From my years of working in various cyber-security roles in the military and in government agencies, one staggering statistic stood out: the offensive hacking teams that I was involved in tracking had a 100% success rate when it came to network penetration. It’s unbelievable, but true: no matter how well an organization defends itself, there will always be vulnerabilities.
In 2014, we experienced some of the largest cyber-attacks to date - successful breaches among well respected and highly protected organizations. Looking back at 2014’s mega breaches: from Home Depot to the Sony breach, it is clear that determined hackers will find their way into a network. It is time to accept the fact that network penetration is inevitable. 2015 must be a year of change: organizations must assume that their networks have been or will be breached and focus on identifying attackers that are already in their environment.
The JPMorgan Breach Example: There’s No Magic Shield
After news of the JPMorgan breach was released, it was widely published that the hackers were able to access JPMorgan’s internal server due to the fact that two-factor authenticationwas not enabled. Although two-factor authentication could have prevented hackers from utilizing that breach method, it would have ultimately failed to stop hackers from penetrating the network.
The JPMorgan internal breach was possible because attackers got ahold of a private certificate of a website building company, Simmco Data Systems, which allowed attackers to hack 420,000 websites it had created, one of which was JPMorgan’s Corporate Challenge website. The initial Corporate Challenge website hack alone wouldn’t have given the hackers access to JPMorgan’s internal site, but because many JPMC employees used their internal login credentials to access the Corporate Challenge site (a site for charity race events), the hackers could successfully penetrate JPMorgan’s internal network. Although this penetration payload would have failed if two-factor authentication was implemented, the hackers would have undoubtedly employed another feasible method if their initial attempt failed.
For example: the hackers already had the credentials of JPMC employees who accessed the Corporate Challenge site along with information about charity races they had previously participated in. A Spear Phishing campaign could have given the hackers access as well. Who wouldn’t open an email sent directly to them referencing specific, personal information about their previous activities? Remember only one employee needs to fall.
The recent media debate claiming that the JPMorgan breach could have been prevented by proper implementation of two-factor authentication clearly demonstrates that the public is still searching for a magic shield that can prevent hackers from successfully penetrating a corporate network. In reality, however, there is no unbreakable system. Professional cyber criminals have the time and the financial means to deploy many different methods until they break the defender’s shield.
Shifting to a Post-Penetration Security Approach
While network penetration may be inevitable, it is important to understand that cyber criminals take their time before performing the majority of damage. In fact, to evade detection, attackers move slowly within the network and perform minimal actions per day. This gives security teams an opportunity to detect them early on and reduce the scope and cost of a breach.
In the case of the JPMorgan breach, it took between two to four months for the breach to be discovered. This detection delay yielded the largest US banking breach to date; the hackers got ahold of 83 million accounts and eventually gained high-level access to 90 different servers. Even if the initial penetration was impossible to detect, many of these hackers’ activities could have been identified by closely monitoring the environment to reveal anomalies and by linking together events that may seem benign but together form a clear picture of malicious activity.
When coming to the realization that network penetration is inevitable, security teams must adopt a post-breach mentality and develop their capabilities accordingly. Improving network and endpoint visibility will enable organizations to better identify irregularities and malicious activity. Hackers might have reigned supreme in 2014, but this year, we can apply our hard earned lessons. Security budgets are sure to go up, and automated solutions that can help organizations better detect and respond to malicious intruders are rapidly maturing. We might not be able to keep determined cyber criminals from getting in, but we can get much, much better at finding and containing them once they are. Hopefully, 2015 will be the year the good guys level the playing field and defend against sophisticated attacks with equally sophisticated detection and response.
