How Enterprises Can Better Combat Advanced Cyber Attacks

Posted on December 27, 2017 by Sean Cunningham

Numerous relatively recent cyber attacks have successfully breached organizations that should be the cyber world’s equivalent of Fort Knox – exceedingly hard to penetrate. Yet as the infiltration of systems at the likes of the Security and Exchange Commission, National Security Agency and credit bureau giant Equifax underscore, no entity is immune from hackers.

Why is this so, even as cyber defenses at so many places continue to improve? The answer is that software security is a complex, chronically evolving challenge. It cannot be addressed solely by cutting-edge technology or by hiring more cyber pros. Cybersecurity is a continuing journey, and like any journey one replete with ups and downs. Indefinite fixes – let alone quick fixes – do not exist and never will.

Organizations must fight the ongoing prospect of cyber attacks like an army would fight a major war, learning from mistakes, experimenting with fresh tactics, and embracing an ongoing commitment to intelligence gathering. Losing battles along the way is highly distasteful, but a necessary price to pay to ultimately come out on top.

The Good News

There is good news, however. The cyber defense arsenal is evolving and getting better, and additional advances are in the works. A security researcher named Jacob Torrey, for example, has cooked up the Hardened Anti-Reverse Engineering System (HARES), which encrypts software code in a way in which it is decrypted by the computer’s processor just before the code is executed. Sometimes it gets bogged down with technical issues but, in fact, it can prevent reverse engineering tools from reading the decrypted code as it is being run.

Savvy companies are also finding ways to deal with tricky exploit kits, which don’t have to depend on unsuspecting users to download their malware but rather lure them to an infected website, where the exploit kit takes over. As it turns out, these can be largely neutralized with a strong and continually updated software patch management program – effective because exploit kits typically run outdated and vulnerable software.

Down the road, the application of AI – particularly machine learning – is highly promising. Some dismiss it as a silver bullet, but more experts believe it will be highly useful in detecting advanced breaches amid increasingly complex IT environments -- especially if AI and human experts join forces, rather than compete with each other.

Another key way to restack the deck in favor of organizational victims of cyber breaches is for them to embrace an offensive, as well as defensive stance against threat actors. Among the interesting players in this space is Attivo Networks, a leader in deception solutions for cybersecurity defense. Attivo develops traps and lures – called “honey nets” – to attract an attacker, which can be a human or a bot or an advanced persistent threat. Then it locks up the perpetrator in quarantine within the system and records actions and details for forensic analysis.

Don’t Discount the Importance of Good Security Hygiene

As impressive as new, more sophisticated cybersecurity offensive measures are, it is noteworthy that even some of the biggest and most pernicious cyber attacks could have been stopped in their tracks simply with better security hygiene. A case in point was this summer’s Equifax breach, which exposed sensitive data on more than 145 million people. Prior to the breach, Equifax was trusted by consumers and businesses to protect sensitive data and even upsold services to detect and counteract identify theft.

Ironically – as so often happens – Equifax apparently dropped the ball on security protection. The breach reportedly occurred because of an unpatched vulnerability in an open source framework in use at Equifax. The vulnerability was known – and fixable. Unfortunately, a study of security software initiatives by The Building Security in Maturity Model (BSIMM) showed that only one in four organizations systematically identified open source software (OSS) in their software portfolios, and that less than one in 10 proactively controlled OSS risk.

These vulnerabilities in OSS applications are becoming a norm for hackers to exploit. Using application security solutions such as Prevoty detects and prevents application attacks. Down the road, collaboration between App Sec and Dev Ops will be key to solving these attacks.

There are, of course, cybersecurity breaches, such as advanced persistent threats (APTs), that snake their way into enterprise systems and networks, usually gaining a foothold via socially engineered Trojans or phishing attacks. They wreak havoc even when no significant security mistakes are made. APTs are sets of stealthy, highly sophisticated computer hacking processes that eavesdrop on target systems and extract data from them over time. Once the sole domain of resource-rich nation-states, they now “live” on networks in the manufacturing, telecommunications and energy sectors, among others.

How to Deal with Advanced Persistent Threats

Enterprises can more effectively deal with APTs, but the application of technology alone is insufficient. It requires creativity and strategy. Enterprises need to make a proactive effort to understand typical network traffic patterns and be on the alert when patterns seem awry. An APT doesn’t know which computers communicate with other computers, but the right people at an enterprise should know this in detail. Companies that track network flows are ahead of the game. At some point, an APT will typically try to copy large amounts of data from a server to some other computer the server doesn’t usually communicate with. When it does, it can be identified and stopped.

This has never been easy to do, of course, and the ever-growing reams of data being generated and transferred over networks makes it harder for cyber pros to monitor everything that get exchanged, opening more opportunities for hackers. Hiring more cyber pros would help, but there is a huge talent shortage. A solution, however, might lie in machine learning – and in joining the application of artificial intelligence with human experts to reduce the flood of false positive and alerts that unsupervised machine learning produces.

MIT’s Computer Science and Artificial Intelligence Lab has led a significant effort in this arena by developing a system that reviews data from tens of millions of log lines daily and singles out anything suspicious. The filtered data is then passed on to a human analyst, who tags legitimate threats. Over time, the system fine-tunes its monitoring, learning from its mistakes and successes, and eventually improving at finding real breaches and reducing false positives. In one 90-day test, system was ultimately able to detect 85% of attacks without human assistance.

How Enterprises Can Enhance Their Security Today

A system like this is not yet ready for widespread implementation, but there are steps enterprises can take today to mitigate advanced cyber breaches. Here are seven important ones:

Assess your organization. Many cyber attacks take advantage of basic, often unnoticed security vulnerabilities, including poor patch management procedures, weak passwords and insufficient end-user education. A good vulnerability assessment is essential.

Classify your data. Data classification policies and tools help separate information that may be targeted from less valuable information. Data classification enables data to be divided into predefined groups that share a common risk. The most appropriate security controls can then be applied.

Weigh possible threats from insiders and partners. Outsourced security program assessments help evaluate the state of an organization’s security posture by providing an objective view of your policies, processes and controls.

Ensure basic security policies are in place. Good firewall configuration, application security, patch management procedures and password and authentication policies should be well-established internally and with contractors.

Make a point of optimizing existing security tools and technologies. Programs and processes commonly have gaps that can be exploited. Take the time to assess whether vendors’ products should be upgraded or whether you should instead invest in new technology.

Examine your identify management system to make sure that access to sensitive information is granted very carefully. Monitor employee roles carefully as they change, as well as outsider accessibility to data.

Enhance your detection capabilities to make sure they flag attacks as effectively as possible. In so doing, make a point of using several solutions to detect malicious activity, enhancing the odds of success. And these solutions should probe internal, as well as external threats.

Additional measures can also be taken, but these represent a good starting point to help combat the most advanced cyber threats. They matter. Take them seriously. With a respectable cyber budget, the right mindset and a disciplined approach, organizational cyber victims can begin to turn the tide against the best efforts of their adversaries.

Contributors

Sean Cunningham

Managing Director, Trident Capital Cybersecurity

View More Blogs

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.