Monday, October 23, 2017

To Solve the Data Breach Crisis, It’s Time to Look Within Ourselves

by Alex Moyes, UK Country Manager, LightCyber 

Opening Data Economy’s special end-of-year blogroll, Alex Moyes, UK Country Manager at LightCyber, blogs about data breaches, which have become an epidemic.

After so many monumental data breaches in 2016, you are probably questioning why the security industry cannot seem to overcome this problem and start stemming the tide of headline after headline of loss, humiliation and damage.

If it seems like network attackers can effortlessly sneak through data centres to steal or destroy an organisation’s assets, your perception is not far off the mark. The truth is that there is a tremendously high rate of success for an attacker to accomplish their objectives and get away cleanly.

Most of security today is based on a 20-year-old model of “known bad” that first encounters a threat, then identifies it and creates a way of blocking it.

This basic strategy is still a valid and important way to conduct security. It can, potentially, deflect the vast majority of security threats, especially vulnerability exploits.

The reality today is that security infrastructure needs to address all threats, not just the ones that are known. Today it is nearly certain that a motivated attacker will find a way into any given network.

Some white hat penetration testers actually guarantee that they can gain a foothold in any network within two days—and these are the good guys who have some self-imposed limits on tactics they are willing to use.

Now it is imperative to find the attacker as quickly as possible and stop them before they can steal or damage assets. The industry average for dwell time is five months.

This means that for five months an intruder can stay hidden while conducting an attack on a network—plenty of time to steal or cause damage.

This dynamic needs to change and 2017 will prove challenging for those who don’t adapt. To achieve this, organisations need to uncover the operational activities that an attacker has to perform to be successful.

These activities are difficult to find, because they can blend in with other network events. They can be singled out, however, if you know what normal looks like for each user and device on the network.

This “known good” model can identify anomalies between the established baseline of normal and what is currently occurring, and then ascertain which of those anomalies are likely indicative of an attack.

The known bad approach is primarily concerned with stopping malicious software, and it is still essential.

Network attacks may be initiated with malware, but once an intruder has gained access to the network by compromising a user computer or account, it is human run. At this point, the attacker is concerned with learning about the network they have accessed and extending control to get to the assets.

Both the reconnaissance and the lateral movement phases typically use administrator and networking tools as well as other utilities and procedures. Finding these steps won’t be accomplished by looking for technical artefacts of malicious software, but rather by looking for anomalous and unexpected behaviours.
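As an added illustration of the “known good” approach described above (example code, not from the article or from LightCyber), the block below builds a per-user profile of normal source hosts, destinations and services from a training window of connection records, then scores a later window for the deviations that credential-driven reconnaissance and lateral movement tend to produce: a new source host, a new service, and fan-out to several never-before-seen destinations. All users, hosts and records are constructed.

```python
from collections import defaultdict

# Constructed training window ("known good"): (user, source_host, dest_host, service).
BASELINE_RECORDS = [
    ("alice", "ws-alice", "fileserver", "smb"),
    ("alice", "ws-alice", "mail", "https"),
    ("bob", "ws-bob", "fileserver", "smb"),
    ("bob", "ws-bob", "crm", "https"),
    ("admin1", "jump01", "dc01", "winrm"),
    ("admin1", "jump01", "dc02", "winrm"),
]
# Constructed evaluation window: alice's credentials are used from bob's workstation
# to reach an admin service and fan out to hosts she has never touched before.
OBSERVED_RECORDS = [
    ("alice", "ws-alice", "fileserver", "smb"),
    ("alice", "ws-bob", "dc01", "winrm"),
    ("alice", "ws-bob", "hr-db", "smb"),
    ("alice", "ws-bob", "finance01", "smb"),
    ("bob", "ws-bob", "crm", "https"),
]

def build_baseline(records):
    """Per-user sets of source hosts, destinations and services seen while 'normal'."""
    profile = defaultdict(lambda: {"src": set(), "dst": set(), "svc": set()})
    for user, src, dst, svc in records:
        profile[user]["src"].add(src)
        profile[user]["dst"].add(dst)
        profile[user]["svc"].add(svc)
    return profile

def score_events(baseline, events, fanout_threshold=3):
    """Sorted (user, reason) findings where behaviour departs from the user's baseline.
    One new destination is ordinary drift and is not reported alone; a cluster of new
    destinations in the same window (recon-style fan-out) is."""
    findings, new_dsts = set(), defaultdict(set)
    for user, src, dst, svc in events:
        if user not in baseline:
            findings.add((user, "no baseline for user"))
            continue
        p = baseline[user]
        if src not in p["src"]:
            findings.add((user, f"new source host {src}"))
        if svc not in p["svc"]:
            findings.add((user, f"new service {svc}"))
        if dst not in p["dst"]:
            new_dsts[user].add(dst)
    for user, dsts in new_dsts.items():
        if len(dsts) >= fanout_threshold:
            findings.add((user, f"fan-out to {len(dsts)} new hosts"))
    return sorted(findings)
```

Note that `winrm` is normal for `admin1` but flagged for `alice`: the baseline is per identity, which is what lets legitimate administrator tooling pass while the same tooling under a borrowed account stands out.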

This familiar known bad model has driven a progression of “the next best” security systems from stateful firewalls to gateway anti-malware to intrusion detection and intrusion prevention to network sandboxing to threat intelligence.

Each carried a promise of stopping the bad guy, but none has been able to fulfil the promise 100% of the time. Therein is the difficulty of being a security operator.

To achieve complete protection, you must block every attempted intrusion. An attacker just needs to be successful one time and has an almost unlimited number of attempts to accomplish it.

Making the shift to “known good” is a difficult one for security professionals. For so long we have been focused on trying to keep attackers and malicious software out of the organisation.

With the known good approach, one should acknowledge that attackers will get through.

It also demands a shift from being focused on the perimeter of the network to being more inward looking, examining network traffic to and from data centres and interactions from users.

If some data centres are cloud-based, they must be included in the behavioural monitoring.

Another reason for security teams to start looking inside themselves is that, increasingly, network attacks may be performed by an insider—an employee, contractor or even a vendor that has legitimate network credentials.

Also, once an external attacker gains a foothold, they essentially operate as an insider, using administrative functions to accomplish their goals.

One reason why data encryption, network segmentation and even data security are no match for a sophisticated attacker is that they are using valid credentials to perform each step.

Typically, commandeering the credentials of one user will only get the attacker so far.

They will likely have to leverage the credentials they have gained to get to another user machine or account and so on until they can get to the targeted assets.

This leapfrogging from one user or machine to the next takes time, but it can generally be accomplished without too much trouble for the attacker.

If a security team is only looking at the network perimeter, they will miss the critical reconnaissance and lateral movement steps, which involve many steps and provide multiple opportunities for detection.

At the perimeter, one may hope to find the command and control communication and—if it goes that far—data exfiltration. In theory, these are both tell-tale signs of an attack, but in practice they can be easily disguised to avoid detection.

Since the attacker owns both ends of the communication—a point inside the network and a point outside—they can encrypt the transmission or hide it within social media traffic, an image file or various other disguises.

Data breaches have become an epidemic. With severe penalties coming from progressive laws such as the EU’s General Data Protection Regulation (GDPR) and costs for clean-up and damages escalating to new heights, organisations must address the problem in a new manner.

Looking inward, as well as outward, will provide the much needed response.