Saturday, October 17, 2015

Prevention is Ideal But Detection is a Must

No company wants to get hacked, but the honest truth is that most companies have already been compromised. They just don't know it yet because they aren't looking for it. Businesses have initiatives and antivirus and are following PCI compliance, but compliance isn't security and antivirus won't keep malware off your machines. There's a knee-jerk reaction in the corporate world to buy more preventative appliances, but that's not a solution. Prevention is ideal, but detection is a must, because prevention often fails. How do we detect? We need people, good people.

First, you need to recognize that your business is going to be compromised. That phishing e-mail that looked like a legitimate customer's purchase order is commonly how attackers get inside. Your employee was trying to do the right thing by working with a customer. Are you willing to stop answering all business e-mail because you could be attacked? Of course not. Attackers know this and use social engineering to the best of their abilities to get you to open their malicious attachments and click their malicious links. Why doesn't antivirus stop it? Attackers have their own labs full of antivirus products, and they keep changing their malicious links/files until they get a version that antivirus vendors don't catch. It's essentially VirusTotal.com, except their malicious files aren't shared with security vendors. Every time you put up a wall, attackers will try, and often succeed, in finding a way around it. That doesn't mean you should stop putting up walls to make it difficult for the bad guys; you just need to understand that your defenses will be breached.

Now that you understand you've got attackers on the inside, what can you do about it? Detection! You need data, logs, and people. You need to learn what is "normal" on your computers so you can find anomalies. Most malware isn't particularly stealthy. Attackers are lazy; if they can hide in plain sight, they will. If you're not looking at your systems, the attackers don't have to use advanced techniques to hide. You also need to learn what normal network traffic looks like. I highly recommend a web proxy. Even if you're not blocking any of your employees' web surfing, you still get a record of all the traffic, and in those logs the command and control traffic becomes visible. Once you know how to look for it, I guarantee you'll find it. Most importantly, you need people who can spend the time to understand operating systems and your environment, and learn how to spot the anomalies. This is a skill that is built with experience. It's not something you can learn in a classroom, although once you learn what normal looks like, SANS 511 can teach you great techniques for finding anomalies. I highly recommend the class, but it's not a substitute for getting in the trenches and learning what is normally running on your computers.
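As an added example (not code from the original post), here is one way to turn "learn what normal looks like" in proxy logs into something you can actually run. Two signals fall out of the log population itself: requests from one client to one host that arrive on a near-fixed schedule (human browsing is bursty; implants checking in with their controller tend not to be), and destinations that only a single machine in the company ever talks to. The log lines, their format (ISO timestamp, client IP, method, URL), the hostnames, and the thresholds are all constructed assumptions for this example; adjust `parse_line()` to whatever your proxy writes.

```python
"""Spot beacon-like and fleet-unusual web requests in proxy logs.

Constructed example: the log lines below are made up, and the format
(ISO timestamp, client IP, method, URL) is an assumption rather than any
real proxy's output. Adapt parse_line() to your proxy's log format.
"""
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample log: 10.0.0.5 browses normally but also calls
# c2-placeholder.example.net every ~60 seconds, which people rarely do.
SAMPLE_LOG = """\
2015-10-17T09:00:00 10.0.0.5 GET http://www.example.com/
2015-10-17T09:00:03 10.0.0.5 GET http://www.example.com/news
2015-10-17T09:00:10 10.0.0.5 GET http://c2-placeholder.example.net/gate.php
2015-10-17T09:00:41 10.0.0.7 GET http://www.example.com/
2015-10-17T09:01:11 10.0.0.5 GET http://c2-placeholder.example.net/gate.php
2015-10-17T09:01:30 10.0.0.5 GET http://www.example.com/about
2015-10-17T09:02:10 10.0.0.5 GET http://c2-placeholder.example.net/gate.php
2015-10-17T09:03:12 10.0.0.5 GET http://c2-placeholder.example.net/gate.php
2015-10-17T09:03:50 10.0.0.7 GET http://www.example.com/contact
2015-10-17T09:04:09 10.0.0.5 GET http://c2-placeholder.example.net/gate.php
2015-10-17T09:05:11 10.0.0.5 GET http://c2-placeholder.example.net/gate.php
2015-10-17T09:06:10 10.0.0.5 GET http://c2-placeholder.example.net/gate.php
2015-10-17T09:07:12 10.0.0.5 GET http://c2-placeholder.example.net/gate.php
2015-10-17T09:12:00 10.0.0.5 GET http://www.example.com/
"""


def parse_line(line):
    """Return (timestamp, client_ip, destination_host) for one log line."""
    ts, client, _method, url = line.split()
    return datetime.fromisoformat(ts), client, urlparse(url).hostname


def requests_by_pair(log_text):
    """Group request timestamps by (client, destination host)."""
    pairs = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, client, host = parse_line(line)
            pairs[(client, host)].append(ts)
    return pairs


def find_beacons(log_text, min_requests=5, max_cv=0.2):
    """Flag (client, host) pairs whose request spacing is suspiciously regular.

    The coefficient of variation (stdev / mean of the gaps between requests)
    is low when requests arrive on a near-fixed timer. Thresholds are
    assumptions; tune them against your own baseline before trusting them.
    """
    hits = []
    for (client, host), stamps in requests_by_pair(log_text).items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits.append({"client": client, "host": host, "count": len(stamps),
                         "mean_gap_s": round(mean, 1), "cv": round(cv, 3)})
    return hits


def rare_destinations(log_text, max_clients=1):
    """Hosts contacted by at most max_clients machines: not "normal" for the fleet.

    A destination that only one machine talks to deserves a look, especially
    when the same pair also shows up in find_beacons().
    """
    clients_per_host = defaultdict(set)
    for client, host in requests_by_pair(log_text):
        clients_per_host[host].add(client)
    return {h for h, c in clients_per_host.items() if len(c) <= max_clients}


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print("beacon-like:", hit)
    print("rare destinations:", rare_destinations(SAMPLE_LOG))
```

On real logs, run the same two checks over a day's worth of traffic and expect noise: software update checks and monitoring agents also beacon on timers, which is exactly why the post insists you first learn what normal looks like on your own network, and then treat what is left as the queue for your analysts.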

There's a common mistake that's made in Security Operations Centers (SOCs), and that's hiring too many inexperienced analysts. Your company's security relies on the folks who staff your SOC and watch your operations. If you hire people who haven't worked in IT before, how can you expect them to know what processes are normally running on a Windows system or what botnet traffic looks like? You're essentially sending out a militia and expecting them to do the work of a professional army. If you're going to have inexperienced analysts, they need to be paired with highly experienced analysts who can teach the right instincts. Only then will they become good at detection.

This blog is intended to help bridge some of the gaps in knowledge I've seen in the industry. I've never come across a class that specifically tells you what malware looks like on Windows systems. This kind of work is a blend of operating system forensics, system administration, and network traffic analysis. In my decade-plus in the field I've seen a lot, and hopefully I can help move the needle by sharing my war stories.
