Looking Ahead: The State of Incident Detection and Response in 2015

2014 brought about a multitude of high-profile breaches, critical vulnerabilities, and newly discovered threat groups. Has this exposure and awareness changed the way companies are approaching security, incident detection, and containment and response? How will targeted attacks continue to evolve? I sat down with Ryan Kazanciyan, Technical Director at Mandiant, to learn more about what we can expect in 2015.

[JB]

It seemed like each week in 2014 brought about a new, highly publicized breach. Are organizations doing enough to detect or stop these attacks?

[RK]

There's no question that these well-publicized incidents have led to more leadership scrutiny towards companies' security posture than I've ever seen in the past - especially focusing on the questions "Are we compromised?" and "If we were compromised, how quickly could we contain, respond, and remediate?"

Executing on those concerns has often had mixed results. In my experience, many organizations have scrambled to implement point-solution security technologies where they perceive they have gaps. This approach helps buy some time and coverage, but is not a long-term substitute for making fundamental improvements to their core platforms and architecture. We still regularly encounter companies that have flat internal networks that permit any-to-any traffic; that leverage six-year-old Active Directory technology lacking many of the newly implemented security features; that do not implement key controls, such as application whitelisting, on critical systems like domain controllers.

Without making these improvements, companies can get caught in a cycle of perpetually buying new single-feature security products to chase emerging attack vectors. They also will struggle to tune out the noise that inevitably results when detection and prevention technologies are implemented in an overly permissive environment.

[JB]

As the retail industry works to secure Point of Sale systems and adopt standards like EMV, how will attacks against this industry and credit card data evolve? What is the next "big thing"?

[RK]

Points of attack will shift to the next-weakest point(s) along the chain of systems and organizations involved in the end-to-end transaction process. If attackers are unable to compromise credentials from PCs to which card terminals are attached, they may expend more effort on the terminal devices themselves. Payment processor networks likely will continue to be popular targets, especially since their compromise can yield a large volume of data from multiple merchants in a short period of time. And there are many other types of financial attacks beyond card data theft, such as issuing fraudulent transactions or redirecting funds to illicit accounts.

Financial cybercrime will never just disappear. But my hope is that over time, adoption of technologies like EMV may reduce the frequency and scale of cardholder data theft incidents.

[JB]

Does the emergence of highly impactful hacktivism and destructive attacks change the threat landscape?

[RK]

The weaknesses that allow targeted attackers to gain access to an environment, move laterally, and steal data are largely the same as those exploited for defacement or destruction. An attacker's motivations are the distinguishing factor - not vulnerabilities. Over the years, we've often espoused the importance of hitting the remediation "strike zone" in which an organization is best prepared to successfully drive out an attacker, based on understanding the nature and scope of an incident. Differing attacker motivations really emphasize the need to quickly and accurately assess intrusions, understand TTPs, and implement effective containment measures.

[JB]

Last year also included the release of many "named" vulnerabilities, such as "Heartbleed", that received significant publicity and attention among security professionals. Did the use of these vulnerabilities result in an accompanying increase in the number of successful targeted attacks?

[RK]

We certainly conducted investigations in which adversaries took advantage of vulnerabilities like Heartbleed and Shellshock to gain access to victim organizations. For example, back in April 2014 we blogged about attackers using Heartbleed to bypass VPN authentication. But in general, the emergence of these high-profile vulnerabilities did not result in a measurable, commensurate increase in the number of compromised entities - at least within the scope of targeted attacks. The "equation" was already imbalanced: motivated attackers already have a surplus of potential victims susceptible to many readily exploitable weaknesses.

[JB]

Have attackers adopted more sophisticated techniques to remain undetected in compromised environments? How do you expect these trends to evolve in 2015?

[RK]

We are certainly seeing a continued reduction in intruders' reliance on traditional malware for the post-compromise stages of an attack. One of the most common examples is use of a victim's VPN for remote access in lieu of backdoors, after an attacker has compromised end-user credentials. Four out of the six investigations in which I was directly involved in 2014 included a compromised VPN - I consider that a pretty sobering statistic.

Last year we also saw an increased adoption of built-in Windows mechanisms like PowerShell and Windows Management Instrumentation (WMI) for lateral movement, credential harvesting, and persistence. These aren't new components of Windows, but in the past most attackers largely ignored them in favor of more basic techniques or the use of standalone utilities and malware. Use of WMI and PowerShell can reduce an attacker's need for malicious binaries on disk, and result in a smaller forensic footprint on compromised systems.