If you think that high profile companies like Home Depot, Sony, JP Morgan Chase and eBay don’t have sophisticated cyber security measures, you haven’t been paying attention. Because there are so many ingenious ways into a network, the story is no longer about deflecting the breach (although still important) but rather cutting off malware’s ability to command and control. What these high profile incidents have taught us is that despite layers of defensive protection, there needs to be an active means to prevent these malicious agents from carrying out their programming. The key is faster identification and blocking communication to their source. We know, like in the case of Sony, that the longer an agent can “play” in a company’s infrastructure, the more disruption and data leakage is likely to occur.
Hitherto people have generally assumed that it was possible to keep malware out of a corporate network with the right protocols and products. They have felt that the occasional breach would be caught by antivirus software on an Intrusion Detection System (IDS) before anything too serious could happen. This idea would seem to be almost criminally complacent.
Free eBook: Modern Retail Security Risk – Get your copy now.
The FBI recently claimed that 90% of companies would have been vulnerable to the Sony attackers. Those of us in cyber-security tend to believe that that particular number is overly optimistic; the real number is more likely around 10%. Here at ThreatSTOP, we base that on what we observe from our customers. We have blocked bots calling home on every single network on which our products have been installed even though many of our customers have dedicated teams whose sole job is to stop malware. The point is that no matter what you do, malware will get onto your network. What we need to figure out is how you detect it, limit what it can access, and stop it.
This must start with a change in mind-set. From now on it has to be assumed that every network is already infected. Once that mind-set is internalized, it can be used as a basis for what to do next. Undoubtedly one clear change that follows from this is that the common practice of not blocking (not even looking at in many cases) outbound traffic has to stop. This need not mean blocking everything, but it should require thought about what devices should be able to connect to the outside world and what protocols should be allowed. For example, it makes sense to block a good deal of the network from being able to do direct external DNS lookups, HTTP access, etc. (Printers and internal file/database servers don’t need to talk to the world outside your organization.) If you block (or at least log and pay attention to the log) traffic from these devices you’ll likely not just stop data exfiltration but quite possibly also identify pieces of malware on your network sooner than otherwise.
The Sony hackers appear to have been inside Sony for months (possibly more than a year) which is clearly one reason why they were able to obtain so much data. They aren’t the only ones; Home Depot appears to have also been compromised for a few months, and there are a number of other examples. If (and this is speculation) the Sony attackers gained access to an internal server, they would almost certainly have tried to get that server to directly access their external drop boxes. Blocking those attempts would not just have stopped the data from getting out; it would also have provided a warning that there was active malware on the network so that an investigation could have begun that might have identified the hackers earlier.
There’s also the question of how to handle devices that come and go on the corporate network. In a BYOD world, this may mean explicitly blocking BYOD from connecting to anything other than certain well-defined guest networks, and it certainly means that anything that leaves the network (e.g. the CEO’s laptop) has to be assumed to be compromised when it comes back in. There have been many examples of criminals setting up fake hotspots to capture data from the unsuspecting, and there is no reason to assume that they would not also drop malware as well. As with the server example, monitoring (or blocking) traffic outbound from potentially compromised devices will help identify a compromised machine before the malware on it can spread. Furthermore, despite the convenience and implied lower data costs, connecting to the WiFi at Starbucks or your hotel or airport terminal instead of over a trusted mobile network looks like very bad security.
By Francis Turner, VP Product Management & OEM, ThreatSTOP
Bio: Francis Turner has worked for over 20 years in the IT and data communication industries, starting with a stint at IBM in the mid 1980s before reading Computer Science at Cambridge University. Subsequently he worked for Madge Networks and Bay Networks. After the latter merged with Nortel, he became the European Product Manager for their enterprise switching division. In 2001 he left Nortel Networks to be CIO at a small biotech company that was seminal in the use of computation in the analysis and creation of new enzymatic processes. Most recently he worked at a consultancy firm assisting ICT companies with their multinational product marketing and business development.