Importance of Detection over Prevention
How often do we hear about data breaches, new malware or variants of old malware, and new phishing campaigns? Almost every day. Even giant organizations like Sands Casino Group, Sony Pictures Entertainment, Neiman Marcus and Home Depot were just some of the high-profile companies targeted, with personal and confidential data compromised.
Why are hacking groups able to compromise the networks and exfiltrate the data of organizations in the military, government, education, health, oil and energy and many other sectors? Why are attackers successful? Don't we have strong security strategies? Why do we always seem to be one step behind these attackers?
When we face cyber attacks on an ongoing basis, doesn't it suggest that "nothing will ever be secure"? Increasing the level of security does not mean an attacker will be prevented from breaking into an organization's network; it only means that more skill and effort will be required to do so.
I shared this thought with some security geeks on a forum. The best explanation I got was when a person said, "Much of security is about redirection. The same reason you lock your car doors at night. Sure, they could smash your window but usually they will move on to an easier target". He explained it well; however, it left me with a thought. What if they are targeting a specific car brand? Then instead of just smashing the window or moving on to an easier target, they'll use a more intelligent method to unlock the car. Adding more security will make script kiddies/newbies redirect to other targets, but not the expert ones.
Even though these giants have strong security strategies, a more skilled attacker can still break into the network. So what are these organizations missing? Why are attackers able to compromise their networks?
The study found that organizations invest a large percentage of their security budget in threat prevention rather than threat detection, with incident response coming last. Prevention methods are not always successful, so instead of spending most of the security budget on prevention, organizations should invest in strong detection techniques as well. Prevention may fail to stop Advanced Persistent Threats (APTs), slow attacks and smart attacks; detection is far more likely to catch them than prevention is to block them. Prevention methods work much like a firewall (a prevention system), which must decide in a fraction of a second whether traffic is malicious and whether to permit or block it. Detection methods, by contrast, concentrate on identifying the threat: they work more like antivirus (a detection system), which has time to scan a file, match its signature or hash value against a database and then take the necessary action.
The attackers were exfiltrating data from these high-profile organizations (Sony Pictures Entertainment, Target, Neiman Marcus, Home Depot) for a long period of time, yet none of their prevention methods were able to stop it from happening.
This also shows that prevention alone will not always stop such threats, but a detection method can still catch them. Hence, organizations should concentrate on and invest more in strong detection methods.
The recent attack on Sands Casino Group by hackers from Iran (involved in Operation Cleaver), the attack on Sony Pictures Entertainment by hackers from North Korea, a new group dubbed Desert Falcons (mostly targeting the Middle East region) and many other hacking campaigns using a combination of known and customized tools and malware all show that organizations should adopt stronger detection methods rather than continuing to invest only in prevention.
Organizations should use strong endpoint detection systems, HIDS, NIDS and other detection systems capable of detecting not only known threats but also unknown ones, by alerting when a system's behavior becomes abnormal. SIEM tools are a must and offer a centralized view for monitoring internal and external threats.
A SIEM has the capability to collect and correlate every security event from the different log sources throughout an organization's network. Integrating SIEM tools with pattern matching techniques and Vulnerability Assessment (VA) tools gives an added advantage in detecting slow attacks and smart attacks that might previously have gone undetected. Pattern matching can aggregate traffic over minutes, hours, days and weeks and compare it against normal patterns, allowing abnormal behavior to be detected. VA tools can also provide details of the latest vulnerabilities present in your organization's assets and send them to your SIEM tool, allowing you to prioritize events to and from those assets accordingly.
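The baseline-plus-VA approach described above, as an added example that is not from the article or any SIEM product: constructed hourly log events are aggregated per host, a per-host baseline is built over the first seven days, hours that deviate from it are flagged, and alerts are ranked using a hypothetical VA severity feed (host names, byte counts and severity scores are all assumed values).

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample events: (timestamp, host, outbound bytes). Seven quiet days,
# then one early-morning burst on day 8 that a single packet filter would never block.
EVENTS = [
    (f"2015-03-{d:02d}T{h:02d}:00", "web01", 5_000 + (h % 3) * 200)
    for d in range(1, 8) for h in range(24)
] + [("2015-03-08T02:00", "web01", 480_000)]

# Hypothetical VA feed: host -> highest severity score reported for that asset (assumed).
VA_SEVERITY = {"web01": 9.1, "db02": 4.3}

def hourly_bytes(events):
    """Aggregate outbound bytes per (host, hour bucket), the SIEM 'pattern' unit."""
    buckets = defaultdict(int)
    for ts, host, nbytes in events:
        hour = datetime.strptime(ts, "%Y-%m-%dT%H:%M").strftime("%Y-%m-%dT%H")
        buckets[(host, hour)] += nbytes
    return buckets

def build_baseline(events, baseline_days=7):
    """Per-host mean and stddev of hourly bytes over the first N days (the 'normal pattern')."""
    per_host = defaultdict(list)
    for (host, hour), total in hourly_bytes(events).items():
        if int(hour[8:10]) <= baseline_days:
            per_host[host].append(total)
    return {h: (mean(v), pstdev(v)) for h, v in per_host.items()}

def detect(events, baseline, z_threshold=4.0):
    """Flag buckets that deviate from the host baseline; rank alerts by VA severity."""
    alerts = []
    for (host, hour), total in hourly_bytes(events).items():
        if host not in baseline:
            continue  # no baseline yet: cannot judge abnormality
        mu, sigma = baseline[host]
        if sigma:
            z = (total - mu) / sigma
        else:  # constant baseline: any change at all is a deviation
            z = 0.0 if total == mu else float("inf")
        if z > z_threshold:
            priority = round(z * VA_SEVERITY.get(host, 1.0), 1)
            alerts.append({"host": host, "hour": hour, "bytes": total,
                           "z": round(z, 1), "priority": priority})
    return sorted(alerts, key=lambda a: a["priority"], reverse=True)

if __name__ == "__main__":
    for alert in detect(EVENTS, build_baseline(EVENTS)):
        print(alert)
```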
About The Author
Vijay Lalwani, Security Analyst at Paladion Network