Operation Stop The Exfiltration
This is the second installment in an occasional series on a new sense of urgency for incident response after a cyberattack. See part 1, Incident Response Now Shaping Security Operations.
The sophisticated cybercriminals who stole 40 million payment card accounts from Target had to work harder than most bad guys. Not only did they have to gain a foothold into the retailer’s network via its HVAC contractor in order to infect its POS system, but they also had to set up shop inside the Target network on one of its computers in order to siphon and ship out the data from the POS to their own machines.
“They had to move laterally and needed a control node. So they had to set up a command and control inside Target” and attack the POS at the time the cards were swiped and the data briefly unencrypted, Mike Lloyd, CTO at RedSeal Networks, told us. “Target raised the bar, so the attackers had to. This is an endless game. Yes, Target did lose in the end, but you can learn from what they did well: They forced the attackers to put a command and control inside their [Target’s] network.”
What could have made the difference in Target’s breach — and in that of other victim organizations — is if the retailer had in place more hoops for the attackers to jump though, so it could have stopped them from commandeering the internal machine, or deterred them from exfiltrating the stolen data altogether, he said. Target apparently had blocked outbound paths on its POS, so the attackers couldn’t just send the data out from there. Instead, they did so via another computer at the retailer.
“You try to make it so they can’t simply walk out of the building,” Lloyd said. “It’s not literally putting tar or glue on packets. But if the number of locations [machines] that could talk to the POS is very limited,” for example, the chances of the attackers exiting the building with stolen data are much lower.
“How can you make it harder for them to get data out?” he asked. “You can build a better maze.”
There are no specific tools or sure-fire techniques for tripping up attackers trying to grab data. However, there are ways to configure the environment to slow them down and potentially stop them in their tracks, or even shut them down before they manage to pilfer anything. It’s a matter of closing unnecessary conduits to sensitive and at-risk data and becoming intimately familiar with the normal and acceptable goings on in the network, so you can spot the outliers.
Cris Ewell, chief information security officer at Seattle Children’s Hospital, said there is no easy way to stop an attack from becoming a breach, but a solid and well-rehearsed incident response (IR) plan can go a long way. Ewell, who reports to the hospital’s general counsel as well to a board-level committee, oversees the security and IR operations. “Incident response is one of my top four activities for the hospital. We are very proactive at looking at things and stopping them before they happen, because they could become a breach.”
Knowing the risks facing key machines and how they communicate with other machines helps. “You have to really focus on narrowing that scope as much as you can.” The hospital has been executing that strategy for the past four years, narrowing holes in firewalls, for example, and closing any risky or unnecessary ports on its nodes.
Seattle Children’s monitors its traffic closely, and none of its internal systems have direct access from the Internet. That access goes through a portal with Citrix virtualization and two-factor authentication. “That decreases the risk pretty significantly.”
At the least, you need to understand when an incident has occurred, Ewell said. “There’s nothing you can do to stop someone from coming in. [The] adversaries are incredibly bright and well funded, and if they want our data, they are able to get it. That’s the first premise” all organization face today.
The hospital’s regimented and proactive incident response operation is more the exception than the rule today among enterprises. Incident response represents less than 10% of the overall IT security budget at most organizations, according to a recent Ponemon Institute study, and more than one-third of organizations do not have a fully operational IR team.
“We collect terabytes of data,” Ewell said. “Unfortunately, it’s that little blip… [determining] what’s important or not. That’s where my team is focusing on: How do we do the analytics to build that intelligence in?”
Ewell belongs to multiple ISACs and regularly swaps threat information and experiences with other CISOs in his region. “We are sharing things like certain IPs, ‘I just saw this, and it looks unusual. Did you?’ We are talking. That’s the first part to how you stop this. That’s what makes us different” from other organizations.
The missing link in his organization — and one that is common among many others — is the tools to help security and IR analysts sift through monitoring events more accurately, find the real problems or potential ones, and not miss that tiny blip that could be the attack. “I know my high-risk targets… we are watching those every day. That’s how we’re successful in stopping incidents quickly.” Ewell’s team is working on developing its own custom tools to drill down even more on the “blips.”
Dan Hubbard, CTO at OpenDNS, said measuring the baseline of your servers and PoS terminals and setting security policies and alerts around that metric can lock out a lot of attacks. “There’s not much reason for your POS or other servers to be connecting to servers in Russia and downloading data. Context of identity and the baseline are key,” because it may be just fine for an end user to download a whitepaper from a Russian website, for example.
Monitoring can help spot an attacker moving from one machine to another inside your network. Experts say host IPS systems also can help stop malware from running on machines.
In Target’s case, RedSeal’s Lloyd said, it may have been a matter of limiting the number of locations the POS could communicate with, or cranking up the levels of the host IPS on its servers. “You could put that [sensitive system] in a controlled network zone, but you don’t see many commercial companies doing this.”
At the least, it’s locking down with tighter controls the machines that communicate with critical data. “It’s slowing them down through architecture ahead of the attack,” he said.
A security and IR team member at a large US manufacturer said attacks are becoming more precise now, because cyberspies and the more sophisticated cybercriminals are conducting detailed reconnaissance before breaking in. “It’s sniper hacking now. They know exactly where they want to go. There’s no poking around. They already know what our network looks like.”
Next: How to conduct a smooth incident response operation
Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, … View Full Bio