Attackers Have Luck On Their Side - Prevention Is Not Enough

Last updated at Wed, 27 Sep 2017 17:47:05 GMT

Some security professionals mistake the "assume breach" mentality to be a statement that people are giving up on trying to prevent cyber attacks. To the contrary, many of us believe that you need to do everything in your power to incapacitate intruders, yet it is impossible to stop 100% of malicious actors from finding entry. There is solid logic behind this, and I want to use some (pre-Disney) Star Wars examples to illustrate. I apologize to any true fans out there - I have only watched the trilogy a couple of dozen times.

Data breaches were not as predictable as they appear in the news

The colloquial phrase states that "hindsight is 20/20", but there is a great deal of experimental evidence to explain our natural inclination to think an event was more predictable than it actually was. Post-mortem analyses of nuclear meltdowns and terrorist attacks frequently make the result look predictably obvious when judged in a scenario when only the relevant events are under examination because they neglect the massive impact of (both good and bad) luck. Data breaches are no different: we have reached a time when consumers view retailers as having been myopic for not watching their partner portal accounts more closely or for not recognizing the important one percent of their alerts that corresponded to a sizable theft of data.

This is actually the same point that Family Guy made about the design flaw found within the first Death Star's schematics. Once it was successfully destroyed, it appeared to have been obvious that a single, tiny opening would be the fortress's undoing, but we are talking about a two-meter wide weakness in a defended battle station the size of a moon. That equates to an extremely unpredictable occurrence and its designer agrees. The most frightening aspect of this plot device is that it is even more optimistic than modern environments. Despite being very focused on accomplishing our company goals (acquiring revenue efficiently, responding to rapid changes in the market), the security professionals in our organizations need to eliminate every single weakness without disrupting business.

All they need to find is one way into your environment

If eliminating every single known vulnerability doesn't sound impossible enough for your organization, we can all be comforted by the fact that zero-day vulns are available on the miscreant equivalent of eBay. To make our efforts to protect our data from theft even more difficult, cyber attackers have shifted to using the impersonation of legitimate users as their favorite vector of attack. The JP Morgan Chase breach in 2014 was publicly disclosed to have occurred because a single public-facing server (out of thousands) lacked the demand for two-factor authentication to gain access. This is the disturbing part of hindsight bias: security-minded organizations with excellent plans and a history of solid execution are scrutinized for missing an edge case covering less than 0.01% of all entry points.

Stories that never find their way into the press include the thousands of squashed cyber attacks targeted at businesses every day. The ability for these cyber guerillas to remain undetected while trying every affordable exploit, quick phishing email, and external scan they can imagine significantly increases their likelihood of success. The Rebel Alliance did not have the luxury of testing the first (or second) Death Star's defenses before mounting the successful attack; the realities of modern environments and their evolution from the traditional network infrastructure to include mobile and cloud make it even less imaginable to reduce our attack surface to zero.

We need to protect every entry point while maintaining a business

Even the most security-conscious business needs to continually make IT trade-offs to keep succeeding in the market in which it competes. You may adopt the cloud to be more efficient; you probably allow employees to work through the evening by sending email from their phones; you likely need to share large files and sensitive information with your trusted business partners. Having a security policy, security reviews, and clear implementation plans that involve the security team are extremely important for securing your organization and can get you over 99% secured, but we all know it won't ever reach 100% secure. This risk asymptote is the bane of our existence and is not going away. If we are going to provide access to our workforce, partners, and customers, there will always be a way for others to fraudulently gain the same level of access.

If the challenge to secure our every-changing environments weren't a large enough challenge, we are blessed with the frequent flow of new vulnerabilities within the technology already in place. These discoveries are frequently made by researchers, attackers, and, once in a while, children. We don't have the benefit of a single architect having built our entire networked environment from the first plan and line of code, like the Empire did. We need to purchase hardware and software from others and integrate it all in a secure fashion, so attackers do not need to steal a single, highly confidential set of data tapes and examine them for a "design flaw". They can look to hundreds of ubiquitous technologies to find a design flaw to attack, be it a software vulnerability, server using only one factor for authentication, or hijacking a root certificate designed to force ads into your browser. To tie this back to the Star Wars analogy, posing as storm troopers to infiltrate the Death Star or taking down the defenses at their source on a nearby moon are a lot more like a modern intruder getting onto your network. The criminals are crafty and learning through trial and error.

Assume some attackers will get in or they'll have free rein when they do

All of this is leading to the greater point: some intruders will get in. The only unknown is exactly how they will get into your network. It does not mean all is lost. Quite the contrary, once you accept this, you can ensure that your organization has a plan to detect these intruders who have successfully found an entry point. InsightIDR is designed to help you with the attackers who get inside. Just as Luke and Han were unable to remain undetected for long when they infiltrated the Death Star, you can set traps, monitor typical user behavior, and watch areas of restricted access more closely to find intruders and shut down their access before they steal anything of value.

To learn more about InsightIDR and Rapid7's other solutions for detecting compromised credentials, check out our compromised credentials resource page and make sure to download our complimentary information toolkit. We will show you how we can detect the crafty intruders who get inside.