
Webcast: Virtual Machine Introspection to Combat APTs


It’s time to face it. Traditional perimeter security defense is dead. The question enterprise organizations face is no longer “Will I be breached?” But instead, “Have I already been breached? Do I have an active threat inside my network right now? And if so, where is it, what is it doing right now and what is it after?”

Today’s advanced persistent threats (APTs) – attacks launched by highly skilled, well-resourced cyber adversaries – demand a new approach.

Join Enterprise Strategy Group senior principal analyst Jon Oltsik and CounterTack for a 45-minute webinar on May 16 at 2:00 p.m. EST to learn the benefits of virtual machine introspection for real-time monitoring and actionable forensics intelligence across all stages of an active attack.

  • Gain unparalleled situational awareness into your network environment
  • Arm yourself with superior on-premise threat intelligence about activities targeting your company
  • Adapt to changing cyber enemy skills and tactics
  • Ensure seamless integration with existing infrastructure and security operations workflows

Register Now!

For more information on virtual machine introspection from CounterTack, download this .

Announcing Our New Partnership with HP


We’re thrilled to announce that CounterTack has partnered with HP and has received the HP ArcSight Common Event Format (CEF) certification for our flagship product, Event Horizon.

By leveraging CounterTack’s unique virtual machine introspection capabilities, this partnership will provide joint customers with unparalleled, real-time cyber attack intelligence, such as file, process and network data. This deep forensics information can help organizations enhance security event correlation, reduce false positives and boost security operations response capabilities.

CounterTack’s interoperability with the HP ArcSight correlation engine will provide organizations with valuable, real-time forensic details, such as the timestamp of the attack, information on the process initiating outbound connection to the remote host, and information on the process modifying files and the process modifying Registry Key values.
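The forensic details listed above travel to ArcSight as CEF records, so here is an added example (not CounterTack's or HP's code) of a small CEF parser that honours the format's header and extension escaping rules, followed by a per-host correlation that flags a process which opens an outbound connection and later modifies a registry key. Vendor, product, signature IDs, host names, paths and timestamps are constructed assumptions, not CounterTack's real CEF mapping.

```python
"""Parse ArcSight CEF lines and correlate outbound-connection and
registry-modification events per host. Added example; sample data and
signature IDs are constructed, not a vendor's real event schema."""
import re
from collections import defaultdict

# Constructed sample events: vendor, product, signature IDs and hosts are
# assumptions. Header escapes '|' as '\|'; extensions escape '=' and '\'.
SAMPLE_CEF = r"""
CEF:0|ExampleVendor|ExampleSensor|1.0|NET_OUT|Process outbound connection|5|rt=1336152000000 dvchost=ws-17 sproc=C:\\tools\\svc.exe dst=203.0.113.9 dpt=443
CEF:0|ExampleVendor|ExampleSensor|1.0|FILE_MOD|Process modified file|4|rt=1336152030000 dvchost=ws-17 sproc=C:\\tools\\svc.exe fname=C:\\Users\\a\\drop.dll
CEF:0|ExampleVendor|ExampleSensor|1.0|REG_MOD|Process modified registry key|6|rt=1336152060000 dvchost=ws-17 sproc=C:\\tools\\svc.exe cs1Label=regKey cs1=HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
CEF:0|ExampleVendor|ExampleSensor|1.0|REG_MOD|Registry key modified \| no prior connection|3|rt=1336152090000 dvchost=ws-02 sproc=C:\\Windows\\explorer.exe cs1Label=regKey cs1=HKCU\\Software\\Example\\Key\=Name
""".strip().splitlines()

HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")
_ESC = {"n": "\n", "r": "\r"}


def _split_header(line):
    """Split the 7 '|'-delimited header fields; a backslash escapes the
    next character ('\\|' or '\\\\'). Returns (fields, extension text)."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            cur.append(line[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    return fields, line[i:]


def _unescape(val):
    """Extension values escape '=' as '\\=', '\\' as '\\\\', and CR/LF."""
    return re.sub(r"\\(.)", lambda m: _ESC.get(m.group(1), m.group(1)), val)


def parse_cef(line):
    """Parse one CEF record into header fields plus an 'ext' dict."""
    header, ext = _split_header(line)
    if len(header) != 7 or not header[0].startswith("CEF:"):
        raise ValueError("not a CEF record: %r" % line[:40])
    rec = dict(zip(HEADER_FIELDS, header))
    rec["version"] = rec["version"][len("CEF:"):]
    rec["ext"] = {}
    # Split on a space that is directly followed by 'key='; values may
    # themselves contain spaces, and a literal '=' in a value is escaped.
    for pair in re.split(r" (?=[A-Za-z0-9_]+=)", ext.strip()):
        if pair:
            key, _, val = pair.partition("=")
            rec["ext"][key] = _unescape(val)
    return rec


def correlate(lines):
    """Per host, flag a process that made an outbound connection and later
    modified a registry key. Returns {host: (process, registry key)}."""
    by_host = defaultdict(list)
    for ev in map(parse_cef, lines):
        by_host[ev["ext"].get("dvchost", "?")].append(ev)
    flagged = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: int(e["ext"].get("rt", "0")))  # rt is epoch ms
        connected = set()
        for e in evs:
            proc = e["ext"].get("sproc")
            if e["signature_id"] == "NET_OUT":
                connected.add(proc)
            elif e["signature_id"] == "REG_MOD" and proc in connected:
                flagged[host] = (proc, e["ext"].get("cs1"))
    return flagged


if __name__ == "__main__":
    for host, (proc, key) in correlate(SAMPLE_CEF).items():
        print(host, proc, "connected out, then wrote", key)
```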

According to HP’s Buck Watia, director, Business Development, Enterprise Security, “Trusted interoperability and immediate remediation are critical for customers looking to combat evolving cyber threats head-on.”

Interested in learning more? Check out full details here.


Advanced Persistent "Threat"? Or an "in-progress attack"?


William Jackson's recent article in Government Computer News, "The Untimely Death of The Advanced Persistent Threat?" is an interesting read.  Apparently RSA and Mandiant no longer like the term "Advanced Persistent Threat."  (Aren't they the ones who defined it in the first place?). I share the concern they have with the term, but for a very different, more obvious reason.

Let me ask you a question.  When does a "threat" become an "attack?"  

It seems to me that a "threat" represents a potential attack.  If a burglar is inside your house looking under the sofa for the sterling silver, is there a "threat" of a robbery? Seems a bit more urgent than that. If a well-armed enemy soldier is found wandering around a military base, wouldn't that be considered an attack?

That's my issue with the term "advanced persistent threat." The attacker is inside your network, actively trying to evade detection and steal your data.  Seems like you've moved well beyond a "threat."  You are under attack. So let's call it what it is.  "Active Attack" or "in-progress attack" are more accurate descriptions, don't you think?


Virtual Machine Introspection: Think “Inside the Box”


“Even the best security technology and expertise can’t stop a well-funded and determined attacker,” writes Dark Reading’s Kelly Jackson Higgins.

When it comes to detecting advanced persistent threats (APTs), the danger, of course, is that the attackers will inevitably penetrate your layered defenses and find themselves in a position to do some real damage. The threat is no longer held up at the gates of your network. It lurks inside as well.

The industry is coming to terms with the idea that layered defenses are no longer sufficient. Attacks will get through, no matter what you do. So why are organizations only focused on improving external barriers? Do we really need next generation firewalls? You bet. What about next generation anti-virus protection? Absolutely. Make your defenses as strong as you can. But, these “next generation” products are incremental improvements. Good from far, but far from good enough. They raise the bar for the attacker, but with time, they too will be breached. These improvements represent evolution, when what’s needed is revolution.

So let’s carry this to the next logical step. Once you’ve made the mental leap from “defend and protect” your assets to “find the enemy within and mitigate potential damage,” you need a new strategy and new tools. Can you even currently find an in-progress attack that has breached your perimeter? It’s incredibly hard to stop an attack if you can’t see it in the first place. Further, do you know what the attacker is after? Do you have any situational awareness at all? The answer, unfortunately, is ‘no’.

Organizations need to be in the business of “intelligence,” not just “protection.” The only way to detect an adversary inside your network is to monitor activity deep inside the operating system, where no one can tell you’re watching – but you can see everything, as it’s happening. The only effective way to do that is through virtual machine introspection. Applied virtualization technology is game-changing stuff for sure, and quite capable of sparking the revolution our cyber security industry so desperately needs.  

What We’re Reading Right Now


A number of recent industry articles have caught our attention lately – all highlighting the serious inadequacies of current security approaches and underscoring the need for fundamental and far-reaching changes. Here are a few of our must-reads for the week:

Watching and Waiting

Unlike many cyber hacks that pick their victims at random, instigators of APTs carefully choose their targets – defense contractors and financial firms are prime examples – and wait patiently for just the right moment to strike, writes Ben Worthen of the Wall Street Journal.

In dissecting an APT, it’s clear that the attacker follows a series of phases before taking off with valuable intellectual property and other business-critical information (and in many cases, continuously exfiltrating information over time).

The bad guys are good – really good, in fact – and it’s virtually impossible to stop every APT. But there are ways to minimize the risks. Worthen explains that when it comes to APTs, a perimeter-centric security model simply won’t work. He also notes that although APTs are extremely stealthy, they still leave tracks. “While it is hard to detect an APT, it is comparatively easy to find out how and when an attack occurred after it has been identified,” writes Worthen.

But the question remains: what about those attacks that can’t be recognized and identified?

U.S. Outgunned in Hacker War

Last week, the FBI executive assistant director and top “cyber cop” Shawn Henry offered a sobering view of our nation’s current ability to keep cyber attackers at bay. “We’re not winning,” he said in one of his final interviews before resigning after more than two decades with the bureau. His comments come as Congress reviews two competing plans to help protect critical U.S. infrastructure.  

According to the Wall Street Journal report, too many companies, from major multinationals to small start-ups, fail to recognize the financial and legal risks they are taking or the costs they may have already suffered unknowingly by operating vulnerable networks.

“I don't see how we ever come out of this without changes in technology or changes in behavior, because with the status quo, it's an unsustainable model. Unsustainable in that you never get ahead, never become secure, never have a reasonable expectation of privacy or security,” Henry said.

“We've been playing defense for a long time… You can only build a fence so high, and what we've found is that the offense outpaces the defense, and the offense is better than the defense,” he argued. A new approach to cyber security – from technology to processes to people – is absolutely critical.

Richard Clarke on Who Was Behind the Stuxnet Attack

Richard Clarke, who served three U.S. presidents as counterterrorism czar, has an urgent message for our nation: we are defenseless against today’s advanced cyber attacks that could easily bring down our nation’s entire electronic infrastructure, including the power grid, banking and telecommunications, and even our military command system. In a sobering interview with Ron Rosenbaum of Smithsonian, Clarke paints a bleak picture – a nation totally vulnerable to cyber attacks that is primed to conduct an offensive cyber war without having any defensive plan of action in place.

In this riveting Q&A, Clarke reveals his personal belief that the U.S. is taking a dramatic offensive strategy – utilizing the infamous cyber worm, Stuxnet. In fact, Clarke boldly opines that the United States government was responsible for the Stuxnet attack.

Clarke is quoted as saying, “My greatest fear is that, rather than having a cyber-Pearl Harbor event, we will instead have this death of a thousand cuts. Where we lose our competitiveness by having all of our research and development stolen by the Chinese. And we never really see the single event that makes us do something about it. That it’s always just below our pain threshold. That company after company in the United States spends millions, hundreds of millions, in some cases billions of dollars on R&D and that information goes free to China....After a while you can’t compete.”

Lateral Movement – A Critical Opportunity to Detect an In-progress Cyber Attack


Industry discussion and analysis of many recent high profile cyber attacks – such as the RSA and Sony breaches – indicate that these attacks each followed a distinct, multi-stage approach to penetrating the organization’s network, targeting sensitive data and successfully stealing it. There’s been a tremendous focus on stopping an initial breach, but little focus on the following stages. That needs to change.

Take the home burglary analogy. An intruder picks the lock on the front door, disables the home alarm system and gets into the house. But before any real damage is done, the burglar needs to explore the house to find and collect the valuables, fill the pillowcase with jewelry and other valuables and then escape out the back door. Similarly, today’s cyber attackers move in phases and advanced attacks take place over time. In fact Verizon’s 2011 Data Breach Investigations Report indicates that more than 60 percent of 2011 breaches happened over a span of “months or longer before discovery.”

Let’s briefly examine each attack phase:

First, the attacker breaches the perimeter, establishing a beachhead inside the network. Then, the attacker establishes a backdoor connection to a command and control server to download toolkits and additional payloads from an external site. But this is only the initial breach.  The attacker still has plenty of work to do, and there is still an opportunity to disrupt the attack before any real damage is done.

Once the stage has been set, the attacker begins to move laterally around the network, taking inventory of the resources, and looking for opportunities to collect additional credentials or upgrade the privileges they already have to gain access to the organization’s “crown jewels.”

Finally, armed with knowledge of the network and the necessary credentials, the attacker can collect and eventually exfiltrate the data.  Now the damage has been done.

Though several new solutions have recently hit the market to help organizations prevent or detect the initial breach, they are far from foolproof. In fact, almost all rely on prior knowledge or “signature” of an attack to some degree.  The inevitable conclusion is that attacks will breach your network.  You will need a solution to monitor for lateral movement and privilege escalation.  That is, unless you just want to wait to see what’s been stolen.

It’s also becoming increasingly clear that the ability to monitor for lateral movement during an attack is an essential step in gathering actionable intelligence on attack activity. Over the next few weeks we’ll delve deeper into this line of reasoning in more detail. Stay tuned!

“If We Can’t See The Cyber Attack, We Can’t Stop It”


Sometimes it really helps to state the obvious.

General Keith Alexander, director of the NSA, was quoted by FederalNewsRadio.com yesterday as saying “If we can’t see the attack, we can’t stop it.” See the full story here. He was apparently trying to underscore the need for the private sector to share more information on cyber attacks.  He argued that with greater reporting of the attacks, the government would be in a better position to help.  I’ll buy that.

But I think we’re getting ahead of ourselves. If organizations don’t see the attack, what are they going to share?

I’ve heard CSOs in the private sector use the exact same words to describe their biggest challenge.  “If I can’t see the attack, I can’t stop it,” or  “I’m blind to an attack once it’s inside my network.”  Aren’t those the ones that matter most? 

Multiple layers of defensive solutions are necessary, but clearly not sufficient by themselves.  Firewalls, anti-virus, IPS and malware protection solutions are all helpful tools to block an attack, but they only stop what they recognize and see what they stop. Seems self-evident, but what about the attacks they don’t recognize – the ones that get through?

Unfortunately, organizations aren’t very good at this yet.  Is it lack of tools? A lack of training and experience? It’s all of these things and more. Organizations are limited by outdated thinking. Meanwhile, the cyber security industry has been all too happy to perpetuate the myth that we can stop the barbarians at the gate. The barbarians have already gotten inside. The question is, what are you going to do about it?

We’re Losing – Big Time: The Cyber Security Reality


“The reality today is that we are in a race with our adversaries, and right now, more often than not, they are winning,” said RSA chief Art Coviello in front of a massive crowd during the RSA Conference kickoff keynote yesterday.

It’s no longer a question of “Will I be attacked?” but instead, “When?”

“People in our line of work have been going through hell in the past 12 months," he said. "Our networks will be penetrated. We should no longer be surprised by this."

Today’s attackers are determined, they know exactly what they want and are willing to work and wait for it.

"Never have the attacks been as targeted, with the aim of breaching one organization as a stepping stone to breaching others," he said. And according to Verizon’s soon-to-be-released 2012 Data Breach Investigations Report, almost 80 percent of cyber security breaches weren’t discovered until weeks – or even months later. 

Coviello continued to explain that traditionally, organizations have tried to build the biggest, strongest defenses possible to keep attackers out – but this Maginot Line-style approach is static, complex, layered and expensive – and simply won’t work.

An excellent LiquidMatrix Security Digest article this week summarizes why we are losing – big time – in the race to stop the existing threats and adversaries we face, noting that:

  • Technology evolves at an alarming rate and to secure it you have to stay in front of it, unfortunately there are probably new technologies you probably don’t even know of as users adopt new tech at stupefying rates, the technology that mattered yesterday may be irrelevant tomorrow;
  • We are always applying imperfect defenses to protect a fundamentally flawed system, the proverbial wrong cure for an unacknowledged disease;
  • The pool of things we have to defend are growing at geometric and sometimes exponential rates (there is no linear) but even worse these things have complexity as both a planned and emergent property. The threats we protect against are continuously improving in capability while growing in number;
  • Our capacity to create and move data grows in leaps and bounds but our capacity to protect it does not; and
  • Our defenses are only tested to defend against the weakest attackers and our compliance driven approach focuses on only doing enough.

In order to protect their most critical assets, Coviello explained, organizations must fundamentally change their approach to security. They must become as agile and well-informed as their attackers to successfully defend against today’s advanced persistent threats. They must build intelligence-led security programs that leverage ways to monitor, gather, analyze and act on real-time information to detect and combat these attacks.  

Furthermore, Coviello said, “We need to tap more military experience and military intelligence experience. The new breed of analysts I'm talking about need to be offensive in their mindset."

This level of expertise, he said, is critical in combating increased attacks from criminals, hacktivists and "irresponsible nation states.”

Day 2 of RSA! Visit CounterTack at Booth #845


It's day two of RSA! Be sure to stop by booth #845 today to check out a demo and enter to win a Vespa. Also, follow @CounterTack on Twitter for more chances to enter the Vespa contest throughout the week. Each day, we'll post a new question and "winning hour" on Twitter. If you answer that question during that hour, we'll enter your name into the contest again! We'll announce the winner on Thursday.


What to Expect at This Year’s RSA Conference


It’s finally here! The week everyone in the infosec community waits for all year long. The RSA Conference! (And no, we’re not just talking about all of the great parties and chances to catch up with old friends, colleagues and peers – though we’re looking forward to that too!) The CounterTack team has assembled in San Francisco and is hard at work putting the final touches on booth #845 – where we’ll soon unveil the industry’s first and only commercially available security platform powered by virtual machine introspection to combat in-progress cyber attacks. Sound interesting? Come check it out live during Expo hours and while you’re there, enter to win a Vespa scooter or cash prize.

As we count down the hours until the official RSA kick-off, here’s a preview of what conference attendees can expect this year -- from major show themes to some can’t-miss panel discussions.

We recently caught RSA’s pre-conference teleconference with several security analysts who’ll have a strong presence at this year’s show – John Kindervag of Forrester Research, Andrew Hay of 451 Research and Pete Lindstrom of Spire Security. The three-person panel discussed the surge of high-profile breaches seen over the past 12 months, as well as the rise of headline-grabbing “hacktivists” targeting business and government agencies who they believe are profiting from global movements, such as the massive Occupy Wall Street. Traditional, perimeter-focused defenses and “trust models” are completely inadequate, said the panel, in protecting against today’s advanced, highly targeted attacks. Now is the time for a new approach. These experts agree we’ll see even more high-profile breaches in the year ahead – along with some other top-of-mind concerns that will rock the industry.  

Not surprisingly, mobile security was the most submitted speaking topic for this year’s conference. The proliferation of mobile devices entering the enterprise workforce is creating massive new challenges for security professionals. As these mini-computers evolve, cyber adversaries continue to refine their tactics, techniques and procedures to compromise consumers’ shiny new smartphones and tablets. These devices are not just another data storage platform – they are an extension of the user’s physical persona, capable of tracking location, covertly activating a microphone or camera and intercepting phone calls and SMS.

451 Group’s Andrew Hay said that until recently, most organizations haven’t done much to secure mobile devices in their network, as they’ve been mostly focused on securing their own end-points. That, he says, is going to change this year, as companies start to look at other sources of data exfiltration and mobile is “definitely one of the things.”

Looking for an interesting mobile security panel to attend this week? Don’t miss CounterTack’s Dmitri Alperovitch hosting one of RSA’s top-rated panels, Hacking Exposed: Mobile RAT Edition, on Wednesday, where he’ll discuss the next wave of mobile attacks, outline real-life investigations and demonstrate the latest in Mobile RAT technologies.

Big Data will be another hot theme at this year’s show. It’s the latest buzzword to hit the industry and organizations are rushing to create massive repositories of information to unleash the power ‘Big Data’ promises. But, the panel cautions, there is toxic data within these repositories, and we could be making it much easier for attackers to access a wealth of critical information. The real opportunity, the panel said, will be finding ways to leverage the power of Big Data to analyze security risks and drive new thought processes around threats and vulnerabilities.

Several panel discussions this week will examine what’s to come for the security industry. Constantly evolving, highly targeted threats are forcing us to re-address everything we once thought to be true about security. The question is no longer “Will I be breached?” Instead, it is a series of difficult-to-answer questions including, “Have I already been breached? Do I have an active threat inside my network right now? Where is it? What are they after?” And for this reality, many organizations are ill equipped. Where Will Infosec be in 2020? is sure to be a thought-provoking panel discussion led by Pete Lindstrom, and one we’re looking forward to.

What other topics have you excited about the week ahead? What discussions should everyone be sure to check out? Let us know on Twitter -- @CounterTack -- and come by booth #845 to continue the conversation. And be sure to check back regularly as we’ll be posting updates throughout the show. More soon!
