Lessons Learned From The White House Data Breach
As some of the details of the recently disclosed breach of a White House network become clear and some of the finger-pointing dissipates, companies and organizations should reflect soberly on what it may mean for them.
- Network intrusions cannot be perfectly prevented.
Whether you are the White House, a large health care provider, a major retailer or a bank, if a cybercriminal wants to get into your network badly enough (and has the time and resources), they will eventually succeed. A targeted attacker has unlimited opportunities to try to breach a network; it only takes one mishap on the part of a defender to allow a successful breach. Perimeter security and company practices may be 99% effective, but in the 1% of cases where they are not, the persistent attacker gets in.
- Once inside the network, the attacker is unfamiliar with their new environment.
They must explore the network to understand its topology, find resources, seek new points of control, and begin to create favorable conditions to steal assets or achieve their desired outcome. This process takes time, and it involves behaviors that can be detected with the right technology and know-how.
- Most security infrastructure is built to stop the initial intrusion attempt.
But once an attacker has circumvented those systems, they are generally incapable of detecting the attacker's subsequent activity.
- Traditional Indicators of Compromise (IOC)-based detection often fails to find attacker malware or static fingerprints.
If this is the case, finding an active breach must involve establishing an accurate baseline of network activity and then constantly evaluating current traffic against that baseline. This network knowledge must be tied to endpoint intelligence to produce a highly accurate and actionable view of a breach in progress. It must start with the network and then be augmented with the endpoint.
- Targeted breaches cannot be fully prevented. But they can be detected and stopped before theft or damage ensues using Active Breach Detection.