


6 Tips To Help You Avoid A 'Near Miss' In Security

This article is more than 8 years old.

Happy Near Miss Day (March 23)! In 1989 an asteroid roughly the size of a mountain came within about 500,000 miles of colliding with Earth. Geophysicists estimate that the impact, had the asteroid actually hit, would have released energy equivalent to the explosion of a 600-megaton nuclear bomb. Astronomers didn't discover the asteroid, or realize how close the near miss had been, until nine days after it had passed.

Just as no one knew about the asteroid until it was already past, many organizations are already compromised and simply haven't discovered it yet. The average time to detect a breach after attackers have infiltrated a network is roughly 200 days. That is an exceptionally long time to be oblivious to a threat that is already inside your network.

In the movie Armageddon, there is a great line from Billy Bob Thornton's character, who explains why NASA wasn't able to detect a massive asteroid on a collision course with Earth. He tells the President that NASA's collision budget is $1 million, which only allows the agency to track 3 percent of the sky, and apologizes: "Begging your pardon sir, but it's a big-ass sky."

“Security is the same way—despite budgets that seem overly sufficient from the outside, things will occasionally slip through and cause damage…some of it catastrophic,” explains Michael Patterson, VP of Strategy for Rook Security. “This often has less to do with the proficiency of individuals working in security and more to do with the attack surface and attack volume most organizations have to deal with each day in relation to their budget. Much like exploring and accounting for every potential threat in the universe, it’s a daunting task. Some firms unfortunately experience the same fate as the dinosaurs and go extinct due to a direct hit.”

In honor of Near Miss Day, I have reached out to security experts to talk about the concept of a “near miss” as it relates to network and data security.

1. Don’t Miss Changing Default Passwords

There are a lot of moving parts in most IT projects. Unfortunately, during initial setup, many projects focus on getting the solution running rather than on following security best practices: hardening the system, removing or disabling unnecessary accounts, and changing every default password.

Morey Haber, VP of Technology for BeyondTrust, says, “Everything from SNMP, default administrator, databases, to proprietary management tools may require password changes. These represent a simple near miss factor that any hacker could use to compromise a system with relative ease. In order to prevent this near miss, build into your project plans the security steps necessary to identify all default credentials, regardless of service or user, and plan changes at least twice during the deployment.”
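The check Haber describes can be scripted into the project plan and run at each of the planned review points. The following is an added example in Python, not code from the article or from BeyondTrust: it audits a constructed inventory of service accounts against a small, illustrative table of vendor defaults (KNOWN_DEFAULTS is an assumption for the example, not a complete list) and scans net-snmp style snmpd.conf text for the "public" and "private" community strings. The account check goes beyond exact default matches and also flags passwords that equal the username or are empty or generic, since those are what defaults are most often "changed" to.

```python
import re

# Constructed for this example: a small table of vendor defaults the deployment
# checklist should cover. Entries are illustrative, not an exhaustive list.
KNOWN_DEFAULTS = {
    "postgresql": {("postgres", "postgres"), ("postgres", "")},
    "mysql": {("root", ""), ("root", "root")},
    "tomcat-manager": {("tomcat", "tomcat"), ("admin", "admin")},
    "ilo": {("Administrator", "password")},
}
DEFAULT_COMMUNITIES = {"public", "private"}
WEAK_GENERIC = {"", "admin", "password", "changeme", "123456"}

# net-snmp style lines such as "rocommunity public 10.0.0.0/8"
SNMP_COMMUNITY_LINE = re.compile(r"^\s*(ro|rw)community6?\s+(\S+)", re.IGNORECASE)


def audit_account(product, username, password):
    """Return the findings for one account; an empty list means nothing flagged."""
    findings = []
    if (username, password) in KNOWN_DEFAULTS.get(product, set()):
        findings.append(f"{product}: '{username}' still has the vendor default password")
    if password.lower() == username.lower():
        findings.append(f"{product}: '{username}' uses its own name as password")
    if password in WEAK_GENERIC:
        findings.append(f"{product}: '{username}' has an empty or generic password")
    return findings


def audit_snmpd_conf(text):
    """Flag default community strings in net-snmp style snmpd.conf text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = SNMP_COMMUNITY_LINE.match(line)
        if m and m.group(2).lower() in DEFAULT_COMMUNITIES:
            findings.append(
                f"snmpd.conf:{lineno}: {m.group(1).lower()}community '{m.group(2)}' is a default"
            )
    return findings


def audit_deployment(accounts, snmpd_conf):
    """Run both checks over the inventory gathered for a deployment."""
    findings = []
    for product, username, password in accounts:
        findings.extend(audit_account(product, username, password))
    findings.extend(audit_snmpd_conf(snmpd_conf))
    return findings


# Constructed inventory for a hypothetical deployment; not real credentials.
SAMPLE_ACCOUNTS = [
    ("postgresql", "postgres", "postgres"),
    ("mysql", "root", "S3cure!Pa55-rotate-me"),
    ("tomcat-manager", "admin", "admin"),
    ("ilo", "Administrator", "Administrator"),
]
SAMPLE_SNMPD_CONF = """\
# constructed snmpd.conf fragment
rocommunity public 10.0.0.0/8
rwcommunity private localhost
rocommunity n0t-a-d3fault-str1ng 10.0.1.0/24
"""

if __name__ == "__main__":
    for finding in audit_deployment(SAMPLE_ACCOUNTS, SAMPLE_SNMPD_CONF):
        print(finding)
```

Run it once when the inventory is first assembled and again before go-live, as Haber suggests; the point of the second pass is to catch credentials that were reset to a default during troubleshooting.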

2. Have You Missed Critical Security Updates?

Most regulatory frameworks (PCI DSS, for one) require critical security patches to be deployed within 30 days. It is also well established that the vast majority of breaches exploit known vulnerabilities with existing, publicly available exploits rather than zero-day flaws. Together these two facts paint a bullseye on corporate assets that fall behind on patching, making them an easy target for attackers.

“Hackers leverage off-the-shelf tools, downloadable exploitable scripts, social engineering, and other established attack vectors and tools to make those bullseyes easy to compromise,” warns Haber. “The longer you wait to patch critical vulnerabilities across desktops and servers, the larger and easier the bullseye is to hit. Especially with something like spear phishing attacks.”
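Measuring how big that bullseye is comes down to comparing each open finding's age against the patch SLA for its severity. The following is an added example in Python, not code from the article or from BeyondTrust: it parses a constructed vulnerability-scanner CSV export (the column names and the hosts are assumptions for this example) and reports findings past their SLA. The 30-day window for criticals is the figure the article cites; the windows for lower severities are assumed. Findings with no available fix are listed separately rather than dropped, because a report that only counts "patchable and overdue" quietly hides the hosts that can never be patched and need a mitigation instead.

```python
import csv
import io
from datetime import date

# Allowed days from first detection to deployment, per severity. The 30-day
# figure for criticals is the one the article cites; the rest are assumed.
PATCH_SLA_DAYS = {"critical": 30, "high": 30, "medium": 90, "low": 180}

# Constructed vulnerability-scanner export; hosts and findings are made up.
# first_seen is the date the scanner first reported the finding on that host.
SAMPLE_SCAN_CSV = """\
host,finding,severity,first_seen,fix_available
web-01,Web framework remote code execution,critical,2016-02-01,yes
web-01,Outdated TLS library,high,2016-03-10,yes
db-02,Weak SSH cipher suites,medium,2016-01-05,yes
wks-117,Browser plugin remote code execution,critical,2016-03-18,yes
wks-117,Unsupported Java runtime,critical,2015-12-01,no
"""

AS_OF = date(2016, 3, 23)  # fixed "today" so the example is reproducible


def parse_scan(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def overdue_findings(rows, today):
    """Split findings into those past their SLA and those with no fix.

    Findings without an available fix need a mitigation decision rather than
    a patch, so they are reported separately instead of silently dropping out
    of the overdue list (a common blind spot in SLA reports).
    """
    overdue, unfixable = [], []
    for row in rows:
        severity = row["severity"].lower()
        age = (today - date.fromisoformat(row["first_seen"])).days
        if row["fix_available"].lower() != "yes":
            unfixable.append((row["host"], row["finding"], age))
            continue
        if age > PATCH_SLA_DAYS.get(severity, 30):
            overdue.append((row["host"], row["finding"], severity, age))
    return overdue, unfixable


def exposed_hosts(overdue):
    """Hosts carrying at least one overdue finding: the 'bullseye' list."""
    return sorted({host for host, *_ in overdue})


def run_example():
    rows = parse_scan(SAMPLE_SCAN_CSV)
    return overdue_findings(rows, AS_OF)


if __name__ == "__main__":
    overdue, unfixable = run_example()
    for host, finding, severity, age in overdue:
        print(f"OVERDUE  {host}: {finding} ({severity}) open {age} days")
    for host, finding, age in unfixable:
        print(f"NO FIX   {host}: {finding} open {age} days, needs mitigation")
    print("hosts with overdue findings:", exposed_hosts(overdue))
```

On the constructed data only web-01 is overdue (a critical open for 51 days), while wks-117 carries an unpatchable critical that has been open for 113 days; in a real program that second category is where compensating controls such as network isolation or application whitelisting get decided.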

3. Close Doesn’t Count When Protecting Data

Dr. Chase Cunningham, Director of Cyber Threat Research for Armor, stresses that organizations should focus on protecting data. “While many companies are cruising along happily making money and operating as usual, there are asteroids hurtling towards them in cyberspace hell bent on causing destruction. Just as with NASA trying to observe the entire sky looking for dangerous Near-Earth objects, most companies are looking through the blackness trying to dial in on the one small moving particle of their network that might indicate malicious activity; all the while the bad guys are siphoning out corporate IP and information just outside the scope of the good guys’ viewfinder.”

More often than not this is not because companies aren't trying to do the right thing, and it is certainly not for lack of spending or technology. Near misses in detection happen simply because an entire network is too broad a space to cover comprehensively. Cunningham suggests that companies dial that viewfinder in on the 1 to 2 percent of the network where their data lives: the stuff the bad guys are actually after.

4. Be Careful Who You Trust

Former President Ronald Reagan was coached to use the Russian proverb "Trust, but verify" in his dealings with the Soviet Union. The same simple strategy applies to security.

A general rule of thumb is, "Don't turn on anything you don't understand." Malicious actors know that companies allow encrypted traffic in and out every day, so they encrypt their own command-and-control traffic, making it harder for network security tools to see it and flag it for human attention and remediation. Stan Black, CSO of Citrix, declares, "We obviously want the mouse trap to snap on their fingers before they can get out with any potentially harmful data. It's important to go back periodically and check on active security features and policies to make sure you've got the right access, rights, rules and trust in place; they're easier to enable than to revoke and SecOps teams have real threats to manage instead of monitoring how many people are sharing credentials."
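Encrypting command-and-control traffic hides the payload but not the timing, and "verify" here can mean looking at how outbound TLS connections behave rather than what they carry. The following is an added example in Python, not code from the article or from Citrix: it reads a constructed outbound connection log (the format, hosts and addresses are assumptions for this example) and flags source/destination pairs whose connections recur at nearly constant intervals, the signature of an implant sleeping between check-ins.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound connection log (timestamp, source host, destination,
# port), the sort of thing a firewall or Zeek conn.log export provides. The
# addresses are documentation ranges; none of this is real traffic.
SAMPLE_CONN_LOG = """\
2016-03-23T09:00:00 wks-117 203.0.113.10 443
2016-03-23T09:00:12 wks-117 198.51.100.7 443
2016-03-23T09:01:00 wks-117 203.0.113.10 443
2016-03-23T09:01:47 wks-117 198.51.100.7 443
2016-03-23T09:02:00 wks-117 203.0.113.10 443
2016-03-23T09:03:01 wks-117 203.0.113.10 443
2016-03-23T09:04:00 wks-117 203.0.113.10 443
2016-03-23T09:05:00 wks-117 203.0.113.10 443
2016-03-23T09:05:30 wks-117 198.51.100.7 443
2016-03-23T09:06:00 wks-117 203.0.113.10 443
2016-03-23T09:09:15 wks-117 198.51.100.7 443
"""


def parse_conn_log(text):
    events = []
    for line in text.splitlines():
        ts, src, dst, port = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return events


def find_beacons(events, min_connections=6, max_jitter=0.1):
    """Return (src, dst, mean_interval_seconds, jitter) for source/destination
    pairs whose connections arrive at nearly constant intervals.

    jitter is the coefficient of variation (stdev / mean) of the gaps between
    connections. A person browsing produces bursty, irregular gaps and scores
    high; an implant that sleeps for a fixed period between check-ins scores
    near zero. Nothing here needs the payload, so TLS does not hide it.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _port in events:
        by_pair[(src, dst)].append(ts)
    beacons = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue  # too few samples to say anything about regularity
        stamps.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else float("inf")
        if jitter <= max_jitter:
            beacons.append((src, dst, avg, round(jitter, 3)))
    return beacons


if __name__ == "__main__":
    for src, dst, avg, jitter in find_beacons(parse_conn_log(SAMPLE_CONN_LOG)):
        print(f"{src} -> {dst}: every {avg:.0f}s, jitter {jitter}")
```

On the constructed log, wks-117 talks to 203.0.113.10 every 60 seconds with almost no variation, while its connections to 198.51.100.7 are irregular and are ignored. Treat the output as a triage signal, not a verdict: legitimate software updaters and monitoring agents beacon too, and real implants add random jitter, so max_jitter and min_connections need tuning against your own baseline and the hits need to be checked against an allow list of known periodic services.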

5. Avoid a Near Miss With Effective Authentication

If you look back at most of the major breaches of the past couple of years, the attackers gained access and exfiltrated sensitive data using compromised credentials. Regardless of how the bad guys acquire the passwords, the reality is that, at the point of attack, the attacker is for all intents and purposes recognized as an authorized, legitimate user on your network.

Travis Greene, Identity Solutions Strategist at Micro Focus, notes that strong and multi-factor authentication techniques have progressed in convenience and simplicity to be more on par with the ubiquitous password, but that still may not be enough. “No matter how good your defenses, there are too many attackers and too many vulnerabilities to assume that you’re invincible. So there needs to be an investment in processes and technology to detect and disrupt attackers to minimize the exploit window. Security analytics is a rising method for identifying abnormal behavior and elevating it out of the galaxy of information that leaves most of us feeling lost in space.”

6. Detect the ‘Near Miss’ Before It’s Too Late

Organizations need a threat hunting strategy that detects attacker activity in the environment sooner, reducing attacker dwell time (the time an attacker spends undetected on your network) and heading off potential data breaches.

Avoid a ‘near miss’ by implementing a threat hunting strategy in your organization, proclaims Ravi Devireddy, co-founder and CTO of E8 Security. “Threat hunting is the practice of proactive, aggressive, and methodical discovery and pursuit of both known threats based on indicators of compromise (IoCs) and detection of unknown malicious behaviors within the organization. The goal of threat hunting is not about detecting malware, but more about identifying attacker presence, behaviors and movements and containing that activity as quickly as possible.”
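Devireddy's two halves of threat hunting, known threats via indicators and unknown behaviour via analytics, are also what tips 3 and 5 are asking for: watch the systems and accounts that reach the data, and catch the compromised credential that looks like a legitimate user. The following is an added example in Python, not code from the article or from E8 Security, Armor or Micro Focus: it runs three small hunts over a constructed authentication log (the log format, user names, addresses and the indicator list are all assumptions for this example). The first matches events against a list of known-bad IPs; the second builds a per-account baseline of source addresses and flags successful logins from anywhere new; the third flags a burst of failures followed by a success on the same account. Only the first needs an indicator.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication events (timestamp, user, source IP, result).
# The 203.0.113.0/24 range is reserved for documentation; none of this is real.
SAMPLE_AUTH_LOG = """\
2016-03-22T08:55:10 alice 10.1.4.22 success
2016-03-22T09:01:05 svc-backup 10.1.9.5 success
2016-03-22T09:10:44 bob 10.1.4.31 success
2016-03-22T17:02:03 alice 10.1.4.22 success
2016-03-23T02:13:09 alice 203.0.113.10 failure
2016-03-23T02:13:15 alice 203.0.113.10 failure
2016-03-23T02:13:21 alice 203.0.113.10 failure
2016-03-23T02:13:40 alice 203.0.113.10 success
2016-03-23T08:58:30 bob 10.1.4.31 success
2016-03-23T09:01:12 svc-backup 10.1.9.5 success
2016-03-23T09:01:50 svc-backup 10.1.4.31 success
"""

# Constructed indicator list, standing in for a threat-intel feed.
KNOWN_BAD_IPS = {"203.0.113.10"}

BASELINE_CUTOFF = datetime(2016, 3, 23)  # logins before this define "normal"


def parse_auth_log(text):
    events = []
    for line in text.splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result))
    return sorted(events)


def hunt_iocs(events, bad_ips):
    """Known-threat hunt: any event involving an indicator of compromise."""
    return [e for e in events if e[2] in bad_ips]


def hunt_new_sources(events, cutoff):
    """Behavioural hunt: a successful login from an IP the account never used
    during the baseline period. Catches stolen credentials and service
    accounts wandering onto workstations, with no indicator needed."""
    baseline = defaultdict(set)
    for ts, user, ip, result in events:
        if ts < cutoff and result == "success":
            baseline[user].add(ip)
    return [
        (ts, user, ip)
        for ts, user, ip, result in events
        if ts >= cutoff and result == "success" and ip not in baseline[user]
    ]


def hunt_failures_then_success(events, window=timedelta(minutes=5), min_failures=3):
    """Behavioural hunt: a burst of failures followed by a success on the same
    account, the signature of guessing or password spraying that worked."""
    recent_failures = defaultdict(list)
    hits = []
    for ts, user, ip, result in events:
        if result == "failure":
            recent_failures[user].append(ts)
            continue
        fails = [t for t in recent_failures[user] if ts - t <= window]
        if len(fails) >= min_failures:
            hits.append((ts, user, ip, len(fails)))
        recent_failures[user] = []
    return hits


def run_hunt(text=SAMPLE_AUTH_LOG):
    events = parse_auth_log(text)
    return {
        "ioc_hits": hunt_iocs(events, KNOWN_BAD_IPS),
        "new_sources": hunt_new_sources(events, BASELINE_CUTOFF),
        "failures_then_success": hunt_failures_then_success(events),
    }


if __name__ == "__main__":
    for hunt, hits in run_hunt().items():
        print(hunt, len(hits))
        for hit in hits:
            print("  ", *hit)
```

On the constructed log the indicator hunt and the behavioural hunts agree about alice's 2 a.m. login from the documentation range, but only the baseline hunt notices svc-backup authenticating from bob's workstation, which no indicator feed would ever list. A one-day baseline is far too short for production; the cutoff and the 5-minute window are tuning knobs, not recommendations.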

It may not be glamorous work, but it’s effective. Rook Security’s Patterson sums up, “The best way to prevent near misses and direct hits from happening is by being as proactive as possible in your monitoring and security programs. Like searching for asteroids in the dark expanse of space, it’s often long stretches of fruitless searching followed by blips of exhilarating success.”
