It has been 16 months since the world of cyber defense changed forever.
2011 has already been dubbed the Year of the Breach and in a year that included the Sony breach and DDoS, Anonymous and Lulzsec attacks, and the Comodo Hacker, the successful breach of RSA, the security division of EMC, stands out as the most significant.
The RSA breach got the attention of every major enterprise around the world because 60,000 of them were contacted directly by RSA to warn them that the SecurID tokens they used had to be replaced. RSA’s strong two-factor authentication solution had been targeted by foreign hackers (General Keith Alexander implied China in Congressional testimony), and the attack was successful. Subsequent attacks against primary members of the vaunted Defense Industrial Base (DIB), using compromised tokens, were evidently thwarted.
The biggest impact on the security industry was the realization, once again, that a determined hacker with the right resources can get into even the most secure environments. Firewalls, IDS, AV, VM, SIEM, NAC, and a cornucopia of other acronyms will do nothing to stop them.
What other “keys to the kingdom” are at risk? The system the Federal Reserve uses for adjusting the money supply? The deal books on major M&A plans? The hallowed crop report from the Department of Agriculture?
The realization that attackers have the advantage and will stop at nothing to achieve their aims has led to the new security mantra “if you can’t stop them from getting in, at least detect them in the process and shut them down before they abscond with the goods.”
How do you do this? Through packet capture and real-time monitoring. Of course, just recording network traffic is not enough. You have to monitor the traffic for anomalies and threat indicators. One of the most glaring threat indicators is an internal IP address communicating with an IP address that has been identified as a Command and Control server for a botnet or that belongs to an adversary. I call this beaconing detection.
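The detection logic described above, as an added example that is not part of the original article and not code from NetWitness, RSA or any vendor mentioned here. It runs over a handful of constructed flow records (timestamp, source, destination, port) and a constructed watchlist of known C2 addresses, flags any internal host that talks to a watchlisted address, and goes one step beyond the text by also checking whether those contacts recur at regular intervals, which is what makes a beacon look like a beacon rather than a one-off connection. The addresses, timestamps, thresholds and function names are all assumptions made for the example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed watchlist of "known C2" addresses. These are documentation
# (TEST-NET) addresses chosen for the example, not real indicators.
C2_WATCHLIST = {"203.0.113.45", "198.51.100.7"}

# RFC 1918 ranges: anything here counts as "inside" the enterprise.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow log, one record per line: <ISO timestamp> <src> <dst> <dst_port>.
# 10.1.2.15 contacts a watchlisted address every five minutes (a beacon);
# 10.1.9.77 contacts one once; the remaining lines are benign or external.
SAMPLE_FLOWS = """\
2011-07-14T09:00:00 10.1.2.15 203.0.113.45 443
2011-07-14T09:00:05 10.1.2.15 203.0.113.100 80
2011-07-14T09:05:00 10.1.2.15 203.0.113.45 443
2011-07-14T09:10:00 10.1.2.15 203.0.113.45 443
2011-07-14T09:15:00 10.1.2.15 203.0.113.45 443
2011-07-14T09:12:31 10.1.9.77 198.51.100.7 8080
2011-07-14T09:12:40 192.168.4.2 203.0.113.100 443
2011-07-14T09:13:02 203.0.113.9 198.51.100.7 8080
"""


def is_internal(ip):
    """True if the address falls in one of the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse the whitespace-separated flow records into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src,
                      "dst": dst, "port": int(port)})
    return flows


def find_c2_contacts(flows, watchlist):
    """Group timestamps by (internal src, watchlisted dst) pair.

    Flows from external sources are ignored: the indicator the text
    describes is an *internal* host reaching a known-bad address.
    """
    contacts = defaultdict(list)
    for f in flows:
        if f["dst"] in watchlist and is_internal(f["src"]):
            contacts[(f["src"], f["dst"])].append(f["ts"])
    return contacts


def interval_regularity(timestamps):
    """Coefficient of variation of the gaps between successive contacts.

    0.0 means perfectly regular; larger values mean more jitter. Needs at
    least three timestamps (two gaps); returns None otherwise.
    """
    times = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2 or mean(gaps) <= 0:
        return None
    return pstdev(gaps) / mean(gaps)


def detect(flows, watchlist=C2_WATCHLIST, min_hits=3, max_cv=0.2):
    """Return one alert per (internal host, C2 address) pair seen.

    Every contact with a watchlisted address is reported, because a single
    hit is already a strong indicator. 'periodic' is set when the host has
    reached the same address at least min_hits times at near-constant
    intervals, the classic beacon pattern.
    """
    alerts = []
    for (src, dst), times in sorted(find_c2_contacts(flows, watchlist).items()):
        cv = interval_regularity(times)
        periodic = len(times) >= min_hits and cv is not None and cv <= max_cv
        alerts.append({"src": src, "dst": dst, "hits": len(times),
                       "periodic": periodic})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_flows(SAMPLE_FLOWS)):
        tag = "BEACON" if alert["periodic"] else "C2 CONTACT"
        print(f"{tag}: {alert['src']} -> {alert['dst']} ({alert['hits']} hits)")
```

The watchlist match alone is the "glaring indicator" the text refers to; the periodicity check is what separates a host that is phoning home on a schedule from one that touched a bad address once, and in practice the jitter threshold (max_cv) has to be loosened for malware that randomizes its check-in interval.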
It was through packet capture (from NetWitness) that EMC was able to quickly determine the severity of the RSA breach. The attackers had encrypted the exfiltrated data, but EMC had a copy of the code used, which included the encryption keys. They were able to decrypt the network traffic they had recorded, leading to sure knowledge of the severity of the breach.
Beaconing detection is a feature in the fastest growing security solutions in the market. I am tracking most of these vendors at 100% annual growth rates, a sure sign of a trend. Intelligent packet capture is a must-have technology in every cyber defense arsenal.
If you don’t have it, you may well be a victim of a breach today and not even be aware of it.