Last month I delivered a talk at the CyberSecurePakistan’15 conference and made an attempt to shed light on a black spot in our corporate network security monitoring (NSM) practices.
Companies are playing Whack-a-Mole with security incidents.
In the face of increasingly sophisticated and targeted attacks, network security monitoring (NSM) practice is becoming less concerned with intrusion analysis and more about playing Whack-a-Mole.
The following statistics, derived from real-world security incident response operations, give a clear picture of the problem.
Verizon DBIR 2015
The above graph, from the Verizon Data Breach Investigations Report (DBIR), maps the share of compromise and discovery events that took days or less. Around 80% of intrusions took days or less to compromise a network, but only about 20% were discovered in days or less.
In 60% of cases, attackers are able to compromise an organization within MINUTES – Verizon DBIR 2015
What is the norm for the other 80% of discoveries, the ones that did not happen in days or less?
According to Mandiant’s incident response experience with Fortune 100 companies, it takes roughly seven months just to discover a breach. The longest intrusion discovery time was eight years (2,982 days).
Question to ask!
Where the heck are we disposing of the forensic artifacts of these intrusions?
The only reason we fail to detect an intrusion for months is that either we are not acquiring enough artifacts or we are not processing them the right way.
In computer systems data is either at rest or in motion, and so are our artifacts. Activity on a network can be observed either on the wire or on the hosts. Our network devices and operating systems generate tons of forensic artifacts: flows, packet captures, events and logs. Many more, such as host-based OS artifacts, can be pulled on demand.
The problem lies in how we acquire and process that artifact dataset. Attackers who drift across the network for months certainly leave footprints, so why don’t we see them?
How Our NSM Works
There are two basic entities in our NSM operations: the security box (a signature- or analytics-driven appliance) and the security personnel who operate it.
We feed our entire dataset into the fancy security box and then sit our security personnel in front of its dashboard.
This practice leads to the following issues:
Hindered visibility: the box, whether it is powered by dumb signatures or by “artificially intelligent” algorithms, is designed to shortlist a small chunk of “interesting” artifacts and save you from being overwhelmed by the volume of the dataset. What does it do with the “uninteresting” part of your dataset? It either discards it or parks it in an archive to expire under the retention policy.
Inadequate security personnel: now that you have a fancy box, what is left is to put it to work, so you need an “engineer/administrator” for the box. That box-certified guy boasts expertise like:
- Installing the box
- Keeping the box updated
- Taking backups of the box
- Understanding the dashboard
- Generating reports
No wonder that, most of the time, it is someone from outside who knocks on our door to tell us there is a fire in our own house.
What are we really doing here? The forensic artifacts of those advanced intrusions are either being discarded by the box or kept in an archive for the inadequately skilled analyst to discard later, when the storage quota or retention policy triggers.
What do we actually need?
Upgrade the box administrator: first, upgrade the box administrator into a security ninja. Learning how a vendor’s equipment works is not a big deal. We need to focus more on learning cutting-edge intrusion analysis techniques that build on skills like deep packet inspection, vulnerability assessment (not just running Nessus), exploit analysis and threat modeling. We can get there by posting fewer job ads for box administrators and hiring more intrusion analysts into our NSM operations.
Process the missing artifacts: now that we have ninjas on the team, equipped with cutting-edge intrusion analysis techniques, let them hunt for the lost artifacts and give them maximum visibility into the network. Don’t throw out the boxes, but treat them as automated systems for detecting known threats, not as a silver bullet for hunting advanced threats.
A better model would be
Next-Gen Incident Response — Hunting: intrusion detection and prevention techniques have been defeated repeatedly, and attackers will keep bypassing our traps. The same goes for forensics, where anti-forensics is followed by anti-anti-forensics and then anti-anti-anti-forensics, and it never ends. Incident response cannot be a purely reactive activity.
To bring breach discovery down from seven months, the security team should not wait for events to pop up. Security personnel should run a continuous hunt operation to make sure nothing is lurking under their noses, and if something is, they should be able to discover it within days, or ideally as soon as possible, before terabytes of intellectual property are lost and the company earns a free headline on the front page.
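As an added example (not part of the original post, and not code from any vendor box), here is what a hunt over the “uninteresting” artifacts looks like in practice: a small Python script that reads retained flow records and flags outbound channels whose check-in intervals are suspiciously regular. No single flow in the set is malicious, so a signature box never alerts on it; the signal only exists if the flows were kept for days instead of expiring under the retention policy. The flow field layout, the addresses and the thresholds are assumptions, and the sample records are constructed.

```python
"""Hunt for beaconing in retained flow records (added example, not the post's code)."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Assumed record layout, modelled on what a flow exporter gives you:
# (timestamp, src_ip, dst_ip, dst_port, bytes_out)


def make_sample_flows():
    """Constructed sample data, not a real capture.

    10.0.0.5 -> 203.0.113.7:443 checks in roughly every 30 minutes for
    three days with small payloads (a beacon).  10.0.0.9 -> 198.51.100.20:443
    is irregular, human-looking browsing over the same period.
    """
    flows = []
    t0 = datetime(2015, 6, 1, 8, 0, 0)
    # Beacon: 1800 s period with deterministic +/-30 s jitter on each check-in.
    t = t0
    for i in range(144):            # 3 days * 48 check-ins
        jitter = (i * 7) % 61 - 30  # -30..30 seconds
        flows.append((t + timedelta(seconds=jitter), "10.0.0.5",
                      "203.0.113.7", 443, 512 + (i % 5) * 16))
        t += timedelta(seconds=1800)
    # Human browsing: bursty gaps between a few seconds and an hour.
    gaps = [5, 12, 40, 900, 7, 3600, 25, 1500, 60, 2800, 9, 450]
    t = t0
    for i in range(144):
        t += timedelta(seconds=gaps[i % len(gaps)])
        flows.append((t, "10.0.0.9", "198.51.100.20", 443, 4096 + i * 100))
    return flows


def find_beacons(flows, min_count=20, max_cv=0.15):
    """Group flows by (src, dst, port) and flag channels with regular timing.

    cv = stdev / mean of the inter-arrival intervals.  A human or a page
    load produces a large cv; a scheduled check-in produces a small one.
    Thresholds are assumptions to be tuned per network.
    Returns {channel: summary} for flagged channels only.
    """
    by_channel = defaultdict(list)
    for ts, src, dst, port, nbytes in flows:
        by_channel[(src, dst, port)].append((ts, nbytes))

    hits = {}
    for chan, events in by_channel.items():
        if len(events) < min_count:
            continue
        events.sort()
        times = [ts for ts, _ in events]
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(intervals)
        if avg == 0:
            continue
        cv = pstdev(intervals) / avg
        if cv <= max_cv:
            hits[chan] = {
                "count": len(events),
                "mean_interval_s": round(avg, 1),
                "cv": round(cv, 3),
                "first_seen": times[0],
                "last_seen": times[-1],
                # Dwell time visible in the data: the number the DBIR and
                # Mandiant figures above are really about.
                "dwell_days": round((times[-1] - times[0]).total_seconds() / 86400, 2),
                "bytes_out": sum(n for _, n in events),
            }
    return hits


if __name__ == "__main__":
    for (src, dst, port), s in find_beacons(make_sample_flows()).items():
        print(f"{src} -> {dst}:{port}  n={s['count']}  every ~{s['mean_interval_s']}s  "
              f"cv={s['cv']}  dwell={s['dwell_days']}d  bytes_out={s['bytes_out']}")
```

The point of the example is not the beacon heuristic itself but where the data comes from: the beaconing channel is invisible in any one day’s alerts and only appears when three days of plain, “uninteresting” flow records are retained and re-processed by an analyst who knows what to look for.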
Finally, some food for thought from the Verizon DBIR 2015 report:
70-90% of Malware samples are unique to an organization.
95% of Malware types showed up for less than a month, and four out of five didn’t last beyond a week.