Anatomy of a Breach: Preparing for the Inevitable

Attacks have reached a level of both inevitability and sophistication that legacy security solutions simply can't handle, meaning application security has never been as important as it is right now. Preventing a breach begins with understanding how nefarious attackers are getting in, comprehending the cyber kill chain and its ramifications, and then preparing each stage in this chain for an eventual attack.

Understanding the Cyber Kill Chain

"Cyber kill chain" is a term coined by defense firm Lockheed Martin in an attempt to define the methods and steps modern threat actors were utilizing when breaking into business and government networks. While not a comprehensive look at every possible attack, the kill chain does provide understanding of the potential weak points in almost every network.

The chain typically begins with "Reconnaissance," where, over a period of days, weeks or months, attackers will gather information regarding their target (or targets). The attackers will then move to "Weaponization," where they couple an exploit and a backdoor into a payload. Then, within a matter of seconds, the attack goes through the next three stages where it is delivered to the victim, an exploit is utilized to run the malicious code and the malware gets fully installed.

Finally, the attackers use a command-and-control module to manage the malware from afar, then manually remove data or destroy information, depending on their motives.

The Inevitability of Attacks

While the cyber kill chain doesn't cover every potential threat, such as malicious insiders or remote access attacks, understanding it can provide CISOs with an overview of where they need to bolster defenses.

According to research from Forrester, global cyber incidents increased to over 42 million in 2014, up significantly from the year before. More troubling is the fact that very few affected targets recognize they have been breached, instead learning about the problem after the fact when their information is exposed or when their vulnerability is made public.

Enterprise CISOs have to accept that they will be the targets of attacks in the near future. The days of building a strong perimeter and hoping attackers look elsewhere for weaker targets are gone. With the market for stolen information as big as it is, attackers are now taking the time required to find a way into even the tightest perimeters, and then exploiting vulnerabilities within applications to complete their goals.

Planning for Failure the Right Way

The inevitability of a breach means CISOs have to focus on the two most important areas when it comes to network defenses: application security and incident response. This focus will not only make it less likely that a significant breach will occur, but it will enable organizations to properly discover and neutralize nefarious attackers that have footholds in the system.

Incident response is highlighted in Forrester's "Planning for Failure" whitepaper, which describes this area as one of the most overlooked within the world of information security. Without a defined response process, valuable time can be wasted during the discovery of a breach, or even worse, signs can be missed that allow attackers to go unnoticed. The whitepaper's recommendations for incident response include defining an overall plan, creating robust policies and developing a cross-functional team, but it zeroes in on the importance of testing.

As detailed in the whitepaper, no matter what else they do, enterprises that don't test their systems and applications cannot be properly prepared for an attack.

The application layer is truly the new perimeter, and CISOs have to understand the risks they face when they don't properly test and monitor their applications. The entire second half of the cyber kill chain focuses on exploiting vulnerabilities within the IT infrastructure, which are now almost always vulnerabilities within individual applications. Proper application security not only prevents intruders from gaining ground within the system, but it can also prevent one failure from cascading into a situation where the attack gains complete control of the system.

Given the complexity of modern applications — and the fact that most enterprises utilize a significant number of third-party applications and component libraries to augment their own internal development efforts — CISOs have to invest in robust application testing and monitoring solutions and develop sophisticated application security programs. These solutions can inject security into the earliest parts of the development process, and scan existing applications using multiple parameters to ensure they are safe against all major known vulnerabilities and built to withstand emerging vulnerabilities as well.

With attacks being inevitable, CISOs have to invest the time and resources required to fully understand the threats they face, and then take action to best prepare their systems for attacks.

Want to learn more? Check out Forrester's whitepaper here.

About Shawn Drew

Shawn Drew has spent the last five years helping businesses understand the difference that technology can make for their internal processes, external connections, and bottom line. He specializes in all things cloud computing and security, and hopes to impart some knowledge on how the two can be combined to enhance the inherent benefits of each. His work has been published on the websites and blogs of a number of technology industry leaders, such as IBM, Veracode and Boundary.
