drive and form a new business. The attacker waited until a contractor’s previous engagement was coming up for renewal and then remarketed to the contractor under the new business.
In this attack, the techniques were very simple. To protect your business, you need to keep a close view of the people in the organization, their motivation and interests, make sure they are satisfied in what they do, and minimize the risk of them doing something criminal and damaging. The focus needs to move from being almost completely technological to a balance of social and technical.
BORG: A common delusion among high-tech companies is that their information has a limited shelf life because they are generating so much new information all the time. This leads to the conclusion that it doesn’t matter if people steal information because it’s almost immediately obsolete. From an economic standpoint this is just wrong.
NORTON: Let’s presume that we can never keep these people out. How do we deal with that?
CLARK: This whole issue of information theft really isn’t very new. These issues have been in play for hundreds of years. In our time, some things have changed, most notably pace and data volume stolen. The time necessary to undertake a successful attack has been reduced, and the volume of data that can be taken has dramatically increased.
CREEGER: Can we learn from other fields and experiences? On a previous security panel people talked about addressing the risk of malware infection along the same lines as public health. They said that malware attacks are like the flu. You are never going to eradicate it and must live with some ongoing percentage of infections. It will be a different flu every year, and you can minimize your infection risk by implementing certain hygiene protocols.
CLARK: Many people design systems on the assumption they will always work perfectly. Often, auditing features are minimal, sometimes added as a later feature. We need to architect systems on the assumption that breaches will occur, so the functions needed for a proper response are readily available when it happens.
BIANCO: You should assume all preventative controls will fail. While you still need prevention, you should put your new efforts into detection and response—both in mechanisms and personnel. When prevention fails, if you can’t detect failure, you have a very
CLARK: In individual applications, we can quickly focus on technical detection without looking at readily available metadata—that includes other systems—that would dramatically improve detection. For example: “Did person A log onto a network? If yes, where was person A when he or she logged on? Does that match what the physical-access-control log re-
There is a very real danger that many vendors will provide a good but narrow view of your network and miss the larger context that states, for example, that a user was not supposed to be able to log in from an undetermined physical location.
At Detica we have found real value in mining substantial levels of contextual data that corroborate not just what’s happening in the network but what was happening with the individuals that access the network at that point in time. People should not be lulled into a sense of false security because they have purchased a specific niche security product.
CREEGER: Are you saying that we have to start building a huge metadata infrastructure to determine if one event is consistent within a greater context? Who is going to write all these consistency rules that will flag events out of sync with expectations? Who is going to run all these services and on what platforms? How do we architect cost-effective solutions that expend additional cycles to monitor, audit, and determine to the second, third, fourth level whether the person’s actually doing what’s expected?
BORG: What you are describing as a problem is a huge opportunity. There are five steps you have to follow to carry out a successful cyber attack: find the target; penetrate it; co-opt it; conceal what you have done long enough for it to have an effect; and do something that can’t be reversed. Each of these is an opportunity to stop an attacker.