Blogs :: Rich Cummings

About Rich Cummings

Mr. Cummings is the Chief Technology Officer at HBGary, Inc. where he leads the strategic vision, product development initiatives and go-to-market strategy for HBGary products and services. Rich has almost 30 years of computer experience and has been working to catch cybercriminals for over 12 years.

Rich's Red Pill - Cyber Blog


Preparing for Cyber Battle

One of the many problems I see with computer security today is that computer network defenders don't have offensive training and hacking experience. When Incident Responders don't have solid knowledge of offensive tactics, tools and methodologies, they become a liability with limited analytical value during a network breach investigation.

I see computer network defense a lot like playing defense in American football. The very best defensive players on the field work hard to read the offense and deduce its course of action before the ball is snapped. This wisdom comes only from years of experience, or from having played both offense and defense. Physical ability alone will not make a professional football player; it's the situational awareness and dynamic, on-the-fly thinking that is needed to become a professional player in the NFL, and likewise to become a professional network defender.

The type of cyber security expertise I'm talking about can only be gained through extensive knowledge and training in both offensive and defensive methodologies and capabilities. This doesn't mean that your entire incident response team needs the ability to identify zero-day vulnerabilities and write exploits. However, they should have working knowledge of hacker methodology: reconnaissance, planning the initial attack(s), lateral movement and data discovery, entrenchment and persistence, command and control, and so on. Being able to think like the adversary enables IR teams to recognize telltale signs of compromise far more rapidly than those who cannot, which can make all the difference in mitigating loss to the business or organization.

The phrase "Train like You Fight" has been used successfully for decades by the military in prepping soldiers for battle. It has since been extended to "Train like You Fight, because you will Fight like You Trained" when the bullets start flying. This is true of network intrusions and incident response work as well. Stress levels are very high during a network intrusion; people get emotional and make bad decisions. This is why testing your incident response teams can pay off big-time when the big one hits. Seasoned incident response professionals will show grace under pressure.

Every year the military and other government agencies will hold "Red Team/Blue Team" exercises to test each other's cyber security posture for detecting and responding to computer attacks. This concept involves cyber warriors (contractors and active duty soldiers) training in "real world conditions" or "simulations" of the battlefield. Special Operations Forces are well known for recreating simulations of an entire village to scale including the buildings, streets, communications towers, power generation stations, and other objects that can become both asset and liability under different scenarios.

A tremendous amount of time, money and human energy goes into these battle plans, preparations and contingencies. These real-world exercises provide invaluable insight and metrics which help senior leaders make more informed decisions and accomplish their mission. Most soldiers will tell you that playbooks go out the window when "bullets are flying". Likewise, this is true during a large-scale network intrusion. I've seen grown men cry after losing control of their network to hackers. When it comes down to it, the best incident response teams in the world will tell you it's all in the preparation and practicing… 90% preparation and 10% execution. Are you prepared?

- Rich Cummings

Posted by Rich Cummings on October 11, 2011 at 12:00am

Security Metrics That Matter Most – How Do You Measure Up?

Today industry professionals need to understand that it's not a question of whether an organization will be breached, but when. Based on my experience in the field, response time to contain the breach is critical. How quickly and effectively can an organization's IR team detect the intrusion, perform post-exploitation analysis, determine the scope of the breach, and remediate across 100,000 machines? Do they have the proper tools, training and authorization to make this happen quickly? The answer is probably no.

4 Disgraceful Information Security Facts

Fact 1: Most Common Breach Discovery Method is by a 3rd Party: According to the Verizon 2011 Data Breach Investigations Report, 86% of all data breaches are discovered by third parties and not by an organization's own computer security controls or personnel.

Opportunity 1: Spotlight On Threat Intelligence: Today organizations can't afford to wait until they hear from the FBI or another third-party that they have been breached. Instead, companies increasingly realize that they need to collect and analyze their own threat intelligence so they can respond faster and more cost-effectively.

One of the more common responses I hear from senior executives after their organization has been breached is, "What can we do or what product can we buy to prevent this from happening again?" Unfortunately nobody likes the answer - "There is no such product or silver bullet solution to prevent these attacks from succeeding 100% of the time". This is usually where the disconnect starts to happen between the analysts with "boots on the ground" in the fight and the C-Suite executives who want to spend their security budgets on traditional security solutions.

We security professionals need to do a better job educating C-level executives about the advanced unknown threats out there. My impression is that many security analysts, mid-level managers and senior leaders do not have access to the current and relevant threat intelligence needed to understand what their organizations are up against each day and night. Today it's imperative to understand the motives, means, and capabilities of attackers targeting your business in the cyber domain. This intelligence is very often the missing link CISOs and CIOs need to make business decisions, allocate budgets, and apply security resources more effectively.

Fact 2: Point of Entry to Compromise Statistics Reveal Risk Exposure: According to the Verizon 2011 Data Breach Investigations Report, in 53% of the investigated intrusions the attackers had days, weeks or months of continued remote access before exfiltrating any information or files.

Opportunity 2: Build Your IR Team for Success: The attackers took a significant amount of time before stealing any information. Why? We can only speculate that it took the attackers this long to locate the targeted information and accomplish their mission. Key Point: Understanding and exploiting the adversary's timeline above can tip the scales on whether the CISO still has a job after the incident investigation is completed. This type of intelligence is critical to mitigating overall exposure and loss during a breach.

Based on these statistics, your internal security teams have a small window of opportunity to detect and remediate most breaches before real damage occurs. However, this requires having the right incident response team, tools and processes in place to investigate all machines in the enterprise at the push of a button.

This requires "Forensic-Level See and Search across All Workstations and Servers"

  • Random Access Memory (low level diagnostic)
  • Physical Disk (low level diagnostic)
  • Live Operating System (high level diagnostic)
  • Registry
  • Log Files

Fact 3: Compromise to Discovery Takes Too Long: According to the Verizon 2011 Data Breach Investigations Report, 91% of organizations took days, weeks or months to discover the compromise.

Opportunity 3: Look Into Behavioral Malware Detection to Complement Existing Antivirus: This metric highlights the challenges enterprises face in detecting unknown malware and targeted threats. Signatures can only detect and block known threats. By using behavioral-analysis tools such as Digital DNA to detect unknown threats, organizations gain critical visibility into an attacker's intentions and actions, which helps identify zero-day malware and advanced threats during incident response. Behavioral detection can often see and identify new or unknown malware that has slipped past traditional protections and defenses.

Fact 4: Discovery to Containment Statistics Are Abysmal: According to the Verizon 2011 Data Breach Investigations Report, 87% of investigated intrusions took days, weeks or months to contain.

Opportunity 4: Build Enterprise Incident Response Architecture: When one compromised workstation or server is found, most organizations don't have the proper security tools and training to perform post exploitation analysis and extract the threat intelligence and metadata from the compromised hosts - this data is often needed to accurately determine the magnitude and scope of the network intrusion.
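The four facts above are all figures an organization can compute for its own incidents. The following is an added example (not code from the original post or from any HBGary product) that takes a small set of constructed incident records, buckets each phase onto the same minutes/hours/days/weeks/months scale the report uses, and produces the four numbers plus one more that Opportunity 2 implies: how often the defenders found the intrusion before any data left. The incident records, bucket boundaries and field names are all assumptions made for the example.

```python
"""Breach-timeline scorecard in the style of the DBIR buckets quoted above.

Added example, not part of the original post or of any HBGary product.
The incident records and bucket boundaries are constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed incident records. Each timestamp marks one of the phases the
# four facts discuss; None means the phase never occurred (no exfiltration).
INCIDENTS = [
    {"id": "INC-01", "compromise": "2011-01-03T09:12", "exfil": "2011-01-03T11:40",
     "discovery": "2011-03-20T14:00", "containment": "2011-03-22T09:30", "discovered_by": "third_party"},
    {"id": "INC-02", "compromise": "2011-02-10T22:05", "exfil": "2011-02-18T03:15",
     "discovery": "2011-02-21T10:00", "containment": "2011-02-21T16:30", "discovered_by": "internal"},
    {"id": "INC-03", "compromise": "2011-03-01T08:00", "exfil": None,
     "discovery": "2011-03-01T08:45", "containment": "2011-03-01T12:00", "discovered_by": "internal"},
    {"id": "INC-04", "compromise": "2011-04-05T13:30", "exfil": "2011-04-06T02:00",
     "discovery": "2011-05-30T09:00", "containment": "2011-06-14T17:00", "discovered_by": "third_party"},
    {"id": "INC-05", "compromise": "2011-05-12T07:00", "exfil": "2011-05-14T19:00",
     "discovery": "2011-05-16T11:00", "containment": "2011-05-20T15:00", "discovered_by": "internal"},
    {"id": "INC-06", "compromise": "2011-06-01T00:00", "exfil": "2011-08-15T03:00",
     "discovery": "2011-08-20T08:00", "containment": "2011-09-25T09:00", "discovered_by": "third_party"},
    {"id": "INC-07", "compromise": "2011-07-07T10:00", "exfil": "2011-07-07T10:30",
     "discovery": "2011-07-09T09:00", "containment": "2011-07-09T10:00", "discovered_by": "third_party"},
    {"id": "INC-08", "compromise": "2011-08-02T11:00", "exfil": "2011-08-11T11:00",
     "discovery": "2011-08-18T16:00", "containment": "2011-08-19T09:00", "discovered_by": "third_party"},
]

# Bucket upper bounds (exclusive); the last bucket is open-ended. Assumed cut-offs.
BUCKETS = [
    ("minutes", timedelta(hours=1)),
    ("hours", timedelta(days=1)),
    ("days", timedelta(days=7)),
    ("weeks", timedelta(days=30)),
    ("months", None),
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")

def bucket(delta):
    """Map an elapsed time onto the minutes/hours/days/weeks/months scale."""
    for name, limit in BUCKETS:
        if limit is None or delta < limit:
            return name

def phase_delta(incident, start, end):
    """Elapsed time between two phases, or None if either never happened."""
    if incident[start] is None or incident[end] is None:
        return None
    return parse(incident[end]) - parse(incident[start])

def phase_distribution(incidents, start, end):
    """Number of incidents per bucket for the given pair of phases."""
    counts = {name: 0 for name, _ in BUCKETS}
    for inc in incidents:
        delta = phase_delta(inc, start, end)
        if delta is not None:
            counts[bucket(delta)] += 1
    return counts

def pct(part, whole):
    return round(100.0 * part / whole, 1) if whole else 0.0

def share_days_or_longer(incidents, start, end):
    """Percentage of applicable incidents where the phase took days or more."""
    counts = phase_distribution(incidents, start, end)
    slow = counts["days"] + counts["weeks"] + counts["months"]
    return pct(slow, sum(counts.values()))

def third_party_discovery_pct(incidents):
    return pct(sum(1 for i in incidents if i["discovered_by"] == "third_party"), len(incidents))

def beat_attacker_to_data_pct(incidents):
    """Share of incidents discovered before any data left (or where none left)."""
    won = sum(1 for i in incidents
              if i["exfil"] is None or parse(i["discovery"]) < parse(i["exfil"]))
    return pct(won, len(incidents))

def scorecard(incidents):
    """The four figures from the post, computed over your own incident data."""
    return {
        "fact1_third_party_discovery_pct": third_party_discovery_pct(incidents),
        "fact2_entry_to_exfil_days_or_longer_pct": share_days_or_longer(incidents, "compromise", "exfil"),
        "fact3_compromise_to_discovery_days_or_longer_pct": share_days_or_longer(incidents, "compromise", "discovery"),
        "fact4_discovery_to_containment_days_or_longer_pct": share_days_or_longer(incidents, "discovery", "containment"),
        "beat_attacker_to_data_pct": beat_attacker_to_data_pct(incidents),
    }

if __name__ == "__main__":
    for key, value in scorecard(INCIDENTS).items():
        print(f"{key}: {value}%")
```

On the constructed data the scorecard comes out at 62.5% third-party discovery, 57.1% of intrusions with days or more between entry and exfiltration, 87.5% taking days or more to discover, 50% taking days or more to contain, and the defenders beating the attacker to the data in only 12.5% of cases. The point of the exercise is the last number: the gap between entry and exfiltration is only an opportunity if discovery lands inside it, so track that figure alongside the four above.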

Security Posture Questions All Organizations Should Be Prepared To Answer:

  1. What tools and processes do you have in place to investigate security events?
    1. How long does it take?
    2. Does the solution scale?
  2. Does my IR team have tools to forensically see and search, in parallel, tens of thousands of machines: physical memory, physical disks, live operating system, registry, behavioral detection?
  3. How long does it take to investigate a high-priority IDS alert such as "Machine sending 1GB rar file to known bad IP address" and confirm whether the attack was successful or not?
    1. This should be less than an hour
  4. What is the time it takes your info-sec team to remotely triage a host from an IDS alert to confirm whether the attack was successful or not?
  5. Once a breach has been confirmed on one workstation or server, how long does it take your info-sec team to perform post exploitation analysis and extract meaningful threat intelligence from the host?
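Questions 3 to 5 describe one workflow: take the IDS alert, pull process, socket and file state from the named host, and decide whether the transfer actually happened and which process did it. The following is an added example (not code from the original post or from any HBGary product) of that triage step. The alert, the known-bad list and the host artifacts are constructed and deliberately simplified stand-ins for what a remote collection would return; the field names and the six-hour staging window are assumptions made for the example.

```python
"""Triage an IDS alert against host artifacts to answer "did it succeed?".

Added example, not part of the original post or of any HBGary product.
Alert, intel list and host artifacts are constructed; their formats are
simplified stand-ins for a real process/socket/file collection.
"""
from datetime import datetime, timedelta

TS = "%Y-%m-%dT%H:%M:%S"

# Constructed IDS alert, in the shape of the post's example.
ALERT = {
    "time": "2011-08-19T02:14:07",
    "src": "10.20.31.44",
    "dst": "203.0.113.17",
    "dst_port": 443,
    "bytes_out": 1_073_741_824,  # about 1 GB
    "message": "Machine sending 1GB rar file to known bad IP address",
}
KNOWN_BAD_IPS = {"203.0.113.17", "198.51.100.9"}  # constructed intel feed

# Constructed artifacts collected from 10.20.31.44 shortly after the alert.
PROCESSES = [
    {"pid": 612, "name": "services.exe", "path": "C:\\Windows\\System32\\services.exe", "user": "SYSTEM", "ppid": 4},
    {"pid": 1312, "name": "svchost.exe", "path": "C:\\Windows\\System32\\svchost.exe", "user": "SYSTEM", "ppid": 612},
    {"pid": 2840, "name": "explorer.exe", "path": "C:\\Windows\\explorer.exe", "user": "CORP\\jsmith", "ppid": 2788},
    {"pid": 3916, "name": "svchost.exe", "path": "C:\\Users\\jsmith\\AppData\\Local\\Temp\\svchost.exe", "user": "CORP\\jsmith", "ppid": 2840},
]
CONNECTIONS = [  # (pid, remote_ip, remote_port, state)
    (1312, "10.20.1.5", 445, "ESTABLISHED"),
    (3916, "203.0.113.17", 443, "ESTABLISHED"),
]
RECENT_FILES = [  # (path, size_bytes, modified)
    ("C:\\Users\\jsmith\\AppData\\Local\\Temp\\~df3a.rar", 1_073_741_824, "2011-08-19T01:58:20"),
    ("C:\\Users\\jsmith\\Documents\\q3-forecast.xlsx", 2_443_120, "2011-08-18T16:10:00"),
]

SYSTEM_BINARY_NAMES = {"svchost.exe", "services.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
ARCHIVE_SUFFIXES = (".rar", ".zip", ".7z")

def parse(ts):
    return datetime.strptime(ts, TS)

def connection_owner(alert, connections):
    """PID of the process holding a socket to the alerted destination, or None."""
    for pid, ip, port, _state in connections:
        if ip == alert["dst"] and port == alert["dst_port"]:
            return pid
    return None

def process(pid, processes):
    return next((p for p in processes if p["pid"] == pid), None)

def lineage(pid, processes):
    """Parent chain of process names, child first, as far as the data goes."""
    names = []
    while (proc := process(pid, processes)) is not None:
        names.append(proc["name"])
        pid = proc["ppid"]
    return names

def masquerading(proc):
    """A system-binary name running from outside the Windows directory."""
    return (proc["name"].lower() in SYSTEM_BINARY_NAMES
            and not proc["path"].lower().startswith("c:\\windows\\"))

def staged_archives(alert, files, window=timedelta(hours=6), tolerance=0.10):
    """Archives of roughly the alerted size written shortly before the alert."""
    alert_time = parse(alert["time"])
    hits = []
    for path, size, modified in files:
        if not path.lower().endswith(ARCHIVE_SUFFIXES):
            continue
        if abs(size - alert["bytes_out"]) > tolerance * alert["bytes_out"]:
            continue
        if timedelta(0) <= alert_time - parse(modified) <= window:
            hits.append(path)
    return hits

def triage(alert, processes, connections, files, known_bad):
    """Confirm or refute the alert and pull the post-exploitation leads."""
    result = {"dst_known_bad": alert["dst"] in known_bad,
              "archives": staged_archives(alert, files)}
    pid = connection_owner(alert, connections)
    proc = process(pid, processes) if pid is not None else None
    if proc is not None:
        result.update(verdict="confirmed", pid=pid, process_path=proc["path"],
                      user=proc["user"], lineage=lineage(pid, processes),
                      masquerading=masquerading(proc))
    elif result["archives"]:
        result["verdict"] = "probable"  # staging seen, socket gone: pull memory next
    else:
        result["verdict"] = "not_confirmed"
    return result

if __name__ == "__main__":
    for key, value in triage(ALERT, PROCESSES, CONNECTIONS, RECENT_FILES, KNOWN_BAD_IPS).items():
        print(f"{key}: {value}")
```

On the constructed data the verdict is "confirmed": pid 3916 holds the socket to the known-bad address, it is an svchost.exe running from the user's Temp directory under explorer.exe (so launched from the user's session, not by the service control manager), and a 1 GB .rar written sixteen minutes before the alert sits beside it. Those three facts are exactly the threat intelligence question 5 asks for, and they come out of artifacts that can be collected remotely in minutes. If the socket has already closed by the time the host is reached, the archive alone downgrades the verdict to "probable", which is the cue to collect physical memory rather than close the ticket.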

Conclusion

The computer security industry thus far has mostly been made up of security assessment, protection, and detection solutions. Most large organizations have purchased and deployed all of them in their networks. Yet network intrusions are at an all-time high. If you're looking to dramatically improve your security posture, stop investing in protection solutions and instead spend your money on technologies and training to help your staff perform enterprise incident response investigations; ultimately every organization's computers will be compromised by malware, whether targeted or opportunistic. Enterprise solutions such as HBGary Active Defense can quickly and cost-effectively reduce risk to your organization. How you respond, and how long it takes, is critical to minimizing your loss and maybe even saving your job.

-- Rich Cummings

Posted by Rich Cummings on August 22, 2011 at 12:00am