ACT LIKE YOU’VE BEEN HACKED

In the first half of 2020, IT teams around the globe rapidly responded to unprecedented change, threw the rule book out the window (in many cases), and found innovative and in some cases unorthodox ways to keep the business running while transitioning into some ill-defined “new normal”. This upheaval created opportunities that cyber criminals were eager to exploit. Now that the initial chaotic wave of change has passed, it may be time for us to retrieve the rule book from the shrubbery outside and re-visit our security posture. How? One way is to act like you’ve been hacked.

First, let’s be very clear, we’re not suggesting that you:

1. Run around screaming, “AAUGH, we’ve been hacked!”
2. Put on a black hoodie, grab the latest Kali Linux distro, practice your sinister laugh and start plotting your revenge

While those things sound fun, we’re referring to something a bit less dramatic and quite a bit more practical…

We’re talking about a mindset and mental exercise wherein we carefully think through, plan, and document how we’ll respond when a breach occurs. Sound rather basic and obvious? It certainly is, but how much has changed since you last put plans in place to detect and respond to threats? Where are the corporate crown jewels; the informational resources that you’re most concerned with? How can those resources be accessed remotely? What’s the path(s) that an attacker would take to access them? If none of those things have changed in the last six months then you may be fine but for many of us, the way we access protected information has changed now that we’re working from home which, in turn, has potentially opened up new ways for the bad guys to access that data as well.

Is this whole exercise really necessary? Yes! There is an abundance of indisputable proof that:

1. The volume of attacks is on the rise
2. New types of exploits are appearing at an unprecedented rate
3. Breach life cycle time (dwell time) is ponderously high which means…
4. …the associated breach cost is mildly terrifying, and,
5. our current defenses simply aren’t keeping up

That last claim demands some pie-chart style proof, don’t you think?

Source: Mandiant Security Effectiveness Report 2020

So, we’re missing more than half of the attacks. Yikes. Here’s the good news. For many of us, we have the data sources we need, but we may need to re-evaluate which specific data sources on our network we’re going to listen to and how to best leverage them to the fullest extent possible. What and where are those data sources?

Flow data (NetFlow, IPFIX, etc.) and enriched flow

If you just let out a small, derisive snort, that’s understandable. Many people still think of flow data as a very rudimentary form of telemetry that essentially just counts stuff. But flow has the potential to be a wonderfully rich data source and widely available early-warning indicator if it is collected from the right locations and analyzed properly. Many modern flow-enabled devices now enhance those basic counts and amounts by providing deeper visibility into the traffic that is traversing the network. VIAVI Solutions takes flow to the next level by integrating flow data with other data sources including device data, user authentication information, even converting syslog messages into flow records. These enriched flow records can then be analyzed for suspicious behavior patterns including the ability to ascertain when a device or group of devices is acting out of character, or profile. In our, act like you’ve been hacked exercise, this data source is well-suited for augmenting other means of threat detection if it is leveraged properly.

Packets

Since the dawn of LAN, packets have been our friend. They remain the ultimate source of truth and proof. Imagine that two companies have experienced a breach. Company A acknowledges the breach and announces that it is conducting an investigation in order to determine the scope and impact. Company B acknowledges the breach, explains the cause and mitigation and also details exactly what information was compromised and the steps that have been taken to notify and provide aid to those who were affected. Both companies will have to weather the storm of bad publicity, but which one is more likely to ride it out and which one is more likely to see potentially irreparable harm done to their company and brand reputation? Unlike device logs, the packets can’t be erased from the wire. They have the potential to provide the court-admissible, forensic level visibility needed to understand and document what intellectual property, trade secrets, customer data, or payment info was compromised. The question is, are you collecting the right packets from the right locations? Act like you’ve been hacked – are the packet brokers configured correctly, are the stream to disk platforms keeping up and ensuring that you have the evidence you’ll need when you need it? You can’t analyze what you don’t capture (and you can’t get it back once it’s gone) so this is an important point to ponder.

Most NetOps teams have access to flow and packet data. Now is the time to ensure that those data sources are being leveraged as effectively as possible and that all involved parties have access to that information. In VIAVI Solutions’ 2020 State of the Network Annual Global Survey, respondents indicated that the amount of time spent resolving security issues during a typical week has grown from “up to 25 percent” last year to more than 35 percent. NetOps has the data, the act like you’ve been hacked exercise should ensure that SecOps also has access to the information they need when the inevitable breach occurs.

The bad guys will find a way in. If you don’t believe that, go watch the Italian Job, or any/all of the “Ocean’s” films. If anyone asks what you’re doing just tell them it’s okay, the blog told you to… When you’re done, act like you’ve been hacked, preach like you’ve been breached, get the team together, and reassess your state of readiness.

For more on this topic, you may enjoy listening to this SANS Institute webinar.