Targeted Attacks and Common Defenses

Targeted attacks have been around for a while now but have only recently come to public light.  We've seen Titan Rain in 2003, Hydraq in 2009, Stuxnet in 2010 and more.  A lot of people talk about who the bad actors are as if that is going to help solve the problem.  The issue we need to focus on is not so much who is doing it as how we stop it.  Not a lot of people are talking about that, so I thought I would.  I've been talking about these defenses with peers for over four years now and they seem to have worked fairly well.

1) Block all dynamic DNS requests.  A large portion, over 90%, of the malware attacks use dynamic DNS to stage and relay the attacks, and blocking it has little to no business impact.  Block resolution of the known dynamic DNS provider domains at the internal resolver or proxy and keep logging the attempts: a host that keeps trying to resolve them after the block is in place is itself a lead worth chasing.

2) Implement a NAC solution.  Most companies have little to no control over what users plug into their networks.  This has been a significant issue for a long time.  We can't ensure the protection of a device if we don't control the device.

3) Identify key data points.  The attacks are going after two things: intellectual property or PII.  Understanding where that data lives and ensuring proper identity and authentication around it is key.  Ensuring basics such as logging and patch management on the systems that hold it is also key.

4) Data egress.  In these attacks the attacker takes the data (email, files, etc.), compresses it and sends it out to drop sites on the Internet.  By implementing Data Loss Prevention (DLP) and a proxy (Blue Coat or Symantec Web Gateway) you can dramatically reduce data loss.  Blocking all FTP, RAR archives, or unauthorized encrypted outbound traffic would help significantly.  Note that a proxy can only inspect content it actually sees: encrypted traffic it does not terminate has to be controlled by destination and category rather than by content.  At a simpler level, blocking specific content via a DLP solution is still good.

5) Educate the users.  Most users will still click on anything they are given.  Information security organizations do very poorly at truly educating users on safe computing.

6) Implement a proper log collection and correlation tool.  Most companies that have been attacked were not able to find all compromised systems, or couldn't get the data without many weeks going by, because they didn't have a SIEM such as Symantec's SSIM in place.  Quick identification and remediation is key to the future of security.
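The detection side of defenses 1, 4 and 6, as one added Python example (this is not code from the original post): it flags dynamic DNS lookups in resolver logs by domain suffix, classifies outbound request bodies seen at a proxy as archives (by magic bytes) or high-entropy content (likely encrypted or already compressed), and then correlates the two per host inside a time window, so that one noisy signal on its own does not raise an alert. The BIND-style log line format, the provider suffix list, the entropy threshold and all of the sample data are constructed assumptions for this example, not real indicators.

```python
import math
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical, deliberately short list of dynamic DNS provider suffixes (assumption).
# A real deployment would maintain a much longer list from a threat feed.
DYNDNS_SUFFIXES = ("dyndns.org", "no-ip.com", "no-ip.org", "ddns.net", "3322.org")

# Leading bytes of common archive formats, checked against the start of an outbound body.
ARCHIVE_MAGIC = {
    b"Rar!\x1a\x07": "rar",        # RAR 4.x (...\x00) and RAR 5 (...\x01\x00) share this prefix
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"PK\x03\x04": "zip",
    b"\x1f\x8b": "gzip",
}
ENTROPY_THRESHOLD = 7.5   # bits per byte; encrypted or compressed data sits close to 8.0
MIN_ENTROPY_LEN = 256     # too few bytes give an unreliable entropy estimate

# Assumed BIND-style query log line; the exact format is a constructed assumption.
DNS_LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d+) client (?P<ip>[\d.]+)#\d+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def is_dynamic_dns(qname):
    """Match on the domain suffix, not on a substring: 'mydyndns.org' must not match."""
    q = qname.lower().rstrip(".")
    return any(q == s or q.endswith("." + s) for s in DYNDNS_SUFFIXES)


def parse_dns_log(lines):
    """Yield (timestamp, client_ip, qname) for each line that matches the assumed format."""
    for line in lines:
        m = DNS_LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
            yield ts, m.group("ip"), m.group("qname")


def dyndns_events(lines):
    """Defense 1: every dynamic DNS lookup is an event worth keeping, even once the block exists."""
    return [(ts, ip, "dyndns_query", q) for ts, ip, q in parse_dns_log(lines) if is_dynamic_dns(q)]


def shannon_entropy(data):
    """Bits of entropy per byte over the byte-value histogram of `data`."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_payload(body):
    """Defense 4: name the archive by magic bytes first, then fall back to an entropy check."""
    for magic, name in ARCHIVE_MAGIC.items():
        if body.startswith(magic):
            return name
    if len(body) >= MIN_ENTROPY_LEN and shannon_entropy(body) > ENTROPY_THRESHOLD:
        return "high_entropy"   # encrypted or already-compressed content of unknown type
    return "plain"


def egress_events(transfers):
    """transfers: (timestamp, src_ip, destination, body) as a proxy that sees the plaintext records them."""
    out = []
    for ts, ip, dest, body in transfers:
        verdict = classify_payload(body)
        if verdict != "plain":
            out.append((ts, ip, "egress_" + verdict, dest))
    return out


def correlate(events, window=timedelta(minutes=30)):
    """Defense 6: pair each host's dynamic DNS lookups with suspicious egress inside `window`."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev[1]].append(ev)
    flagged = {}
    for host, evs in by_host.items():
        dns = [e for e in evs if e[2] == "dyndns_query"]
        egress = [e for e in evs if e[2].startswith("egress_")]
        pairs = [(d, e) for d in dns for e in egress if abs(e[0] - d[0]) <= window]
        if pairs:
            flagged[host] = pairs
    return flagged


# Constructed sample input: four resolver log lines and three proxy-recorded outbound bodies.
SAMPLE_DNS_LOG = [
    "12-Feb-2013 09:14:02.118 client 10.1.20.15#49233: query: intranet.example.com IN A + (10.1.0.10)",
    "12-Feb-2013 09:14:05.402 client 10.1.20.15#49240: query: host88.dyndns.org IN A + (10.1.0.10)",
    "12-Feb-2013 09:20:11.007 client 10.1.20.44#51002: query: www.example.org IN A + (10.1.0.10)",
    "12-Feb-2013 09:21:33.560 client 10.1.20.44#51010: query: mydyndns.org IN A + (10.1.0.10)",
]


def _t(hms):
    return datetime(2013, 2, 12, *map(int, hms.split(":")))


SAMPLE_TRANSFERS = [
    (_t("09:30:00"), "10.1.20.15", "ftp://203.0.113.7/incoming", b"Rar!\x1a\x07\x00" + bytes(512)),
    (_t("09:31:00"), "10.1.20.44", "http://203.0.113.9/upload", bytes(range(256)) * 8),
    (_t("09:40:00"), "10.1.20.44", "http://intranet.example.com/report", b"Q1 sales summary, draft " * 40),
]


def run_demo():
    """Only 10.1.20.15 has both a dynamic DNS lookup and a RAR upload within 30 minutes."""
    return correlate(dyndns_events(SAMPLE_DNS_LOG) + egress_events(SAMPLE_TRANSFERS))


if __name__ == "__main__":
    for host, pairs in run_demo().items():
        for (dts, _, _, qname), (ets, _, kind, dest) in pairs:
            print(f"{host}: {qname} at {dts:%H:%M}, then {kind} to {dest} at {ets:%H:%M}")
```

Two caveats a practitioner should keep in mind. The body classification only works on traffic the proxy actually terminates, so TLS it does not intercept can only be judged by destination. And the entropy test also fires on legitimate compressed media, which is why the example uses it to prioritize hosts through correlation rather than as a blocking rule on its own; in the sample data the host that uploads high-entropy content but never touched a dynamic DNS domain is deliberately left unflagged.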

There are more, but these should help a lot.