High-profile attacks highlight need for defenses against targeted threats
Attacks against RSA, Lockheed Martin, Oak Ridge show focus needed on network monitoring, outbound filtering, whitelisting
Computerworld - The recent spate of successful cyberattacks against high-profile organizations has focused fresh attention on the need for enterprises to implement new defenses against targeted threats.
Last week, the International Monetary Fund joined the list when it admitted to a similar intrusion. An anonymous IMF source quoted in a story in The New York Times described the incident as a "very major breach" that likely resulted from so-called spear phishing.
All of the recent incidents have appear to be very targeted and persistent attacks carried out by adversaries using a combination of social engineering techniques and sophisticated malware programs.
Dealing with such threats requires companies to look beyond security strategies that are focused purely on dealing with traditional network threats, analysts say. Increasingly, companies also need to focus on approaches such as continuous monitoring of networks, databases, applications and users; outbound traffic filtering; and whitelisting.
"Time and again, as details of these attacks are made clear, we find that attackers are not behaving like stereotypical burglars -- smashing a window, grabbing what they want, then walking off with a big bag marked 'swag' while the alarms ring," said Mike Lloyd, chief scientist at RedSeal Systems.
Gartner analyst John Pescatore said that instead, "a common thread through many damaging incidents is targeted executables getting installed on critical servers or high-value employee PCs."
The goal behind many of these attacks is to surreptitiously establish a persistent point of presence inside a network and use that to snoop on an organization and steal information.
One way of dealing with such threats is to constantly monitor for configuration changes on important assets, Pescatore said. Network forensics and database activity monitoring products such as those from FireEye and Damballa are useful in detecting and blocking targeted threats which conventional signature-based tools let through, he said.
Moving to application-aware firewalls that can limit unknown application traffic over Port 80 is another step forward in protection, Pescatore said.
The key thing to remember, though, is that monitoring alone is not a panacea, he added. "For most of these incidents, monitoring the right things is more important than how often you check. And protecting the right things is even more important than monitoring," Pescatore said.
Continuous network monitoring using intrusion detection systems alone is "useless" against targeted attacks, said Richard Stiennon, an analyst at IT-Harvest. "Attackers may still engage in old-fashioned network scanning and attempts to exploit vulnerabilities, but most of the successful attacks recently have involved custom Trojans delivered by socially enriched emails," he said.
- Hackers steal user data from the European Central Bank website, demand money
- Arrests made after international cyber-ring targets StubHub
- SQL injection flaw opens door for Wall Street Journal database hack
- Goodwill Industries probes possible payment card breach
- Aloha point-of-sale terminal, sold on eBay, yields security surprises
- The biggest data breaches of 2014 (so far)
- Blue Shield discloses 18,000 doctors' Social Security numbers
- PF Chang's says breach was 'highly sophisticated criminal operation'
- Breaches exposed 1 in 7 US debit cards in 2013
- New malware program targets banking data
- Aberdeen: Securing the Evolving Datacenter This report highlights ways security technologies and services are evolving to provide the visibility and control needed to deploy workloads flexibly in the...
- Evolving Your Data Center? Evolve Your Data Center Security Your datacenter is evolving - your datacenter security should be evolving, too. Key security technologies and services are being adapted by leading solution...
- Agile Masking Transforms Data Security Most data masking products can create masked data copies but not distribute or update them, resulting in projects that fail to live up...
- Step Out of the Bull's-Eye Learn about the evolution of targeted attacks, the latest in security intelligence, and strategic steps to keep your business safe.
- Live Webcast Security Vulnerabilities Associated With Having Local Administrator Privileges Viewfinity will demonstrate how removing admin rights and granularly managing privileges at the application level reduces the attack surface.
- Keep Servers Up and Running and Attackers in the Dark An SSL/TLS handshake requires at least 10 times more processing power on a server than on the client. SSL renegotiation attacks can readily...
- Will the Real Endpoint Threat Detection and Response Please Stand Up? This webinar explores new technologies & process for protecting endpoints from advanced attackers as well as the innovations that are pushing the envelope... All Data Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!