The question of stopping targeted attacks has been on my mind for a while. Of course my partners and I have to suffer through far too many vendor briefings where they claim to stop an APT with fairy dust and assorted other black magic. But honestly, it is a legitimate and necessary question.
Ever since Google came clean a few years back about Aurora, and everyone then acknowledged the persistent, likely state-sponsored attacker as a class of adversary, vendors have been APT-washing their stuff, trying to convince anyone who would sit still that their run-of-the-mill IPS or endpoint protection product had a chance. Basically this rash act was necessary to keep the cash cow producing, even in the face of mediocre (or worse) efficacy of existing controls.
But here is the thing these vendors missed. Very few of the adversaries most organizations face are advanced or persistent. Most are today’s version of script kiddies trying to smash and grab their way out of the despondency of their existence. It’s much easier and more lucrative than robbing a bank, after all. So most existing controls still have some role to play in tomorrow’s defense. But we all know existing controls are not sufficient.
Yet targeted attacks do exist, and the legitimately advanced attackers are now targeting further afield to achieve their objectives. They are attacking the supply chains of their targets to gain deeper footholds, earlier. And now that we have a better idea of the tactics they are using, we start to see offerings built very specifically for these kinds of attacks. I won’t say we’re seeing real innovation yet, but lots of vendors are learning and evolving their offerings to factor in this new class of attacker. Unfortunately it’s still way too early to get a feel for whether real innovation is happening (or will happen), or whether this is just a classier version of APT-washing.
Regardless of what happens on the prevention side, you still need to monitor the hell out of your stuff. As Mandiant described in a blog post that has since disappeared from their site (wonder if they’re now doing work for Global Payments, hmmmm), the folks at Global Payments evidently found the first breach themselves by monitoring their egress traffic and seeing stuff they didn’t like leaving their network. Was it too late? Of course. But it’s a hell of a lot better to catch it yourself than to hear from your payment processor or the FBI that you have a ‘problem’.
We will see a lot of new stuff, as everybody tries to get ahead of attacks – even targeted ones. But it’s career-limiting to plan on stopping them, so we still push investment in monitoring, forensics, and response – even in the presence of new and innovative protections. Or is “Can you stop a targeted attack?” the wrong question to even ask?
Photo credit: “Bullseye” originally uploaded by bitsofreality
5 Replies to “Can You Stop a Targeted Attack?”
Good discussion @ds and @MikeRothman. I think @ds understood my point well — that a balanced approach is needed. You must plan for failure, which involves having plans and tools for monitoring for breach and incident response; however, your primary defense should be prevention. The cost of clean-up (finding breaches, incident response, remediation, brand damage control, customer records compromise, etc) far exceeds the cost of preventing the attack in the first place. Yes, I have developed a product that prevents breach. Why? Because that’s exactly what we need in this industry — innovation on the prevention side. It’s time to re-think how we do security and increasingly people are beginning to think about how we keep the adversary at bay instead of searching for them on our networks.
I agree with @MikeRothman’s point that a lot of organizations don’t understand their vulnerability to attack. However, the response for the ones who do understand should be to put in place an architecture that prevents attacks to the greatest extent possible, contains their damage when successful, and monitors for breach of compartments to facilitate quick remediation with minimal loss of IP and sensitive records. And by the way, for those that don’t know, the way the bad guys get on your network who are after your data and money is by spearphishing. If your plan to defend against this type of attack is counting on every user to make the right decision when presented with an email (even if you have a training program), then you don’t have a plan.
The reason I am adding my voice to the fray is that the loud guys have heavily influenced security practitioners into believing that you can address this problem by monitoring and “quickly” responding to a breach — whatever that means. Today quick would be faster than a year. Trust me, if you could detect an attack in the first place in a reasonably short time period (measured in seconds not months), you would stop it, or nominally contain it. The fallacy of the logic in monitoring and response is that you can detect the attack that bypassed the tools. If you could, then you would simply update the tools, which is how the security industry works (and failed) by and large. Instead, humans end up detecting artifacts of attacks long after the attack has been successful — after the damage is done — hence the IR industry was born that attempts to perpetuate itself by saying you can’t prevent the attack. That’s the most expensive dollar in security you can spend — incident response.
