by John Worrall
“A determined attacker can easily slide through your perimeter defenses—we need a new approach.”
I hear that sentence a lot these days. In fact, I’ve been hearing it off and on for close to ten years now. Driven by growth in the mobile workforce and the expansion of outsourced business partnerships, the cry “perimeter security is dead…we need a new model” continues to gain in popularity. Yet in spite of all this talk, the vast majority of last year’s $32B security products market (my estimate, but it’s close enough for this discussion) was still spent on perimeter defense. Investment in actual data protection, monitoring and forensics tools, however, pales in comparison.
This past week, with the news cycle instigated by Mandiant’s APT1 report, the focus has again fixated on perimeter security and how organizations should prevent the initial breach. For example, Network World took email vendors to task for not doing enough to prevent phishing, while on NPR’s All Things Considered the infatuation with perimeter security was so overt that the only questions on tactics directed to Mandiant CEO Kevin Mandia were those that focused on how an attacker could be so successful merely by spear-phishing.
If you read through the Mandiant report, however, you’ll notice that in addition to phishing, it also covers other critical components of a successful attack. It’s a worthwhile read on backdoors, covert communications, privilege escalation, internal reconnaissance, lateral movement and maintaining presence.
Ultimately, phishing attacks are only the beginning of an advanced threat attack. Think of the home security analogy. A burglar may have gotten in your front door, but he hasn’t stolen anything yet. He still needs to search the house to find where you hid the silver and jewelry. He needs to pick the lock on the closet or crack the wall safe. Then he needs to collect all of the loot and head out the back door.
This is why I firmly believe the quote at the top of this post. Just as you store valuables in a safe at your own home, you should assume that there are already attackers inside your network. After all, a determined attacker will get in. Every time. But if you are proactive, and take an inside-out approach to your organization’s security, you CAN lock down the (privileged) pathways to the most sensitive information—which effectively disrupts the cyber attack.
But you need to take that approach. So what’s your plan?