As many security professionals know, timing is everything when it comes to detecting and responding to security threats. This is what Rich Costanzo from FireEye said during his presentation at the AusCERT 2014 event, and gave examples that show how crucial timing is.
With Costanzo's presentation on "CyberSecurity: The Final Frontier”, he used a Star Trek episode about time travel to picture the effect time has on security.
Costanzo also quoted Symantec’s senior vice president for Information Security, Brian Dye, who recently said "antivirus is dead”. Only about 45 per cent of cyberattacks are prevented by up to date anti-virus software, he said.
Time to detect
According to FireEye’s research, most threats are active for on average 229 days before detection. For example, the Ephemeral Hydra attack used compromised websites to attack vulnerable systems and exfiltrate data.
Ephemeral Hydra uses a ROP (Return Oriented Programming) chain to create a piece of malware on the infected client. That malware, which s contracted on the infected machine from the chain, uses the mscvrt.dll to download additional code into memory that could commence Command and Control communications to exfiltrate data.
The challenge with Ephemeral Hydra is that the malware only exists in memory, he said. If the infected system is powered down or restarted the malware disappears. Given that many systems are restarted more often than the 228 day average detection, it’s possible that many organisations infected by Ephemeral Hydra are never aware of the problem.
Clandestine Fox is an Internet Explorer Zero-Day that was first identified in April this year. The process from detection to confirmation and informing Microsoft was less than 24 hours. Although there was a technology aspect, Costanzo emphasised that the getting people to communicate was the critical element.
One of the elegant things about this attack was the way infected websites were used to deliver and activate the malicious payload, he said. Rather than being dependent on a single piece of malware on the website, Clandestine Fox uses a combination of Flash and Java Script to attack a vulnerability in Internet Explorer.
How threats propagate
Costanzo had a very strong message for anyone still running Windows XP – upgrade.
With Clandestine Fox, the time it took between detection and its arrival in Australia was less than three days. As it specifically attacked Windows, it was aided by the similarities between different versions of Windows.
According to data he presented, Costanzo claimed that 92 per cent of the threats that affect Windows are cross platform for different Windows versions. However, Windows XP, as the oldest version of Windows in wide use, lacks many of the security controls added to later versions. What this means is that if a malware developer can create an attack for a recent versions of Windows, they can distribute a simplified version to Windows XP.
Time to respond
Being able to quickly detect and respond to an attack is critical, said Costanzo.
“You want to prevent theft of your assets and IP. You want to prevent the cost of your response, disruption to your business and the reputational risk."
He said in order to optimise the time to respond to a threat, you need three separate elements: people, process and technology. There’s no single silver bullet; you need all of these, according to Costanzo.
The trouble is that the number of different threats and attackers is so large that it’s becoming impossible to manually process all of the data that is coming in and make effective decisions in timeframes that protect the business. Costanzo’s answer is to automate as much as possible up to a decision point.
While remediation might take several hours or days, Costanzo said that a world-class security response is one hour from detection to response initiation.
A word of warning
Costanzo told the audience, “We are falling behind as a country against these sorts of threats."
Companies are getting better at the detection and knowing what threats are out there, but there’s less clarity and understanding about how to best respond, he said.
He said the security community in Australia needs to rise up and do better against the new wave of threats.