The Candid Voice in Retail Technology: Objective Insights, Pragmatic Advice

Why Are We So Bad at Retail Breach Detection?


By Gary Warner, Guest Contributor

As we continue to watch more major retail chains reveal deep security breaches, it really begs the question “Why are we so bad at detecting network intruders?” Part of the problem is that these events are especially elusive and not what traditional security tools are designed to detect. Another part of the problem is that, as security professionals, we have very short memories and do a poor job of sharing what happens behind the scenes of these data breaches.

It may seem unconscionable that a company such as Target would not notice as criminal intruders abscond with more than 100 million credit cards, but, unfortunately, the fact of an undetected intruder is commonplace. Mandiant’s M-Trends 2013 report revealed that the average time from initial intrusion to discovery of a breach was 243 days. Verizon’s 2013 Data Breach Investigations Report examined 621 data breaches and concluded that 70% of the time an external party had to notify the breached company of the event. Even in large organizations, log analysis and network intrusion detection systems, commonly marketed security tools, only discovered 4% of the breaches each. The leading method for discovering a breach is common point of purchase (CPP) analysis. When a group of credit cards is found in the underground, analysts will review transactions with credit card issuers to determine if a single brand or store was the origin of the data. This is how the Target, Neiman Marcus, and Michael’s point-of-sale (POS) breaches were uncovered.
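The common point of purchase analysis described above can be reduced to a simple set-coverage calculation. The following is an added example, not code from the article or from Malcovery, using constructed transaction records and a constructed list of cards seen in an underground dump: for each merchant it computes what share of the compromised cards transacted there in the window, compares that with the rate among cards not known to be compromised, and ranks the candidates.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data (not from the article): (card_id, merchant, transaction_date).
TRANSACTIONS = [
    ("card01", "BigBox Store", date(2013, 11, 30)),
    ("card01", "Coffee Shop", date(2013, 12, 2)),
    ("card02", "BigBox Store", date(2013, 12, 1)),
    ("card02", "Gas Station", date(2013, 12, 3)),
    ("card03", "BigBox Store", date(2013, 12, 5)),
    ("card03", "Coffee Shop", date(2013, 12, 6)),
    ("card04", "BigBox Store", date(2013, 12, 10)),
    ("card05", "Coffee Shop", date(2013, 12, 4)),   # compromised, but never used at BigBox
    ("card06", "Coffee Shop", date(2013, 12, 4)),   # cards 06-10: not in the dump
    ("card07", "BigBox Store", date(2013, 12, 4)),
    ("card08", "Gas Station", date(2013, 12, 8)),
    ("card09", "Coffee Shop", date(2013, 12, 9)),
    ("card10", "Gas Station", date(2013, 12, 11)),
]

# Constructed: card ids that an analyst found in an underground card dump.
COMPROMISED = {"card01", "card02", "card03", "card04", "card05"}


def merchants_by_card(transactions, start=None, end=None):
    """Map card -> set of merchants where it was used inside the optional date window."""
    seen = defaultdict(set)
    for card, merchant, when in transactions:
        if (start is None or start <= when) and (end is None or when <= end):
            seen[card].add(merchant)
    return seen


def common_point_of_purchase(transactions, compromised, start=None, end=None,
                             min_coverage=0.5):
    """Rank merchants by the share of compromised cards that used them (coverage),
    with the rate among non-compromised cards as a baseline and their ratio as lift."""
    seen = merchants_by_card(transactions, start, end)
    clean = set(seen) - compromised
    merchants = {m for used in seen.values() for m in used}
    results = []
    for m in merchants:
        comp_hits = sum(1 for c in compromised if m in seen.get(c, ()))
        clean_hits = sum(1 for c in clean if m in seen.get(c, ()))
        coverage = comp_hits / len(compromised) if compromised else 0.0
        clean_rate = clean_hits / len(clean) if clean else 0.0
        lift = coverage / clean_rate if clean_rate else float("inf")
        if coverage >= min_coverage:
            results.append({"merchant": m, "coverage": coverage,
                            "clean_rate": clean_rate, "lift": lift})
    # Highest coverage first; lift breaks ties between merchants everyone visits.
    results.sort(key=lambda r: (r["coverage"], r["lift"]), reverse=True)
    return results


if __name__ == "__main__":
    for r in common_point_of_purchase(TRANSACTIONS, COMPROMISED,
                                      date(2013, 11, 25), date(2013, 12, 15)):
        print(f"{r['merchant']:<14} coverage={r['coverage']:.2f} "
              f"baseline={r['clean_rate']:.2f} lift={r['lift']:.1f}")
```

On the constructed data the big-box merchant covers 80% of the dumped cards against a 20% baseline, while the coffee shop, which many cards visit regardless, has much lower lift. The baseline comparison is what keeps a popular merchant from looking like the breach origin simply because it is popular.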

Phishing on the Rise

Of the breaches that were discovered internally, none were detected by anti-virus. In fact, the most common discovery method was a report by an alert user. Four percent of all data breaches and 9% of data breaches in large organizations were discovered by an internal user reporting suspicious activity. What kind of suspicious activity? Between 2011 and 2012, social engineering, largely in the form of tailored email phishing, quadrupled as a point of origin for breaches. Recent examples of this type of breach include the late January 2013 phishing attacks against CNN and Microsoft by the Syrian Electronic Army. Phishing emails imitating Turner and CNN password reset requests led to CNN’s Twitter, Facebook, and blog sites being compromised. Phishing emails sent to Microsoft investigators led to the theft of sensitive data about on-going investigations. Customized phishing attacks are behind the initial point of entry in a growing number of data breaches.

While both the social (via phishing) and physical (via POS and ATM smash-and-grab) vectors are increasing greatly, malware is still a more prominent initial attack vector, usually through an employee opening a malicious email attachment. The infected computer then becomes the foothold in the network that is established as the base of operations for the hacker’s internal network reconnaissance. As Malcovery routinely demonstrates with Today’s Top Threat reports, anti-virus software is very good at telling you about the attacks that the criminals were using yesterday but not at detecting or preventing the new attack today.

Short Memories and Breaches Past

As any good penetration tester will tell you, there is a well-recognized sequence of operations involved in taking control of a network, as follows: External Recon → Attack → Internal Recon → Expand → Dominate → Exfiltrate. Reading through related court cases and investigators’ reports of previous cases shows the model in action. Heartland Payments—and most of 17 other data breaches executed by a group of eastern European hackers led by Vladimir Drinkman from 2005 to 2012—began with an SQL injection attack that allowed them to plant remote control software on an internal network asset. They used the “old school” External Recon technique of SQL injection in their breaches at places such as NASDAQ, 7-Eleven, JCPenney, Hannaford Brothers, JetBlue, and Heartland Payment Systems. Today’s External Recon is far more likely to involve identifying the email addresses of key IT and management personnel and targeting them with phishing and malware-laden email messages.

The Attack would then consist of causing either the SQL server or the employee workstation to download additional tools and software and to establish communications with the hacker. Internal Recon, often involving a password dumping and cracking utility, is used to identify administrative accounts, while a port scanner is used to search the network for databases and POS terminal devices. Often configurations, inventories of accounts, and database structures are exfiltrated at this point to enable customized tools to be developed by the hacker. Once prepared, the hacker Expands by installing his customized POS malware and scripts to begin dumping data from POS terminals and databases. If successful, the Dominate phase begins, where data is gathered to a central storage point and then Exfiltrated to the criminal’s external storage servers. Once this data capturing and exporting begins, it can continue for many months before discovery.

A Better Way

As discussed in the Malcovery Security white paper, Special Report: Lessons Learned from the Target Breach, network defenders must look at their networks in a different way. Users are our best security tool. Encourage them to report anything unusual, including breaches of their personal accounts on any computer where they may also access work resources. Use threat intelligence approaches, such as Malcovery’s Today’s Top Threats or Internet Identity’s DNS Firewall, to find new malware rather than relying on outdated anti-virus models. Many of the tools used in the Internal Recon, Expand, Dominate, and Exfiltrate phases of the attack will not sound security alarms, but they will appear out of place. Configuration control is critical. Servers should not be accessing external Internet pages. Administrative tools such as database and password dumping tools should not be on your network unless central IT authorized them to be. Activity of any administrator-level accounts should be logged and audited. Unauthorized programs identified with network security tools such as Tripwire and Bit9 should be checked thoroughly to see if they are “out of place,” not just scanned to see if they are malware.
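The three concrete controls above (servers talking to the outside, administrative utilities where central IT never authorized them, and auditing of administrator-level accounts) are all “out of place” checks rather than malware signatures, and each maps onto a phase of the Internal Recon / Expand / Exfiltrate sequence described earlier. The following is an added example, not code from the article or from Malcovery: it runs those checks over a handful of constructed key=value log lines (proxy, process-start and authentication events). The host inventory, admin account list, watched tool names and authorization allowlist are all constructed; a real deployment would source them from its CMDB and directory.

```python
import re
from collections import Counter

# Constructed sample log lines (not from the article) in a simple key=value format.
SAMPLE_LOGS = """\
2013-12-02T03:14:07 type=proxy host=db01 user=svc_dba dest=203.0.113.50:443 bytes_out=48213000
2013-12-02T03:15:11 type=proc host=pos-gw01 user=domain_admin image=netscan.exe
2013-12-02T03:20:00 type=proc host=db01 user=svc_dba image=backup.exe
2013-12-02T09:01:22 type=proxy host=ws-alice user=alice dest=198.51.100.7:80 bytes_out=1200
2013-12-02T09:05:00 type=proc host=ws-bob user=bob image=creddump.exe
2013-12-02T10:00:00 type=auth host=db01 user=domain_admin result=success
"""

# Constructed inventory: which hosts are servers versus user workstations.
HOST_ROLES = {"db01": "server", "pos-gw01": "server",
              "ws-alice": "workstation", "ws-bob": "workstation"}
# Constructed list of administrator-level accounts whose activity is always audited.
ADMIN_ACCOUNTS = {"svc_dba", "domain_admin"}
# Constructed tool names for the categories the article says need central IT approval.
WATCHED_TOOLS = {"creddump.exe": "password dumping", "netscan.exe": "port scanner",
                 "backup.exe": "bulk data staging"}
# Constructed allowlist: hosts on which central IT authorized a given tool.
AUTHORIZED_TOOLS = {"backup.exe": {"db01"}}

FIELD = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one log line into a dict; the leading token is the timestamp."""
    ts, _, rest = line.partition(" ")
    rec = {"ts": ts}
    rec.update(FIELD.findall(rest))
    return rec


def check_event(rec):
    """Apply the article's 'out of place' rules to one event and return findings."""
    findings = []
    host, user = rec.get("host"), rec.get("user")
    # Rule 1: servers should not be reaching external web destinations at all.
    if rec.get("type") == "proxy" and HOST_ROLES.get(host) == "server":
        findings.append({"rule": "server_outbound", "phase": "Attack/Exfiltrate", "host": host,
                         "detail": f"{rec.get('dest')} bytes_out={rec.get('bytes_out')}"})
    # Rule 2: password dumping, port scanning and staging tools only where authorized.
    image = rec.get("image")
    if image in WATCHED_TOOLS and host not in AUTHORIZED_TOOLS.get(image, set()):
        findings.append({"rule": "unauthorized_tool", "phase": "Internal Recon/Expand",
                         "host": host, "detail": f"{image} ({WATCHED_TOOLS[image]})"})
    # Rule 3: every action by an administrator-level account goes to the audit trail.
    if user in ADMIN_ACCOUNTS:
        findings.append({"rule": "admin_activity", "phase": "audit", "host": host,
                         "detail": f"{user} {rec.get('type')}"})
    return findings


def scan(log_text):
    """Run every rule over every non-empty line and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            findings.extend(check_event(parse_line(line)))
    return findings


def summarize(findings):
    """Count findings per rule, the figure a daily review would start from."""
    return Counter(f["rule"] for f in findings)


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"{f['rule']:<18} {f['phase']:<21} {f['host']:<9} {f['detail']}")
    print(dict(summarize(scan(SAMPLE_LOGS))))
```

Note that none of the rules inspects the program itself: the backup utility on the database server is silent because central IT authorized it there, the port scanner on the POS gateway and the credential dumper on a workstation are flagged because nobody did, and the database server’s 48 MB outbound HTTPS session is flagged purely because servers have no business browsing. The workstation user’s ordinary web traffic produces nothing, which is the point of keeping the rules narrow.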

Editor’s Note: Gary Warner is the Chief Technologist at Malcovery Systems, and can be reached at gar@malcovery.com.

Newsletter Articles January 28, 2014