Many companies that are proud of their ability to identify and clean machines infected with malware are missing a trick and creating a false sense of security, says a veteran security expert.
“Many IT security teams are failing to think about how threats work,” said Rodney Joffe, senior technologist at communications and analysis firm Neustar.
The typical approach in many firms is to simply disinfect machines without looking at what happened from the moment of infection, he told Computer Weekly.
However, Joffe points out that in many of the so-called advanced persistent threat (APT) attacks his company is seeing, attackers are getting into organisations at a low level by targeting a receptionist’s machine, for example.
Once inside the network, attackers use the initial target “merely as a stepping stone” to move up the hierarchy until they reach their real target.
According to Joffe, many IT security teams are failing to recognise that while a receptionist’s machine has no value, it is in a direct path to the company executives.
“They don’t even begin to understand the importance of doing forensics, to track down infections as they move within corporate networks to machines that hold sensitive data,” he said.
Read more about APTs
- Privileged accounts key to most APT attacks, says Cyber-Ark
- AT&T takes APTs seriously
- Half of UK networks vulnerable to APTs
- APTs: Are they really a concern for all businesses?
- Hardening the network against targeted APT attacks
- Surviving cyberwar: Preparing for APTs, Stuxnet malware-style attacks
- Boost advanced persistent threat (APT) security levels in six steps
- Confusion over APT attacks leads to misguided security effort
A failure to track infections means that by the time data breaches are discovered, attackers have had access to the corporate network for months and even years without being detected.
Organisations within the public sector and defence industry are typically the best at coping with attacks that appear to be low level, but are in fact highly targeted at key information assets.
“These organisations cope with these attacks by building a group that is tasked with forensics and threat analysis to understand the motivations of attackers and trace where infections have gone or are trying to go,” said Joffe.
Threat analysts are no longer confined to anti-virus companies, but are becoming increasingly common in organisations that really understand the threat and the risk, he said.
“These organisations are hiring or training people to work through the process, understand the infection point as the starting point, not the end point; and then they trace all the internal contacts that occurred between that system and the rest of the company to its logical conclusion,” said Joffe.
The importance of this approach, he said, is underlined by cases where the theft of intellectual property that started with a single low-level compromise, has had a financial impact of hundreds of millions of dollars as happened with US chemical firm DuPont two and a half years ago.
Cyber security has become a top priority for governments, particularly in the UK and the US, where they recognise the potential threat of intellectual property theft on the economy, said Joffe.
“Companies need to understand what attackers are really targeting and realise that just because they are not aware of anything, it does not mean it is not happening,” he said.