

‘We Assume the Bad Thing Has Already Happened’ - ddeck
http://www.bloomberg.com/news/features/2015-06-19/emc-is-caught-in-the-crosshairs-of-a-cyberwar-that-never-ends

======
serf
de-facto-cybercriminal-youth-with-hood-and-covered-face.jpg is turning into a
comic relief element for me with every one of these cyber-security articles.

------
applecore
Off-topic: That is some great visual storytelling.

~~~
vermooten
Agreed! It is a work of beauty, sadly it dwarfed the content.

~~~
cholantesh
I found it a bit busy, personally. Much like "What is Code?", I am certain it
would devour a phone's resources within minutes.

------
themeek
This is the future (but really just one small step) of defensive measures that
need to be taken against computer network exploitation.

There is essentially no computer network that cannot be breached by dedicated
and patient (and especially funded) hackers. With increasing importance it is
crucial to merely assume that your network has been compromised and work on
continual investigation for evidence of full compromise. Assume breach
methodology also calls for better credential management: most networks - once
on the inside - are very 'flat' in the sense that it's only a couple hops from
any user to a network superuser.

This is the reason, for example, why Google's internal corporate network is
now internet accessible (corp.google.com). Google has taken the stance that
they cannot rely on a network perimeter to keep adversaries out and are
proving it by not relying on that perimeter for security.

Assumed breach philosophy dictates that detection (e.g. by finding anomalous
activity, and alerting on signatures) and response/recovery (e.g. isolation of
machines, rolling credentials en masse, forensics to determine scope of
compromise) are at least as important as prevention.

Another layer of protection is the cloud where scaled efforts can be made to
provide security. Here patches, access controls, isolation, logging and audits
can be performed more cheaply by the provider than it can be done as a sum
over all individual corporations. Of course, the hypervisor and virtual
networking themselves provide a strong security container.

Many of these cloud providers and large US industries (finance, energy) rest
on top of segmented parts of the US's DISN (the Defense Information Systems
Network) where the DoD can monitor the periphery for cyberattacks and alert
companies.

This is one example of data sharing - another large investment being made by
the US to secure its cyberspace. Corporations can buy services from Mandiant,
FireEye and a number of other private parties for real-time information about
threat intelligence (exploit/behavioral signatures and hacking group MOs).
While expensive, these subscriptions can pay for themselves if they prevent or
mitigate costs associated with a large breach.

Data sharing is also done between companies on legal agreement. Large
companies form networks on threat intelligence - sharing information about
malware signatures, activity, source IPs and account names of malignant
activity. This is a cheaper option, though the intelligence is less 'curated'.

Finally, the US provides threat intelligence to onboarded corporations using
formats like STIX and TAXII. At the speed of computer networking, detection
capabilities for tooling and tactics of adversaries can be proliferated cross
industry so that, even if a breach is successful, if it is detected the cost
for attacking other corporations is raised - malware must be recompiled, etc.

Computer intrusion is a cat-and-mouse game and none of these things, even
their sum together, will stop successful breaches. They are, however, cheap
means that increase the cost and required sophistication of attackers.
Attackers continue to grow in sophistication and today, still outpace all
layered defenses.
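To make the "flat network" point above concrete, here is an added example (not from the article or this thread) that models who-can-take-over-whom as a graph and measures how many hops separate an ordinary user from the domain superuser group, before and after one credential-management fix. The hosts, accounts and edges are a constructed toy model; a real graph would be built from group membership, local-admin rights and logon-session data.

```python
from collections import deque
from typing import Dict, List, Optional

# Constructed toy access graph (example data, not from the article or thread).
# An edge A -> B means "whoever controls A can obtain control of B": a user
# logs on to their workstation, a privileged credential cached on that box
# yields the helpdesk account, the helpdesk account is admin on the domain
# controller, and so on. Real graphs come from AD group membership,
# local-admin rights and logon-session data.
ACCESS_EDGES: Dict[str, List[str]] = {
    "alice@corp": ["wks-alice"],
    "bob@corp": ["wks-bob"],
    "wks-alice": ["helpdesk@corp"],  # helpdesk credential cached on alice's workstation
    "wks-bob": [],
    "helpdesk@corp": ["wks-alice", "wks-bob", "dc01"],  # helpdesk is admin on dc01 (bad)
    "dc01": ["Domain Admins"],
    "Domain Admins": [],
}

def shortest_path(graph: Dict[str, List[str]], start: str, target: str) -> Optional[List[str]]:
    """Breadth-first search; returns the fewest-hop path start -> target, or None."""
    prev: Dict[str, Optional[str]] = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in graph.get(node, []):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None

def flatness_report(graph: Dict[str, List[str]], users: List[str],
                    target: str = "Domain Admins") -> Dict[str, Optional[int]]:
    """Hops from each ordinary user to the superuser group; None if unreachable."""
    report: Dict[str, Optional[int]] = {}
    for user in users:
        path = shortest_path(graph, user, target)
        report[user] = None if path is None else len(path) - 1
    return report

def without_edge(graph: Dict[str, List[str]], src: str, dst: str) -> Dict[str, List[str]]:
    """Model a mitigation, e.g. no longer caching privileged creds on user workstations."""
    return {k: [v for v in vs if not (k == src and v == dst)] for k, vs in graph.items()}

if __name__ == "__main__":
    users = ["alice@corp", "bob@corp"]
    print(flatness_report(ACCESS_EDGES, users))  # {'alice@corp': 4, 'bob@corp': None}
    hardened = without_edge(ACCESS_EDGES, "wks-alice", "helpdesk@corp")
    print(flatness_report(hardened, users))  # {'alice@corp': None, 'bob@corp': None}
```

Removing a single cached-credential edge is enough to cut alice's four-hop path to Domain Admins, which is the kind of "better credential management" the assume-breach approach asks for.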

