SecurityWeek

Identity & Access

A False Sense of Security: Who is Using Your Accounts?

With most cyber-attacks, the damage is done long before any corrective actions can be taken.

Managing identities and their access is an essential part of any security program. Yet even when identity and access are well managed and user activity is within policy, do the credentials and the behavior make business sense? If you can’t interpret user activity in the context of identity and of what is normal behavior for that identity, your organization may be living with a false sense of security, leaving attackers a significant window of opportunity.

Hard-to-notice threats

Security was once focused on “walling off” sensitive data, but today’s threats follow a less linear path.

In 2009, a Gmail account belonging to a Twitter employee was compromised. Usually this wouldn’t be a corporate problem, but that personal breach was used to get into the employee’s Google Apps account and, from there, other employees’ accounts. Before criticizing too harshly, remember that sharing files through personal cloud apps is common practice.

Twitter was using Google Apps to share sensitive corporate documents and information, so accessing those documents was not out of policy for the compromised accounts. What Twitter lacked was the ability to detect abnormal activity, and the hacker gathered information for three months. It might have gone on longer had he not revealed his own activities as a way of highlighting poor security practices.

These long-duration harvesting attacks using hijacked credentials have become increasingly common. In January of 2013, the New York Times reported that hackers had infiltrated its networks in an attempt to discover the sources of an unflattering story about relatives of China’s then Prime Minister. The initial attack is believed to have been launched through a targeted spear-phishing campaign, which allowed the attackers to plant remote access tools (RATs) to facilitate further access. The New York Times detected the attacks and allowed them to run for four months in order to study the attackers’ methods as part of a story it was preparing.

Further examples aren’t difficult to find. Even the highly publicized Target attack from last year started with a malware-laced phishing email sent to employees at an HVAC firm that contracted for the nationwide retailer, three months before the breach was discovered.


Casino-style security?

These threats thrive where credentials can be compromised by social engineering.

As we consider how best to respond, perhaps we should seek our inspiration by looking to the masters of mixing security and social access – Las Vegas.

The ceiling of every casino is studded with hundreds of electronic sentinels – cameras that watch everyone – guests and employees alike. And of course, there are employees paid to watch the employees, who themselves watch the guests. If you’ve ever wanted an example of layered security designed to defeat an insider threat, take a stroll across a gaming floor.

But despite all the security, Las Vegas is hardly a place that springs to mind when we think “security.” It’s possible to have a wild time in a casino and remain blissfully unaware of the cocoon of monitoring around you because, in the end, the job of the security team is precisely to make sure that you have fun – that you get what you came for – within certain parameters. However, step outside those parameters, and your fun will quickly come to a crashing stop.

The approach they take is simple – provide guard rails, set expectations, monitor for anomalous behavior and respond quickly. Guests aren’t constantly aware of security saying no – far from it – yet at the same time casinos are extremely safe places (assuming you don’t mind losing your shirt at the blackjack tables). Security is present, effective, and for the most part transparent – a model that many enterprise security teams (and users) would welcome.

Andy Garcia in Ocean's Eleven, Warner Bros. 2001, courtesy of www.lebanontimes.com

Automation is critical

Rapid responsive action is easier said than done. Critical breaches can happen so fast that you can’t rely on human intervention to respond in a timely manner. Automation is critical to making real-time threat response possible.

Ideally, a set of policies can be established so that a system can constantly monitor behavior and immediately identify and alert on abnormal activity. For example, if an employee who normally works from an office begins downloading a database or other sensitive files at 2 am from a university in a nearby city, that activity should be flagged as abnormal and escalated to a security operations team.

But how are policies created? Security teams can’t be expected to anticipate every threatening scenario and write a rule for each one. For automation to be feasible, and worth the investment, it must go further and learn what normal looks like for each identity, so that deviations stand out without a hand-written rule for every case. This is where research and development must make progress.
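The two paragraphs above describe the idea in prose: instead of a rule per scenario, learn each identity’s normal hours, source networks and data-transfer volume from history, then flag events that depart from that profile. The following is an added illustration written for this page, not code from the column or from any product it alludes to. The log format, the corporate address range, the thresholds (a one-hour tolerance around hours previously seen, five times the peak daily download volume, escalation at two or more deviations) and every event in it are constructed assumptions; a real deployment would use richer features (device, ASN, peer group, access pattern) and tune the thresholds against its own data.

```python
"""Per-identity behavioral baseline and anomaly scoring (added example).

Learns, for each user, the hours of day and network classes in which that
user has been seen, plus the peak daily volume of sensitive downloads, then
scores new events against that profile. All data and thresholds are
constructed for illustration; none come from the original article.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress

# Assumed corporate address space (hypothetical range); anything else is "external".
CORP_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed training history in an assumed format:
# (ISO timestamp, user, source IP, action, bytes transferred).
HISTORY = [
    ("2014-03-03T08:55:00", "jdoe", "10.20.1.15", "login", 0),
    ("2014-03-03T10:20:00", "jdoe", "10.20.1.15", "download_sensitive", 4_000_000),
    ("2014-03-04T09:05:00", "jdoe", "10.20.1.15", "login", 0),
    ("2014-03-04T16:40:00", "jdoe", "10.20.1.15", "download_sensitive", 6_500_000),
    ("2014-03-05T09:10:00", "jdoe", "10.20.1.22", "login", 0),
    ("2014-03-05T14:30:00", "jdoe", "10.20.1.22", "download_sensitive", 5_200_000),
    # An on-call engineer who routinely logs in at night from outside (constructed).
    ("2014-03-03T21:30:00", "oncall", "203.0.113.9", "login", 0),
    ("2014-03-04T02:10:00", "oncall", "203.0.113.9", "login", 0),
]

# Constructed new events to score: the column's 2 am scenario, a normal
# daytime login, and the on-call user's habitual night-time login.
NEW_EVENTS = [
    ("2014-03-10T02:05:00", "jdoe", "198.51.100.7", "download_sensitive", 120_000_000),
    ("2014-03-10T09:30:00", "jdoe", "10.20.1.15", "login", 0),
    ("2014-03-10T02:00:00", "oncall", "203.0.113.9", "login", 0),
]


def net_label(ip):
    """Classify a source address as 'corp' or 'external' (assumed scheme)."""
    addr = ipaddress.ip_address(ip)
    return "corp" if any(addr in net for net in CORP_NETS) else "external"


def build_baseline(events):
    """Per-user profile: hours seen, network classes seen, peak daily sensitive bytes."""
    raw = defaultdict(lambda: {"hours": set(), "nets": set(), "daily": defaultdict(int)})
    for ts, user, ip, action, nbytes in events:
        t = datetime.fromisoformat(ts)
        prof = raw[user]
        prof["hours"].add(t.hour)
        prof["nets"].add(net_label(ip))
        if action == "download_sensitive":
            prof["daily"][t.date()] += nbytes
    return {
        user: {"hours": p["hours"], "nets": p["nets"],
               "peak_bytes": max(p["daily"].values(), default=0)}
        for user, p in raw.items()
    }


def score_event(baseline, event, tolerance_hours=1, volume_factor=5):
    """Return the list of ways one event departs from its user's baseline."""
    ts, user, ip, action, nbytes = event
    prof = baseline.get(user)
    if prof is None:
        return ["no baseline for user"]
    t = datetime.fromisoformat(ts)
    reasons = []
    # Hour of day, with wrap-around at midnight and a small tolerance window.
    def hour_dist(a, b):
        d = abs(a - b)
        return min(d, 24 - d)
    if not any(hour_dist(t.hour, h) <= tolerance_hours for h in prof["hours"]):
        reasons.append(f"hour {t.hour:02d} outside usual hours")
    label = net_label(ip)
    if label not in prof["nets"]:
        reasons.append(f"{label} source never seen for this user")
    if action == "download_sensitive" and nbytes > volume_factor * prof["peak_bytes"]:
        reasons.append(f"{nbytes} bytes exceeds {volume_factor}x peak daily volume")
    return reasons


def detect(history, new_events, escalate_at=2):
    """Build the baseline from history and return events worth escalating."""
    baseline = build_baseline(history)
    findings = []
    for ev in new_events:
        reasons = score_event(baseline, ev)
        if len(reasons) >= escalate_at:
            findings.append((ev, reasons))
    return findings


if __name__ == "__main__":
    for ev, reasons in detect(HISTORY, NEW_EVENTS):
        print(ev[1], ev[0], "->", "; ".join(reasons))
```

Run against the constructed data, only the first new event is escalated: jdoe’s 2 am transfer from an external address trips all three checks, while the identical-looking 2 am external login by the on-call user trips none, because night-time external access is that identity’s normal. That contrast is the point of baselining by identity rather than writing one global “no logins at 2 am” rule.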

In an ideal world, your security system should identify unusual actions and shut them down automatically, in real time. Then, regardless of who is using your accounts – insiders, or someone who has hijacked their credentials – your sense of security doesn’t have to be false.

Automated identification of anomalous behavior holds significant promise for reducing the time that compromised accounts can be used to harvest your sensitive information.
