive risk assessments that look at your architecture’s weaknesses, possible threats and their potential impact, prioritize, and then take remedial measures. Proactive monitoring, scanning and remediation, along with establishing your architecture on a security-focused foundation, all contribute to a more robust security posture. Tools that automatically implement security countermeasures to prevent further attacks while engineers investigate manually and confirm or clear the alert can prevent data loss when integrated into an organization's overall security plan.

Reduce your attack appeal. Most threats are opportunistic and exploit low-hanging fruit. By minimizing your attack surface, using layered security and locking down high-potential attack vectors, you eliminate points of entry and reduce investigation time: there are inherently fewer environmental variables to worry about. Using macro-level data and correlation to spot trends and mitigate them accordingly is critical to making your attack surface smaller – we’ll talk more about that below. Another tip: through careful IP reputation management and blocking, you can essentially hide yourself from malicious traffic and, over time, become less visible to would-be attackers.

Pay attention to anomalous activities. Set up notifications for anomalies such as abnormal web application requests, brute force attempts and increased traffic for certain ports and protocols – and assign someone to respond, investigate and determine whether the event is simply a fluke or something more serious. Taking Computer Security Incident Response Team (CSIRT) action on every anomaly just isn’t practical; engineers who possess the right investigative tools and the knowledge to efficiently investigate events will be far more effective at mitigating data loss. A direct and efficient investigation and documentation plan is vital to prevent inconsistencies and expedite breach detection.

Turn your data into your watchdog. Collect and study forensic data, archive it in a way that maintains its integrity, and then correlate it. Let your data tell you a story that over time will help you determine whether you’ve been breached or are under attack, rather than just guessing. Using this macro-level information, plus the risk assessment we discussed above to highlight your biggest vulnerabilities, helps you reduce your attack surface and identify breaches more quickly. Keep in mind that for this to be effective, you must collect data consistently using a documented standard; if you wait until suspicious activity occurs to begin collecting evidence, it won’t be sufficient to provide the complete and contextual picture you need. Also take advantage of third-party security data. Whether it’s known bad IPs, malicious domains, advanced persistent threats or the like, your organization can use these as building blocks for an integrated security model.
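To make the last two points concrete, here is a small added example (not code from the original column or from Armor) that runs the kind of anomaly check and third-party correlation described above over log lines: it flags a source that fails login five or more times within a minute, and separately flags any source that appears on a reputation feed. The log lines, the field layout, the threshold and the bad-IP list are all constructed for the illustration; a real deployment would read the organization's own consistently collected logs and a live feed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (web-server style, ISO timestamp, client IP,
# method, path, HTTP status). Not real traffic.
SAMPLE_LOG = """\
2013-10-02T09:00:01 203.0.113.7 POST /login status=401
2013-10-02T09:00:02 203.0.113.7 POST /login status=401
2013-10-02T09:00:03 203.0.113.7 POST /login status=401
2013-10-02T09:00:04 203.0.113.7 POST /login status=401
2013-10-02T09:00:05 203.0.113.7 POST /login status=401
2013-10-02T09:00:06 203.0.113.7 POST /login status=200
2013-10-02T09:05:00 198.51.100.4 POST /login status=401
2013-10-02T09:30:00 198.51.100.4 POST /login status=200
2013-10-02T09:31:00 192.0.2.9 GET /index.html status=200
"""

# Constructed stand-in for a third-party "known bad IP" feed.
KNOWN_BAD_IPS = {"192.0.2.9"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) status=(\d{3})$")

def parse(log_text):
    """Parse log lines into (timestamp, ip, method, path, status) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a malformed line is skipped, not allowed to abort the run
        ts, ip, method, path, status = m.groups()
        events.append((datetime.fromisoformat(ts), ip, method, path, int(status)))
    return events

def brute_force_sources(events, threshold=5, window=timedelta(minutes=1)):
    """IPs with at least `threshold` failed logins inside any sliding `window`."""
    failures = defaultdict(list)
    for ts, ip, _method, path, status in events:
        if path == "/login" and status == 401:
            failures[ip].append(ts)
    flagged = set()
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1          # slide the window forward
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged

def reputation_hits(events, bad_ips=KNOWN_BAD_IPS):
    """Any source IP that also appears on the reputation feed."""
    return {ev[1] for ev in events if ev[1] in bad_ips}

def alerts(log_text=SAMPLE_LOG):
    events = parse(log_text)
    return {"brute_force": brute_force_sources(events),
            "bad_reputation": reputation_hits(events)}
```

Note that 198.51.100.4 fails once and then succeeds, which is ordinary user behaviour and is correctly not flagged; the value of the documented, consistent collection the text calls for is that the window and the feed lookup have complete data to work from.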

Remember that many breaches and compromises are engineered to work in stealth mode, operating in a way that doesn’t alert system administrators. For this reason alone, a multi-layered detection and recovery plan is a must to protect your organization, making the difference between a catastrophic breach that devastates your business and a breach that’s quickly contained and terminated.

Chris Hinkley is a Senior Security Engineer at Armor where he maintains and configures network security devices, and develops policies and procedures to secure customer servers and websites. Hinkley has been with Armor (previously FireHost) since the company’s inception. In his various roles within the organization, he’s serviced hundreds of customer servers, including Windows and Linux, and overseen the security of hosting environments to meet PCI, HIPAA and other compliance guidelines.