Reflecting on some recent cyber security incidents, I thought it would be of benefit to write a very simple guide on how to ‘stay safe’: back to the basics, i.e. no admin rights, application whitelisting, etc. My purpose was to bring to mind the typical threats, e.g. shell-code injection, phishing and ransomware attacks, as these are what I considered to be the most common and biggest threats. However, after recently helping some customers with their incident response challenges, I have reached a completely different conclusion. Those are not the biggest cyber threats faced by businesses worldwide.
The biggest threat to cyber security is in fact TIME!

After studying a number of data breach and leak incidents that I have responded to on behalf of our customers, I found that they all had a few things in common:
– all of the data breach/leak incidents happened over a period of time (longer than a few days);
– some indicators of compromise were visible and could have been identified; had these initial indicators of compromise been identified in time, the subsequent impact would have been significantly reduced, if not eliminated completely.

So, if it was possible to detect these compromises, why did the IT team not see them?

In essence, they had one problem: in order to detect an attack, they would have to look through an endless list of different logs, NetFlow statistics, active connections and traffic patterns, and then collate and correlate all of this information together. On top of this they would need to track endless updates about new vulnerabilities, ranging from software to hardware (cf. the recent CPU issue). Simply put, they do not have the time or resources to complete this arduous task. They were already busy ‘keeping the lights on’ and were facing the impossible task of handling cyber security without being equipped with the right tools and techniques to do so in the limited amount of time afforded to them.

In organisations that have more than 200 IT assets (switches, servers, laptops, PCs), the IT team is busy dealing with day-to-day user requests. They do not always have time to take even a quick glimpse at the firewall or AV logs. Many companies just respond to issues reported by end users, and this process continues until the company ends up on the front page of a national newspaper depicting another “biggest” and “unheard of” data breach in the history of the Universe.

It is not possible to simply throw money at the problem and deploy an army of people tasked with watching logs, analysing them and tracking attackers.

The IT team has very limited time available; as a result, persistent threat detection must be automated, admin rights must be given to very few people and their use monitored, and the tooling must highlight and notify on only the most important, actionable alerts.

If a system administrator were alerted each day about one or two high-potential issues, they could deal with them and adequately manage the steps to be taken, maintaining the organisation’s security.
There are a number of tools available, either from the cloud or on premise. One example is AlienVault, which collects data from multiple sources, assesses existing vulnerabilities, collates and correlates all of these together, prioritises risks or incidents so that the system admin is presented with only the most important issues to deal with, and captures and preserves evidence for further deep analysis if required. As a Managed Security Services Provider, we often rely on AlienVault in our work.
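To make the collate-correlate-prioritise step concrete, here is a small added example (my own illustration, not the post's or AlienVault's code). It groups constructed firewall, AV and NetFlow events by host, scores them, records how long the indicators span (the dwell time the incidents above had in common), and surfaces only hosts that cross a threshold; the weights, threshold and sample lines are assumptions.

```python
# Added example: minimal multi-source correlation and alert prioritisation.
from collections import defaultdict
from datetime import datetime

# Constructed sample events from three sources: firewall (fw), antivirus (av), NetFlow (flow).
EVENTS = [
    "2018-01-10T08:02:11 fw   host=ws-17  action=deny dst=203.0.113.9:4444",
    "2018-01-10T08:05:40 av   host=ws-17  detect=Trojan.Generic action=quarantine",
    "2018-01-11T22:14:03 flow host=ws-17  dst=203.0.113.9:443 bytes_out=734003200",
    "2018-01-10T09:12:00 fw   host=srv-db action=deny dst=198.51.100.4:22",
    "2018-01-12T01:30:55 flow host=ws-04  dst=192.0.2.77:443 bytes_out=120000",
]

WEIGHTS = {"fw": 1, "av": 3, "flow": 4}   # assumed weight per indicator source
EXFIL_BYTES = 100 * 1024 * 1024           # assumed outbound volume worth flagging
ALERT_THRESHOLD = 5                       # assumed score needed to page an admin

def parse(line):
    """Turn 'timestamp source key=value ...' into a dict."""
    ts, src, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return {"ts": datetime.fromisoformat(ts), "src": src, **fields}

def correlate(lines):
    """Group events by host; return score, indicator sources and dwell time in days."""
    by_host = defaultdict(list)
    for ev in map(parse, lines):
        by_host[ev["host"]].append(ev)
    results = {}
    for host, evs in by_host.items():
        score, indicators = 0, []
        for ev in evs:
            if ev["src"] == "flow" and int(ev["bytes_out"]) < EXFIL_BYTES:
                continue  # ordinary flow volume is not an indicator on its own
            score += WEIGHTS[ev["src"]]
            indicators.append(ev["src"])
        first, last = min(e["ts"] for e in evs), max(e["ts"] for e in evs)
        results[host] = {"score": score, "indicators": indicators,
                         "dwell_days": (last - first).days}
    return results

def top_alerts(lines, threshold=ALERT_THRESHOLD):
    """Only hosts whose correlated score reaches the threshold, highest first."""
    scored = correlate(lines)
    hosts = [h for h, r in scored.items() if r["score"] >= threshold]
    return sorted(hosts, key=lambda h: scored[h]["score"], reverse=True)

if __name__ == "__main__":
    for host in top_alerts(EVENTS):
        print(host, correlate(EVENTS)[host])
```

Three low-value events on one host add up to one actionable alert, while isolated denies and normal-volume flows on other hosts never reach the administrator.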

The modern approach to cyber security is described as “assume breach”: every defensive measure, regardless of how strong or robust, will sooner or later break and provide access to the ‘attacker’. To avoid costly consequences we need to be able to detect and identify compromises quickly; however, we have to remember that the IT team does not have time to complete this ongoing task.

As a result, it is safe to conclude that time itself is the biggest threat to cyber security.

If you recognise your issue in the above article, please contact us and see how we can help.


Posted by Derek Mizak

Cyber security consultant working on application of Artificial Intelligence to cyber security practice, Digital Forensic Investigator, ISO27001 lead auditor.