10 Tips for Evolved Defense
The Hackers' Tactics Are Evolving; So Must Yours
The information security threat landscape has evolved considerably over the past six years, and it is time that organizations' defenses evolved to match it, says Tom Kellermann of Trend Micro.
"Much of the threat landscape today is not about viruses; it's not about worms," Kellermann says. "It's really about targeted attacks that are being leveraged via the web."
Web-based malware, web-injection attacks and attacks on mobile devices are among the most common threats today, and they pose significant challenges to individuals as well as to organizations.
"If I hack your mobile device or tablet in today's environment, which is actually fairly easy to do, I can actually hack your physical reality," Kellermann says. Once a hacker knows an individual's location, business and contacts, credentials can be stolen, and significant damage can be done.
Because the battlefield has changed, so must organizations' defenses. "We have to stop focusing on building better fortresses in cyberspace," he says. "In fact, we have to focus on building better prisons."
In an interview, Kellermann discusses:
- Today's evolving threat landscape;
- Why defenses have failed to evolve;
- Ten specific steps organizations can follow to respond appropriately to these threats.
Kellermann is responsible for analysis of emerging cybersecurity threats and relevant defensive technologies, strategic partnerships and government affairs. He served as a commissioner on The Commission on Cyber Security for the 44th Presidency and serves on the board of the National Cyber Security Alliance, The International Cyber Security Protection Alliance and the National Board of Information Security Examiners Panel for Penetration Testing. He is a Professor at American University's School of International Service and is a Certified Information Security Manager (CISM).
Formerly holding the position of Chief Technology Officer at AirPatrol Corporation, Kellermann spent five years as Vice President of Security Awareness for Core Security. Previously, he was the Senior Data Risk Management Specialist for the World Bank Treasury Security Team, where he was responsible for internal cyber-intelligence and policy and for advising central banks around the world about their cyber-risk posture and layered security architectures. He co-authored the book "E-safety and Soundness: Securing Finance in a New Age."
TOM FIELD: We're going to talk about the evolving threat landscape and defenses, but first I would like to hear a little bit about you and your career as an ethical hacker.
TOM KELLERMANN: I'm a foreign service brat. My father was a U.S. diplomat so I grew up in Latin America without a TV and with a computer, and for the past 26 years I have been working on cybersecurity as an adolescent all the way through to script kiddie to trained ethical hacker. My first job coming out of grad school was the deputy head of security for the World Bank Treasury Security Team where I was responsible for evaluating the security of central banks that connected to the World Bank and IMF.
FIELD: You've got a unique perspective. Give us some insight. How is today's threat landscape evolving?
KELLERMANN: Ever since 2005 there has been a significant uptick in both automation and artificial intelligence and attack code. 2005 was the beginning of the year of intelligence botnets, and as we've seen these botnets grow we've seen a lot of them become facilitated through updatable code that could be provided through the Internet. Much of the threat landscape today is not about viruses; it's not about worms. It's really about targeted attacks that are being leveraged via the web - web-based malware, web injection attacks, as well as attacks on mobile devices that are flourishing right now.
What's interesting about that, by the way, is that in today's landscape, not only are you dealing with specifically targeted attacks against you as an individual or your organization, where they've done enough reconnaissance to understand who you trust, what kind of verbiage you trust, what kind of applications you use, what type of networks you depend upon. But in addition to that, when they hack you in cyberspace, it's far more nefarious in terms of what's possible. What I mean by that is that if I hack your mobile device or your tablet in today's environment, which is actually very easy to do, I can actually hack your physical reality. Because that device shows me your location, once inside your calendar I can ascertain not only what important meetings you have going on, but whom you're with, and I can turn on the microphone in that setting and get transcripts of those conversations and/or launch Bluetooth through wireless against anyone sitting at that boardroom table.
FIELD: Given these capabilities, how do you see hackers changing their tactics in how they approach their targets?
KELLERMANN: They're very much focused on conducting reconnaissance. What they've seen in the underground themselves is not only the advancement of capabilities but the automation of the weaponry. You have these arms bazaars of individuals who are extremely capable, who don't focus on hacking so much as developing the latest and greatest attack tools for distribution. For example, the Blackhole exploit kit is a great example, or SpyEye, or the evolution of Zeus trojans, where not only are they beginning to attack mobile devices and going after financial transactions, but they automate the transfer and the money laundering of those funds.
Essentially, back in the day you were dealing with one bullet, one-gun weaponry or you're dealing with viruses that would spread widely that inevitably you would identify those signatures and you'd be able to eradicate. In today's environment you hear much about the advanced persistent threats, but those are no longer the monopolies of regimes and governments. There are a multitude of organized crime syndicates and elite hackers who are producing that type of advanced weaponry for sale in the underground. So if you are a Fortune 500 company or you do business with one, you're being targeted at this moment.
