CIO

When you can't outspend an attacker, what do you do?

  • Liam Tung (CSO Online)
  • 13 November, 2015 09:01

Organisations cannot thwart every possible attack levelled against devices in their network but they can still contain a threat before it causes serious damage.

When the US National Security Agency (NSA) -- or for that matter any nation’s spy agency -- has the resources to obliterate your defences, what are your choices? Roll over and quit? Hack them back? Or spend more on securing a porous perimeter?

Upstart vulnerability broker Zerodium last month awarded $1 million to an unnamed group who discovered a remote exploit in iOS 9.1 that it will likely sell to clients who want to use it. The company won't report the bug to Apple, which would fix it and thus ruin the asset.

That's not comforting for individuals and organisations, since there is no security product on the market that can reliably protect against those threats.

“There’s no way that security companies can somehow develop something that protects against everything because attackers have access to vulnerabilities that we don’t even know about,” Mark Schloesser, a security researcher at Rapid7, told CSO Australia.

“If you’re facing those actors, it’s game over.”

However that doesn’t mean, as Cisco stated in its 2014 annual security report, that every organisation should “assume they’ve been hacked”.

According to Schloesser, a better assumption is that you will eventually be compromised. The question then is what do you do next.

Attacks are measured by their impact on the victim, and impact is largely shaped by how long it takes to discover that a breach has occurred and what the attackers have done in that time. Catch it early and, no matter how sophisticated the attack was, the damage can be minimised. A study by security firm FireEye found the average time before a breach was detected in 2014 was 205 days, down by 24 days on the previous year.

So, in Schloesser’s view, attackers aren’t necessarily already inside, but they will eventually be, and when they are, regardless of whether it’s a criminal group or a spy agency, they’ll typically attempt to achieve similar goals.

“After being infected, and [sophisticated attackers] are in your organisation, some of the interaction and lateral movement they do is what normal cybercriminals will do. They will try to expand their access to maybe the more valuable systems and that is something that’s very hard to hide,” he said.

“They can try to hide and do it over months instead of in a short time frame, but after all they need to make network connections to these particular assets and that’s stuff that’s particularly hard to hide.”
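Schloesser's point above is that lateral movement toward valuable systems still has to show up as network connections. The following is an added example (not code from the article or from Rapid7) that baselines which sources talk to a small set of high-value assets during a learning window and alerts on any source that reaches one of them for the first time afterwards; the asset list, flow-record format and sample records are all constructed for illustration.

```python
"""Flag first-seen connections to high-value assets in flow records.

Added illustration, not the article's or Rapid7's code. The record format
(day, src_ip, dst_ip, dst_port), the asset list and the sample flows are
constructed assumptions standing in for real NetFlow or firewall logs.
"""
from collections import defaultdict

# Hypothetical high-value assets (constructed addresses).
HIGH_VALUE_ASSETS = {
    "10.0.1.10": "database server",
    "10.0.1.20": "Active Directory controller",
}

# Constructed flow records: (day, src_ip, dst_ip, dst_port).
FLOWS = [
    (1, "10.0.5.11", "10.0.1.10", 1433),  # app server -> database, expected
    (1, "10.0.5.11", "10.0.1.20", 389),   # app server -> AD, expected
    (1, "10.0.9.34", "10.0.2.7", 445),    # workstation -> file share, not an asset
    (2, "10.0.5.11", "10.0.1.10", 1433),
    (2, "10.0.9.34", "10.0.1.20", 389),   # workstation -> AD, first seen
    (3, "10.0.9.34", "10.0.1.10", 1433),  # workstation -> database, first seen
    (3, "10.0.5.11", "10.0.1.20", 389),
]


def baseline(flows, learning_days):
    """Map each asset to the set of sources that reached it during the learning window."""
    known = defaultdict(set)
    for day, src, dst, _port in flows:
        if day <= learning_days and dst in HIGH_VALUE_ASSETS:
            known[dst].add(src)
    return known


def find_new_access(flows, learning_days):
    """Return (day, src, dst, port, asset) alerts for sources that reach a
    high-value asset after the learning window without having done so in it.
    A source is reported once per asset, then treated as known."""
    known = baseline(flows, learning_days)
    alerts = []
    for day, src, dst, port in flows:
        if day <= learning_days or dst not in HIGH_VALUE_ASSETS:
            continue
        if src not in known[dst]:
            alerts.append((day, src, dst, port, HIGH_VALUE_ASSETS[dst]))
            known[dst].add(src)
    return alerts


if __name__ == "__main__":
    for alert in find_new_access(FLOWS, learning_days=1):
        print("first-seen access to high-value asset:", alert)
```

A real deployment would feed this from flow exports and review the baseline itself, since anything an intruder did during the learning window would be accepted as normal.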

Antivirus and other protective systems are necessary, but he argues it’s impossible to engineer a defence system that will stop every threat.

“We’re not saying protection is useless but there are ways around it.”

Application whitelisting could provide an effective response when limited to high-value assets, such as a database system or an Active Directory controller. Whitelisting was ranked as a top-four mitigation strategy by Australia’s Department of Defence, but Schloesser said the industry has largely abandoned whitelisting because it’s too unwieldy across a large fleet of desktops.

Before long, however, PCs and servers will be just a few among many other “things” — such as thermostats, locks, vehicles, white goods, TVs and so on — in the home and enterprise that could be exploited by hackers.

Analyst firm Gartner forecasts there will be 4.9 billion connected things this year and 25 billion by 2020. While there will be more connected consumer devices, the firm predicts huge uptake in business and government too, particularly among utilities, due to the efficiencies offered by smart meters.

Schloesser has also been involved in an ongoing scan of the internet, probing for vulnerabilities in embedded devices. The project, which has run since 2013, searches for everything from remote administration tools for gas pumps and point of sale machines to remote video devices.

“Pretty much everything that we looked at as a device everything fell apart. We didn’t see an embedded device that’s been used in the wild that was completely configured in a good way and didn’t have vulnerabilities. All of it has remotely exploitable vulnerabilities and it’s just nobody has looked at it or just the bad guys have.”

In a business context, the problem of securing these devices comes down to features, such as remote management, that come with no way to enforce security on them. One example is serial port-enabled devices that typically connect to a modem.

Administrators who manage computing infrastructure for distributed offices or, say, petrol stations or point of sale systems, often prefer to do the job remotely.

“So they put these serial servers on the switch or router and then can access it from home. But the default configuration for those devices is unauthenticated, unprotected, and a large proportion of people who use them don’t take the steps to secure it,” said Schloesser.

“We saw so many odd devices that were available on the public internet where there was no authentication because they expect that you are local with physical access. But by connecting to the serial port server it suddenly becomes accessible over the internet,” he added.

While these are not technically vulnerabilities in the product, manufacturers could require users to set a username and password before the device can be activated.

“Some people would turn it off because it’s a hassle but that would be so much less of a problem than what they have to do now, which is to actively make it secure,” he said.