The initial compromise is only a fraction of a hacker’s attack cycle

ITProPortal spoke to Simon Edwards, senior security consultant at Damballa, about how businesses have to get used to the idea that their data isn't safe, and move forward into an assumption of imminent security breaches.

What does the typical attack on a business look like?

If we look at the lifecycle of an attack against a business, the initial compromise is often an infected document or something within a browser; it's something that's very small. It tends to be something very small: an exploit code or a dropper.

Once the malware has decided it's in an environment it wants to be in, it's going to connect to a command and control server and start pulling down the really malicious stuff. That malicious code will lock itself onto a benign process and typically after that everything goes crypto and becomes difficult for even deep packet inspection to pick up.

None of this really happens without the command and control server, so what we focus on is finding where those command and control channels are and pinpointing where we think machines are infected.
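Detection logic of the kind this answer describes, as an added example that is not Damballa's code: it looks for hosts whose outbound connections recur on a near-regular cadence, the beaconing pattern of an infected machine calling home. The log format, host names and addresses are constructed for illustration.

```python
# Added example (not Damballa's code): flag (source, destination) pairs whose
# outbound connections recur on a near-regular cadence, the "just beacons"
# behaviour described above. Log lines and hosts are constructed.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy-style lines "<ISO timestamp> <source host> <destination>":
# ws-17 beacons every 5 min, ws-31 every ~10 min with jitter; the rest is browsing.
SAMPLE_LOG = """\
2014-07-01T09:00:00 ws-17 203.0.113.50
2014-07-01T09:01:12 ws-17 www.example.com
2014-07-01T09:01:15 ws-17 www.example.com
2014-07-01T09:05:00 ws-17 203.0.113.50
2014-07-01T09:07:40 ws-17 www.example.com
2014-07-01T09:10:00 ws-17 203.0.113.50
2014-07-01T09:15:00 ws-17 203.0.113.50
2014-07-01T09:20:00 ws-17 203.0.113.50
2014-07-01T09:31:02 ws-17 www.example.com
2014-07-01T09:32:10 ws-17 www.example.com
2014-07-01T10:00:00 ws-31 198.51.100.7
2014-07-01T10:09:52 ws-31 198.51.100.7
2014-07-01T10:20:05 ws-31 198.51.100.7
2014-07-01T10:29:58 ws-31 198.51.100.7
2014-07-01T10:40:07 ws-31 198.51.100.7
"""

def parse_log(text):
    """Group connection timestamps by (source, destination) pair."""
    conns = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst = line.split()
        conns[(src, dst)].append(datetime.fromisoformat(ts))
    return conns

def interval_stats(times):
    """Mean gap between connections (seconds) and its coefficient of variation."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    return avg, pstdev(gaps) / avg  # cv near 0 means a clock-like cadence

def find_beacons(text, min_events=5, max_cv=0.2):
    """Return [(src, dst, mean_gap_s, cv)] for pairs whose cadence looks like a beacon."""
    hits = []
    for (src, dst), times in parse_log(text).items():
        if len(times) < min_events:  # too few connections to judge a cadence
            continue
        avg, cv = interval_stats(times)
        if cv <= max_cv:  # irregular, interactive browsing falls above this
            hits.append((src, dst, round(avg, 1), round(cv, 3)))
    return sorted(hits)
```

The jittered ws-31 cadence is still caught because the coefficient of variation, not the raw interval, is thresholded; a real deployment would feed this from proxy or flow logs and tune `min_events` and `max_cv` to its own traffic.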

Does there need to be a change in the CISO mindset, a shift from attempting to block all initial compromise attempts?

I've worked in deep packet inspection in one form or another for the best part of 20 years now and we've always been looking for the initial exploit, but the initial exploit can vary so much, and it isn't actually the malware that's infected the machine.

A lot of companies are waking up to the fact that exploits are going to happen no matter how good your defences are, so shouldn't the focus be on finding the infected machines quickly and dealing with them rather than trying to swat every fly that comes over the wall?

So we're talking about an assumption of compromise?

From a host perspective I think you have to have the mindset where you realise that these machines are going to get infected and make sure you do something about it.

But some businesses need to keep sensitive customer data on their systems. How can they make sure that data isn't compromised?

Obviously that's a very difficult question to answer. Where you keep your data makes a difference. We're seeing a large number of malware samples that are very deliberately looking for the security systems that are protecting the data, whether it be host-based IDS or safe boot. We've seen a couple of samples come through recently where the malware's looking to find if extra security has been placed on top of that workstation to determine if that is a better target than say "Grandma's kitchen computer" or something.

So they are getting much, much, much more intelligent. We've seen an industrial control system, SCADA-based exploit that we're tracking now called "the dragonfly" which deliberately looks for industrial security systems and when it finds them it makes a record of what it's found and sends that data to the malware author, then goes silent and just beacons and it's just waiting for the next thing to come down.

It's like the hacker's trying to establish a beachhead and then they're selling those details off to someone else who'll come along and do some damage. There are a lot of threat actors involved. Whoever's gaining the initial exploit is quickly selling on those details to someone else who can use it for whatever nefarious deeds they want to.

Business leaders get a lot of conflicting advice. Can you provide any clear guideline for what they should be doing in the future?

Security is always about process. I think one of the most important things isn't that a company just spends money on hardware and software but that it looks at the overall process involved so when you do find a compromised machine what do you do then?

If you're a government or an aerospace company or something you can probably afford to call in an incident response team to try and work out what the compromise was, but 80 to 90 per cent of companies are just going to wipe the machine and start again.

So what companies need to do is decide what to do when they find an infected machine and to understand that machines are going to get compromised.

You've seen a lot of security solutions in your time. In your experience, what do the successful ones have in common?

You've got to make sure various different teams in an organisation are working together and they're not just going to be technical teams, they're going to be PR, HR and things.

So it's all about understanding the overall process and when one of the tech teams realises something is wrong the rest of the organisation knows how to deal with it. Having a good CISO is going to help do that by having a proper management person implement that.

What else should business leaders know?

We've talked about what happens after the initial exploit, establishing contact with command and control servers and using very sophisticated ways of communicating with them. These C&C servers may communicate for hours and then flip off which makes them difficult to track down.

When these C&C servers do become known there's a big rush to sinkhole them and take them down. We saw that a few weeks ago when Microsoft went in, shall we say, heavy-handed, and took down an entire ISP (internet service provider) for using dynamic IP addressing; they took the whole lot down.

We've got to be careful in the way we react to this so that we're not being completely draconian about it but that we do catch these C&C servers and stop them.