Today we live in a world where cyber attacks and cyber espionage are commonplace. DDoS attacks take down web sites we normally access. Spear-phishing attacks trick us into revealing personal information. And data breaches compromise our credit card numbers stored in a retailer’s database. Everyone, it seems, is defenseless against relentless attacks that target everything from Facebook accounts to the SCADA systems controlling nuclear power stations.
The problem is, the cyber defense technologies that traditionally protected us from attack are often no longer able to do so. Firewalls, anti-malware tools and the like cannot block zero-day attacks, because there is no signature for an exploit nobody has seen before. Zero days can slip past conventional perimeter security tools undetected, and then wreak havoc inside the network.
The Pattern of a Data Breach
Data breaches such as those discovered at Target, Sony Pictures, and elsewhere are not random. They generally follow a set pattern, and require careful planning and execution.
First, the attacker identifies his target, and searches for security weaknesses that he can exploit. It’s easy to find tools and sites (like Shodan) on the Internet that can scan for systems or components that have known vulnerabilities.
After identifying the point of entry, the next step is to actually gain entry. In other words, the attacker needs access to a system that can be used as an escalation point. Again, tools such as Metasploit make this simple to do, and are easy to locate. This step is usually accomplished either through a brute force attack, or by using credentials gathered from somewhere in the environment, often through social engineering.
Once privilege escalation is achieved, the intruders generally have unrestricted freedom on the compromised systems. They can extract data, modify system settings, and install back doors they can use for future access.
Getting the stolen information out of the breached organization, and covering their tracks in the process, is relatively easy for the intruders to do with applications such as Corkscrew; Tor or other deep web services can then move the information. And they generally have plenty of time to do so. According to Mandiant, hackers maintain persistent access on the network for an average of 205 days before they are discovered.
Cyber Defense That Stops Malware and APTs in Their Tracks
Despite the prevalence of cyber attacks, and the seemingly impossible task of stopping them, malware and APTs do have a chink in their armor. To do their worst, they need privileged access to a system. Ultimately, if they can't install something, they can't attack.
The often overlooked cyber defense practice of managing privileged accounts, whether used by administrators, services, tasks or anything else, stops attacks that penetrate the perimeter dead in their tracks. Organizations that deploy privileged identity management with continuous monitoring and scanning of registries, daemons, tasks, hardware components, services and privileged accounts (the same reconnaissance the attackers perform) can prevail in today's environment of unremitting cyber warfare.
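One concrete form of the continuous scanning described above is to keep an approved baseline of privileged accounts, services and scheduled tasks per host and flag any drift from it. The following is an added illustration, not code from the original post; the snapshots, account names and paths in it are constructed, and a real scanner would gather them from the hosts themselves.

```python
# Added example (not from the original post): detect drift from an approved
# baseline of privileged accounts, services and scheduled tasks. The snapshots
# below are constructed; a real scanner would collect them from each host.
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    category: str  # "privileged_account", "service" or "scheduled_task"
    name: str
    change: str    # "added", "removed" or "modified"
    detail: str

def diff_inventory(baseline: dict, current: dict) -> list[Finding]:
    """Return every difference between the approved baseline and a live scan.

    Each snapshot maps a category to {name: attributes}. A new sudo rule or
    service is the kind of back door left behind after privilege escalation.
    """
    findings = []
    for category in sorted(set(baseline) | set(current)):
        before, after = baseline.get(category, {}), current.get(category, {})
        for name in sorted(set(before) | set(after)):
            if name not in before:
                findings.append(Finding(category, name, "added", repr(after[name])))
            elif name not in after:
                findings.append(Finding(category, name, "removed", repr(before[name])))
            elif before[name] != after[name]:
                findings.append(Finding(category, name, "modified",
                                        f"{before[name]!r} -> {after[name]!r}"))
    return findings

# Constructed baseline for one host (hypothetical names and paths) ...
BASELINE = {
    "privileged_account": {"root": {"shell": "/bin/bash"},
                           "backup": {"sudo": "NOPASSWD:/usr/bin/rsync"}},
    "service": {"sshd": {"path": "/usr/sbin/sshd", "enabled": True}},
    "scheduled_task": {"logrotate": {"cmd": "/usr/sbin/logrotate"}},
}
# ... and a later scan of the same host (also constructed).
CURRENT = {
    "privileged_account": {"root": {"shell": "/bin/bash"},
                           "backup": {"sudo": "ALL=(ALL) NOPASSWD:ALL"},
                           "svc_tmp": {"sudo": "ALL=(ALL) NOPASSWD:ALL"}},
    "service": {"sshd": {"path": "/usr/sbin/sshd", "enabled": True},
                "updater": {"path": "/tmp/.u/run.sh", "enabled": True}},
    "scheduled_task": {"logrotate": {"cmd": "/usr/sbin/logrotate"}},
}

if __name__ == "__main__":
    for f in diff_inventory(BASELINE, CURRENT):
        print(f"[{f.change.upper():8}] {f.category}/{f.name}: {f.detail}")
```

On the constructed data the scan surfaces three findings: the widened sudo rule on `backup`, the new privileged account `svc_tmp`, and the unknown `updater` service running from `/tmp`.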