FIELD: Let's talk about targeted organizations. You've already talked about how the threats and the attackers are evolving. How about the defenses? Are they evolving as well?
KELLERMANN: The first thing we need to appreciate about the defenses is that the defenses have been very much focused on the old-school paradigm of perimeter defense. Much like the city of Constantinople was finally sacked in 1453 by the Ottoman Sultan, it really speaks to the reality that warfare has changed essentially and crime has changed, and firewalls, encryption and virus scanners are good and necessary, but they're not impenetrable to the targeted attacks that we see today.
So by understanding that, we also need to appreciate that the cyber kill chain has evolved to include a maintenance phase. What I mean by that is once they infest your network, what they do besides stealing your credentials and having significant lateral movement within your application and your sister and partner networks is that they actually patch the holes that they exploited to get in your system. They actually clean the host that they compromise to make sure no hackers have a footprint, and they've actually shifted their command-and-control to reside within your ecosystem so that you yourself cannot ascertain whether or not there's command-and-control that exists from afar when dealing with a targeted attack.
Given that, the defenses have to change. We have to stop focusing on building greater fortresses in cyber space, but in fact we have to figure out how to build a better prison. How can we increase the level of discomfort to the adversary when they have a footprint within our system to a point where they have to choose between resources, their own time, or giving away their location, i.e. attribution, in order to maintain that persistent presence?
FIELD: Let's talk about this some. We've got organizations today that are investing unprecedented resources in information security. Where do you see their defenses most out of alignment with the changing threat vectors?
KELLERMANN: They're very much focused on perimeter defenses. They're very much focused on compliance exercises. They're not allowing offense to inform defense, as was illustrated by the Comprehensive National Cyber Initiative. I think most of these folks, before they begin to invest in these technologies, need to revisit the game of chess, and they need to really begin to understand that given today's threat landscape, where web-based attacks are significant, wherein mobile users are being heavily targeted, wherein traditional blacklisting technologies are insufficient, wherein as you move to virtualization and cloud computing, the reality is you have no visibility into virtual machines, and your IPSes are becoming irrelevant if they can't understand how virtual machines react in your environment.
It's fundamental that they focus now on securing their cloud environments, creating strategies to migrate to a layered security framework in the cloud, revisiting how they deal with third parties that could be the conduits of attacks into their ecosystems, making sure that they go beyond just having MDMs [mobile device managers] in place to secure their mobile devices, and lastly really beginning to do a real evaluation of the specialized threat detection technologies that exist out there, particularly the ones that can offer them customizable sandboxes where and when they have to deal with the targeted attack. Can they then not only replicate their environments to see how this would react, but more importantly can they query some sort of global actionable threat intelligence in the process to understand, "Yes, we've seen this type of sniper before. They've used this type of bullet. They usually sit up on this type of bird's nest and essentially this is how they operate."
For too long, organizations have been buying technologies that focus on, "Yes, this is the bullet you were shot with. Yes, this is the wound." But it never allows you with great situational awareness to ascertain how that's relevant, how that's part of the larger campaign or cyber kill chain attacks that have been leveraged in the global context. I think it's about that global context and that situational awareness that's fundamental.
FIELD: You work with organizations every day trying to solve these issues. What advice do you offer for how to get started and how to evolve an organization's defenses to match these threats?
KELLERMANN: First and foremost, I would recommend that all organizations do the following things. First, really begin to audit through penetration testing, not a traditional SAS 70 audit, the security of your third parties, managed service providers and strategic partners that have direct conduits into your ecosystem. That's fundamental.
Second, move away from multi-factor authentication. Move fully to two-factor authentication, especially for your systems administrators, who are oftentimes targeted as the weak links in your ecosystem.
Third, make sure that your cloud security strategy and mobile security strategy are created in parallel, in conjunction with one another, because they're one and the same. Remember your mobile devices are merely the endpoints of the cloud infrastructure and the VDI infrastructure that you're going to be rolling out in the future. And make sure that when you move to the cloud you fundamentally appreciate that you can't just migrate to the cloud and depend solely on encryption to protect you. Things like file integrity monitoring, intrusion protection, advanced logging and virtual shielding are a necessity when you migrate to this newfangled web-free environment.
Lastly, really begin to deploy technology like Deep Discovery, which is a new technology we've developed at Trend Micro that allows you specialized threat protection, multiple protocol analysis and evaluation with custom sandboxing, to understand the lateral movements of attackers if they're already inside your network. Let's face it, Shawn Henry, former head of the FBI's Cyber Intrusion Division, noted there are two types of organizations in the world: the ones that know they have been hit and the ones that just don't know they've been hit. The problem is in today's landscape you really have to assume that the enemy is already inside of your house, and you have to focus on marginalizing the presence of that adversary to a point wherein you can better fortify your enclave against these types of staged and blended attacks.