Action Plan Key to Mitigating, Containing Cyber Damage

September 06, 2016

BAE Systems: Detection and response are the backbone of an effective defense strategy.

After a slew of breaches of high-profile corporates and banks, including customers of the widely used SWIFT messaging network, the business community has largely accepted that at some point cyber-attacks will be successful. Despite this inevitability, what can companies do?

Colin McKinty, vice president of cyber security strategy for the Americas at BAE Systems, the defense, security and aerospace company, noted that detection and response are the backbone of an effective defense strategy. In mid-July, SWIFT appointed BAE Systems to its customer security intelligence team, to support and investigate incidents within customer network environments. Mr. McKinty recently spoke to iTreasurer about how organizations can go about detecting breaches of their networks and effectively and efficiently responding to mitigate and contain potential damage.

iTreasurer: When does detection begin?
Colin McKinty: It’s key to understand the different stages of an attack, from initial infection to the various steps an attacker must take to be successful: first breaching the network, then installing some form of malware, exploiting a vulnerability to get what the attacker is looking for, perhaps harvesting credentials to enter protected areas, setting up some form of command and control so they can externally manage the attack, and finally taking action.

All those pieces give the business defenders an opportunity to discover the cyber-attack. We don’t want to rely on discovering a fraudulent transaction or data extrication while it’s in progress; we want to catch them as early in the cycle as possible, and that’s the goal of detection.

iT: What happens if the attack is detected while it’s in progress?
CM: That’s where we move from detection to an efficient and effective response. It’s critical to understand what is going on holistically. One of the worst things a company can do is panic, because it can show its hand to the attackers. For example, an attacker may have planted malware that is sending data to a certain website, but the attacker may have other extrication routes in place and use those to extract large volumes of data more quickly, now that he or she has been found out.

iT: So how does one stop an attack without showing one’s hand?
CM: Preparation. One key element is having an incident response framework, a tried and tested plan for how to pursue the investigation and who is responsible for different aspects of it. It’s important to make sure the plan is tried and tested.

Through the development of the plan, one of the first things that becomes apparent is the need for the right type of data. When a company initially sees unusual activity and starts investigating it, if it doesn’t collect the right type of data from its network and end points, it makes pursuing the investigation really difficult. So the incident response plan essentially backtracks, following the thread of the attack back hopefully to the initial network breach and delivery of the malware. When the company follows that analytical thread, it can get a holistic view of what’s going on and avoid showing its cards prematurely, but that’s very hard to do without the right data, tools, and people already in place.

iT: Where does the data come from?
CM: The network and end points; information about what’s going on inside an organization’s IT systems. So email traffic, http records, events on individual machines—delving into that information is where we find the clues. Some industries have regulatory requirements to retain that data.

iT: And the tools?
CM: There’s a whole range of tools available; it’s all about exploiting the data. There are tools to help the company’s incident response team to do forensic analysis on a certain machine, or to help deal with large volumes of data and actually use it.

iT: How does Big Data fit into this?
CM: For forensic work, it’s less about big data and more about understanding the end points and information they hold, and providing an interface into that complex world. Forensic teams can get an image of a disk from an infected computer, and they peel through all the different programs, files, and everything else on the machine to look for signs, such as how people have moved around the network or changed files, that might indicate a breach. Big data is very important for exploiting logs from networks and end-points that can generate high volumes of data.

iT: Once a company has detected an attack and figured out what’s going on, what is the next step?
CM: Response and remediation. Now the company must stop any additional damage … any more data or funds leaving the network, or damage to the network or endpoints. The incident response plan should cover steps to block extrication routes, shut down the attacker’s command and control abilities, and re-image individual machines to remove malware—basically the cleanup stage.

iT: How does a company block the extrication routes?
CM: It depends on what it has detected. If a transaction involves a bank, it takes us more into the world of fraud; so far we’ve been talking about cyber security, which is more on the IT side.

On the IT side, a company could write in rules on its network firewalls to block traffic to problematic websites, or it might block certain email addresses, or other routes to communicate with parties outside the network—rules to block the known command-and-control paths and data extrication routes.

iT: What about mitigating an attacker’s command-and-control functionality?
CM: If they find it’s originating from one machine, they can take that machine offline and then re-image it. Some will just take the computer’s disk and put a brand new image on it.

iT: What does re-imaging do?
CM: Sizable organizations will often have a software image for each of their end-points. So rather than having to reinstall each piece of software on every machine, the IT department can simply put the image on the new computer. So with an infected machine, rather than trying to clean it up, once they’ve done the forensic analysis and collected all the necessary information, they can simply wipe the disk clean and put on a brand new image. However, users have to remove personal data, because all the files will be erased. All this detail comes into the incident response framework.

iT: Taking a step back, how does a company detect whether its network has been infected with malware?
CM: Security Information and Event Management (SIEM) technology has evolved to become a good data aggregator, and it’s also good at applying correlation rules and signatures, to detect previously seen threats.

The challenge today is that there are many attacks we don’t yet know about, and this is where big data comes into it. We need to look across large volumes of data over extended periods of time, and run more sophisticated algorithms across the data to uncover those unknown attacks. This is the world of behavior analytics, anomaly detection, and machine learning—they all come under the umbrella of analytics. Organizations that are maturing and recognize they have a good approach in terms of rules and signatures are now moving to leverage big data and analytics for security purposes.

iT: How do fraud and big data differ from risk and fraud platforms, which have been around for a while?
CM: SIEM and big data for security focus more on how users are interacting with the network and the machines, and how machines are talking to other machines. Fraud systems, instead, are looking at actual customer transactions—the movement of money between accounts, and information at that level.

What’s interesting and what we’re seeing now is that, as the cyber threat factor increases, these two worlds are beginning to intersect, which is often described as cyber enabled fraud.

iT: Thank you for your time and insight.
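The contrast McKinty draws between correlation rules and signatures for previously seen threats and anomaly detection for unknown ones, run over the http records he names as a data source, as an added Python example (not code from BAE Systems or iTreasurer). The proxy records, the hostnames, the KNOWN_BAD indicator list and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, median, pstdev

# Constructed proxy records (not real data): (epoch seconds, source host, destination, bytes out)
RECORDS = [
    (0, "ws-01", "updates.example.org", 512),
    (600, "ws-01", "updates.example.org", 530),
    (1200, "ws-01", "updates.example.org", 498),
    (1800, "ws-01", "updates.example.org", 515),
    (2400, "ws-01", "updates.example.org", 520),
    (30, "ws-02", "news.example.com", 1200),
    (9000, "ws-02", "news.example.com", 900),
    (50, "ws-03", "bad.example.net", 300),
    (1000, "ws-04", "files.example.com", 2000),
    (1100, "ws-04", "files.example.com", 1900),
    (1300, "ws-04", "files.example.com", 950_000_000),
]
# Signature/indicator list: constructed placeholder standing in for previously seen threats.
KNOWN_BAD = {"bad.example.net"}

def signature_hits(records, known_bad=KNOWN_BAD):
    """Rules-and-signatures stage: hosts that contacted a known indicator."""
    return sorted({src for _, src, dst, _ in records if dst in known_bad})

def beaconing_pairs(records, min_requests=4, max_cv=0.1):
    """Anomaly stage: host/destination pairs contacted at suspiciously regular
    intervals (low coefficient of variation of the gaps), a common C2 pattern."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in records:
        by_pair[(src, dst)].append(ts)
    hits = []
    for pair, times in by_pair.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits.append(pair)
    return sorted(hits)

def volume_outliers(records, factor=10.0):
    """Anomaly stage: hosts with a single outbound transfer far above their own
    typical size, a signal worth checking for data leaving the network."""
    by_host = defaultdict(list)
    for _, src, _, nbytes in records:
        by_host[src].append(nbytes)
    return sorted(h for h, sizes in by_host.items()
                  if max(sizes) > factor * median(sizes))
```

The regular-interval hit on ws-01 is exactly the kind of candidate an analyst must still triage: a benign update checker beacons too, which is why the anomaly stage feeds an investigation rather than replacing the signature stage.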
