In cyber, absence of evidence is not evidence of absence. Here we discuss the dilemma of detection.

Cybersecurity // 23.11.2016
This is the second in a four-part series of posts about the EU’s General Data Protection Regulation and how it will force European businesses to develop their incident detection and handling processes. In my previous post, I dispelled 10 common myths about the GDPR.
There has been much public discussion about the average time to detect a breach. Various reports provide estimates ranging from the optimistic 10 hours (McAfee) to 205 days (FireEye). Earlier this year, FireEye reported that detection times are shrinking. Let’s assume that these figures are representative of the state of play among organizations. What should we make of these reports?
Rather than revealing a meaningful trend, I argue these figures simply illustrate that the ability to detect incidents is far from adequate. It doesn’t matter how many days one shaves off after the initial breach. The long tail of breach is…well, still too long. There are plenty of cases of breaches going undetected for over a year (OPM, DNC, Finnish foreign ministry), over three years (JetBlue), over five years (Gemalto) and even over ten years (Nortel).
Detection is the glaring capability gap in most organizations’ security posture. And evidence from practice shows that most breaches are discovered by chance or after a tip-off from a friendly third party, rather than through purposeful security controls within the organization itself.
Let’s assume you have been breached and you find out about it by chance. You’re caught completely off-guard. After 25 May 2018, the EU General Data Protection Regulation (GDPR) requires that a breach must be reported to authorities and affected customers within 72 hours of discovery.
For three full days, the clock will be ticking while you are mitigating, investigating, fixing and planning the PR to go with the official notification. Your performance will be judged by your customers, the regulators, members of the board, the shareholders and the media. You’ll need to look good under scrutiny. But what if the CEO is unable to provide solid answers to explain what happened?
More often than not, organizations pay attention to logs and forensic readiness only after they have become victims of a breach. It’s like noticing your lens cap is still on right after your kid crosses the finish line. If you didn’t succeed in capturing the moment, it’s gone. Lost forever. You might have evidence that the race took place and you will remember your kid participating. But you cannot share pictures with the proud grandparents.
Similarly, if a breach has gone undetected for an extended period of time, there will only be spotty evidence left. According to Microsoft’s legendary article “10 Immutable Laws of Security,” once an intruder has taken control of your system, the data that you are left with will always be convoluted and incomplete at best, misleading and untrustworthy at worst. It will directly affect your ability to provide answers the GDPR requires.
If the attackers have gained comfortable persistence, they’ve probably cleaned up traces of their actions and perhaps even planted fabricated evidence. They’ve also gained an understanding of how to avoid triggering alarms or leaving obvious traces of their activity in logs, effectively flying under the radar.
Unless you’ve taken measures to actively secure evidence before the incident, your investigations will be based on isolated anecdotes and irrelevant logs. There are bound to be gaping holes in the timeline. It may be difficult to confirm exactly when the initial breach took place, and next to impossible to determine the attackers’ objective and whether they were successful in it.
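One concrete way to "actively secure evidence before the incident" is to make the log itself tamper-evident, so that an intruder who cleans up traces leaves a detectable hole rather than a clean record. The Python below is an added example, not code from the original post or from F-Secure: it builds a simple hash chain in which every entry commits to the entry before it, and assumes that the latest hash (the "anchor") is copied to a store the host cannot overwrite, such as a remote log collector. The events, hosts and addresses are constructed.

```python
import hashlib
import json

# Constructed sample events for illustration; field names are assumptions.
SAMPLE_EVENTS = [
    {"ts": "2016-11-23T09:58:10", "host": "web1", "event": "auth_success", "user": "admin", "src": "203.0.113.7"},
    {"ts": "2016-11-23T09:59:02", "host": "web1", "event": "group_add", "user": "admin", "target": "svc_backup"},
    {"ts": "2016-11-23T10:03:41", "host": "web1", "event": "outbound_conn", "user": "svc_backup", "dst": "192.0.2.50"},
    {"ts": "2016-11-23T10:10:00", "host": "web1", "event": "auth_success", "user": "alice", "src": "10.0.0.8"},
]

GENESIS = "0" * 64  # previous-hash value for the very first entry


def entry_hash(prev_hash, event):
    """Commit to the previous link and to this event's canonical JSON."""
    payload = prev_hash + json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append_event(chain, event):
    """Append one event; its hash depends on everything written before it."""
    event = dict(event)  # store a copy so callers cannot alias the stored record
    prev = chain[-1]["hash"] if chain else GENESIS
    record = {"event": event, "prev": prev, "hash": entry_hash(prev, event)}
    chain.append(record)
    return record


def build_chain(events):
    chain = []
    for ev in events:
        append_event(chain, ev)
    return chain


def verify_chain(chain, anchor=None):
    """Return a list of problems found; an empty list means the log is intact.

    `anchor` is the latest hash as copied to a store the host cannot write to
    (assumed to exist, e.g. a remote collector). Without it, an intruder who
    can rewrite the whole file could simply recompute every hash.
    """
    problems = []
    expected_prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != expected_prev:
            problems.append(f"entry {i}: prev link mismatch (entry removed or reordered)")
        if entry_hash(rec["prev"], rec["event"]) != rec["hash"]:
            problems.append(f"entry {i}: content does not match stored hash (edited)")
        expected_prev = rec["hash"]
    if anchor is not None and expected_prev != anchor:
        problems.append("tail does not match off-host anchor (log truncated or rewritten)")
    return problems


# Three clean-up scenarios an investigator should be able to tell apart.
def scenario_entry_deleted():
    chain = build_chain(SAMPLE_EVENTS)
    anchor = chain[-1]["hash"]
    del chain[1]  # the group_add record is dropped from the file
    return verify_chain(chain, anchor)


def scenario_entry_edited():
    chain = build_chain(SAMPLE_EVENTS)
    anchor = chain[-1]["hash"]
    chain[2]["event"]["dst"] = "10.0.0.1"  # the destination is rewritten in place
    return verify_chain(chain, anchor)


def scenario_chain_rewritten():
    chain = build_chain(SAMPLE_EVENTS)
    anchor = chain[-1]["hash"]
    # The whole file is regenerated without entry 1, hashes recomputed: only
    # the off-host anchor still tells the truth.
    cleaned = build_chain([e for i, e in enumerate(SAMPLE_EVENTS) if i != 1])
    return verify_chain(cleaned, anchor)


if __name__ == "__main__":
    chain = build_chain(SAMPLE_EVENTS)
    print("intact:", verify_chain(chain, chain[-1]["hash"]))
    for fn in (scenario_entry_deleted, scenario_entry_edited, scenario_chain_rewritten):
        print(fn.__name__, "->", fn())
```

The third scenario is the one that matters for the point above: once the intruder controls the host, local consistency proves nothing, and the only trustworthy fact is the hash that left the machine before the compromise. Shipping logs off-host as they are written (rather than on a nightly schedule) is what turns "spotty evidence" into a gap you can at least bound in time.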
I still get chills remembering a cautionary episode from the early days of my career. An unsuspecting CEO gave an assignment to his CISO to bring incident numbers down. I can only hope that the executive genuinely wanted this to be interpreted as a signal that security must be beefed up.
However, instead of taking steps to address the root causes of observed breaches, the cunning information security manager made sure that attempts to report breaches were discouraged or outright blocked. While the staff on the ground was fighting malware, server compromises and policy breaches, Jedi mind tricks were played on those who attempted to raise flags: “You don’t want to report an incident!” Very little of what actually happened went into executive reports and nothing of substance was done to fix security gaps. The executive probably retired happy without ever knowing about the deception.
I have since stressed to every executive who has bothered to listen that one should be prepared for the fact that when one starts implementing security enhancements, the number of registered incidents usually rises. I even urge them to treat modest incident numbers with suspicion. Perhaps you are not looking hard enough? Are your incentives working to unearth problems, or encouraging people to hide them from view? When it comes to breaches, absence of evidence is not evidence of absence!
We have been taught that in the cyber domain, the threat posed by an attacker is asymmetric in nature. According to the defender’s dilemma, the attacker only needs to succeed in one place and at the time of his choosing, while the defender needs to succeed everywhere, all the time. Following that thought, all odds favor the attacker and we are bound to lose the game. Isn’t that depressing? Why bother to defend at all when the enemy has already won?
Judging from how slowly breaches get detected (if they get detected at all!) it seems that defenders have indeed succumbed to silent resignation. However, this is not the correct way to approach the defender’s dilemma. It is perfectly okay to accept that we cannot stop all attacks from succeeding. But in compensation, we must do more to detect successful breaches, and uncover when and how they took place.
Often forgotten is the fact that attackers proceed in stages and need to follow a path before they meet their objective. In the process, they’re bound to pass through various chokepoints and leave footprints here and there. Chances are, there are signs of abnormal activity for the defenders to find. Our goal should be to exploit this and make it harder for attackers to proceed without being detected.
That means turning our systems into a hostile environment for an attacker, so the attacker is uncertain which actions will be logged, flagged and monitored. We can place roadblocks by taking measures like hardening and compartmentalization, forcing an intruder to employ “noisier” methods than usual. And by collecting all the evidence, we can detect breaches sooner, plus have actionable data to support mitigation efforts and incident response.
Once we’ve prepared well, we’ll have numerous chances to detect what would previously have gone unnoticed. And once we know what made the breach possible, we’ll have a chance to address the security gaps thus identified.
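What "chokepoints" and "footprints" look like once the evidence is actually collected: the Python below is an added example, not code from the original post or from F-Secure. It correlates constructed log lines across the stages an intruder has to pass through on the way to an objective (repeated failed logins, then a success from the same source, then a privilege change by that account, then a large outbound transfer by the account that was granted access). Each stage on its own is noisy and easy to dismiss; the chain is what earns an alert. Field names, thresholds and windows are assumptions, and the hosts and addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines (not real logs) in an assumed key=value format.
SAMPLE_LOG = """\
2016-11-23T10:00:01 host=web1 event=auth_fail user=admin src=203.0.113.7
2016-11-23T10:00:03 host=web1 event=auth_fail user=admin src=203.0.113.7
2016-11-23T10:00:05 host=web1 event=auth_fail user=admin src=203.0.113.7
2016-11-23T10:00:06 host=web1 event=auth_fail user=admin src=203.0.113.7
2016-11-23T10:00:09 host=web1 event=auth_success user=admin src=203.0.113.7
2016-11-23T10:01:12 host=web1 event=group_add user=admin target=svc_backup group=sudo
2016-11-23T10:02:00 host=web2 event=auth_fail user=bob src=198.51.100.4
2016-11-23T10:05:30 host=web2 event=auth_success user=bob src=198.51.100.4
2016-11-23T10:07:44 host=web1 event=outbound_conn user=svc_backup dst=192.0.2.50 bytes=48000000
"""

# Assumed tuning values; a real deployment would derive these from its own baseline.
FAIL_THRESHOLD = 3                    # failures before a success becomes suspicious
FAIL_WINDOW = timedelta(minutes=5)    # how close together the failures must be
FOLLOW_WINDOW = timedelta(minutes=30) # how long later stages are tied to the login
LARGE_XFER = 10_000_000               # bytes; outbound volume worth flagging

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Turn one key=value log line into a dict with a parsed timestamp."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    fields["ts"] = datetime.fromisoformat(m.group("ts"))
    return fields


def correlate(lines):
    """Return one alert per suspicious login, extended as later stages appear."""
    failures = defaultdict(list)  # (host, src) -> timestamps of recent auth_fail
    suspects = {}                 # (host, user) -> alert the user is tied to
    alerts = []
    for raw in lines:
        ev = parse_line(raw)
        if not ev:
            continue
        kind, host = ev["event"], ev["host"]
        key = (host, ev.get("src"))
        if kind == "auth_fail":
            failures[key].append(ev["ts"])
        elif kind == "auth_success":
            recent = [t for t in failures[key] if ev["ts"] - t <= FAIL_WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                alert = {"host": host, "user": ev["user"], "src": ev["src"],
                         "start": ev["ts"], "stages": ["brute_force_login"],
                         "accounts": {ev["user"]}}
                suspects[(host, ev["user"])] = alert
                alerts.append(alert)
            failures[key].clear()
        elif kind == "group_add":
            alert = suspects.get((host, ev["user"]))
            if alert and ev["ts"] - alert["start"] <= FOLLOW_WINDOW:
                alert["stages"].append("privilege_change")
                alert["accounts"].add(ev["target"])
                suspects[(host, ev["target"])] = alert  # follow the new account too
        elif kind == "outbound_conn":
            alert = suspects.get((host, ev["user"]))
            if (alert and int(ev.get("bytes", 0)) >= LARGE_XFER
                    and ev["ts"] - alert["start"] <= FOLLOW_WINDOW):
                alert["stages"].append("large_outbound")
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG.splitlines()):
        print(f"{a['host']}: {a['src']} -> {sorted(a['accounts'])} stages={a['stages']}")
```

Note what the sample shows: web2 sees a failed login followed by a success, which alone is not enough to alert, while web1 accumulates three stages inside half an hour and becomes a high-confidence finding with the accounts, source and timeline already attached. That attached timeline is exactly the material the 72-hour notification will demand.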
In my experience, organizations that are routinely breached or attacked tend to take on a stunningly professional posture. Threat-aware businesses design their infrastructure so that a breach can always be contained to a limited and manageable subset of systems. They make sure that logs and event information are not only collected, but handled in a fashion that supports anomaly detection and investigation. They keep false positives to a minimum, while never missing even the subtlest indication of a breach. They recover from incidents fast. They also accept the fact that no system is impenetrable, so they don’t fool themselves by putting all their eggs in one basket.
It’s survival of the fittest at play. For instance, no serious cloud service provider can survive without a top-notch security operations center at the ready to respond to attacks and to mutate the service in an effort to fend off similar attempts in the future. If you run a massive and lucrative operation in a high-risk environment and you develop and maintain your own infrastructure, you will eventually develop mastery in this as well.
But what about everyone else? For those companies that don’t already have their own cyber security infrastructure in place (one that would take years to build), I suggest relying on managed security service providers in the field of managed detection and response. High levels of sophistication are required in terms of skills, technical tooling and sheer volumes of data analytics. These make a good business case for leaving the task to professionals instead of trying to turn your shrinking in-house IT department into a forensic task force.
As I mentioned in my last post, the purpose of the GDPR is not to see you fail, but to help your company become better equipped to handle the eventual breach. And if you are one of those unfortunate companies who is startled by the unpleasant surprise of having been breached, it is important to know that there is help available. Don’t panic. Plus, for those of you who don’t want to let the criminal attackers be the first to test your defenses, be sure to hire an elite team of ethical hackers to highlight where your gaps are.
In my next post I’ll discuss the difference in how opportunistic attackers, or common criminals, behave within your networks versus persistent, targeted attackers – and sometimes, they even work together.
Erka Koivunen is a former head of the Computer Emergency Response Team (CERT) in Finland, and joined F-Secure in 2015 as a Cyber Security Advisor. Companies, governments, and a variety of other organizations consult with Erka extensively on everything from risk assessment to incident response, and he has testified as an expert witness for the EU, Finnish, and British Parliaments.