Industry discussion and analysis of many recent high profile cyber attacks– such as the RSA and Sony breaches – indicate that these attacks each followed a distinct, multi-stage approach to penetrating the organization’s network, targeting sensitive data and successfully stealing it. There’s been a tremendous focus on stopping an initial breach, but little focus on the following stages. That needs to change.
Take the home burglary analogy. An intruder picks the lock on the front door, disables the home alarm system and gets into the house. But before any real damage is done, the burglar needs to explore the house to find and collect the valuables, fill the pillowcase with jewelry and other valuables and then escape out the back door. Similarly, today’s cyber attackers move in phases and advanced attacks take place over time. In fact Verizon’s 2011 Data Breach Investigations Report indicates that more than 60 percent of 2011 breaches happened over a span of “months or longer before discovery.”
Let’s briefly examine each attack phase:
First, the attacker breaches the perimeter, establishing a beachhead inside the network. Then, the attacker establishes a backdoor connection to a command and control server to download toolkits and additional payloads from an external site. But this is only the initial breach. The attacker still has plenty of work to do, and there is still an opportunity to disrupt the attack before any real damage is done.
Once the stage has been set, the attacker begins to move laterally around the network, taking inventory of the resources, and looking for opportunities to collect additional credentials or upgrade the privileges they already have to gain access to the organization’s “crown jewels.”
Finally, armed with knowledge of the network and the necessary credentials, the attacker can collect and eventually exfiltrate the data. Now the damage has been done.
Though several new solutions have recently hit the market to help organizations prevent or detect the initial breach, they are far from foolproof. In fact, almost all rely on prior knowledge or “signature” of an attack to some degree. The inevitable conclusion is that attacks will breach your network. You will need a solution to monitor for lateral movement and privilege escalation. That is, unless you just want to wait to see what’s been stolen.
It’s also becoming increasingly clear that the ability to monitor for lateral movement during an attack is an essential step in gathering actionable intelligence on attack activity. Over the next few weeks we’ll delve deeper into this line of reasoning in more detail. Stay tuned!