Large organizations with warehouses of our personal data continue to be breached. What’s going on here—why does this keep happening? In this post, we break down the risk/reward ratio for corporate attackers and what we can do to change it.
As Verizon's Data Breach Investigation Report (DBIR) continues to tell us, the primary motivator for hackers these days is coin, pure and simple. Selling Excel spreadsheets on the black market is extremely lucrative, especially if an attacker can get "fresh" credit card numbers that are likely to still be active. ersonal information like a person's home address and social security number can be even more lucrative, since no one can turn off their social security number like they can a credit card. This gives personal data an extremely long shelf life. Company secrets stolen under the aegis of corporate espionage is another big slice of the reward pie for hackers.
On the risk side, cracking a corporate network doesn’t require a very sophisticated attacker. The fact is, keeping a corporate network secure is hard. These systems, especially if they're international, are complicated. And as with any complicated system, a corporate network is only as secure as its weakest point. It's easy for attackers to move within a network undetected once it has been compromised; even if the weakest point in the system is located in a small remote office, once compromised it can be used as a beachhead to gain access to the critical systems deeper in the network.
It is easy to feel like the attacker is winning when stories of compromise show up in the news on such a regular basis. Even when the consequences are enormous—executives and leaders losing their jobs, millions of people impacted—the bad news just keeps on coming. However, there are steps companies can take to tangibly reduce their attack surface.
First, companies can perform regular vulnerability scans of the assets on their network. Scanners like this can catch known vulnerabilities on their servers (like the vulns exploited by the leaked Shadow Brokers exploits or the Apache Struts vuln, for example) and provide a ranked list to the security and IT teams of which systems on their networks have the most severe vulnerabilities. Teams can also assign a criticality level to their servers, layered on top of the raw list. This way, the list is ordered by a combination of how severe the vulnerability is (for example, whether it gives an attacker admin privileges or the ability to execute arbitrary code within the network) and how critical the box is (e.g., whether an external attacker could use the machine to gain access to the private network, whether it houses highly sensitive data, and so on). Armed with a ranked list, the IT team is able to prioritize and triage which systems can and should get patches first.
Second, companies can hire penetration testers to try hacking into their networks. Pen testers are highly specialized technologists who know as much as real attackers (and often more) about how to crack networks. They will almost always succeed in breaking in—when we analyzed 128 of our pen tests in Q4, our red team was able to reach mission target 80% of the time. When detection evasion was explicitly part of the statement of work, our team still evaded detection 70% of the time. The good news is that, unlike with a malicious adversary, pen testers will give you a nice report at the end detailing how they got in and what you need to do to keep attackers from breaching your network in a similar fashion in the future.
Third, companies can install incident detection and response software, like user behavior analytics systems, to monitor their networks. The sad truth is that even if all known vulnerabilities were patched in a network, and even if there weren't unknown vulnerabilities that attackers were leveraging to crack into networks that would otherwise be thought of as secure, attackers would still be able to gain access. Why? Because of us, the human users of the system. As the preventative barriers to a corporate network are strengthened, attackers turn to forms of social hacking to bypass them. As described in the classic 2012 Wired story about Mat Honan's 'epic' hacking, there are many tools at an attacker's disposal to gain access to a user's password through social trickery. Once an attacker has a username and password, they are able to gain access to a corporate network through an entirely legitimate vector. This is where detection tools come into play: as the attacker behaves in ways that are different than her victim, such as logging into unusual computers on the network, or capturing and using admin credentials, user behavior analytics can detect these deviances from expected behavior and raise alarms to the security team.
Companies that take the security of their networks seriously and not as an assumed truth all know that these tools and others like them are essential to protecting their network environment. Rapid7's Project Sonar takes only two hours to scan the entire public internet. We can no longer hope that attackers won't find the flaws in our network simply due to the immensity of the internet; that is no longer the system in which we operate. Attackers are constantly opportunistically scanning for vulnerabilities to exploit. We must build tools to protect our networks and our sensitive data from compromise. And we must have incident response plans for compromise so that we can contain and expel attackers with minimal impact to our data and systems.
The good news is that by using the information in the above steps, companies can fundamentally alter the risk/reward ratio when it comes to attacking corporate networks. With vulnerability scanners, penetration testing, and incident detection systems, the cost of entry for attackers is driven significantly higher, and the gains to be had even if a network is compromised can be driven down dramatically. While we may need to wait a little longer for the next season of our favorite show (without hackers to offer us stolen episodes ahead of time), we can sleep easier knowing our own networks and corporate data have been given an appropriate level of protection and that their administrators are keep an ever-watchful eye out for compromise.