The Verizon 2014 Data Breach Investigations Report (DBIR) included a broad range of security incidents for the “Crimeware” category that basically included any malware-related events that didn’t appear to be a POS attack or espionage.
With over 12,000 incidents, the Crimeware category was the second largest group behind human mistakes in the “Miscellaneous Errors” section affecting mostly servers.
The report notes that based on the fast discovery of these types of incidents it’s possible that many crimeware attacks were thwarted by AV and IPS. This would support the theme of AV and IDS being very effective but not bullet proof security controls.
Servers Protected by AV and IPs Were Breached? Inconceivable!
However, as the report points out, focusing solely on prevention with IDS and AV isn’t enough—you need to improve detection and response as well by deploying a system that can monitor configuration change like a Security Configuration Management (SCM) solution.
The Battle of Wits Has Begun
“Unlike iocane powder, many of the vectors and persistence methods used by crimeware can be easily detected by watching key indicators on systems” – Verizon 2014 DBIR
A good SCM solution can detect changes to key indicators for the most common server attack vectors: local firewall configurations, scheduled tasks, startup tasks and more. Because these items should rarely change, it’s important to be immediately alerted when they do.
There’s a Shortage of Perfect audit Trails in this World, It Would Be a Pity to Damage Yours…
It’s interesting that many of the incidents were not investigated. The report mentions that the most common response is to remediate and move on instead of performing a forensic investigation.
However, if the hacker covered their footsteps by deleting logs and audit trail you’ll never get this chance. This is another area where an SCM solution can help by protecting the audit trail so that if an attack succeeds, forensic data is available.
Is Your AV Mostly Dead?
As far as AV goes, it’s only effective if it’s installed, up to date, and actually running on the machines it needs to protect. SCM can help ensure a successful AV program by making sure it’s actually doing its job.
The Miracle Pill
To learn more about how a SCM solution can help you better detect and respond to crimeware incidents, check out the Cybercrime Controls included with the Tripwire Enterprise SCM solution. If you’re an existing Tripwire Enterprise customer you can download the controls for free from the Tripwire Customer Center.
Have fun storming the castle!
- DBIR 2014: Point-of-Sale Attack Trends
- Verizon 2014 DBIR: Hide Your Servers and Call the Cops
- Verizon DBIR: The Hackers are Winning
- Verizon DBIR: 2013 Data Breach Review
The Executive’s Guide to the Top 20 Critical Security Controls
Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].
Title image courtesy of ShutterStock