Defenders have to step up and employ advanced response techniques to stop attackers from taking over their IT environments, according to a Trend Micro executive.
While organizations are concerned about Advanced Persistent Threats, the bigger worry is what the attacker is doing once inside the network, Tom Kellermann, vice-president of cyber-security at Trend Micro, wrote in a whitepaper released Aug. 14. Once inside, the adversary can do more than receive and execute instructions from a remote command-and-control center. That intruder is spreading through the network, stealing data, and taking careful steps to remain hidden, Kellermann explained.
The attackers are employing a number of steps to remain hidden, such as patching the actual vulnerability that was exploited in the first place to prevent anyone else from coming in and reducing the frequency of contacts back to the C&C server, Kellermann said. Organizations would need to rapidly detect when there are intruders and act to remove the threat.
"This is a new and sophisticated threat which requires an advanced persistent response," Kellermann said.
Detecting the intruder doesn't mean immediately taking action, though. The IT department has to monitor the environment to identify all malicious parties, know what path they took within the environment, and understand exactly what the damage is. It requires patience, but it is critical to ensure the organization has the complete picture of what the current situation is, Kellermann said.
Organizations need to shift some of their defensive energies towards diagnosis, Joe Gottlieb, president and CEO of Sensage, told SecurityWeek. In many cases, the evidence of the breach and the steps the attackers took are all in the logs the organization collected, but no one was paying attention, Gottlieb said. If there is no concerted effort to understand the information being collected and there is no situational awareness, then the organization is crippled in its response.
Logs are often used reactively, once the incident has happened, but they can also be used to see attacks as they develop, Gottlieb explained.
"This is not a time to go in all guns blazing," Kellermann wrote.
Instead, the defenders need to be able to correlate what is happening to other organizations with what is happening inside the network, Kellermann said. Finding commonalities such as IP addresses, users, domains, and networks gives the defenders the information necessary to act.
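The two ideas above, using logs proactively rather than only after an incident (Gottlieb) and correlating indicators seen elsewhere with what the local logs show (Kellermann), come together in a small script like the following. It is an added illustration, not code from Trend Micro, Sensage, or SecurityWeek: the proxy log lines, the shared indicator lists, the hosts and the users are all constructed, and the `correlate` and `find_beacons` functions are hypothetical names chosen here. The second function also picks up the reduced-frequency C&C contact mentioned earlier in the article by flagging destination pairs that are contacted at suspiciously regular intervals.

```python
"""Correlate shared threat indicators against local proxy logs and flag
low-frequency, regularly spaced beaconing.  Added example; all data is
constructed and the function names are this example's own."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "timestamp src_ip user dest_host dest_ip".
# 10.1.4.22 talks to the same external address once an hour, which is
# exactly the kind of quiet, periodic contact a dialed-down implant makes.
SAMPLE_LOG = """\
2012-08-14T09:00:02 10.1.4.22 jsmith update.example-cdn.test 203.0.113.10
2012-08-14T09:03:17 10.1.4.22 jsmith mail.corp.test 10.1.0.5
2012-08-14T10:00:05 10.1.4.22 jsmith update.example-cdn.test 203.0.113.10
2012-08-14T10:30:44 10.1.7.90 mlee intranet.corp.test 10.1.0.8
2012-08-14T11:00:01 10.1.4.22 jsmith update.example-cdn.test 203.0.113.10
2012-08-14T11:15:09 10.1.7.90 mlee 198.51.100.7 198.51.100.7
2012-08-14T12:00:03 10.1.4.22 jsmith update.example-cdn.test 203.0.113.10
"""

# Constructed indicators, in the shape a peer organization might share them:
# the commonalities the article names (IP addresses, users, domains).
SHARED_INDICATORS = {
    "ips": {"203.0.113.10", "198.51.100.7"},
    "domains": {"update.example-cdn.test"},
    "users": {"svc-backup"},
}


def parse_log(text):
    """Turn the whitespace-separated log text into a list of dict records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, host, dst = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "src": src,
                        "user": user, "host": host, "dst": dst})
    return records


def correlate(records, indicators):
    """Map each internal source host to the (reason, record) pairs that hit
    a shared indicator, so the analyst sees which hosts need a closer look."""
    hits = defaultdict(list)
    for r in records:
        reasons = []
        if r["dst"] in indicators["ips"]:
            reasons.append("ip:" + r["dst"])
        if r["host"] in indicators["domains"]:
            reasons.append("domain:" + r["host"])
        if r["user"] in indicators["users"]:
            reasons.append("user:" + r["user"])
        for reason in reasons:
            hits[r["src"]].append((reason, r))
    return dict(hits)


def find_beacons(records, min_events=4, max_jitter=0.1):
    """Return {(src, dst): interval_seconds} for pairs contacted at least
    min_events times with gaps whose relative spread is within max_jitter.
    Regular, infrequent contact is what a throttled C&C check-in looks like."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["dst"])].append(r["ts"])
    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[pair] = round(avg)
    return beacons


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for host, matches in correlate(recs, SHARED_INDICATORS).items():
        print(host, sorted({reason for reason, _ in matches}))
    for (src, dst), interval in find_beacons(recs).items():
        print(f"beacon {src} -> {dst} every ~{interval}s")
```

Run as a script it prints the two internal hosts that touched shared indicators and the hourly beacon from 10.1.4.22; the point is that both findings come from logs the organization already had, and the second one is invisible to a tool that only counts known infections.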
"Firms need to increase the level of discomfort to the point where the adversary flees in search of easier prey," Kellermann wrote.
Defenders are often focusing on known infections and not looking at what is in the network, Andrew Brandt, director of threat research at Solera Networks, told SecurityWeek. Instead, they need to be looking for "tendrils of connections" to other servers and applications to track down what attackers are doing within the network, Brandt said.
Trend Micro research has found that over 90 percent of enterprise networks contain active, malicious malware with one new threat created every second, Kellermann said. Just focusing on the malware is no longer enough, and traditional defenses have been "rendered obsolete," he concluded.