Timing is everything when it comes to security threats: FireEye's Rich Costanzo

As many security professionals know, timing is everything when it comes to detecting and responding to security threats. That was the message from FireEye's Rich Costanzo in his presentation at the AusCERT 2014 conference, where he gave examples showing just how crucial timing is.

In his presentation, "CyberSecurity: The Final Frontier", Costanzo used a Star Trek episode about time travel to illustrate the effect time has on security.

Costanzo also quoted Symantec's senior vice president for Information Security, Brian Dye, who recently said "antivirus is dead". Only about 45 per cent of cyberattacks are prevented by up-to-date anti-virus software, he said.

Time to detect

According to FireEye's research, threats are active for an average of 229 days before detection. For example, the Ephemeral Hydra attack used compromised websites to attack vulnerable systems and exfiltrate data.

Ephemeral Hydra uses a ROP (Return Oriented Programming) chain to construct a piece of malware on the infected client. That malware, assembled on the infected machine from the chain, uses msvcrt.dll to download additional code into memory, which can then commence Command and Control communications to exfiltrate data.

The challenge with Ephemeral Hydra is that the malware only exists in memory, he said. If the infected system is powered down or restarted, the malware disappears. Given that many systems are restarted more often than the 228-day average detection time, it's possible that many organisations infected by Ephemeral Hydra are never aware of the problem.

Clandestine Fox is an Internet Explorer zero-day that was first identified in April this year. The process from detection to confirmation and informing Microsoft took less than 24 hours. Although there was a technology aspect, Costanzo emphasised that getting people to communicate was the critical element.

One of the elegant things about this attack was the way infected websites were used to deliver and activate the malicious payload, he said. Rather than depending on a single piece of malware on the website, Clandestine Fox uses a combination of Flash and JavaScript to attack a vulnerability in Internet Explorer.

How threats propagate

Costanzo had a very strong message for anyone still running Windows XP – upgrade.

With Clandestine Fox, the time it took between detection and its arrival in Australia was less than three days. As it specifically attacked Windows, it was aided by the similarities between different versions of Windows.

According to data Costanzo presented, 92 per cent of the threats that affect Windows work across different Windows versions. However, Windows XP, as the oldest version of Windows in wide use, lacks many of the security controls added to later versions. This means that if a malware developer can create an attack for a recent version of Windows, they can distribute a simplified version to Windows XP.

Time to respond

Being able to quickly detect and respond to an attack is critical, said Costanzo.

"You want to prevent theft of your assets and IP. You want to prevent the cost of your response, disruption to your business and the reputational risk."

He said that in order to optimise the time to respond to a threat, you need three separate elements: people, process and technology. There's no single silver bullet; you need all of them, according to Costanzo.

The trouble is that the number of different threats and attackers is so large that it is becoming impossible to manually process all of the incoming data and make effective decisions in timeframes that protect the business. Costanzo's answer is to automate as much as possible, right up to the point where a human decision is needed.

While remediation might take several hours or days, Costanzo said that a world-class security response is one hour from detection to response initiation.
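The three response ideas above (measure time to detect, automate up to a decision point, and hold response initiation to a one-hour target) can be made concrete in a small triage routine. The following is an added example, not code from the article or from FireEye: it takes constructed alert records, computes each alert's dwell time (first activity to detection) and time from detection to response, applies a hypothetical policy that auto-isolates hosts for high-severity alerts while leaving the final call to an analyst, and reports which alerts missed the one-hour target. The alert fields, severities and policy thresholds are all assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Targets quoted in the talk: response should start within one hour of
# detection; FireEye reported an average of 229 days of activity before detection.
RESPONSE_TARGET = timedelta(hours=1)
REPORTED_AVERAGE_DWELL_DAYS = 229

# Hypothetical policy (assumption): these severities get automated containment
# immediately, but an analyst still makes the final decision.
AUTO_CONTAIN_SEVERITIES = {"critical", "high"}

# Constructed sample alerts, not real incident data. Timestamps are ISO 8601.
SAMPLE_ALERTS = [
    {"id": "A-1", "severity": "high",
     "first_activity": "2014-01-10T09:00:00", "detected": "2014-08-27T09:00:00",
     "response_started": "2014-08-27T09:45:00"},
    {"id": "A-2", "severity": "medium",
     "first_activity": "2014-05-01T08:00:00", "detected": "2014-05-01T20:00:00",
     "response_started": "2014-05-01T21:30:00"},
    {"id": "A-3", "severity": "critical",
     "first_activity": "2014-06-01T00:00:00", "detected": "2014-06-04T00:00:00",
     "response_started": None},  # detected, no response yet
]


@dataclass
class TriageResult:
    alert_id: str
    dwell_days: float                     # time to detect, in days
    time_to_respond: Optional[timedelta]  # detection -> response start, None if not started
    meets_response_target: bool
    action: str


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def triage(alert: dict) -> TriageResult:
    """Compute timing metrics and the automated action for one alert."""
    first = _parse(alert["first_activity"])
    detected = _parse(alert["detected"])
    dwell_days = (detected - first).total_seconds() / 86400

    ttr = None
    if alert["response_started"] is not None:
        ttr = _parse(alert["response_started"]) - detected
    meets_target = ttr is not None and ttr <= RESPONSE_TARGET

    # Automate everything up to the decision point: containment can be
    # triggered by policy, but the analyst decides what happens next.
    if alert["severity"] in AUTO_CONTAIN_SEVERITIES:
        action = "auto-isolate host; escalate to analyst for decision"
    else:
        action = "queue for analyst review"

    return TriageResult(alert["id"], dwell_days, ttr, meets_target, action)


def triage_all(alerts: List[dict]) -> List[TriageResult]:
    return [triage(a) for a in alerts]


def average_dwell_days(results: List[TriageResult]) -> float:
    """Average time to detect across the results, comparable to the 229-day figure."""
    return sum(r.dwell_days for r in results) / len(results)


def response_target_breaches(results: List[TriageResult]) -> List[str]:
    """IDs of alerts whose response did not start within the one-hour target."""
    return [r.alert_id for r in results if not r.meets_response_target]


if __name__ == "__main__":
    results = triage_all(SAMPLE_ALERTS)
    for r in results:
        print(f"{r.alert_id}: dwell={r.dwell_days:.1f}d ttr={r.time_to_respond} "
              f"target_met={r.meets_response_target} action={r.action}")
    print(f"average dwell: {average_dwell_days(results):.1f} days "
          f"(reported average: {REPORTED_AVERAGE_DWELL_DAYS})")
    print("response target breaches:", response_target_breaches(results))
```

In practice the `first_activity` timestamp is the hard part: for in-memory threats like the Ephemeral Hydra case described earlier, the evidence of first activity may be gone after a reboot, so the dwell-time figure is only as good as the logging retained outside the affected host.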

A word of warning

Costanzo told the audience, "We are falling behind as a country against these sorts of threats."

Companies are getting better at detection and at knowing what threats are out there, but there is less clarity and understanding about how best to respond, he said.

He said the security community in Australia needs to rise up and do better against the new wave of threats.
