A 2017 survey of IT leaders suggests the vast majority of businesses are overconfident in their perimeter defenses. More than 90% said, “businesses feel that perimeter security is keeping them safe.”
Yet nothing in cybersecurity is guaranteed. The last couple of years have proven record-breaking in terms of cybersecurity statistics. Moreover, 2017 is on pace to do it again.
As astronaut Neil Armstrong is attributed with having said, “When you get overconfident, that’s when something snaps up and bites you.”
Cybersecurity has long been a game of cat-and-mouse, but this time it’s different. Recent developments have put nation-state quality weapons in the hands of even the casual adversary.
These were underlying themes in a recent podcast with our own Druce MacFarlane – Preventing Attacks from Spreading. The podcast was hosted by the Information Security Media Group (ISMG), which publishes trade publications including Bank Info Security, Gov Info Security, and Healthcare Info Security, among other others.
Below is a look at some of the key questions and answers stemming from that podcast.
What’s different about how cyber threats are spreading today?
The so-called Vault 7 release has been instrumental in the lateral spread of malware. It has enabled malware to move from one device to another using server message block (SMB) and other communication protocols. While these protocols have been in place for years, they have never been used in this way before.
Wannacry and Petya were examples of this development and took advantage of an exploit called EternalBlue. Both of these ransomware attacks not only circumvented perimeter defenses but used the infected devices as a launching pad to tap into other devices on the network.
The SMB protocol in and of itself isn’t new. For example, the Stuxnet exploit made rounds in the Middle East a few years ago this way. However, it was reliant on someone having administrative privileges to log into a device and then escalated those privileges to spread.
What’s different, and far more dangerous, is that newer forms of malware are able to move between devices without having that administrative privilege in place. If systems inside the security perimeter are ill-equipped for zero-day malware, they wind up being vulnerable and this is how ransomware has wreaked such havoc recently.
How do you mitigate the risk of over-reliance on endpoint security?
If you take a long view of the industry, you’ll notice it has technology darlings. One year it’s sandboxing, and the next its endpoint DVR or security analytics. These methods are important, but overemphasizing any one method is prone to leave an organization vulnerable. Obviously, perimeter defenses and endpoint security remain essential but it shouldn’t be the exclusive focus.
In the U.S. it’s football season, and football provides an appropriate analogy: save for a few specific cases, football teams don’t put their entire defense on the line or it will be vulnerable to easy touchdowns. Instead, they have linebackers and safeties to plug the gaps and react to as an offensive play evolves.
Yet this is what sometimes happens in network security when organizations rely too much on endpoint security. Everything that gets past the perimeter defense is trusted when they really need something also inspecting traffic inside the network.
Wannacry and Petya are case studies of how this goes wrong. Once malicious code from these programs has infiltrated the perimeter, it spreads laterally and there is nothing to detect the malware traversing the network.
Now some will point to patches and note that if the systems are up-to-date, the concern is easily mitigated. However, large organizations have lengthy change management processes to test new patches to be sure they don’t introduce a new problem to the environment. Indeed, when vulnerabilities are announced, bad actors will try take advantage of drawback.
However, there’s more than one way to solve a problem. For organizations that have instrumented their internal network with an intrusion detection system (IDS), new detection rules are often available fairly quickly.
For example, when EternalBlue was identified, Snort and Suricata rules were available in about 1.5 weeks. Any security team monitoring internal traffic would have been able to pick up that exploit and stop it before it spreads.
What does Bricata do differently to help solve this problem?
Bricata plays squarely in the IDS and IPS market. It is a standalone product that provides depth to a cybersecurity posture and solution brings several other advantages:
1) Current signatures based on modern threat intelligence. The solution provides a signature engine which finds known threats. As with the Wannacry and Petya example above, Bricata keeps up with modern threat intelligence to detect emerging threats as they occur. It can perform blocking as well as detection depending on the user settings.
2 )Network metadata to identify genuine threats. Bricata harvests metadata that helps identify which alerts are relevant. While most organizations have lots of tools generating alerts – financial services companies have 25 or more – security analysts still have to determine which alerts are meaningful.High value target enterprises can easily experience 100,000 alerts per day, many of which we call “trivial true positives.” These are alerts that while accurate, are typically associated with a system that is reasonably patched and so it’s not a big concern. When network metadata is correlated with signature events, analysts are able to identify anomalies that are truly important.Metadata also offers two other important benefits. First, if Bricata discovers a device was compromised the enterprise will want to understand what the user was doing prior to the event. The metadata provides organizations with the insight to modify behaviors and prevent it from happening again.Second, the organization will want to know what other network devices that user’s machine called after the compromise. This helps determine the scope of the problem and draw a fence around the event. This information is very time consuming to assemble in incident response, but Bricata puts it at the analyst’s fingertips.
3) Content inspection based on machine learning. Bricata can also perform a degree of content inspection. This means when files are being transferred between devices, the solution conducts a binary analysis. Bricata has licensed algorithms from Cylance to identify the malware as it’s traveling inflight across your network.Of course, you still need a strong endpoint defense, but there are gaps where threats slip through because not every device is instrumented with an endpoint agent. There are a variety of reasons why this happens:
- The device uses a different operating system than the agent
- The device is new and has not been on the network long
- It’s mobile and logs on to other networks (i.e. BYOD)
Providing that additional level of content inspection inside that trusted network has never been more important. In aggregate, the solution brings together three different methods of detection – signatures, metadata and content inspection – and the combination is what helps reduce the time to containment and time to resolution.
4) Extends the value of your existing security investment. Bricata was engineered to integrate with other products in the security ecosystem. The metadata the solution harvests is a useful input, not only for the Bricata user interface, but also for security information and event management (SIEM) solutions, for example.SIEMs and other security analytics solutions are only as good the data being fed into the systems. Without good data, these systems are unable to conduct the correlation that provides the insights enterprises are seeking. In many ways, Bricata extends and increases the value of the overall security investment.
* * *
Security is a continuous balance between convenience and protection efficacy: Employees need network access to perform their duties, but enterprises also need to be able to defend themselves against threats.
The trend is such that more sophisticated tools are being leaked and leading to equally sophisticated attacks. This isn’t likely to slow down anytime soon. While end-point security and perimeter defense remain fundamental, overconfidence is fraught with risk. Organizations need to prepare for an event where malware slips through and spreads laterally.
The podcast runs just about 15 minutes in length and is well worth a listen: Preventing Attacks from Spreading.
If you enjoyed this post you might also like:
10 Trends in Threat Hunting and Security Analytics