Preparing for Intrusion

“Prepare for an intrusion before it happens to minimize damage.”

About ten years ago I boldly told several hundred C-level executives that their networks were infected with rootkits.  Some balked, some said I was arrogant, others that I was a blowhard (should I run for President? :)), and some were concerned.  About six months later no one questioned what I had said; it was true.  I could easily predict it because I had been dealing with emergent kernel-level rootkits for months in the world's largest and best-defended networks.  I could see that it was pandemic in nature and therefore highly likely to impact every single organization at the conference where I was giving the keynote.  The same can be said today of the likelihood of an intrusion from eCrime, targeted and espionage-based attacks, and hacktivists.

Before I speak further on this subject let’s make sure we are talking about the same things:

  • Event        Observed change from normal behavior
  • Alert        Notification of an event
  • Incident     Event that involves disruption of business and/or loss
  • Intrusion    Unauthorized access

It’s important to differentiate between events, alerts, and incidents, as some lump them all together.  Anyone that has ever run a SIEM knows they are not the same thing!  Some define incidents as human-caused and malicious.  I’m using a more generic definition rooted in risk, which is a combination of likelihood and severity for an asset at risk.  For example, an earthquake can cause disruption to business and is an incident; it’s not cyber and it’s not human-caused.  Play with the definitions as you like, but you should see where I’m coming from now.

Studies show that the average intrusion exists within a network for around six months before it is discovered.  Let’s personalize that thought: if I live in my home and know that a) it’s likely someone will break into my home even with some good defenses and b) they’ll be living in my freakin’ home without my knowledge for six months, I start to consider an action plan.  For my own personal safety I guard my home with a shotgun three nights a week, and I’ll let you guess which three.  On a more serious note, if external defenses fail and I have an intruder on the inside, what is my game plan?  Go grab a Snickers bar and whack them over the head, or have a loaded gun in a safe in my bedroom?  Very quickly, if you take time to think about it, you can construct a plan that will work for you, whether that means access to phones, locking doors internally, an internal security system, an evacuation plan, personal arms or whatever; and also start to check where they might be hiding if indeed they are likely to be in your home.

If you work within an organization that has a network of computers you are HIGHLY likely to have not only events and alerts but also multiple incidents in the coming year.  Some of those will go undetected for months.  Meanwhile remote malicious actors, many of whom are financially or nation-state espionage motivated, do whatever they please.  And what do they do?  They perform reconnaissance on the host, nearby hosts, and your network; move laterally; exfiltrate sensitive data; and install additional malware and payloads to meet their needs.  What happens if you assume they are already in and you want to MINIMIZE THE DAMAGE of an intrusion?  Take for example a ransomware intrusion that crawls through your network encrypting files and demanding payment to decrypt your own files.  If you performed network segmentation and added controls over which accounts have write access to network shares, you’d be much better protected against such a threat when it does strike, because the malware can only encrypt what the compromised account can write to.  Also, do you have any proactive and active monitoring of your network for intruders or unauthorized access?  It’s easy to have a policy against wifi, but if you’re not looking for rogue wifi hotspots and devices within your environment you’ll be shocked when you do.
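To make the “assume they are already in” idea concrete, here is an added example of my own (not code from the original post or its author) that does the two things the ransomware scenario above calls for: it measures the blast radius of a compromised account against a flat share layout versus a least-privilege one, and it runs a simple burst detector over file-server audit events to catch an account rewriting many files across shares in a short window.  The share names, group memberships, account names and log lines are all constructed for the example; the audit line format is a simplified one I made up, not any vendor’s native format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed share ACL tables: share -> principals with write access.
# FLAT_ACLS is the usual "everyone can write everywhere" layout;
# SEGMENTED_ACLS gives each share its own writer group.
FLAT_ACLS = {
    "\\\\fs01\\finance": {"domain users"},
    "\\\\fs01\\hr":      {"domain users"},
    "\\\\fs01\\eng":     {"domain users"},
    "\\\\fs02\\backups": {"domain users"},
}
SEGMENTED_ACLS = {
    "\\\\fs01\\finance": {"grp-finance-rw"},
    "\\\\fs01\\hr":      {"grp-hr-rw"},
    "\\\\fs01\\eng":     {"grp-eng-rw"},
    "\\\\fs02\\backups": {"svc-backup"},
}
# Constructed group memberships: account -> groups it belongs to.
MEMBERSHIPS = {
    "alice":      {"domain users", "grp-finance-rw"},
    "bob":        {"domain users", "grp-eng-rw"},
    "svc-backup": {"domain users", "svc-backup"},
}


def writable_shares(account, acls, memberships):
    """Shares the account can write to, directly or through group membership."""
    principals = memberships.get(account, set()) | {account}
    return {share for share, writers in acls.items() if writers & principals}


def blast_radius(account, acls, memberships):
    """How many shares ransomware running as `account` could encrypt."""
    return len(writable_shares(account, acls, memberships))


def constructed_audit_log():
    """Constructed audit log: three benign writes by alice spread over minutes,
    then 25 rename-to-.locked events by bob across two shares in 25 seconds."""
    base = datetime(2024, 3, 1, 9, 0, 0)
    lines = []
    for i in range(3):
        t = base + timedelta(minutes=5 * i)
        lines.append(f"{t.isoformat()} alice \\\\fs01\\finance Q1\\report{i}.xlsx write")
    for i in range(25):
        t = base + timedelta(minutes=20, seconds=i)
        share = "\\\\fs01\\eng" if i % 2 else "\\\\fs02\\backups"
        lines.append(f"{t.isoformat()} bob {share} docs\\file{i}.docx.locked rename")
    return "\n".join(lines)


# Simplified line format (constructed): <iso-timestamp> <account> <share> <path> <action>
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (write|rename|delete)$")


def parse_events(text):
    """Parse audit lines into (timestamp, account, share, path, action) tuples,
    skipping malformed lines so one bad record cannot stall the detector."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, account, share, path, action = m.groups()
        events.append((datetime.fromisoformat(ts), account, share, path, action))
    return sorted(events)  # tuples sort by timestamp first


def detect_burst(events, window=timedelta(seconds=60), threshold=20):
    """Flag any account that touches >= `threshold` files within `window`.
    Returns one (account, window_start, count, shares_touched) per account,
    raised the first time the threshold is crossed."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, account, share, path, action in events:
        q = recent[account]
        q.append((ts, share))
        while q and ts - q[0][0] > window:   # drop events outside the window
            q.popleft()
        if len(q) >= threshold and account not in alerts:
            alerts[account] = (account, q[0][0], len(q), sorted({s for _, s in q}))
    return list(alerts.values())


if __name__ == "__main__":
    for acct in MEMBERSHIPS:
        print(f"{acct}: flat={blast_radius(acct, FLAT_ACLS, MEMBERSHIPS)} "
              f"segmented={blast_radius(acct, SEGMENTED_ACLS, MEMBERSHIPS)}")
    for account, start, count, shares in detect_burst(parse_events(constructed_audit_log())):
        print(f"ALERT {account}: {count} modifications since {start} across {shares}")
```

In the flat layout every account can reach all four shares, so a phished user account encrypts everything; in the segmented layout the same account reaches one.  The detector is deliberately crude (count per account in a sliding window, no extension heuristics) so it can be read in a minute; in practice you would feed it the file server’s real audit stream and tune the window and threshold to your normal write rates, and you would treat the backup share as its own alert with a threshold of one for any account other than the backup service.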

Planning ahead is something that doesn’t come naturally to most.  Recognizing the risk you have implicitly accepted through your current exposure and current threats is also something that most don’t see accurately or want to think about.  Ignorance, denial, other priorities… call it what you will, but when you are in the middle of a hair-on-fire, get-yourself-fired incident and you haven’t planned ahead you’ll wish you had.  Think about it, today, and act on it.