Defending Against an OPM-Style Cyber Attack
Author Chris Stoneff recently posted a great article on INFOSEC Institute: The Seven Steps of a Successful Cyber Attack. Stoneff makes some great points that I wanted to share as well as provide some additional insights and recommendations.
Stoneff states, “Almost every network is vulnerable to cyber attacks. According to Mandiant, 97% of organizations have already been breached at least once. And perimeter security tools, like next generation firewalls, offer little real protection against advanced, targeted attacks.” Add insider threats from privileged users and contractors to this, and if you also run legacy mainframe systems, your risk is potentially greater still.
According to the article, there are usually seven steps to the advanced/insider threat attack:
- Reconnaissance (identify a vulnerable target and explore the best ways to exploit it)
- Scanning (the next step is to identify a weak point that allows the attackers to gain access)
- Access and Escalation (the next step in the cyber attack is to gain access and then escalate)
- Exfiltration (attackers can now access systems with an organization’s most sensitive data – and extract it at will)
- Sustainment (with the elevated privileges that were acquired earlier, dependence on a single access point is no longer necessary… the attackers can come and go as they please)
- Assault (potential damage to sensitive data by the attacker)
- Obfuscation (Trail obfuscation covers a variety of techniques and tools including log cleaners, spoofing, misinformation, backbone hopping, zombie accounts, Trojan commands, and more)
Stoneff’s sage advice: “The key to blocking a cyber-attack is controlling privileged access. Each step beyond number three in the process described above requires privileged credentials to succeed… If you have the ability to control privileged access, a cyber attack can be significantly mitigated.”
If this is the case, how do we manage and control privileged user access?
Defend with AppGate
AppGate is an integrated security gateway that provides application and service-specific authentication and authorization for controlling access inside and from outside the perimeter. We control privileged access from the beginning to detect anomalies in a user’s digital identity and block access if something is out of context.
How? AppGate’s context-aware architecture enables access to be granted based on any number and combination of user-specific variables, including location, time of day, device, security posture, and role. Firewall rules are not written once and saved forever, but are created and enforced when access is requested. This provides a secure, encrypted, service-specific connection to each individual app or service rather than open access to an entire network segment. AppGate also provides exhaustive documentary evidence of access to systems and documents for compliance auditors.
Powerful rules and roles management provides administrators with precise control over which network resources each user can access and under what circumstances. Endpoints can be measured, so, for example, only corporate-owned machines can connect to particular applications. Services that the user is not authorized to use are effectively made invisible, making it impossible for them to see or attack other corporate assets (this includes legacy systems that may not have fully encrypted data). The result? Even if an attacker passes the system of checks and gains access to the system, the damage he or she can do is greatly diminished.
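To make the per-request, context-aware model concrete, here is a small policy evaluator written for this post; it is an added illustration, not AppGate's code or configuration, and the services (hr-database, mainframe-gateway, supplier-portal), roles, users and conditions in it are constructed. It shows the properties the paragraphs above describe: every decision is default-deny and made at request time from the caller's context (role, device ownership, posture, location, time of day), a grant covers a single named service rather than a network segment, services a role is not entitled to are never advertised, and every decision lands in an audit trail.

```python
"""Context-aware, per-request access policy evaluator (added example).

Assumed model: a request carries the user's context; a policy names one
service, the roles that may see it, and the conditions that must all hold
at the moment of the request. Nothing is granted unless a policy matches.
All policies, users and services here are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Context:
    """Everything the gateway knows about the caller when access is requested."""
    user: str
    role: str
    corporate_device: bool   # device is enrolled/owned by the organisation
    posture_ok: bool         # e.g. disk encrypted, endpoint agent running, patched
    location: str            # coarse network location: "office", "home", "unknown"
    hour: int                # local hour of the request, 0-23


@dataclass
class Policy:
    """One service, the roles entitled to it, and named runtime conditions."""
    service: str
    roles: frozenset
    conditions: List[Tuple[str, Callable[[Context], bool]]] = field(default_factory=list)


def business_hours(ctx: Context) -> bool:
    return 7 <= ctx.hour <= 19


# Constructed policy set. Note that the sensitive HR database requires the
# most context, while the supplier portal only checks device posture.
POLICIES: List[Policy] = [
    Policy("hr-database", frozenset({"hr-admin"}), [
        ("corporate device", lambda c: c.corporate_device),
        ("posture ok", lambda c: c.posture_ok),
        ("from office", lambda c: c.location == "office"),
        ("business hours", business_hours),
    ]),
    Policy("mainframe-gateway", frozenset({"hr-admin", "ops"}), [
        ("corporate device", lambda c: c.corporate_device),
        ("posture ok", lambda c: c.posture_ok),
    ]),
    Policy("supplier-portal", frozenset({"supplier"}), [
        ("posture ok", lambda c: c.posture_ok),
    ]),
]

# Audit trail: one record per decision, granted or not, for later review.
AUDIT: List[Dict[str, object]] = []


def evaluate(ctx: Context, service: str) -> Tuple[bool, str]:
    """Decide a single (user context, service) request. Default deny."""
    matching = [p for p in POLICIES if p.service == service and ctx.role in p.roles]
    if not matching:
        # Either the service does not exist or this role is not entitled to it;
        # the caller gets the same answer in both cases.
        decision = (False, "denied: no matching policy")
    else:
        failed = [name for name, check in matching[0].conditions if not check(ctx)]
        decision = (True, "granted") if not failed else (False, "denied: " + ", ".join(failed))
    AUDIT.append({"user": ctx.user, "role": ctx.role, "service": service,
                  "granted": decision[0], "reason": decision[1]})
    return decision


def visible_services(ctx: Context) -> List[str]:
    """Services this role is entitled to; everything else is simply not advertised."""
    return sorted({p.service for p in POLICIES if ctx.role in p.roles})


if __name__ == "__main__":
    admin_in_office = Context("alice", "hr-admin", True, True, "office", 10)
    admin_at_home = Context("alice", "hr-admin", False, True, "home", 10)
    supplier = Context("bob", "supplier", False, True, "unknown", 23)
    for ctx, svc in [(admin_in_office, "hr-database"), (admin_at_home, "hr-database"),
                     (supplier, "hr-database"), (supplier, "supplier-portal")]:
        print(ctx.user, svc, evaluate(ctx, svc))
    print("bob sees:", visible_services(supplier))
```

The same user with the same role is granted the HR database from a corporate machine in the office during the day and denied from a personal machine at home, and the denial names the conditions that failed so the audit record is useful to a reviewer. The supplier never learns that an HR database exists; the only service advertised to that role is the supplier portal.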
In addition, AppGate can automatically configure machines that have never connected to the network before. So if an external trader or supplier uses a different PC, the client is provisioned and configured without having to wait for an administrator’s input.