O'Reilly Modern Defense in Depth

resident in networks for long periods of time, often without detection.

Hacker Dwell Time

The time between infection and detection is often called hacker dwell time. Looking at nearly every data breach in the past few years, the victims have unequivocally stated that the attack and the associated loss of data originally took place months, if not years, before it was detected. In most cases, organizations detect a breach only after third parties begin to observe and report on questionable activity indicating that a data breach has taken place.

Another observation to note is that most historical breaches happened because an attacker bypassed or defeated one line of defense. For example, after an attacker gains a foothold in an organization directly through the border firewall (normally by way of a phishing attack, which rides in on traffic the firewall is configured to allow), the attacker begins to operate covertly within the internal network, looking like any other legitimate user. Attackers attempt to capture login credentials to critical systems or find ways of exploiting internal systems to get closer to the data they are looking to steal.

Suppose, for example, that an intrusion prevention system (IPS) deployed as an independent line of defense downstream of the firewall detects an exploit or piece of malware coming from a particular IP address on the internet. Does the IPS make a call to the firewall instructing it to begin blocking that source IP address upstream? Today, the answer is no. There is no construct in place for these lines of defense to be integrated; they have no ability to share internal threat intelligence and put it into action.

Another example of the lack of integrated lines of defense is as follows. If an internal user's computer was just infected with ransomware and, by some chance, security personnel were made aware of the initial infection via a log or alert, can recursive DNS help eliminate the spread of the infection elsewhere in the network? Yes, it can.
Because a recursive DNS server can block a user trying to access a specific domain, did the ransomware-related log or alert trigger an automated change to the organization's recursive DNS servers to
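The two missing integrations described above (an IPS detection becoming a border-firewall block, and a ransomware alert becoming a recursive-DNS block) are sketched below as an added example; this is not code from the O'Reilly report. It is a small response planner in Python that takes alerts from an IPS and an endpoint agent, decides which indicators are safe to act on, and renders firewall set entries and DNS Response Policy Zone (RPZ) records. The alert schema, the sample alerts, the internal address ranges, the domain allowlist, and the nft table and set names are all assumptions constructed for the example. RPZ itself is the real mechanism BIND and other recursive resolvers use to block names: a `CNAME .` record makes the resolver answer NXDOMAIN.

```python
"""Constructed example of the "integration layer" the text says is missing:
detections from one line of defense (IPS, endpoint agent) become blocks on
two others (border firewall, recursive DNS). Not code from the report."""
import ipaddress
from dataclasses import dataclass, field

# Ranges this organization treats as internal (assumed). An IPS hit whose
# source is internal must not become a border-firewall rule: that would
# block one of our own hosts instead of the attacker.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

# Domains that must never be sinkholed even if an alert names them (assumed).
DNS_ALLOWLIST = {"updates.example"}

# nft family/table and set the rendered commands target (assumed to exist,
# declared as `set blocked_src { type ipv4_addr; }` in table inet border).
NFT_TABLE, NFT_SET = "inet border", "blocked_src"

# Constructed sample alerts in a hypothetical schema; not from any product.
# 203.0.113.0/24 is a documentation range standing in for an internet host.
SAMPLE_ALERTS = [
    {"source": "ips", "type": "exploit", "src_ip": "203.0.113.45",
     "note": "exploit attempt against web tier"},
    {"source": "ips", "type": "malware", "src_ip": "203.0.113.45",
     "note": "same external host, second detection"},
    {"source": "ips", "type": "exploit", "src_ip": "10.20.30.40",
     "note": "lateral movement from an internal host"},
    {"source": "edr", "type": "ransomware", "host": "ws-0142",
     "domains": ["payload.badexample.test.", "C2.badexample.test"]},
    {"source": "edr", "type": "ransomware", "host": "ws-0199",
     "domains": ["c2.badexample.test", "cdn.updates.example"]},
]


@dataclass
class ResponsePlan:
    firewall_block: list = field(default_factory=list)  # source IPs, deduped, in order
    dns_sinkhole: list = field(default_factory=list)    # domains, deduped, in order
    skipped: list = field(default_factory=list)         # (indicator, reason)


def is_internal(ip: str) -> bool:
    """True if ip falls in one of the organization's internal ranges.
    Raises ValueError for strings that are not IP addresses."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def normalize_domain(name: str) -> str:
    """Lowercase and strip a trailing dot so duplicates compare equal."""
    return name.strip().rstrip(".").lower()


def is_allowlisted(domain: str) -> bool:
    """Exact or subdomain match against the allowlist."""
    return any(domain == a or domain.endswith("." + a) for a in DNS_ALLOWLIST)


def plan_response(alerts) -> ResponsePlan:
    """Turn alerts into a deduplicated, sanity-checked set of blocks."""
    plan = ResponsePlan()
    for alert in alerts:
        # IPS detections carry a source IP; only external sources go upstream.
        if alert.get("type") in ("exploit", "malware") and "src_ip" in alert:
            ip = alert["src_ip"]
            try:
                internal = is_internal(ip)
            except ValueError:
                plan.skipped.append((ip, "not an IP address"))
                continue
            if internal:
                plan.skipped.append((ip, "internal source; not a border-firewall action"))
            elif ip not in plan.firewall_block:
                plan.firewall_block.append(ip)
        # Endpoint detections carry domains the malware contacted.
        for raw in alert.get("domains", []):
            domain = normalize_domain(raw)
            if is_allowlisted(domain):
                plan.skipped.append((domain, "allowlisted domain"))
            elif domain not in plan.dns_sinkhole:
                plan.dns_sinkhole.append(domain)
    return plan


def render_nft(plan: ResponsePlan) -> list:
    """nft commands adding each source IP to the firewall's block set."""
    return [f"nft add element {NFT_TABLE} {NFT_SET} {{ {ip} }}"
            for ip in plan.firewall_block]


def render_rpz(plan: ResponsePlan) -> list:
    """RPZ zone records: CNAME to the root name returns NXDOMAIN for the
    domain and, via the wildcard, for every name beneath it."""
    lines = []
    for domain in plan.dns_sinkhole:
        lines.append(f"{domain} CNAME .")
        lines.append(f"*.{domain} CNAME .")
    return lines


if __name__ == "__main__":
    plan = plan_response(SAMPLE_ALERTS)
    print("\n".join(render_nft(plan) + render_rpz(plan)))
    for indicator, reason in plan.skipped:
        print(f"skipped {indicator}: {reason}")
```

The two checks in `plan_response` are the part worth copying: pushing an indicator from one control to another without asking whether it is one of your own addresses or a domain you depend on is how an automated response takes the organization offline. In a real deployment the rendered commands would be applied over the firewall's and resolver's own APIs (for BIND, by updating the RPZ zone and reloading it).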