Just assume you are compromised and your data is being stolen… there, we said it. A ton of blogs, videos, whitepapers, tech articles, etc. have been written and broadcast lately about the analysis and details of recent and ongoing APT attacks. When details were released about what exactly some specific APT groups were accomplishing (and to some this was breaking news), SecureState was actually excited that this information was becoming known: the excitement, the buzz, and a general feeling that things might be changing and that awareness (that thing we all keep preaching) might just be on the rise.
What we found remarkably similar across all of this information, however, was the lack of “Next Steps” that someone, you specifically, should perform, and the continued lack of awareness we keep identifying within organizations even though all this information exists. So, let’s just say this again: “You are compromised and your data is being stolen.” And let me add this too: “With all this information available we have not seen an increase in awareness, and organizations have not increased their vigilance about APT and data theft.” A cultural and organizational change must occur…
Assumption #1: So You’re Already Compromised
In our previous blogs within the series (here and here), we detailed how current APT attacks are still using the same bait, command and control, and attack vectors they used back in 2005; simply because those techniques work and we (organizations, security community, management, etc.) just haven’t done enough to stop what is working. So, what’s next? At this point I like to bring out some real numbers:
- 91% of incidents SecureState is asked to manage are already months old
- SecureState has identified 71% of organizations learn of an incident from external sources
- 95% of organizations did not know where their sensitive data resides and if it was accessed
- Every organization with over 3,000 end-points that SecureState has investigated was already compromised
For this blog we’ll assume the most important thing for your organization (what keeps you up at night) is your data and how it relates to APT breaches. Below is a real-life conversation I had with a CEO a couple of months ago that I thought would be perfect to integrate:
- CEO: So you’re recommending Data Classification to help protect my data… what is it?
- SecureState: Well, first, can you tell me where your wallet is right now?
- CEO: Yes.
- SecureState: Alright good, do you know where your birth certificate is at home?
- CEO: Yes.
- SecureState: How about your Social Security Card, Tax Records, Health Records?
- CEO: Yes…
- SecureState: And these items are probably in a safe… Okay, clearly this is important information to you. Do you put your junk mail in the safe too, or user manuals for the dishwasher?
- CEO: (Starting to understand) No.
- SecureState: Okay can you tell me where in your environment you store customer records, proprietary engineering documents, vulnerability reports, etc.?
- CEO: No.
- SecureState: Do we know then that all customer records, proprietary engineering documents, and vulnerability reports are properly protected?
- CEO: No.
…and here’s what the CISO said:
- CISO: We most likely will not implement a Data Classification Program here. That involves too much of a cultural and user change throughout the environment.
- SecureState: Okay, so we must assume sensitive, regulatory and privacy information can, and probably does, exist everywhere?
- CISO: That would be a fair statement.
- SecureState: Therefore, we must attempt to protect everything, everywhere, from anything… a gigantic safe protecting your birth certificate and the junk email… where did we say that wallet was again?
Assumption #2: Blanket the Entire Organization
Where is your data? Remember, 95% of organizations we investigated did not know the answer, and even worse they didn’t know if proper data controls existed. In an ideal situation, your important data is known (or at least an attempt has been made to identify it), contained, audited, protected and heavily monitored. When creating a security program, ideally we begin by identifying the most important data, LOCK IT DOWN, PUT CONTROLS AROUND IT, and then build outwards. However, a common theme we notice during consulting engagements is that security teams run around trying to secure/contain systems and networks that shouldn’t even have valuable data on them, or shouldn’t even be able to touch systems that do have valuable data on them. The solution here should be to get rid of data where it’s not needed and reduce the scope of data. This can be confusing, because it’s a process and a program, not a technological solution.
So, here’s the problem: organizations are stuck in a reactive loop and are afraid of change (specifically security program change that might affect the organization). Organizations continue to react and remediate as best they can instead of becoming program-driven. Therefore, organizations continue to blanket the entire environment with security controls and technology and hope they will protect important data, instead of choosing to understand and address the impacts. Currently the organizations we investigate have to assume they are compromised, but also have to assume sensitive data exists everywhere. Thus they must allocate hours, money, controls and resources across the entire enterprise. This is not only inefficient, but expensive and hard to manage, and simply, it just doesn’t work. I also like to state pointed, yet valid, observations while on engagement:
“So, that lady over there surfing Facebook has customer records on her computer and she’s also allowed into the finance subset from her workstation; and her only, and last, line of defense is her antivirus.”
Assumption #3: You’ll Understand This and Might Even Agree With It
Step 1: Find Your Data – Data Discovery
Find your data within the organization through Data Discovery. Data Discovery is the identification and auditing of sensitive or regulatory data. This data can be stored in shared drives, databases, removable media, container files such as ZIP/RAR files, mobile devices, emails, encrypted volumes, or in other similar data storage types and locations. Identifying, auditing, and protecting specific types of confidential information are important components of proper preparation and are also requirements within industry-related standards and regulations such as PCI, PHI, and HIPAA. This assessment should consist of inspecting and auditing systems, devices, and applications for indications of storage, transmission, or access to sensitive or regulatory data through comprehensive scans and validation. The organization should also ensure discovery covers the security controls and need-to-know access controls that surround critical business operations and processes. By performing a Data Discovery assessment, the organization takes the first step toward building a secure environment around sensitive data sets.
Step 2: Discovery Leads to Classification
Begin to educate the organization about data sets. The organization should group, categorize and identify the data sets discovered, and begin an awareness program about these data sets. If the organization knows where its data resides, it can begin to categorize data assets based on nominal values according to sensitivity – this is Data Classification. A company should adopt a common set of terms and relationships between those terms in order to communicate clearly and begin to classify data types. By classifying data, the company can determine in advance what the risk and impact of a potential incident or data breach would be, based on what type of data is involved, and what controls should be implemented to prevent access. Together, data classification and level of access drive the business impact, which will determine the response, escalation and notification of incidents, and should determine the security controls required for the data types. Security controls describe what should be implemented around specific data types. The policies that address data classifications should define general security controls for the access, sharing, storage and destruction of specific data types. The level of security control is proportional to the impact level when data is accessed. For example, if confidential data requires strict security controls, unauthorized access or disruption to that data would dictate a higher impact and quick resolution.
Step 3: Classification Leads to Data Controls
Begin to reduce the scope and attack surface area of the organization. The organization should now begin to reduce data sets, locations, need-to-know, access, and properly segment and protect that data. The process in theory is simple so far: find data and classify the data. Now the data needs to be protected. Data is a critical asset of your organization, your business partners, and your customers. All individuals employed by your organization should be responsible for protecting the confidentiality, integrity, and availability of the data generated, accessed, modified, transmitted, stored and/or used by your organization. Therefore, after classifying and labeling an information asset, the next step is to apply the proper security controls or protective measures to guard the confidentiality of the asset. The overall data classification framework should include data protection controls for Information Sharing, Storage, and Destruction.
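The three steps above (discover, classify, attach controls) as an added, runnable illustration that is not SecureState’s tooling or code from the original post: it walks a constructed sample share, looks inside a ZIP container, flags Luhn-valid card numbers and SSN-shaped values, and maps each document to an assumed classification label and the sharing/storage/destruction controls that label carries. The detectors, labels and control text are illustrative assumptions, not a standard.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Constructed detectors for two regulated data types the post names (card data for PCI, SSNs).
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13-19 digits with optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CONTROLS = {  # assumed policy: the controls each classification label carries
    "Restricted": "need-to-know sharing, encrypted storage, audited access, secure wipe on disposal",
    "Internal": "company-wide sharing, standard storage, standard deletion",
}

def luhn_ok(digits: str) -> bool:  # Luhn check drops order numbers that only look like card numbers
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_sensitive(text: str) -> dict:
    """Count each sensitive data type in one document; only Luhn-valid numbers count as PANs."""
    pans = [m for m in PAN_RE.finditer(text) if luhn_ok(re.sub(r"\D", "", m.group()))]
    hits = {"PAN": len(pans), "SSN": len(SSN_RE.findall(text))}
    return {k: v for k, v in hits.items() if v}

def scan_share(root: Path) -> dict:
    """Walk a share, opening ZIP containers too, and label every document found (discovery + classification)."""
    report = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if zipfile.is_zipfile(path):  # a container is one location holding many documents
            with zipfile.ZipFile(path) as zf:
                docs = [(f"{path.name}:{n}", zf.read(n).decode("utf-8", "replace")) for n in zf.namelist()]
        else:
            docs = [(path.name, path.read_text(errors="replace"))]
        for name, text in docs:
            hits = find_sensitive(text)
            label = "Restricted" if hits else "Internal"
            report[name] = {"hits": hits, "label": label, "controls": CONTROLS[label]}
    return report

def demo() -> dict:
    """Constructed sample share: a customer export, an old ZIP backup, and an innocuous manual."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "finance").mkdir()
        (root / "finance" / "customers.csv").write_text("id,card,ssn\n1,4111 1111 1111 1111,123-45-6789\n")
        (root / "dishwasher_manual.txt").write_text("Order no. 1234 5678 9012 3456. Rinse aid compartment.\n")
        with zipfile.ZipFile(root / "old_backup.zip", "w") as zf:
            zf.writestr("hr/payroll.txt", "J. Doe 987-65-4320\n")
        return scan_share(root)
```

The dishwasher manual stays “Internal” because its order number fails the Luhn check, which is the validation step that keeps a discovery scan from flagging every digit run on a share.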
Assumption #4: You Probably Will Not Implement Data Classification
Classifying data not only makes good sense, but it defines data protection requirements specific to data sensitivity. Once the organization knows which data needs the most protection, it can properly allocate funds and resources to defend those assets, thereby reducing the scope, time, effort and resources needed to protect what’s truly important. Employing a proper data classification scheme is cost effective, as it allows a business to focus on protecting its higher-risk data assets. Currently, however, businesses that do not have a data classification system must treat all data as highly confidential and blanket the entire organization with the highest level of protection and controls (if they want to be “safe”). We know, however, this rarely happens. SecureState consistently sees large gaps in security controls around data sets, and we discover data sets on systems without a need to store or process that data. More importantly, SecureState also observes that companies just don’t have the resources to fund a blanket approach to security. Here is the bottom line:
- Security, Response, and Data Classification and Controls should take a program-level approach: the problem, however, is that program-level approaches take a cultural and environmental change.
- Next, most organizations say something similar to, “If we STARTED off with data classification at the start of our business, this could be feasible”.
During our investigations and security assessments, we continue to find that most organizations are stuck in the “Patch/Discovery Process”: many of the security tasks and recommendations identified in an organization really add up to the need for a managed security program. Currently, two options exist; the first is what is happening, the second is just a nice concept:
- First, the organization can continue to react and remediate (the patch/discovery process) …or
- Second, the organization can change philosophy, and yes culture, to be program-driven
Most organizations we investigate have to attempt to blanket the entire organization, and not only assume anything could be compromised, but have to assume sensitive data exists everywhere. Therefore controls, costs and resources must be allocated across the enterprise. As long as we (again, organizations, security community, management, etc.) continue with this mindset and philosophy, we’ll (SecureState and others) continue to keep writing about APTs and why they work… cause they ain’t broke….
For more information on SecureState’s Data Discovery process and APT analysis and methodologies take a look at the following posts:
Data Discovery Part 1
Data Discovery Part 2
Data Discovery Part 3
APT Threat Assessment Part 1
APT Threat Assessment Part 2
APT Threat Assessment Part 3