In today’s connected world most of us are frantically trying to protect our, or our organization’s, critical data and systems. Despite a couple of decades of constant advancements in IT security, there seem to be even more risks and dangers now than ever before.
This is true, in part, because we have allowed our users vastly more freedom.
We allow them to work from home, bring in their own devices, and generally decide for themselves how the corporate data they are in control of is protected and used.
Another major factor is that the threats against us have grown in complexity and intensity on close to the same trajectory as our defenses have improved. In some cases (0-days and Advanced Persistent Threats, also known as APTs) they are more advanced than most of our defenses, or have perfected their ability to bypass technical security controls.
What Is the Deal?
I have spent the last nine years working in security from all angles, and for the last few I have worked from a primarily offensive point of view. This has given me a unique view of the defenses that many different types of organizations are using. One of the first things that I noticed as I began to focus on offensive security was that many organizations are protecting themselves in a manner that would have been great about five years ago. We have advanced our offensive techniques, and the latest leaks of NSA techniques and tools have only shown that the attackers are even more advanced than we thought. It is time for the defenders of our systems to realize they need to be more proactive. Automated controls and limited monitoring of traffic are not enough to stop a motivated attacker. We need to be more proactive if we want to remain safe.
How to Stay Safe
One of the first steps to protecting an organization’s data and systems from today’s advanced threats is to understand that the classic “perimeter defensive” model is no longer effective, or at least is no longer effective as the primary, or only, defensive method. Systems are moving, unknown systems are often allowed on internal networks (BYOD), and users have become much more advanced technologically. In fact, they are often installing software of their choosing and even setting up their own access methods, such as unsanctioned wireless access points (APs), a Raspberry Pi used as a VPN server, etc. These factors are some of the leading reasons defensive security is in its current state.
What is in Your Network?
A more effective method to detect these types of attacks is to have a closely monitored Security Information and Event Management (SIEM) system in place that is receiving and analyzing logs from all of the systems on the network. This is a surprisingly difficult goal for most organizations to accomplish. The difficulty usually arises from one of the most common shortfalls of IT security programs: asset awareness. Since its inception, the Top 20 Critical Controls list has begun with the following:
CSC 1: Inventory of Authorized and Unauthorized Devices - Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access
In virtually every single penetration test and security assessment I have performed it has been an “unknown” system that was not patched that gave me the easiest path into the target network. A defensive strategy and security tools are only effective if they are applied to all systems equally. So, in short, it is critically important in the defense against today’s advanced threats that your organization have some idea what is on its network.
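The two gaps described above (devices on the network that are not in the inventory, and inventoried devices that are not feeding the SIEM) can be checked against each other with a small script. The following is an added example, not code from the original post; the authorized-device inventory, the dnsmasq-style DHCP log lines and the list of SIEM log sources are all constructed sample data, and the log format is an assumption standing in for whatever DHCP or ARP source an organization actually has.

```python
"""Asset-awareness check: reconcile an authorized-device inventory (CSC 1)
against devices actually seen on the network (DHCP leases) and against the
hosts that are feeding logs to the SIEM. Added example; all data below is
constructed sample data, not real network records."""
import re
from dataclasses import dataclass

# Constructed inventory of authorized devices: MAC address -> hostname.
AUTHORIZED = {
    "00:11:22:33:44:01": "fileserver01",
    "00:11:22:33:44:02": "hr-laptop-07",
    "00:11:22:33:44:03": "printer-2f",
}

# Constructed DHCP server log lines in a dnsmasq-like format (sample only).
DHCP_LOG = """\
Mar 10 09:01:12 dhcp dnsmasq-dhcp[812]: DHCPACK(eth0) 10.0.5.21 00:11:22:33:44:01 fileserver01
Mar 10 09:02:40 dhcp dnsmasq-dhcp[812]: DHCPACK(eth0) 10.0.5.88 b8:27:eb:aa:bb:cc raspberrypi
Mar 10 09:03:05 dhcp dnsmasq-dhcp[812]: DHCPACK(eth0) 10.0.5.34 00:11:22:33:44:02 hr-laptop-07
Mar 10 09:04:51 dhcp dnsmasq-dhcp[812]: DHCPACK(eth0) 10.0.5.90 3c:22:fb:11:22:33 iphone
"""

# Constructed set of hostnames the SIEM has received events from today.
SIEM_SOURCES = {"fileserver01", "hr-laptop-07"}

# Matches the DHCPACK line shape assumed above: "<ip> <mac> [hostname]".
LEASE_RE = re.compile(
    r"DHCPACK\(\S+\)\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?:\s+(?P<host>\S+))?",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    host: str


def parse_leases(log_text):
    """Extract (ip, mac, hostname) from DHCPACK lines; other lines are ignored."""
    leases = []
    for line in log_text.splitlines():
        m = LEASE_RE.search(line)
        if m:
            leases.append(Lease(m["ip"], m["mac"].lower(), m["host"] or "<no-hostname>"))
    return leases


def unknown_devices(leases, authorized=AUTHORIZED):
    """Devices that obtained a lease but whose MAC is not in the authorized inventory."""
    return [lease for lease in leases if lease.mac not in authorized]


def silent_assets(authorized=AUTHORIZED, siem_sources=SIEM_SOURCES):
    """Inventoried hosts that have sent nothing to the SIEM: blind spots in monitoring."""
    return sorted(set(authorized.values()) - set(siem_sources))


def report(log_text=DHCP_LOG):
    """Return both findings as plain tuples/lists so they can be asserted on or exported."""
    leases = parse_leases(log_text)
    return {
        "unknown": [(l.ip, l.mac, l.host) for l in unknown_devices(leases)],
        "silent": silent_assets(),
    }


if __name__ == "__main__":
    result = report()
    for ip, mac, host in result["unknown"]:
        print(f"UNKNOWN DEVICE  {ip:<12} {mac}  {host}")
    for host in result["silent"]:
        print(f"NO SIEM LOGS    {host}")
```

On the sample data the script flags the Raspberry Pi and the phone as devices outside the inventory, and flags printer-2f as an inventoried asset the SIEM has never heard from. Run periodically against real lease or ARP data, the first list is the CSC 1 "unauthorized and unmanaged devices" finding and the second is the coverage gap that makes a SIEM blind to exactly the unpatched, forgotten systems the post describes.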
If you have already taken the basic steps and would like to take your organization’s ability to detect and block these types of advanced threats to the next level, it would behoove you to look into some of the solutions available on the market. There is no shortage of Advanced Threat Detection information or solutions available in the market that can be of help.
This blog post is by no means a comprehensive list of how to detect and defend against these types of advanced attacks; however, it does identify a few critical steps that can greatly increase the effectiveness of a defensive security strategy.
John Nye has nearly a decade of experience in information security, including time with the U.S. Army, CSG International, Peter Kiewit and Sons, First Data Corp, and KPMG LLP. Nye has been working exclusively as a professional penetration tester for the last four years and has presented at numerous local conferences for developers and other IT professionals.