Reflecting on some recent cyber security incidents, I thought it would be of benefit to write a very simple guide on how to ‘stay safe’ – back to the basics, i.e. no admin rights, application whitelisting etc. My purpose was to bring to mind the typical threats, e.g. shell-code injection, phishing and ransomware attacks, as these are what I considered to be the most common and biggest threats. However, after recently helping some customers with their incident response challenges, I have reached a completely different conclusion. Those are not the biggest cyber threats faced by businesses worldwide.
The biggest threat for cyber security is in fact TIME!
After studying a number of incident response cases involving a data breach or leak that I have been responding to on behalf of our customers, I found that they all had a few things in common:
– all of the data breach/leak incidents happened over a period of time (longer than a few days)
– some indicators of compromise were visible and could have been identified; if these initial indicators of compromise had been identified in time, the subsequent impact would have been significantly reduced, if not eliminated completely.
So, if it was possible to detect these compromises, why did the IT team not see them?
In essence, they had one problem: in order to detect an attack, they would have to look through an endless list of different logs, NetFlow stats, active connections and traffic patterns, and then collate and correlate all of this information together. On top of this they would need to track endless updates about new vulnerabilities, ranging from software to hardware (e.g. the recent CPU issue). Simply put, they don’t have the time or resources to complete this arduous task. They were already busy ‘keeping the lights on’ and were facing the impossible task of handling cyber security without being equipped with the right tools and techniques to do so in the limited amount of time afforded to them.
In organisations that have more than 200 IT assets (switches, servers, laptops, PCs), the IT team is busy dealing with day-to-day user requests. They don’t always have time to take a quick glimpse at the firewall or AV logs. Many companies just respond to issues reported by end users, and this process continues until the company ends up on the front page of a national newspaper depicting another ‘biggest’ and ‘unheard of’ data breach in the history of the Universe.
It’s not possible to simply throw money at the problem and hire an army of people tasked with watching logs, analysing them and tracking attackers.
The IT team has very limited time available to it. As a result, persistent threat detection must be automated, admin rights must be given to very few people and their use monitored, and the tooling must highlight and notify only the most important, actionable alerts.
If a system administrator were alerted each day about one or two high-potential issues, they could deal with them and adequately manage the steps to be taken, ensuring the organisation’s security is maintained.
There are a number of tools available, either from the cloud or on premise. One example is AlienVault, which collects data from multiple sources, assesses existing vulnerabilities, collates and correlates all of these together, prioritises risks or incidents so that the system admin is presented with only the most important issues to deal with, and captures and preserves evidence for further deep analysis if required. As a Managed Security Services Provider we often rely on AlienVault in our work.
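To make the two points above concrete (the correlation burden of looking across logs, NetFlow and vulnerability data by hand, and the idea of automated detection that surfaces only one or two actionable alerts a day while keeping admin-rights use under watch), here is a small added example of that workflow in Python. It is illustrative code written for this article, not AlienVault’s logic or any product’s code: the log line format, the rules, the scores and the sample lines (hostnames, users, IPs and the vulnerability id are all constructed placeholders) are assumptions chosen to show the shape of the process.

```python
"""Toy multi-source correlation and alert prioritisation (constructed example).

Lines from an auth log, an AV agent, a NetFlow exporter and a vulnerability
scanner are parsed, scored per host and reduced to a short ranked list."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample lines; hosts, users, IPs and the vuln id are placeholders.
SAMPLE_LINES = [
    "2024-03-01T08:00:05 auth host=ws-17 user=jsmith event=login_fail",
    "2024-03-01T08:00:09 auth host=ws-17 user=jsmith event=login_fail",
    "2024-03-01T08:00:14 auth host=ws-17 user=jsmith event=login_fail",
    "2024-03-01T08:00:20 auth host=ws-17 user=jsmith event=login_fail",
    "2024-03-01T08:00:25 auth host=ws-17 user=jsmith event=login_fail",
    "2024-03-01T08:00:31 auth host=ws-17 user=jsmith event=login_ok",
    "2024-03-01T08:12:40 auth host=ws-17 user=jsmith event=admin_group_add",
    "2024-03-01T08:30:02 av host=ws-17 event=detection name=Generic.Dropper",
    "2024-03-01T09:05:00 netflow host=ws-17 dst=203.0.113.9 bytes=734003200",
    "2024-03-01T10:16:00 netflow host=srv-db1 dst=10.0.0.12 bytes=52428800",
    "2024-03-01T11:00:00 auth host=ws-22 user=alee event=login_fail",
    "2024-03-01T11:00:07 auth host=ws-22 user=alee event=login_ok",
    "2024-02-28T23:00:00 vulnscan host=ws-17 severity=critical id=VULN-PLACEHOLDER",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\S+) (?P<kv>.*)$")
BRUTE_FORCE_WINDOW = timedelta(minutes=10)
BRUTE_FORCE_MIN_FAILS = 5
EXFIL_BYTES = 500 * 1024 * 1024  # a single flow record of 500 MiB or more
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_line(line):
    """Turn 'TIMESTAMP SOURCE k=v k=v ...' into a dict; None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m.group("ts"))
    except ValueError:
        return None
    ev = {"ts": ts, "source": m.group("source")}
    for pair in m.group("kv").split():
        key, _, value = pair.partition("=")
        ev[key] = value
    return ev


def is_external(addr):
    """True when the address lies outside the RFC 1918 ranges (assumed to be the LAN)."""
    ip = ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def correlate(events):
    """Combine evidence from every source per host: {host: (score, [reasons])}."""
    findings = defaultdict(lambda: [0, []])

    def add(host, points, reason):
        findings[host][0] += points
        findings[host][1].append(reason)

    # Rule 1: many failed logins followed by a success for one host/user within the window.
    auth = defaultdict(list)
    for ev in events:
        if ev["source"] == "auth" and ev.get("event") in ("login_fail", "login_ok"):
            auth[(ev["host"], ev["user"])].append(ev)
    for (host, user), evs in auth.items():
        fails = []
        for ev in sorted(evs, key=lambda e: e["ts"]):
            fails = [f for f in fails if ev["ts"] - f["ts"] <= BRUTE_FORCE_WINDOW]
            if ev["event"] == "login_fail":
                fails.append(ev)
            elif len(fails) >= BRUTE_FORCE_MIN_FAILS:
                add(host, 40, f"{len(fails)} failed logins then success for {user}")
                fails = []

    # Rules 2-4: every admin-rights grant is reported (few admins, all of them monitored),
    # AV detections, and a large flow to a destination outside the LAN.
    for ev in events:
        if ev["source"] == "auth" and ev.get("event") == "admin_group_add":
            add(ev["host"], 30, f"{ev['user']} added to an admin group")
        elif ev["source"] == "av" and ev.get("event") == "detection":
            add(ev["host"], 25, f"AV detection {ev.get('name')}")
        elif ev["source"] == "netflow" and int(ev.get("bytes", 0)) >= EXFIL_BYTES and is_external(ev["dst"]):
            add(ev["host"], 20, f"{int(ev['bytes']) // (1024 * 1024)} MiB sent to external {ev['dst']}")

    # Rule 5: an open critical vulnerability raises the priority of a host that already has findings.
    vuln_hosts = {ev["host"] for ev in events if ev["source"] == "vulnscan" and ev.get("severity") == "critical"}
    for host in list(findings):
        if host in vuln_hosts:
            add(host, 15, "critical vulnerability open on host")
    return {host: (score, reasons) for host, (score, reasons) in findings.items()}


def prioritised_alerts(lines, threshold=50, top_n=2):
    """Parse, correlate and return at most top_n hosts scoring >= threshold, highest first."""
    events = [ev for ev in map(parse_line, lines) if ev]
    ranked = sorted(correlate(events).items(), key=lambda kv: kv[1][0], reverse=True)
    return [(host, score, reasons) for host, (score, reasons) in ranked if score >= threshold][:top_n]


if __name__ == "__main__":
    for host, score, reasons in prioritised_alerts(SAMPLE_LINES):
        print(f"{host}: score {score}; " + "; ".join(reasons))
```

Run on the constructed sample, only ws-17 crosses the threshold: five separate pieces of evidence from four sources collapse into one alert with the reasons listed, while the single failed login on ws-22 and the 50 MiB internal transfer from srv-db1 never reach the administrator. The thresholds and weights are the part a team tunes over time; the point is that the collating and correlating is done by the script every day, not by a person reading each source.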
The modern approach to cyber security is described as ‘assume breach’: every defence measure, regardless of how strong or robust, will sooner or later break and provide access to the attacker. To avoid costly consequences we need to be able to detect and identify compromises quickly; however, we have to remember that the IT team doesn’t have time to complete this ongoing task.
As a result, it is safe to conclude that time itself is the biggest threat to cyber security.
If you recognise your issue in the above article, please contact us and see how we can help.