In-progress Cyber Attack Intelligence Blog


Announcing Our New Partnership with HP


We’re thrilled to announce that CounterTack has partnered with HP and has received the HP ArcSight Common Event Format (CEF) certification for our flagship product, Event Horizon.

By leveraging CounterTack’s unique virtual machine introspection capabilities, this partnership will provide joint customers with unparalleled, real-time cyber attack intelligence, such as file, process and network data. This deep forensics information can help organizations enhance security event correlation, reduce false positives and boost security operations response capabilities.

CounterTack’s interoperability with the HP ArcSight correlation engine will provide organizations with valuable, real-time forensic details, such as the timestamp of the attack, information on the process initiating outbound connection to the remote host, and information on the process modifying files and the process modifying Registry Key values.
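As an added example (not CounterTack's or HP's code), here is how an introspection event of the kind listed above, a process opening an outbound connection, is serialised into an ArcSight CEF line and parsed back, including the escaping the format requires; the vendor and product names and the sample event are constructed placeholders.

```python
import re

# Added example, not CounterTack's or HP's code. Escaping follows the CEF spec:
# header fields escape '|' and '\'; extension values escape '=', '\' and newlines.
# Vendor/product names and the sample event are placeholders.

def _esc_header(s):
    return s.replace("\\", "\\\\").replace("|", "\\|")

def _esc_ext(s):
    return s.replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")

def to_cef(sig_id, name, severity, ext, vendor="ExampleVendor",
           product="ExampleSensor", version="1.0"):
    """Build 'CEF:0|Vendor|Product|Version|SigID|Name|Severity|k=v k=v ...'."""
    hdr = "|".join(_esc_header(str(x))
                   for x in (vendor, product, version, sig_id, name, severity))
    body = " ".join(f"{k}={_esc_ext(str(v))}" for k, v in ext.items())
    return f"CEF:0|{hdr}|{body}"

def _split_header(line):
    """Split the first seven fields on unescaped '|'; the rest is the extension."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        c = line[i]
        if c == "\\" and i + 1 < len(line):   # escaped char: keep it, drop the backslash
            cur.append(line[i + 1]); i += 2; continue
        if c == "|":
            fields.append("".join(cur)); cur = []
        else:
            cur.append(c)
        i += 1
    return fields, line[i:]

# A value runs until the next ' key=' or end of line; escaped pairs are skipped over.
_EXT_RE = re.compile(r"(\w+)=((?:\\.|[^\\])*?)(?=\s+\w+=|\s*$)")

def _unesc_ext(s):
    return re.sub(r"\\(.)", lambda m: "\n" if m.group(1) == "n" else m.group(1), s)

def parse_cef(line):
    fields, ext = _split_header(line)
    if len(fields) != 7 or fields[0] != "CEF:0":
        raise ValueError("not a CEF:0 line")
    keys = ("cef", "vendor", "product", "version", "sig_id", "name", "severity")
    rec = dict(zip(keys, fields))
    rec["ext"] = {k: _unesc_ext(v) for k, v in _EXT_RE.findall(ext)}
    return rec

# Constructed sample: a process opening an outbound connection, with characters
# that need escaping (backslashes in the path, '=' in the command line).
SAMPLE = to_cef("100", "Outbound connection by process", 7, {
    "rt": "Mar 29 2012 14:05:01", "sproc": r"C:\Temp\svc|host.exe",
    "dst": "203.0.113.10", "dpt": 443, "msg": "cmdline: svc|host.exe /k=1"})
```

Note that a pipe inside an extension value is legal and left unescaped; only the seven header fields split on it, which is why the parser counts pipes rather than splitting the whole line.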

According to HP’s Buck Watia, director, Business Development, Enterprise Security, “Trusted interoperability and immediate remediation are critical for customers looking to combat evolving cyber threats head-on.”

Interested in learning more? Check out full details here.


Advanced Persistent "Threat"? Or an "in-progress attack"?


William Jackson's recent article in Government Computer News, "The Untimely Death of The Advanced Persistent Threat?" is an interesting read. Apparently RSA and Mandiant no longer like the term "Advanced Persistent Threat." (Aren't they the ones who defined it in the first place?) I share the concern they have with the term, but for a very different, more obvious reason.

Let me ask you a question. When does a "threat" become an "attack"?

It seems to me that a "threat" represents a potential attack. If a burglar is inside your house looking under the sofa for the sterling silver, is there a "threat" of a robbery? Seems a bit more urgent than that. If a well-armed enemy soldier is found wandering around a military base, wouldn't that be considered an attack?

That's my issue with the term "advanced persistent threat." The attacker is inside your network, actively trying to evade detection and steal your data. Seems like you've moved well beyond a "threat." You are under attack. So let's call it what it is. "Active Attack" or "in-progress attack" are more accurate descriptions, don't you think?


Virtual Machine Introspection: Think “Inside the Box”


“Even the best security technology and expertise can’t stop a well-funded and determined attacker,” writes Dark Reading’s Kelly Jackson Higgins.

When it comes to detecting advanced persistent threats (APTs), the danger, of course, is that the attackers will inevitably penetrate your layered defenses and find themselves in a position to do some real damage. The threat is no longer held up at the gates of your network. It lurks inside as well.

The industry is coming to terms with the idea that layered defenses are no longer sufficient. Attacks will get through, no matter what you do. So why are organizations only focused on improving external barriers? Do we really need next generation firewalls? You bet. What about next generation anti-virus protection? Absolutely. Make your defenses as strong as you can. But, these “next generation” products are incremental improvements. Good from far, but far from good enough. They raise the bar for the attacker, but with time, they too will be breached. These improvements represent evolution, when what’s needed is revolution.

So let’s carry this to the next logical step. Once you’ve made the mental leap from “defend and protect” your assets to “find the enemy within and mitigate potential damage,” you need a new strategy and new tools. Can you even currently find an in-progress attack that has breached your perimeter? It’s incredibly hard to stop an attack if you can’t see it in the first place. Further, do you know what the attacker is after? Do you have any situational awareness at all? Unfortunately, the answer is ‘no’.

Organizations need to be in the business of “intelligence,” not just “protection.” The only way to detect an adversary inside your network is to monitor activity deep inside the operating system, where no one can tell you’re watching – but you can see everything, as it’s happening. The only effective way to do that is through virtual machine introspection. Applied virtualization technology is game-changing stuff for sure, and quite capable of sparking the revolution our cyber security industry so desperately needs.

What We’re Reading Right Now


A number of recent industry articles have caught our attention lately – all highlighting the serious inadequacies of current security approaches and underscoring the need for fundamental and far-reaching changes. Here are a few of our must-reads for the week:

Watching and Waiting

Unlike many cyber hacks that pick their victims at random, instigators of APTs carefully choose their targets – defense contractors and financial firms are prime examples – and wait patiently for just the right moment to strike, writes Ben Worthen of the Wall Street Journal.

In dissecting an APT, it’s clear that the attacker follows a series of phases before taking off with valuable intellectual property and other business-critical information (and in many cases, continuously exfiltrating information over time).

The bad guys are good – really good, in fact – and it’s virtually impossible to stop every APT. But there are ways to minimize the risks. Worthen explains that when it comes to APTs, a perimeter-centric security model simply won’t work. He also notes that although APTs are extremely stealthy, they still leave tracks. “While it is hard to detect an APT, it is comparatively easy to find out how and when an attack occurred after it has been identified,” writes Worthen.

But the question remains: what about those attacks that can’t be recognized and identified?

U.S. Outgunned in Hacker War

Last week, the FBI executive assistant director and top “cyber cop” Shawn Henry offered a sobering view of our nation’s current ability to keep cyber attackers at bay. “We’re not winning,” he said in one of his final interviews before resigning after more than two decades with the bureau. His comments come as Congress reviews two competing plans to help protect critical U.S. infrastructure.

According to the Wall Street Journal report, too many companies, from major multinationals to small start-ups, fail to recognize the financial and legal risks they are taking or the costs they may have already suffered unknowingly by operating vulnerable networks.

"I don't see how we ever come out of this without changes in technology or changes in behavior, because with the status quo, it's an unsustainable model. Unsustainable in that you never get ahead, never become secure, never have a reasonable expectation of privacy or security,'' Henry said.

“We've been playing defense for a long time… You can only build a fence so high, and what we've found is that the offense outpaces the defense, and the offense is better than the defense,'' he argued. A new approach to cyber security – from technology to processes to people – is absolutely critical.

Richard Clarke on Who Was Behind the Stuxnet Attack

Richard Clarke, who served three U.S. presidents as counterterrorism czar, has an urgent message for our nation: we are defenseless against today’s advanced cyber attacks that could easily bring down our nation’s entire electronic infrastructure, including the power grid, banking and telecommunications, and even our military command system. In a sobering interview with Ron Rosenbaum of Smithsonian, Clarke paints a bleak picture – a nation totally vulnerable to cyber attacks that is primed to conduct an offensive cyber war without having any defensive plan of action in place.

In this riveting Q&A, Clarke reveals his personal belief that the U.S. is taking a dramatic offensive strategy – utilizing the infamous cyber worm, Stuxnet. In fact, Clarke boldly opines that the United States government was responsible for the Stuxnet attack.

Clarke is quoted as saying, “My greatest fear is that, rather than having a cyber-Pearl Harbor event, we will instead have this death of a thousand cuts. Where we lose our competitiveness by having all of our research and development stolen by the Chinese. And we never really see the single event that makes us do something about it. That it’s always just below our pain threshold. That company after company in the United States spends millions, hundreds of millions, in some cases billions of dollars on R&D and that information goes free to China....After a while you can’t compete.”

Lateral Movement – A Critical Opportunity to Detect an In-progress Cyber Attack


Industry discussion and analysis of many recent high profile cyber attacks – such as the RSA and Sony breaches – indicate that these attacks each followed a distinct, multi-stage approach to penetrating the organization’s network, targeting sensitive data and successfully stealing it. There’s been a tremendous focus on stopping an initial breach, but little focus on the following stages. That needs to change.

Take the home burglary analogy. An intruder picks the lock on the front door, disables the home alarm system and gets into the house. But before any real damage is done, the burglar needs to explore the house to find and collect the valuables, fill the pillowcase with jewelry and other valuables and then escape out the back door. Similarly, today’s cyber attackers move in phases, and advanced attacks take place over time. In fact, Verizon’s 2011 Data Breach Investigations Report indicates that more than 60 percent of 2011 breaches happened over a span of “months or longer before discovery.”

Let’s briefly examine each attack phase:

First, the attacker breaches the perimeter, establishing a beachhead inside the network. Then, the attacker establishes a backdoor connection to a command and control server to download toolkits and additional payloads from an external site. But this is only the initial breach. The attacker still has plenty of work to do, and there is still an opportunity to disrupt the attack before any real damage is done.

Once the stage has been set, the attacker begins to move laterally around the network, taking inventory of the resources, and looking for opportunities to collect additional credentials or upgrade the privileges they already have to gain access to the organization’s “crown jewels.”

Finally, armed with knowledge of the network and the necessary credentials, the attacker can collect and eventually exfiltrate the data. Now the damage has been done.

Though several new solutions have recently hit the market to help organizations prevent or detect the initial breach, they are far from foolproof. In fact, almost all rely to some degree on prior knowledge, or a “signature,” of an attack. The inevitable conclusion is that attacks will breach your network. You will need a solution to monitor for lateral movement and privilege escalation. That is, unless you just want to wait to see what’s been stolen.
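One way to turn the phases described above into detection logic, as an added example that is not CounterTack's code: a host that first contacts an external address (the backdoor phase) and then, within a time window, connects to several distinct internal hosts (the lateral-movement phase) is flagged. The internal address range, the connection records and the process names are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Added example, not CounterTack's code. Flags the two-phase pattern from the post:
# an external contact followed by a fan-out to several internal hosts from the
# same source. Internal ranges and the event records below are constructed.
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)

def find_lateral_movement(events, window=3600, fanout=3):
    """events: dicts with ts (epoch seconds), src, proc, dst (one per connection).
    Returns one alert per external contact that is followed, within `window`
    seconds, by connections from the same src to >= `fanout` distinct internal hosts."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        for beacon in (e for e in evs if not is_internal(e["dst"])):
            later = [e for e in evs
                     if beacon["ts"] < e["ts"] <= beacon["ts"] + window
                     and is_internal(e["dst"]) and e["dst"] != src]
            targets = sorted({e["dst"] for e in later})
            if len(targets) >= fanout:
                alerts.append({"src": src, "beacon_proc": beacon["proc"],
                               "external": beacon["dst"], "targets": targets,
                               "procs": sorted({e["proc"] for e in later})})
    return alerts

# Constructed connection records: 10.1.2.5 reaches out, then sweeps four peers;
# 10.1.2.9 browses out and then talks to a single file server (no alert).
EVENTS = [
    {"ts": 100, "src": "10.1.2.5", "proc": "updater.exe", "dst": "203.0.113.10"},
    {"ts": 220, "src": "10.1.2.5", "proc": "svchost.exe", "dst": "10.1.2.20"},
    {"ts": 240, "src": "10.1.2.5", "proc": "svchost.exe", "dst": "10.1.2.21"},
    {"ts": 260, "src": "10.1.2.5", "proc": "svchost.exe", "dst": "10.1.2.22"},
    {"ts": 280, "src": "10.1.2.5", "proc": "svchost.exe", "dst": "10.1.2.23"},
    {"ts": 150, "src": "10.1.2.9", "proc": "browser.exe", "dst": "203.0.113.10"},
    {"ts": 300, "src": "10.1.2.9", "proc": "explorer.exe", "dst": "10.1.2.50"},
]
```

The fan-out threshold and window are the tuning knobs: a workstation that legitimately talks to many servers needs a higher `fanout` or an allow-list of its normal peers to keep the rule quiet.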

It’s also becoming increasingly clear that the ability to monitor for lateral movement during an attack is an essential step in gathering actionable intelligence on attack activity. Over the next few weeks we’ll delve deeper into this line of reasoning in more detail. Stay tuned!