My message is to invest in innovation rather than ceding the network to the adversary and hoping to find them on the network after the damage is done. It turns out once your customer records are leaked, your email archive published, your IP stolen, all the remediation and incident response in the world can’t get it back. All the King’s men couldn’t put Humpty Dumpty back together, and neither can you.
Let’s put in place contingency plans but invest heavily in keeping the bad guys out of the network.
Sorry @anup, I don’t buy it. No one has given up. In fact, the vast majority of organizations hold to the flawed belief that either 1) they aren’t targets or 2) their existing controls are sufficient. Both are fatally flawed and result in the high profile issues we see (pretty much) every day.
If anything, far too many people have underinvested in IR and monitoring, and are woefully unable to figure out what happened.
Though I do agree that if your only points of reference are what you hear going on in the echo chamber (driven by high profile folks like Bejtlich, et al), then you’d draw that very conclusion. I personally spend so much time talking about reacting faster because so few of the folks I work with do it well.
I guess the post was really a red herring, as @ds caught at the end. I do believe the question of stopping a targeted attack is irrelevant. Targeted or not, no one can stop every attack, so monitoring/responding MUST be part of the security program. Regardless of what the monitoring and incident response vendors say.
Just because they are loud, doesn’t mean they are wrong. Nor do they say to focus exclusively on response. I’ve never heard any of them say that publicly.
To wrap up, let’s be clear that Anup sells a product that focuses on prevention. So he’s got an iron in the fire as well. So as it’s in Bejtlich’s best interest to get folks to focus on response, it’s in Anup’s best interest to have folks continue to attempt prevention.
Mike.
I couldn’t agree more with Anup. The debate is being framed by several outspoken and influential people such as Richard Bejtlich whose bias is being ignored almost entirely.
The argument that you cannot prevent so you should only react posits a “false dilemma” which eliminates the middle ground of a balanced approach when the truth is that we can prevent some classes of attacks and for some companies, as you state, that’s all they’ll ever see.
Let’s get it clear: the “detect and react is the best security approach” nonsense is coming from vendors who sell detect and response tools and services and any wisdom they share should be taken with more than a little skepticism.
Maybe the right question to ask is “what the heck are we trying to accomplish as security practitioners”, because from what I’ve seen over the years, if the answer isn’t “I’m trying to use security gadgets” we don’t have one at all.
I think that you can make a damn fine effort to stop targeted attacks. But economically and realistically, almost no one is set up to do so. I would even say that very few should even agonize over that question, as you can get more done and more value out of monitoring and response and what prevention you can get away with.
Vendors definitely are a problem, but so is the media and internal PR. I hate seeing, “we were penetrated by a sophisticated and advanced attack.” Really? Please describe since this ought to be very interesting then! Most of the time, it’s just more advanced and sophisticated than the CxO. So now we get too many people thinking about “APT” when they shouldn’t be, at least not in anything more than a hypothetical role-play brainstorming session. (I believe it’s useful to sit down and plan what you would do in a perfect scenario, but then do what you can do…)
If security could work in a vacuum with a big budget and a free ticket to yank and move the business any way it likes, it could do a very fine job.
While smart people do contingency planning (plan for failure of your defenses), lazy people give up the fight against adversaries and cede the network. The IR industry (people who make $$ by cleaning up after a network breach, then allowing it to happen again to win yet another consulting engagement) has successfully convinced most of the security industry to put most of the eggs on services and monitoring for breach post facto, under the premise that you can’t stop the breach.
Have the security tools we’ve deployed to stop the intrusions failed us? Absolutely. But that’s a call to arms to innovate, not a call to lay down your arms and cede the network so you can call in the IR guys to keep cleaning up after each breach. Break this insanity cycle. It’s time to get back to what we do best in this country — out-innovate our adversaries to prevent the breach in the first place. Who’s game?