We come at last to the long-term breach, the cruel offspring of patient hackers and targeted attacks that can make your stomach as queasy as the first drop on a roller coaster. “How long?” It’s likely one of the first thoughts to dart through your mind when you hear the word “breach.” Chances are, if you’re asking that question, it’s not going to be good news. It could be weeks, months or, in some cases, even years.
Just this year we saw a three-year-long breach of defense contractor QinetiQ that “compromised most if not all of the company’s research.” Data equal to hundreds of millions of pages was stolen, including information about the U.S. Army’s combat Apache and Blackhawk helicopters. Or it could be something less malicious. Take Facebook. It inadvertently exposed six million users’ phone numbers and email addresses to unauthorized users through a technical glitch, essentially committing a year-long data breach against itself.
It’s one of the top concerns of businesses, and rightly so.
“Their biggest concern is the dwell time, detecting the threat soon enough before it has time to propagate across the network, establish more of a beachhead, additional resilient points,” said Sean Bodmer, chief researcher, counter-exploit intelligence at CounterTack. “That period of catching the threat soon enough before it has time to dwell, that is one of the biggest things they all talk about.”
Trending the Wrong Way
Browse through the cybersecurity bible – the 2013 Data Breach Investigations Report – and deep into the madness, you’ll see this crooked, Joker-esque smile staring back at you. It’s a simple line graph of the breaches that remain undiscovered for months or more, and, as you’ll notice, it’s going the wrong way. Why so serious? The bad guys are edging ahead.
From Verizon’s 2013 DBIR: “But in all seriousness – something has to be done. If not the most, this must be one of the most important challenges to the security industry.”
The goals and methodology have certainly changed when it comes to hackers. The value of intellectual property is immense, and there’s a noticeable shift underway towards stealing that property. Break in; then sit there waiting. It’s patient and targeted – and it works. Of the breaches analyzed in Verizon’s report, 66 percent took “months or more to discover.”
“In the digital world there’s not even the evidence that things are missing. You may have something stolen, but it’s still there,” said Nathan McNeill, co-founder and chief strategy officer for Bomgar. “If they take a bulldozer to your website and start scrawling all over everything, then you’re likely to call the police early. If they’re using legitimate channels or legitimate remote-access channels, you’re not likely to call the police very soon because it’s not obvious that you’ve experienced a breach. So oftentimes these things can go on for months without people really realizing that stuff is being taken from them.”
It’s not blatant. It’s subtle. So subtle that 70 percent of those breaches weren’t discovered by those being attacked but by an external party.
“Some of the times they just don’t have the technology to know that it happened. It’s not necessarily you didn’t have the right policies, it’s having the right technologies in place,” said Tsion Gonen, chief strategy officer at SafeNet. “I would say the biggest problem today is probably not awareness – because the awareness due to everything that has happened the last three or four years is so high. It’s mostly around, okay, now that I’m aware, how do I split my budget and resources?”
That’s a question with expensive consequences. Cyber-attacks burn money with every tick of the clock: each day, each week, each month. The average time to resolve a cyber-attack is 24 days, according to a study done by Ponemon Institute and sponsored by HP. The average costs during that time: $591,780. That’s $24,475 each day.
Cat and Mouse Game
“I think the attacks of last year are easily avoidable today. The problem is that the attacks of today – the real ones – are not easily avoidable today with the technology of today,” Gonen said. “This fight or this chase is not a stand-still one, right? The attacks change all the time.”
Take the shift in focus towards behavioral technologies: establish what’s normal and then alert for any abnormalities. This technology isn’t even mature, said Gonen, but already he’s seen four or five types of malware that use that same strength: seek out what’s normal, then don’t disrupt it. “So where do you go from there, right?” he asks. “This fight is not about being able to completely keep them out. It’s about delaying them, making it harder, making it more expensive, force them to move to the next technology.”
But that upward trend of time to discover a breach continues. Imagine another situation like QinetiQ: three years of investments in research not just gone but handed over to your competitor. In this match, it’s becoming clear who is the cat and who is the mouse, nibbling at the cheese and oblivious to the fact that all the while it’s in a poison trap.
“I believe people are still trying to fight this battle of defense, and it’s a losing game,” said Dan Ford, the chief security officer at Fixmo. “The goals should be changing more to a detection. We know that the bad guys are going to get in, and we should do everything we can to try to prevent that, but we should be focusing more of our efforts on our ability to detect when a compromise has occurred and shorten that window. And that’s something that’s very challenging.”
So the cat and mouse game continues. You can’t stop a determined actor, not completely. The business world has come to that realization. Occasionally, bad things will happen despite your best intentions. Even if you’ve cut through the confusion, set up a solid defense against basic attacks, and moved on to a philosophy of getting breached securely, minimizing the damage is simply a goal to strive towards, not an end game. When all else fails and the business still catches on fire, there’s often one saving grace: at least you have insurance – the final part in this series.