Blog: How Tos

How do you know that you aren’t compromised?

Jamie Riden 28 Aug 2015

compromised

Seriously. You have antivirus software and Windows Software Update Server and you get pen tests and so you probably know if there’s any issues in the externally facing infrastructure and applications as far as they’ve been tested. But there are a lot of different routes into an organisation, such as VPN or other administrative remote access – like how your support team connects in out of hours – or even straight in by delivering trojaned Word documents over email.

You don’t know what you don’t know

The question I’d like you to think about is “if I were compromised, would I even know?” Do you have a Security Operations Centre? Do you collect logs in a central location and look for anomalies? Do you run integrity monitoring software like Tripwire or Splunk on critical servers? Do you have people who proactively go looking for evidence of possible compromise?

Toolkit

I used to look after security at a university, which is probably the worst case scenario in that you have responsibility but very little actual power to enforce standards. Therefore it was extremely important to know exactly what was going on for all network traffic. For me this was Snort, Argus and a few other key tools – like top 10 traffic sources – running on a SPAN port on the core router – a good introduction is Bejtlich’s Practice of Network Security Monitoring.

Endpoint choices

These days you have lots of endpoint security agents which should help you, and properly sophisticated filters like FireEye. There are other players like DarkTrace that uses a maths engine to produce real time alerts. Another product, Lastline seems to do a similar job but not quite in real time. However if you want something I always like to present two options – the first and most expensive one is your wish list, and the second one is what you’d settle for, so go for it. Ask for a trial from a couple of vendors and see how you get on.

Time

But the main point is, attackers generally need at least a few days to poke around the network and find the juicy data. So if you can pick up an intrusion in a matter of hours and shut it down in another few you will be ahead of the game. The jargon is the “time to detect/recover”.

I know of cases where an attacker has had free rein for several months or more – this is just not acceptable, and you will be at least embarrassed and possibly worse if it should happen on your watch.

Advice

  • Tend towards mild paranoia
  • Are your systems fragile, in that the failure of one aspect will be catastrophic? If so, introduce redundancy.
  • Deploy your own honeypots.
  • Employ someone smart to look for evidence of intrusion. They don’t have to spend all their time on this; five hours a week would be a good place to start for an SME, an enterprise should spend a lot more. This includes very large data flows outbound!
  • Sell it to your board as similar to insurance – we pay X every year, but it helps to protect us from a small possibility of a huge liability.
  • Off the shelf can be good but it is rarely a perfect fit for any particular organisation – so it has to be plumbed into existing systems. Hence the need for a smart person as mentioned above.
  • Two factor authentication for all administration interfaces.