SAS: Learn from your Attackers

Monday, February 4, 2013 @ 07:02 PM gHale

By Gregory Hale
The most cost-effective way to manage security is not to build defenses that try to keep every attacker out, but to build defenses that ensure attackers who do get in cannot get out with what they came for.

“I am not going to worry about getting into the network; that is not the thing,” said Steve Adegbite, director of cyber security strategies at Lockheed Martin, at the Kaspersky Lab Security Analyst Summit (SAS) in Puerto Rico Monday. “They are getting into your network to steal data; the goal is to not allow the attackers to get out.”


“The investment to stop people from coming in is way too high,” Adegbite said. “The cost of not letting people out is a lot less.”

As a huge defense contractor, Lockheed Martin is under attack every day, so it needs a solid defense plan and has to make sure everyone stays on track. “We do get targeted every day,” Adegbite said. “How can you produce security for the front door, when it doesn’t have a lock?”

“We wanted to understand what was good traffic coming in and what kind of traffic was going out,” he said.

Knowing they needed a plan, the team built one around the sequence of steps an attacker has to go through to reach a goal. Adegbite called it the Cyber Kill Chain.

It has seven steps to watch for: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives.

The goal, Adegbite said, is to keep the attacker from reaching step seven, actions on objectives. If they get to that step and achieve it, they win.

“Attackers are quiet and stealthy,” Adegbite said. “The key goal is to not let them get to Step Seven. It doesn’t matter what they do until they get to that step. If we can stop them at Step two then we are better off.”
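The kill-chain model above suggests a simple operational check: tag each detection with the phase it evidences, track how far each intrusion has progressed per host, and raise the alarm while there is still a step left before step seven. The Python below is an added example, not Lockheed Martin's code or tooling; its key=value log format, classifier rules, host names and events are all constructed for illustration, and the phase a given event maps to is an assumption a real team would calibrate against its own sensors.

```python
import re
from collections import defaultdict

# The seven Cyber Kill Chain phases, in order, numbered 1..7 as in the article.
PHASES = (
    "reconnaissance",
    "weaponization",
    "delivery",
    "exploitation",
    "installation",
    "command_and_control",
    "actions_on_objectives",
)
PHASE_NUMBER = {name: i + 1 for i, name in enumerate(PHASES)}

# Illustrative classifier rules (assumed, not Lockheed Martin's): a regex over one
# line of the constructed key=value log format below, and the phase it maps to.
RULES = (
    (r"type=web .*uri=/(?:robots\.txt|sitemap\.xml|\.git/)", "reconnaissance"),
    (r"type=mail .*attachment=\S+\.(?:docm|xlsm|scr|js)\b", "delivery"),
    (r"type=edr .*parent=(?:WINWORD|EXCEL|POWERPNT)\.EXE child=(?:powershell|cmd|wscript)\.exe", "exploitation"),
    (r"type=edr .*action=registry_write key=\S*\\CurrentVersion\\Run\\", "installation"),
    (r"type=proxy .*direction=out .*category=uncategorized", "command_and_control"),
    (r"type=proxy .*direction=out .*bytes_out=\d{8,}\b", "actions_on_objectives"),
)
COMPILED_RULES = [(re.compile(p), PHASE_NUMBER[phase]) for p, phase in RULES]
HOST_RE = re.compile(r"\bhost=(\S+)")

# Constructed sample log (hypothetical hosts and addresses): one spear-phish hitting two
# workstations, a scan of a web server, and a large outbound transfer from a host that
# no earlier-phase sensor flagged.
SAMPLE_LOG = r"""
2013-02-04T09:12:01 type=web host=www01 src=203.0.113.7 uri=/robots.txt
2013-02-04T09:40:17 type=mail host=ws-117 from=hr-update@example.net attachment=benefits.docm
2013-02-04T09:41:03 type=edr host=ws-117 parent=WINWORD.EXE child=powershell.exe
2013-02-04T09:41:09 type=edr host=ws-117 action=registry_write key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater
2013-02-04T09:42:30 type=proxy host=ws-117 direction=out dst=203.0.113.55 category=uncategorized bytes_out=412
2013-02-04T10:15:00 type=proxy host=ws-117 direction=out dst=203.0.113.55 category=uncategorized bytes_out=418
2013-02-04T11:03:44 type=mail host=ws-042 from=hr-update@example.net attachment=benefits.docm
2013-02-04T11:03:50 type=edr host=ws-042 parent=WINWORD.EXE child=powershell.exe
2013-02-04T11:20:00 type=proxy host=ws-201 direction=out dst=198.51.100.9 category=uncategorized bytes_out=734003200
2013-02-04T11:21:12 type=proxy host=ws-042 direction=out dst=www.example.com category=business bytes_out=2048
"""


def classify(line):
    """Return the phase number (1..7) for one log line, or 0 if no rule matches.
    A line matching several rules is filed under the furthest phase, because that
    is the one the defender has to react to."""
    return max((phase for rx, phase in COMPILED_RULES if rx.search(line)), default=0)


def track(log_text):
    """Map host -> sorted list of phase numbers observed for that host."""
    seen = defaultdict(set)
    for line in log_text.strip().splitlines():
        phase = classify(line)
        if not phase:
            continue
        m = HOST_RE.search(line)
        seen[m.group(1) if m else "unknown"].add(phase)
    return {host: sorted(phases) for host, phases in seen.items()}


def furthest_phase(seen, host):
    """The furthest step reached on a host; 7 means the attacker acted on objectives."""
    return max(seen.get(host, [0]))


def triage(seen):
    """Bucket hosts by how far the intrusion got: already at step seven, at step six
    (the last chance to stop data leaving), or earlier (monitor and learn)."""
    buckets = {"objectives_reached": [], "stop_before_step_seven": [], "monitor": []}
    for host in sorted(seen):
        reached = furthest_phase(seen, host)
        key = ("objectives_reached" if reached == 7
               else "stop_before_step_seven" if reached == 6
               else "monitor")
        buckets[key].append(host)
    return buckets


def detection_gaps(seen, host):
    """Phases before the furthest one reached that produced no event on this host.
    These are the blind spots to feed back into the security program; weaponization
    happens on the attacker's side and is usually only inferred afterwards."""
    reached = furthest_phase(seen, host)
    observed = set(seen.get(host, []))
    return [PHASES[n - 1] for n in range(1, reached) if n not in observed]


if __name__ == "__main__":
    progress = track(SAMPLE_LOG)
    for bucket, hosts in triage(progress).items():
        print(bucket, hosts)
    for host in progress:
        print(host, "reached step", furthest_phase(progress, host), "gaps:", detection_gaps(progress, host))
```

Run as-is, the sample puts ws-117 in the stop-before-step-seven bucket (phishing, macro, persistence and beaconing all seen, nothing exfiltrated yet), ws-042 under monitor (it only got as far as exploitation) and ws-201 under objectives reached, where the gap list shows that every earlier phase went unobserved on that host: exactly the kind of lesson the article says Lockheed feeds back into its defenses.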

In quite a few cases, when a company discovers an ongoing attack, its first instinct is to get the attackers out as soon as possible. That is not always the right move, Adegbite said. Instead of closing the door on the attackers immediately, Lockheed’s team would monitor their activity to see what they were doing, where they were going and what tactics they used. That educated the defenders and gave context for future attacks.

That actually happened at Lockheed when an attacker did get in and the company was able to watch them and learn from them.

Lockheed’s security team saw the attackers trying, and failing, to access various resources. They monitored the attackers and then shut the attack down before any vital information was taken. Preventing attackers from getting anything useful off a network is far more important than trying to prevent every attacker from getting in, he said.

“Take the attack and route it to an area to learn from it,” Adegbite said. “Then apply the defenses to your security program.”
