Data breaches: The best defence is good offence


The Target credit card data breach has generated enormous interest in the issue of cyber security. A quick Google search for the terms “Target Data Breach” yields more than 28m hits. The sheer volume of results reflects the impact of the breach, which sparked fierce industry debates about cyber security policy and best practices and even resulted in a class action lawsuit against Trustwave, Target’s PCI assessor, which was filed and then dropped.

The lawsuit reflects a widely shared sentiment: a desire to assign accountability for the breach. Even Target felt the need to lay blame, and its CIO resigned in the aftermath. As the market for advanced threat defense solutions grows, VARs will be expanding their technology and service portfolios in order to help their customers navigate a very complicated threat landscape.

Given how opportunistic and ‘surgical’ advanced attackers are, service providers should pair an expanded network security technology portfolio with complementary services and/or consulting. Rigorously promoting best practices could very well prevent a breach, or significantly limit the scope of one. So, while hindsight is always 20/20, everyone can learn something from the Target incident.

As we all know by now, the attackers found their way into Target’s network through its HVAC contractor’s access to the network. Obviously, the lesson here is that every organization should insource their HVAC needs. I’m kidding, of course, but the reality is that companies are no longer digital islands unto themselves, and a company is only as secure as its weakest link. While no one can ever be 100% secure, encouraging your customers to take a few precautions and implement some simple programs can significantly enhance their security posture, sending hackers off to find other… pardon the pun, “Targets.”

Key lesson 1: Monitor your entire network for threats, not just the periphery

This is really, REALLY important. As mentioned, the hackers used a contractor’s credentials to get into Target’s network. Monitoring web traffic at the perimeter alone could not have caught this initial phase of activity, although it likely did catch the command and control traffic once the malware was activated. More often than not, specialized threat monitoring needs to be deployed deep and wide across the network: on internal segments, not just at the internet edge.

Before you groan at the thought of deploying yet another security solution, bear this in mind: advanced attacks are, by definition, designed to evade established security controls. If your firewalls, IPSs and other systems flag something, what they found is probably not an advanced attack. A SIEM might capture everything, but SIEMs are not ‘smart’ enough on their own to correlate disparate events into a targeted attack, and you can spend weeks chasing down alerts without understanding if or how they are related. Specialized threat detection solutions help you catch malware propagation and other artifacts sooner and with more certainty, instead of waiting for the malware to contact the perpetrators over a web connection, after the fact.
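To make the “not just the periphery” point concrete, here is an added example (not code from the original article or from Cyphort) of the kind of rule that only works on internal authentication logs: it flags a third-party account that authenticates outside its contracted zone, and a single internal host that fans out to several other hosts in a short window. The log format, host names, zone assignments, the contractor account policy and the sample log are all constructed assumptions for illustration.

```python
"""Detect misuse of third-party credentials and lateral movement from
internal authentication logs rather than from perimeter web traffic.

Added example, not code from the original article or from Cyphort. The log
format, host names, zone names, account policy and sample log below are
constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed policy: which network zones each third-party account may touch.
# In practice this comes from the contractor's access agreement / IAM system.
VENDOR_ACCOUNT_SCOPE = {
    "hvac_svc": {"vendor"},            # HVAC contractor: vendor portal only
    "signage_svc": {"vendor", "dmz"},
}

# Constructed host-to-zone map (asset inventory / CMDB in real life).
HOST_ZONE = {
    "vendor-portal": "vendor",
    "billing-web01": "dmz",
    "fileshare03": "corp",
    "ad-dc01": "corp",
    "pos-mgmt01": "pos",
    "pos-reg-0412": "pos",
    "pos-reg-0413": "pos",
    "pos-reg-0414": "pos",
}

# Fan-out rule: one source authenticating to this many distinct destinations
# within FANOUT_WINDOW is unusual for a host that normally talks to one system.
FANOUT_THRESHOLD = 3
FANOUT_WINDOW = timedelta(minutes=10)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one constructed auth log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect(lines):
    """Run both rules over the log lines; return a list of alert dicts."""
    events = [ev for ev in (parse_line(l) for l in lines) if ev]
    alerts = []

    # Rule 1: third-party account used successfully outside its contracted zone.
    for ev in events:
        if ev["result"] != "success":
            continue
        scope = VENDOR_ACCOUNT_SCOPE.get(ev["user"])
        if scope is None:
            continue  # not a third-party account
        zone = HOST_ZONE.get(ev["dst"], "unknown")
        if zone not in scope:
            alerts.append({
                "rule": "vendor_account_outside_scope",
                "user": ev["user"], "dst": ev["dst"], "zone": zone,
                "ts": ev["ts"].isoformat(),
            })

    # Rule 2: lateral-movement fan-out, sliding window per source host.
    by_src = defaultdict(list)
    for ev in events:
        if ev["result"] == "success":
            by_src[ev["src"]].append(ev)
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            window = [e for e in evs[i:] if e["ts"] - first["ts"] <= FANOUT_WINDOW]
            dsts = {e["dst"] for e in window}
            if len(dsts) >= FANOUT_THRESHOLD:
                alerts.append({
                    "rule": "lateral_movement_fanout",
                    "src": src, "dst_count": len(dsts),
                    "dsts": sorted(dsts), "ts": first["ts"].isoformat(),
                })
                break  # one alert per source host is enough for triage
    return alerts


# Constructed sample log: the contractor account does its normal work, then is
# used to reach an internal file server, from which something fans out into
# the POS segment. None of this is visible to a web proxy at the edge.
SAMPLE_LOG = """\
2014-03-03T09:58:02 auth user=hvac_svc src=203.0.113.7 dst=vendor-portal result=success
2014-03-03T10:04:40 auth user=hvac_svc src=203.0.113.7 dst=fileshare03 result=failure
2014-03-03T10:05:11 auth user=hvac_svc src=203.0.113.7 dst=fileshare03 result=success
2014-03-03T10:06:30 auth user=jdoe src=10.20.1.15 dst=ad-dc01 result=success
2014-03-03T10:07:02 auth user=svc_backup src=fileshare03 dst=pos-mgmt01 result=success
2014-03-03T10:09:45 auth user=svc_backup src=fileshare03 dst=pos-reg-0412 result=success
2014-03-03T10:11:10 auth user=svc_backup src=fileshare03 dst=pos-reg-0413 result=success
2014-03-03T10:12:58 auth user=svc_backup src=fileshare03 dst=pos-reg-0414 result=success
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Both rules depend on data a perimeter device never sees: the zone map and the contractor scope come from your asset inventory and access agreements, and the authentication events come from internal hosts. Feed the same function the logs from an internet-facing proxy and it has nothing to work with, which is the point of the lesson.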

Key lesson 2: Segregate your networks, assets and people for access, monitoring and risk assessment

Segregation for access is natural in most environments; access control with appropriate authentication mechanisms is usually in place. What is less obvious is that networks, assets and people also demand monitoring and risk assessment appropriate to their risk. In an ideal world, IT security would monitor everything and act on every suspicious activity; a more realistic approach is to rank networks, assets and people in terms of risk and priority.

Using this ranking to direct monitoring and risk assessment will yield better security outcomes. As an example, a retailer might assign a low ranking to a weak malicious activity signal from its guest network, whereas the same signal from its POS network would require immediate attention and investigation. This is true for other assets and people too: malicious activity targeting data center administrators and assets would mostly rank higher than malicious activity in the guest network. If this sounds like a major undertaking, it usually is, but it is also an incredibly valuable one. The up front effort yields long-term results, and the outcome can and should be promoted up the food chain.

Key lesson 3: Automate processes that allow people to be more effective

If investigating alerts and other security information takes a lot of time and manual effort, many of them will be ignored or not thoroughly investigated. Thorough investigation requires correlating information from various security systems and evaluating it in the context of the organization’s business and network environment in order to assign it an accurate priority.

Automating some or most of these processes enables security personnel to take action early and often, resulting in a better security posture. Target is not the only organization that has missed a security alert: as a Computerworld report noted, major companies often fail to act on malware alerts. If the cost of acting on an alert is lowered, many more incidents will be thoroughly checked and attacks defeated.

Key lesson 4: Create a common vocabulary for ranking risk across the organisation

Cross-organizational efforts for dealing with advanced threats require a common understanding of risk. Create a threat classification scheme common to all teams across your enterprise, and define what actions need to be taken at each risk level. This allows different teams to act in unison when a significant threat arises while ignoring irrelevant alerts. Chances are some of the people you want to adopt this vocabulary are not security people, or even IT people, so use layman’s terms as much as possible.

Just as importantly, share your risk rankings with key external stakeholders such as contractors, strategic partners, and of course, your HVAC vendor.

Key lesson 5: Have Service Level Agreements (SLAs) in place with helpdesk, incident response, network security and other teams based on risk level

Dealing with advanced attacks is a complicated undertaking that requires coordination across several teams and organisations. In Target’s case, the monitoring team escalated the threat alert to another team, and that team still failed to act. The response team may not have seen it as a high enough priority, or may not have understood its significance. SLAs that require teams to respond to threats within specific timeframes and with specific intensity, based on the agreed risk rankings, would remove that ambiguity.
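Lessons 2 through 5 fit together as one triage pipeline, so here is a single added example (not code from the original article or from Cyphort) that ties them up: sensor alerts are weighted by the zone and the role they touch (lesson 2), weak signals on the same host are correlated into one incident (lesson 3), the result is expressed in a four-level vocabulary with a defined action per level (lesson 4), and each level carries an acknowledgement SLA (lesson 5). The zone and role weights, level thresholds, SLA table, field names and sample alerts are all constructed assumptions; the multiplicative scoring is a deliberately simple stand-in for whatever your risk register produces.

```python
"""Risk-ranked alert triage: weight by asset and person, correlate per host,
map to a shared risk vocabulary, attach a response SLA.

Added example, not code from the original article or from Cyphort. All
weights, thresholds, SLA values and sample alerts are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Lesson 2: rank networks and people by how much a compromise would hurt.
# Constructed weights; a real deployment takes these from its risk register.
ZONE_WEIGHT = {"guest": 1, "corp": 3, "datacenter": 5, "pos": 5}
ROLE_WEIGHT = {"guest": 1, "employee": 2, "contractor": 3, "dc_admin": 5}

# Lesson 4: one vocabulary for every team, each level paired with an action.
# Checked top-down: the first threshold the score meets wins.
LEVELS = [
    (50, "Critical", "page incident response now; isolate the host"),
    (20, "High", "incident response investigates this shift"),
    (8, "Medium", "SOC analyst reviews within the day"),
    (0, "Low", "log it; review in the weekly report"),
]

# Lesson 5: acknowledgement SLA agreed with the responding teams, per level.
SLA_ACK = {
    "Critical": timedelta(minutes=15),
    "High": timedelta(hours=1),
    "Medium": timedelta(hours=24),
    "Low": timedelta(days=7),
}


def score_alert(alert):
    """Sensor confidence (0..10) scaled by zone and role criticality.

    The same weak signal (confidence 2) scores 2 on the guest network and
    20 on a POS register used by an employee, which is the retailer example
    from lesson 2 in numbers.
    """
    zone = ZONE_WEIGHT.get(alert["zone"], ZONE_WEIGHT["corp"])       # unknown zone: treat as corp
    role = ROLE_WEIGHT.get(alert["role"], ROLE_WEIGHT["employee"])   # unknown role: treat as employee
    return alert["confidence"] * zone * role


def level_for(score):
    """Map a numeric score to (level name, agreed action)."""
    for minimum, name, action in LEVELS:
        if score >= minimum:
            return name, action
    return LEVELS[-1][1], LEVELS[-1][2]


def triage(alerts):
    """Correlate one batch of alerts per host and rank the resulting incidents.

    The caller passes one correlation window's worth of alerts (say, the last
    hour); everything for the same host is summed, so two weak signals on one
    POS register outrank one weak signal, which is lesson 3's point.
    """
    by_host = defaultdict(list)
    for alert in alerts:
        by_host[alert["host"]].append(alert)

    incidents = []
    for host, evs in by_host.items():
        first_seen = min(e["ts"] for e in evs)
        score = sum(score_alert(e) for e in evs)
        level, action = level_for(score)
        incidents.append({
            "host": host,
            "score": score,
            "level": level,
            "action": action,
            "rules": sorted({e["rule"] for e in evs}),
            "ack_deadline": (first_seen + SLA_ACK[level]).isoformat(),
        })
    incidents.sort(key=lambda i: i["score"], reverse=True)
    return incidents


def _ts(s):
    return datetime.fromisoformat(s)


# Constructed sample batch: the same weak DNS signal in three zones, a second
# weak signal on the POS register, and a strong signal on a data center jump host.
SAMPLE_ALERTS = [
    {"ts": _ts("2014-03-03T02:10:00"), "host": "guest-ap-17", "zone": "guest",
     "role": "guest", "rule": "suspicious_dns", "confidence": 2},
    {"ts": _ts("2014-03-03T02:12:30"), "host": "pos-reg-0412", "zone": "pos",
     "role": "employee", "rule": "suspicious_dns", "confidence": 2},
    {"ts": _ts("2014-03-03T02:40:05"), "host": "pos-reg-0412", "zone": "pos",
     "role": "employee", "rule": "new_service_installed", "confidence": 4},
    {"ts": _ts("2014-03-03T02:15:10"), "host": "laptop-jdoe", "zone": "corp",
     "role": "employee", "rule": "suspicious_dns", "confidence": 2},
    {"ts": _ts("2014-03-03T02:50:00"), "host": "dc-jump01", "zone": "datacenter",
     "role": "dc_admin", "rule": "credential_dump_tool", "confidence": 9},
]

if __name__ == "__main__":
    for incident in triage(SAMPLE_ALERTS):
        print(incident["level"], incident["host"], incident["score"],
              incident["ack_deadline"], incident["action"])
```

The thing to notice is the POS register: each of its two alerts on its own would sit at High, but correlated they cross the Critical threshold and pick up a 15-minute acknowledgement deadline, while the identical DNS signal from the guest access point is logged and forgotten. Whether the thresholds and weights are right is a business decision, which is exactly why lesson 4 wants the vocabulary agreed outside the security team.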

I am sure more insights will follow from further dissection of how the attack took place and what could have been done to prevent it. In the meantime, incorporating these five suggestions into your security operations offerings will help ensure your customers have effective processes in place the next time a targeted threat comes lurking around.

Shel Sharma is director of product marketing, Cyphort, Inc.