Having worked in with the FBI, the Department of Homeland Security and US CERT, Andre McGregor and Chris Hallenbach have been involved in the investigation of countless breaches against a wide variety of different targets.
They spoke at the AISA Conference on the issue of breach fatigue. I caught up with them after their presentation.
“You can get to the point where you’re playing fireman, just going from fire after fire and you just get burnt out. Or, from the user side, you’re inundated with security messaging,” says McGregor.
That level of overload results in people not really knowing what to do about their security. McGregor and Hallenbach have worked with a large number of people and developed a model for dealing with, what they call, breach fatigue.
Their approach involves creating networks of people from different issues who share meaningful information and develop networks that extend beyond their own vertical sectors.
Hallenbach says it’s little surprise there’s fatigue around this. With so many breaches reported, companies see the theft of data as being a regular occurrence. This is what drive them to leave law enforcement and government and take up their current olds at Tanium.
“Instead of going from fire to fire, let’s build fire-resistant material,” says Hallenbach.
McGregor says he has presented to many companies and uses a standard presentation titled “I’ve seen it before”. This is to highlight to the executives and boards he speaks to that, despite their perception that they attacks they’ve suffered are usually categorised as sophisticated and unique, they are usually the same vulnerabilities they’ve seen elsewhere using phishing attacks or breaking into unmatched servers.
“It may have been a sophisticated attacker but it was not a sophisticated attack,” says McGregor.
“It might be new to them but it’s not new to us,” adds Hallenbach.
Although there are some similarities in the tools and methods used by attackers, Hallenbach says the threat actors are often focussed on specific verticals. This is because they need specialised Knowledge in order to not only get into systems but to successfully and stealthily exfitrate stolen data.
One other things they pointed out was the concept of the “dirty pond”. In many cases, when an attack is detected companies focus on responding that threat. However, they say, in many cases a single detection is just the start with many other threat actors laying low and waiting for their optimal moment to attack.
“That was the number one Runkle we had as incident responders,” says McGregor. “We asked for all the data from the victim. And if we didn't see signs of more than one intruder in there we knew we were missing data”.
That’s a nuance that is often missed in security reports. In addition, McGregor says the very vast majority of incidents reported occurred when a previously reported and patched vulnerability was either ignored or misused by the victim.
While some companies try to stay abreast of new vulnerabilities, no one is doing it especially well, they say.
Doing the basics, such as regular and punctual patching and limiting administrative access go a long way to making the threat surface smaller. One of the issues, they say, is companies often don't know what assets they have, making it impossible to know if they’ve been breached.
This is why threat actors don’t always need to use zero day exploits. They can simply walk in the front door.
This often occurs because humans tend to drift away from approved processes designed to put controls in place. This is why automation is crucial. As environments grow in size and complexity, it becomes increasingly difficult for people to keep up. In addition, they can start to short cut processes for expedience.
Similarly, there’s “tool fatigue” says Hallenbach. Many companies invest in tools only to either under-utilise them or lose expertise in how to use them when staff members leave the organisation. Also, there’s siloed data as the tools don't work together, creating blindspots.