Only in the computer security world would I get taken to task for saying the defenses you apply should be directly related to the threats you face. That’s exactly what happened after I posted “The No. 1 problem with computer security” last week.
Several readers wrote to tell me how stupid I was for not including their pet threat defense project. Others wrote to say I did not sufficiently appreciate the threat of pass-the-hash attacks. Still others maintained I shouldn’t be proclaiming anything when many companies don’t have firewalls or up-to-date antivirus software, and so on.
Well, I don't lack for appreciation of any particular threat. As I said, each company should measure its own risks and respond accordingly.
If not having a firewall, for example, is one of the leading causes for exploitation at your company, then you should be on it, although I doubt a missing firewall is the root cause of your problems. Traditional firewalls only help when a service you are running is either unpatched or misconfigured -- if you have those problems, a firewall won't save you.
How do I know? Because most of the world has firewalls, and those companies are as exploited as the companies that lack them, because firewalls don’t stop many threats these days.
That’s the heart of my recommendations: Most companies do not look at the exploits that are most successful against them before they choose their security defenses.
The pass-the-hash obsession
Yes, I worry about pass-the-hash attacks, but they’re seldom used to break into a company.
Pass-the-hash attacks start by somehow convincing someone at the targeted company to provide logon credentials (through social engineering or a phishing attack) or by getting malicious software onto a machine (via social engineering, unpatched software, and so on). In almost all pass-the-hash attacks, the bad guys got past those supposedly secure firewalls by tricking users into doing something they shouldn’t have or by taking advantage of an insecure computer.
With any defense plan, I’m more worried about initial exploit techniques than what attackers did after they got inside. If you don’t fix how the bad guy got inside your environment, none of the defenses you muster to fight their individual attack methods will work in the long run.
Pass-the-hash/credential theft defenses illustrate my point. Vendors are starting to do a far better job at preventing credential theft, or at least they give customers a chance to implement better defenses. There are built-in features and third-party products that can substantially reduce the risk that an attacker who is already inside your defenses will be able to harvest all the credential hashes they like.
Let’s imagine for a moment that every customer in the world suddenly stopped all pass-the-hash attacks. They all went away -- stopped cold! Would that make every network administrator breathe a sigh of relief? I hope not. A successful pass-the-hash attack means the attackers bypassed every defense you had and ended up with the most elevated credentials in your network.
Signs of weakness
If you stop pass-the-hash attacks, attackers will simply install a keylogger or backdoor Trojan program or execute some other nastiness that will compromise you. The problem was never pass-the-hash attacks. The problem was you allowed the bad guy to get your most elevated credentials and use them with no authorization.
Let me put it another way: As the vendor Red Canary states, detecting relatively nonmalicious adware and pest software is as important as detecting regular malware. Why? Because adware and malware get into your system the same way, using the same methods. When your computers are compromised by adware, it means there are holes in your defenses. Adware infections should be a wake-up call.
In most cases, defenders worry too much about what the attackers did after they broke in and too little about how they broke in to begin with.
If attackers break into my house again and again because I’ve left my front door unlocked, perhaps I should lock my front door. I shouldn’t breathe a sigh of relief because they only stole food out of the refrigerator or played video games. Leaving the front door unlocked will only invite those thieves or others to come into my house and do even more damage. That’s essentially what most of us do when we fail to base security defenses on data about successful attacks.
Setting the baseline
In my perfect world, a computer security defense plan starts with a clear understanding of how badness breaks into the organization. It describes the attackers, what they’re hoping to accomplish, the assets they breach, and the overall risk to the organization. The risk evaluation part would include historical evidence of successful attacks and assess the most likely threats in the future.
This is similar to the report that the Joint Chiefs of Staff give to the President every year. It isolates the most likely threats facing the nation, the gaps, and the targets for training and deploying future resources. Everyone understands which threats are biggest, then comes together to fight them. These annual reports drive military budgets, open and close military bases, lead to new weaponry purchases, and put the kibosh on some projects.
Likewise, a security defense plan should always begin by clearly communicating the biggest risks and most successful exploits used against the company. Then the selected defenses should clearly state how much risk they would mitigate if deployed. For example:
- “If we better patch Oracle Java, it would mitigate 62 percent of successful exploits against us.”
- “If we tripled our efforts to better educate users, we could significantly reduce the risk of socially engineered attacks.”
- “If we implemented a two-factor authentication-only strategy, it would eliminate the risk of spear-phishing credentials, which would mitigate 27 percent of our highest risk compromises.”
If defenders were honest with themselves and looked at that data, they might see that “longer password” or “new network intrusion detection system” doesn’t give them as much value as they thought. On the other hand, longer and more complex passwords might be tremendously effective. The whole idea of data-driven defense is that your actual attack data drives decision making.
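A worked version of that data-driven ranking, as an added example that is not from the original column: it takes a constructed sample of past compromises, tallies them both by post-exploitation technique and by initial-access vector, and scores an assumed set of defenses by the share of break-ins each would have prevented. The incident records and the defense-to-vector mapping are assumptions made up for the example.

```python
from collections import Counter

# Constructed sample of successful compromises (not real data). Each record
# holds the initial-access vector (how the attacker got in) and the technique
# used once inside.
INCIDENTS = [
    {"id": 1, "initial_access": "unpatched_java", "post_exploitation": "pass_the_hash"},
    {"id": 2, "initial_access": "unpatched_java", "post_exploitation": "keylogger"},
    {"id": 3, "initial_access": "phished_credentials", "post_exploitation": "pass_the_hash"},
    {"id": 4, "initial_access": "unpatched_java", "post_exploitation": "pass_the_hash"},
    {"id": 5, "initial_access": "phished_credentials", "post_exploitation": "pass_the_hash"},
    {"id": 6, "initial_access": "social_engineering_malware", "post_exploitation": "backdoor_trojan"},
    {"id": 7, "initial_access": "unpatched_java", "post_exploitation": "data_theft"},
    {"id": 8, "initial_access": "misconfigured_service", "post_exploitation": "pass_the_hash"},
]

# Assumed mapping from candidate defenses to the initial-access vectors each
# one removes. Pass-the-hash hardening acts only after the break-in, so it
# closes no initial-access vector and scores zero here by design.
DEFENSES = {
    "patch Oracle Java": {"unpatched_java"},
    "require two-factor authentication": {"phished_credentials"},
    "expand user education": {"phished_credentials", "social_engineering_malware"},
    "harden against pass-the-hash": set(),
}

def count_by(incidents, field):
    """Tally incidents by one field ("initial_access" or "post_exploitation")."""
    return Counter(incident[field] for incident in incidents)

def mitigation_by_defense(incidents, defenses):
    """Percent of past compromises each defense would have prevented, judged by
    the initial-access vectors it removes; returned best defense first."""
    total = len(incidents)
    by_vector = count_by(incidents, "initial_access")
    scores = {name: round(100.0 * sum(by_vector[v] for v in vectors) / total, 1)
              for name, vectors in defenses.items()}
    return dict(sorted(scores.items(), key=lambda item: item[1], reverse=True))

def plan_lines(incidents, defenses):
    """Render the plan statements the column asks for, one per defense."""
    return [f"If we {name}, it would mitigate {pct} percent of successful exploits against us."
            for name, pct in mitigation_by_defense(incidents, defenses).items()]

if __name__ == "__main__":
    # Counting what attackers did after the break-in puts pass-the-hash on top;
    # counting how they got in ranks patching first.
    print("Most common post-exploitation technique:", count_by(INCIDENTS, "post_exploitation").most_common(1))
    for line in plan_lines(INCIDENTS, DEFENSES):
        print(line)
```

On this sample, pass-the-hash shows up in five of eight compromises, yet a defense aimed only at it scores zero because it addresses none of the ways the attackers got in.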
Trust evidence, not your gut
“Gut feelings” -- and guesses about which cool new technology might save your organization -- need to be fact-checked against the actual data. Most of us live in a world where we implement dozens of new security defenses each year. Management must be wondering: Why haven’t all that money and all those resources resulted in fewer successful attacks?
I have the answer: Most computer security defenders are taking their best guess rather than using the data that they could glean within their own organizations. It’s time to change that and make collecting and analyzing security data a first principle. In a few years, I’m hoping people will laugh to think we ever did it any other way.