
M-unition

The Ammunition You Need to Find Evil and Solve Crime

About Us

Welcome to M-unition, the MANDIANT blog. Here we share our insights about the tools we create and use to find evil and solve crime.

What’s Your Poison?

Written by Kris Harms

A bit ago (yes, this blog post is coming late, but crime hasn’t taken a day off lately!), I spoke at the Northern Ohio Infragard Chapter meeting regarding the state of incident response. Afterward, I participated in a panel where I got a great question that I wanted to pose to the M-Unition readers. The question (paraphrased, of course) is, “What are organizations doing, or not doing, that enables today’s attackers to be so successful at getting in and staying in?”

I had to think about this one for a minute, but here is what I came up with. The most attacker-enabling characteristic I’ve seen within an organization is the sense of entitlement employees have to unfiltered Internet access and the unrestricted ability to install third-party software. Combine these two characteristics with the organization’s unwillingness to challenge these “rights” and you have yourself a recipe for a business-affecting security incident in the very near future. On top of that, your remediation will feel like the Detroit Lions’ 2008 NFL season (0-16, if you were wondering).

The simple expectation that Facebook, Lady Gaga mp3s and desktop photo software are all acceptable content can have a crushing impact on a security team’s ability to defend the network. This is because the amount of software and network traffic that now needs to be monitored and secured is infinite. Unless you have an infinite security budget (if you do, please call me immediately!), your network is likely not defensible in a cost-effective manner. Disallowing these “rights” will have a significant impact on the number of “drive-by” spyware infections, an attacker’s ability to steal data without being detected, and the amount of data a network monitoring team is responsible for reviewing. It will even save you bandwidth, which has a direct cost benefit if you are still on the hook for ROI for your security team. That, however, is a conversation for another post.

Does this ring true for everyone else? What is it about your organization that enables an attacker? Culture, politics, still running Windows NT4.0?

05 Aug 09 | General

