Sourcefire Corporate Blog

08 Nov 2012

Targeted Attacks, Incident Response and Monday Morning Quarterbacks

posted by Dr. Zulfikar Ramzan

The November 5th hacking spree that has made news this week is another in a long string of reminders that keep security people on a heightened sense of alert. These targeted attacks are a nefarious problem that, quite rightfully, keeps our customers up at night, because they know they will have to deal with incident response once an attack has landed.

Historically, many in the security industry have taken an intriguing view of such attacks. For example, in the aftermath of the Aurora/Hydraq malware that targeted specific organizations, numerous vendors announced that their technologies would have put the kibosh on these attacks. When Stuxnet, Duqu, and Flame were each in turn gaining mindshare, many hands went up with a similar story of "we would have protected you against that." And yet the fact that targeted threats continue to be an issue should be proof that these vendors' claims are specious at best. Ultimately, it's the cybersecurity equivalent of Monday morning quarterbacking. I too can predict yesterday's winning lottery numbers (and the winner of Tuesday's Presidential election) with 100 percent accuracy!

On the one hand, many organizations are worried that they will be targeted with the exact same attacks. That's simply not the case. Unless you're harboring Iranian nuclear war secrets, your likelihood of being infected with Flame is close to nil. On the other hand, if you do have any information assets worth stealing, there's a very good chance attackers will target you. Moreover, the underlying attacks will be crafted to get past your specific defenses.

Unfortunately, many traditional vendors in the security industry have inculcated in people's minds the idea that all of their eggs should be in the "prevention" basket. That's largely because many of the traditional technologies are focused on the prevention of threats. Back when cyber-threats were far less complex and far more infrequent, a prevention-only strategy would have been reasonable.

In today's environment that is no longer the case. The fact that the attacks this week were successful means that they evaded all the detection put in place to prevent them. Whether we like it or not, success in evading defenses is inevitable. Being able to react quickly to shut attacks down and prevent their spread is as important as prevention. Prevention is certainly an important cornerstone, but your security technology stack should include incident response capabilities for handling what happens assuming attacks get through – since it is a virtual certainty that they will. It's important to know in advance what questions you will need answers to in the event of an outbreak and then ensure that you already have the plumbing in place to answer those questions. For example, organizations need to think about their capabilities in areas like network forensics, network incident response, and also malware incident response.
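To make the "plumbing" point concrete, here is an added example (not Sourcefire code, and not FireAMP) of the kind of pre-built lookup a network incident response team wants ready before an outbreak. It indexes constructed proxy-log lines (the hosts, addresses and hostnames below are made up, using documentation address ranges) so that, given one indicator, it immediately answers the questions that come up first: which internal hosts contacted it, when it was first and last seen, in what order it spread, and how much data went out.

```python
"""Added illustration: pre-built triage queries over proxy logs.

This is not the blog author's or Sourcefire's code. The log format
(`<ISO-8601 UTC timestamp> src=... dst=... host=... bytes=...`) and all
sample values are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log lines; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges, and the hostnames are placeholders.
SAMPLE_LOG = """\
2012-11-05T08:01:12Z src=10.1.4.22 dst=203.0.113.9 host=updates.example-cdn.net bytes=512
2012-11-05T08:03:40Z src=10.1.4.22 dst=198.51.100.7 host=intranet.corp.example bytes=20480
2012-11-05T09:15:02Z src=10.1.7.8 dst=203.0.113.9 host=updates.example-cdn.net bytes=640
2012-11-05T11:42:55Z src=10.1.9.3 dst=203.0.113.9 host=updates.example-cdn.net bytes=702
2012-11-06T07:30:10Z src=10.1.4.22 dst=203.0.113.9 host=updates.example-cdn.net bytes=19000
"""


@dataclass
class Event:
    ts: str      # ISO-8601 UTC timestamp as logged; string order equals time order
    src: str     # internal host that made the connection
    dst: str     # destination IP address
    host: str    # destination hostname recorded by the proxy
    nbytes: int  # bytes transferred


def parse_line(line: str) -> Event:
    """Parse one 'timestamp key=value ...' log line into an Event."""
    ts, *pairs = line.split()
    kv = dict(p.split("=", 1) for p in pairs)
    return Event(ts, kv["src"], kv["dst"], kv["host"], int(kv["bytes"]))


def build_index(log_text: str) -> dict:
    """Index events by destination IP and by hostname, so an indicator in
    either form can be looked up without rescanning the log."""
    index = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        index[ev.dst].append(ev)
        index[ev.host].append(ev)
    return index


def triage(index: dict, indicator: str) -> dict:
    """Answer the first responder questions for one indicator (IP or hostname):
    how many events, which hosts, first/last seen, order of spread, bytes out."""
    events = sorted(index.get(indicator, []), key=lambda e: e.ts)
    first_contact = {}
    for ev in events:
        first_contact.setdefault(ev.src, ev.ts)  # earliest contact per host
    return {
        "events": len(events),
        "hosts": sorted(first_contact),
        "first_seen": events[0].ts if events else None,
        "last_seen": events[-1].ts if events else None,
        "spread": sorted(first_contact.items(), key=lambda kv: kv[1]),
        "bytes_out": sum(e.nbytes for e in events),
    }


if __name__ == "__main__":
    idx = build_index(SAMPLE_LOG)
    for key, value in triage(idx, "203.0.113.9").items():
        print(f"{key}: {value}")
```

The design choice worth noting is that the index is built before anyone asks a question: the value of such plumbing is measured by how fast the first answers arrive once an indicator is known, and a scan of raw logs at that moment is exactly what you want to avoid.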

As we've blogged about previously, the importance of post-compromise scenarios was a central tenet in our thinking when we designed FireAMP to protect our customers from advanced malware problems.

I can't predict tomorrow's lottery numbers with 100 percent accuracy, but I can say with certainty that tomorrow's attackers will be that much more wily and that much more tenacious.


Tags: advanced malware protection, anti-malware, advanced persistent threats, fireamp
