The Case for Better Detection: A Few Real Life Experiences

Monday, November 15, 2010

Pascal Longpre


Most organizations today put their efforts into preventing security breaches. Unfortunately, they disregard the fact that their protections might eventually fail and that intruders will get in.

They have little means to deal with an incident after it occurs.

A penetration testing team will almost always break into a network, no matter how much effort is put into protecting it.

Real Life Scenarios

In the course of my career as a security consultant, I've seen a lack of detection and remediation capabilities take unusual forms. In one case, a large client received a blackmail letter from a hacker claiming he had access to some corporate systems and was able to reach strategic information from the Internet.

The client's first reaction was to ask for the internal network to be disconnected from the Internet: a panic reaction that came from having no way of knowing whether the hacker's claims were true and, if they were, where the attack would originate.

After performing a thorough analysis of the situation, we showed the client that this "remediation" could be worse than the actual security breach. Thousands of users relied on the Internet, and multiple strategic systems were legitimately connected to external companies through the same channel.

Even worse, we identified multiple direct links to external partners that did not go through the corporate firewall. Cutting Internet access wouldn't guarantee the problem was solved unless these links were cut too.

In the end, we found out the blackmail came from a former employee looking to get some credit (and a job) by highlighting an old security problem. He didn't really have access to the data (and if you must know, he didn't get a job either).

This event made us realize how important good detection is when an incident occurs.

  • How do you find the source of a breach once you are made aware of it?
  • How do you know your protections have failed and how do you limit the extent of the breach, if there is one?

In the "2010 Information Security Breaches Survey" released by PwC (1), 15 percent of respondents reported having detected an actual penetration of their networks by an unauthorized outsider in the last year.

I dare ask: what about the other 85%? Can they really tell whether they've been penetrated or not?

During my penetration testing years, I was detected only once in tens of intrusions. In some cases, I spent weeks inside employees' computers, using them as proxies with their own credentials to access important corporate systems.

No suspicious log entries or failed login attempts were ever generated. A simple keylogger notified me of password changes.

Moreover, I used to access the systems while the employees were sitting in front of their computers, during regular working hours. All I used were freely available tools gathered from the Internet, lightly modified to evade antivirus signatures.
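The situation just described (valid credentials, the employee's own workstation, regular working hours, no failed logins) leaves nothing for a failure-counting rule to count. The following Python script is an added illustration, not code from the original post or its author: it runs three rules over constructed authentication log lines in a hypothetical format. The classic failed-login threshold raises nothing on this data; the two rules that do fire depend only on successful events: overlapping logon sessions for one account from one workstation (what a second actor riding the employee's machine would look like), and an account reaching a system it never touched during a baseline period. Usernames, hostnames, timestamps and the log format are all made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). The line format is hypothetical:
#   <timestamp> <event> key=value ...
# Events before BASELINE_END form the "known good" period used for baselining.
SAMPLE_LOG = """\
2010-11-01 09:00:00 LOGON_OK user=jdoe src=WS-0412 dst=FINANCE-DB session=s1
2010-11-01 17:00:00 LOGOFF user=jdoe session=s1
2010-11-02 09:05:00 LOGON_OK user=asmith src=WS-0199 dst=HR-APP session=s2
2010-11-02 16:50:00 LOGOFF user=asmith session=s2
2010-11-08 09:02:11 LOGON_OK user=jdoe src=WS-0412 dst=FINANCE-DB session=s3
2010-11-08 10:15:02 LOGON_OK user=jdoe src=WS-0412 dst=FINANCE-DB session=s4
2010-11-08 12:01:00 LOGOFF user=jdoe session=s3
2010-11-08 12:30:00 LOGOFF user=jdoe session=s4
2010-11-09 09:10:05 LOGON_OK user=jdoe src=WS-0412 dst=FINANCE-DB session=s5
2010-11-09 11:00:00 LOGOFF user=jdoe session=s5
2010-11-09 11:20:30 LOGON_OK user=jdoe src=WS-0412 dst=RND-FILESRV session=s6
2010-11-09 13:05:00 LOGOFF user=jdoe session=s6
"""
BASELINE_END = datetime(2010, 11, 8)

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<event>\w+) (?P<kv>.*)$"
)


def parse_log(text):
    """Parse the constructed format into dicts carrying a datetime 'ts' field."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or malformed line: skip rather than crash
        fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
        fields["event"] = m.group("event")
        fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        events.append(fields)
    return events


def failed_login_alerts(events, threshold=3, window=timedelta(minutes=10)):
    """Classic rule: N failures for one account inside a time window.
    Blind to an intruder who only ever presents valid, keylogged credentials."""
    fails = defaultdict(list)
    for e in events:
        if e["event"] == "LOGON_FAIL":
            fails[e["user"]].append(e["ts"])
    alerts = []
    for user, times in fails.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                alerts.append((user, times[i].strftime("%Y-%m-%d %H:%M:%S")))
                break
    return alerts


def build_sessions(events):
    """Pair each LOGON_OK with its LOGOFF by session id; open sessions end at datetime.max."""
    sessions = {}
    for e in events:
        if e["event"] == "LOGON_OK":
            sessions[e["session"]] = {"user": e["user"], "src": e["src"],
                                      "dst": e["dst"], "start": e["ts"],
                                      "end": datetime.max}
        elif e["event"] == "LOGOFF" and e["session"] in sessions:
            sessions[e["session"]]["end"] = e["ts"]
    return sessions


def concurrent_session_alerts(events):
    """Two sessions for the same account from the same workstation that overlap
    in time. Every individual logon is valid; only the combination stands out."""
    sessions = sorted(build_sessions(events).items(), key=lambda kv: kv[1]["start"])
    alerts = []
    for i, (id_a, a) in enumerate(sessions):
        for id_b, b in sessions[i + 1:]:
            if (a["user"], a["src"]) != (b["user"], b["src"]):
                continue
            if b["start"] < a["end"]:  # sorted by start, so this is the overlap test
                alerts.append((a["user"], a["src"], id_a, id_b))
    return alerts


def new_target_alerts(events, baseline_end):
    """An account reaches a system it never reached during the baseline period."""
    seen = set()
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] != "LOGON_OK":
            continue
        pair = (e["user"], e["dst"])
        if e["ts"] < baseline_end:
            seen.add(pair)
        elif pair not in seen:
            alerts.append((e["user"], e["dst"], e["ts"].strftime("%Y-%m-%d %H:%M:%S")))
            seen.add(pair)  # report each new pairing once
    return alerts


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("failed-login rule:", failed_login_alerts(ev))
    print("concurrent sessions:", concurrent_session_alerts(ev))
    print("new targets:", new_target_alerts(ev, BASELINE_END))
```

Neither of the two firing rules is proof of compromise on its own (users do open several sessions, and jobs change), which is why both are written against a baseline rather than as fixed signatures. The point they make is the one in the text: the events worth baselining are the successful ones, because the failures an intruder with stolen credentials never generates are not there to be counted.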

This all took place about 8 years ago, but the situation doesn't seem to have gotten any better today.

From Larry Ponemon, founder and chairman of the Ponemon Institute, commenting on the January 2010 "Annual US Cost of Data Breach" survey:

"A surprising finding is that malicious or criminal attacks increased substantially. These attacks often utilized data-stealing malware or botnets. We never experienced this type of data breach in the prior five years. Hence, the nature of data breach incidents may be changing."(2)

Were data breaches really never experienced during the previous five years, or were they just flying under the radar? Without appropriate detection systems, it is impossible to have a clear understanding of the extent and duration of these data breaches.

Companies must accept that intruders will get in and build their security strategy around this fact. They must be able to answer the question: "Is someone using one of my systems and accessing my strategic information?"

Failure to answer this question might result in a cure worse than the actual disease.

Cross posted from Silicium Security



Robb Reck: Great post. And I've got one in a very similar vein coming later this week regarding Prevention vs Detection. Well done!
Danny Lieberman: Pascal

Good job man.

I've been saying from day 1 that the biggest value from network DLP is the ability to detect data flows (and not necessarily prevent). Since most companies have no idea what's flowing out of the network, let alone a picture in real time of suspected data breach events - the best thing you can do is start monitoring at the perimeter.

Monitoring inside the network is conceptually similar but requires a lot better performance - and there is technology out there to do it for sure - without installing agents.
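The comment above makes the case that the first value of perimeter monitoring is simply knowing what flows out. As an added example (not part of the thread, and neither the commenter's nor the author's code), the Python below builds that picture from constructed per-flow records in a hypothetical CSV export from a perimeter device: it baselines each internal host's daily outbound volume with a median and median absolute deviation, then flags post-baseline days that exceed median + k*MAD, and separately flags a host talking to an external address it never contacted during the baseline. Hostnames, addresses and byte counts are made up.

```python
from collections import defaultdict
from statistics import median

# Constructed flow records (not real data): date,src_host,dst_ip,bytes_out.
# Assumes the perimeter device exports per-flow byte counts; the format is hypothetical.
SAMPLE_FLOWS = """\
2010-11-01,WS-0412,203.0.113.10,120000
2010-11-01,WS-0412,198.51.100.7,80000
2010-11-02,WS-0412,203.0.113.10,150000
2010-11-03,WS-0412,203.0.113.10,110000
2010-11-04,WS-0412,198.51.100.7,95000
2010-11-05,WS-0412,203.0.113.10,130000
2010-11-08,WS-0412,192.0.2.44,2400000
2010-11-01,WS-0199,203.0.113.10,60000
2010-11-02,WS-0199,203.0.113.10,70000
2010-11-03,WS-0199,203.0.113.10,65000
2010-11-04,WS-0199,203.0.113.10,72000
2010-11-05,WS-0199,203.0.113.10,68000
2010-11-08,WS-0199,203.0.113.10,71000
"""
BASELINE_END = "2010-11-08"  # ISO dates compare correctly as strings


def parse_flows(text):
    """Parse the constructed CSV into (date, src_host, dst_ip, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, src, dst, nbytes = line.split(",")
        flows.append((date, src, dst, int(nbytes)))
    return flows


def daily_totals(flows):
    """host -> date -> total bytes sent out through the perimeter that day."""
    totals = defaultdict(lambda: defaultdict(int))
    for date, src, _dst, nbytes in flows:
        totals[src][date] += nbytes
    return totals


def baseline_stats(flows, baseline_end):
    """Per host: (median, MAD) of daily egress over the baseline days.
    Median and median absolute deviation are used instead of mean/stddev so one
    large day inside the baseline does not quietly raise the bar for later days."""
    stats = {}
    for host, per_day in daily_totals(flows).items():
        days = [b for d, b in per_day.items() if d < baseline_end]
        if not days:
            continue
        med = median(days)
        mad = median(abs(b - med) for b in days)
        stats[host] = (med, mad)
    return stats


def volume_alerts(flows, baseline_end, k=5):
    """Post-baseline days on which a host sent more than median + k*MAD."""
    stats = baseline_stats(flows, baseline_end)
    alerts = []
    for host, per_day in sorted(daily_totals(flows).items()):
        if host not in stats:
            continue  # no baseline for this host; its traffic surfaces as new destinations
        med, mad = stats[host]
        spread = mad if mad > 0 else max(1, med // 10)  # floor for perfectly flat baselines
        limit = med + k * spread
        for date, nbytes in sorted(per_day.items()):
            if date >= baseline_end and nbytes > limit:
                alerts.append((host, date, nbytes, limit))
    return alerts


def new_destination_alerts(flows, baseline_end):
    """Host sending to an external address it never sent to during the baseline."""
    seen = defaultdict(set)
    for date, src, dst, _ in flows:
        if date < baseline_end:
            seen[src].add(dst)
    alerts = []
    for date, src, dst, _ in sorted(flows):
        if date >= baseline_end and dst not in seen[src]:
            alerts.append((src, date, dst))
            seen[src].add(dst)  # report each new pairing once
    return alerts


if __name__ == "__main__":
    fl = parse_flows(SAMPLE_FLOWS)
    print("baseline:", baseline_stats(fl, BASELINE_END))
    print("volume:", volume_alerts(fl, BASELINE_END))
    print("new destinations:", new_destination_alerts(fl, BASELINE_END))
```

Both rules produce a list of things to look at, not verdicts: a large upload to a new address may be a legitimate new partner, which is exactly the kind of question the comment suggests walking over and asking. The value is that, with the baseline in place, there is a concrete event to ask about instead of a hunch.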

Anthonie Ruighaver: I wrote a paper on agile security a few years ago (available on the internet, just use Google Scholar) where I proposed that for every preventive control you need at least one detective control to indicate when the preventive control has been circumvented.
In today's asymmetric risk environment, situational awareness and detection followed by incident response is way more important than prevention. Prevention is really only cost-effective when it actually reduces incident response.
Using pen testing to remove all vulnerabilities is costly and ineffective. Using pen testing to see if your attack gets detected and to judge whether the incident response is adequate should be a standard aspect of any security audit.
Danny Lieberman: Anthonie

Totally agree.

What we do with our clients is teach them to implement real-time incident response - this is of particular interest for trusted insider events. If the DLP system alerts to a possible breach of sensitive data - then you take the alert and walk over physically to the employee or contractor involved and talk to them in order to understand what happened and notify their manager. It is fairly simple to script a response like this - whether or not the script is transparent is a separate question. Most of our clients like to use the real time monitoring as a deterrent without undue publicity.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
