The April 7, 2014 NY Times article, “Hackers Lurking in Vents and Soda Machines,” surely raised the hackles of enterprise security teams worldwide. Just when you think you’ve battened down the hatches, you hear cybercriminals used a Chinese restaurant’s website as a watering hole to hack into an oil company’s network. And we already learned weeks ago that Target was breached using stolen credentials from their HVAC provider.
Third party breaches aren’t new, but they’re certainly on the rise. A 2013 report estimates that 63% of data breaches are linked to a business partner’s network. As enterprise security programs get more robust, it’s easier for attackers to access a trusted neighbor’s network, which typically has more security deficiencies. Once inside, attackers can springboard into the network of the targeted enterprise.
Here are some real-world examples that we’ve seen at Damballa.
- BYOD. At a large bank, we found 50% of their contractors’ laptops were infected and actively communicating with malware.
- Trusted Neighbor. A large energy company was infected from a local deli’s online ordering system. We discovered that attackers embedded their exploit in a JPG image. Employees who placed orders from the corporate network were infected.
- Non-Windows OS (yes, Mac’s do get infected). We discovered Domain Generating Algorithm (DGA) C&C activity in a University research organization that used mostly Mac devices. A few weeks after our discovery, the malware was labeled “Flashback.”
Plugging the Leaks
Shutting down your partner eco-system probably isn’t an option. So what should you do?
First, conduct a security and risk audit of your network to help uncover vulnerabilities like sketchy third-party access. Next, consider how prepared you are to detect infections that bypass your prevention controls. Finally, have an active, well-rehearsed incident response plan in place so you can take immediate action to prevent damage.
The Target breach illuminated just how difficult this process can be. Their security team was blasted by the media for supposedly failing to take action. In their defense, Target’s prevention technology issued alerts, not proof of infection. As I wrote in a March 14 blog post, an alert by itself only tells you that unusual activity was observed. You have to corroborate the information from an alert with other data to get proof of an infection. It’s a time-consuming, resource-intensive process.
Consider this: According to Damballa’s enterprise data from Q1 2014, an average customer’s network generates an aggregate average of more than 10,000 events daily, which yields 97 active infections. Can you imagine if you got 10,000 alerts versus proof of 97 actual infections? Damballa correlates network activity through multiple detection techniques and boils down events to identify actual infections. Once the compromise is confirmed, we provide responders with indisputable evidence and risk rankings so they can prioritize their remediation.
No doubt it’s difficult for security teams to keep their heads above water when dealing with so many alerts from different attack vectors and surfaces. Do everything you can to guard your perimeter and be prepared to detect and respond to carefully-crafted attacks designed to evade the fortress walls.