Attackers are in the network, now what?

If attackers are inside the network, can disguise themselves and get close to sensitive corporate data, how can data be defended?


A growing number of security experts say the traditional model of a secure network perimeter is no longer meaningful and that companies should assume outsiders are already on the corporate network.

Adversaries have shown in recent months that they are quite capable of stealing credentials to authenticate and access systems containing sensitive data.

It is now only reasonable to assume that attackers are inside your network, that they can disguise themselves, and they can get close to sensitive information.

But what does this mean in terms of a defence strategy? How can organisations defend against malicious insiders and outsiders who have wormed their way inside the corporate network?

For a start, industry experts recommend doing whatever is possible to slow down attackers to buy time to identify potentially malicious behaviour and respond to it.

It is essential to have the necessary monitoring systems and risk assessment systems in place that can identify and respond to suspicious behaviour or at least alert the IT security team.

It is particularly important to have controls in place to restrict and monitor access to important data systems by privileged users.

Because these users typically have almost unfettered access to the network and connected systems, attackers either solicit or coerce their co-operation or target their user credentials.

Once an attacker is able to steal privileged user credentials, they are free to access and exfiltrate a company’s most sensitive data, unless the company has put in the necessary controls.

But relatively few organisations have begun implementing such controls, and recent events have shown that even the US National Security Agency (NSA) was unable to stop whistleblower Edward Snowden.

If there had been controls in place, Snowden is less likely to have been able to access and make copies of all the sensitive information he is now publishing.

Unsupervised access

No bank would allow a cleaning crew unsupervised access to the bank’s safety deposit boxes, yet many companies allow system administrators unfettered access to all their data, said Alan Kessler, CEO at data security firm Vormetric.

In the face of sophisticated adversaries either masquerading as authorised insiders or controlling insiders with privileged access, he said, companies can secure their data only by adopting a strategy that reduces the attack surface wherever possible.

An essential element is a security intelligence capability to detect suspicious behaviour quickly and respond before it is too late.

This includes the ability to control and monitor access to data to make it as difficult as possible for adversaries to masquerade as authorised users and access data without detection.

A fine-grained access control mechanism means privileged users can access only the systems and data relevant to their job. It also means they can perform only authorised actions on data.

Blocking any privileged users from issuing commands to switch user identity will effectively block system administrators from masquerading as database users to access sensitive data, said Kessler.

Any attempts by system admins to switch identity should also be logged and fed through to the risk management and security system for analysis and correlation.
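As an added illustration of the logging and correlation step (this is example code, not from the article or from Vormetric), the Python below parses constructed syslog-style `su` lines and flags every attempt by a privileged administrator to switch into an account that owns a sensitive data store; the host, user and account names and the log lines are all constructed.

```python
import re

# Constructed syslog-style su lines (the "(to <target>) <user> on <tty>"
# shape that Linux's pam/su logs); hosts, users and times are made up.
SAMPLE_LOG = """\
Mar 12 09:14:02 db01 su: (to oracle) alice on pts/0
Mar 12 09:15:47 db01 su: FAILED SU (to postgres) bob on pts/1
Mar 12 09:16:10 db01 su: (to bob) bob on pts/1
Mar 12 23:41:55 db01 su: (to postgres) carol on pts/2
"""

# Assumed inventory (constructed): accounts that own sensitive data stores,
# and the administrators who hold privileged OS access.
DATA_ACCOUNTS = {"oracle", "postgres"}
PRIVILEGED_ADMINS = {"alice", "bob", "carol"}

SU_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) su: "
    r"(?P<failed>FAILED SU )?\(to (?P<target>[^)]+)\) (?P<user>\S+) on (?P<tty>\S+)$"
)

def parse_su_events(text):
    """Return one dict per recognisable su line; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = SU_RE.match(line)
        if m:
            d = m.groupdict()
            d["failed"] = d["failed"] is not None
            events.append(d)
    return events

def flag_identity_switches(events):
    """Every attempt, successful or not, by a privileged admin to become an
    account that owns sensitive data goes to the risk system as an alert."""
    alerts = []
    for e in events:
        if e["user"] in PRIVILEGED_ADMINS and e["target"] in DATA_ACCOUNTS:
            alerts.append({
                "when": e["ts"], "host": e["host"], "admin": e["user"],
                "target": e["target"], "succeeded": not e["failed"],
                # a completed switch is the masquerade itself; a failed one
                # is still worth correlating with the admin's other activity
                "severity": "medium" if e["failed"] else "high",
            })
    return alerts
```

A switch by an admin into their own account (the third line) is ordinary and is not raised; in a real deployment the alerts would be shipped to the correlation engine rather than returned as a list.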

Cipher text encryption

Another way of ensuring data security is to enforce cipher text encryption on all data copied or moved from databases, so that even if unauthorised users reach the data, anything they copy or move out is rendered unintelligible.

But how can companies ensure data is secure when there is an increasing need to share data with partners and suppliers?

By applying role-based firewalls to data, said Kessler, it is still possible for several departments of a bank, for example, to contribute data for analysis on how best to market new products without each of the contributors having access to the data from other contributors.

The same approach can enable companies to take advantage of the economies of scale in using consolidated datacentres or cloud-based storage by ensuring that only authorised users have access to data under a specific set of conditions.

Extremely sensitive data, for example, may be accessed only during office hours from a company PC, or may be accessed after hours only from a specific laptop via a VPN (virtual private network) that uses multi-factor authentication.

Companies can put complex rule sets around data access without affecting productivity by making the decision-making process completely invisible to users and ensuring there is no performance impact on data systems.

Data firewalls can be tailored to the type of information an organisation is trying to protect. Unpublished quarterly financial results data, for example, is extremely confidential.

But organisations can reduce the likelihood of unauthorised access to extremely low levels by ensuring that such data can be accessed only by the chief financial officer (CFO) from a specific location, in a specific time period on a specific day.

Even if the CFO’s credentials are stolen, attackers will be unable to access the data because they are not using an authorised machine in an authorised location at an authorised time.
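The CFO rule above, worked as an added example (this is illustrative code, not the article's or any vendor's product): a small context-aware access check in Python that tests role, enrolled device, source network, weekday and hour, and names every failed condition so the risk system has something to correlate. The policy values, device identifier, network range and timestamps are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Policy and request shapes are assumptions for this example, not any
# product's API. All values below are constructed.
@dataclass(frozen=True)
class Policy:
    resource: str
    roles: frozenset        # roles allowed to read the resource
    networks: tuple         # CIDR strings counted as an authorised location
    devices: frozenset      # enrolled machine identifiers
    window: tuple           # (start_hour, end_hour), end exclusive
    weekdays: frozenset     # 0 = Monday

@dataclass(frozen=True)
class Request:
    user: str
    role: str
    device_id: str
    src_ip: str
    when: datetime
    resource: str

def evaluate(policy, req):
    """Return (allowed, failed_conditions). Each failed condition is named so
    a denial can be correlated with other events rather than just counted."""
    if req.resource != policy.resource:
        return False, ["resource"]
    failed = []
    if req.role not in policy.roles:
        failed.append("role")
    if req.device_id not in policy.devices:
        failed.append("device")
    if not any(ip_address(req.src_ip) in ip_network(n) for n in policy.networks):
        failed.append("location")
    if req.when.weekday() not in policy.weekdays:
        failed.append("day")
    if not policy.window[0] <= req.when.hour < policy.window[1]:
        failed.append("time")
    return not failed, failed

# Unpublished quarterly results: CFO role only, from the finance office
# network, on the CFO's enrolled laptop, 08:00-18:00 on a Thursday.
QUARTERLY_RESULTS = Policy("finance/q3-results", frozenset({"cfo"}),
                           ("10.20.0.0/16",), frozenset({"LAPTOP-CFO-01"}),
                           (8, 18), frozenset({3}))

# Legitimate access on a Thursday morning, and the same (stolen) credentials
# used from an unknown machine, an external address, late on a Saturday.
CFO_IN_OFFICE = Request("cfo", "cfo", "LAPTOP-CFO-01", "10.20.5.17",
                        datetime(2014, 10, 16, 10, 30), "finance/q3-results")
STOLEN_CREDS = Request("cfo", "cfo", "UNKNOWN-PC", "203.0.113.9",
                       datetime(2014, 10, 18, 23, 5), "finance/q3-results")
```

The stolen-credential request passes the role check, which is all a password proves, and is still refused on device, location, day and time.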

“Companies need to assume that credentials can be compromised because in just about all the recent high-profile data breach incidents, credentials were compromised at some point,” said Kessler.

By looking at how users are authenticating, what machines they are using, where they are located and the time of day, risk management systems are able to flag suspicious behaviour.

“We have to assume that attackers are extremely smart and sophisticated and change our data protection strategies accordingly, putting controls right on top of sensitive data,” said Kessler.

Such capabilities, however, need to be implemented in such a way that they are simple to deploy, invisible to the user and strong as controls, without affecting system performance.
