Cisco Security Report: Dwell time and encryption security struggles

Cisco Security Report: Dwell time and encryption security struggles

The 2016 Cisco Security Report highlighted the duality of cybersecurity and described a number of issues, including encryption security and dwell time as a constant struggle between threat actors looking for more effective and efficient attack techniques and security providers responding to those changes.

One of the statistics in the report that could have been spun as a net positive for Cisco was that since May, Cisco reduced the median time to detection (or dwell time) of known threats on its networks to 17 hours. However, Jason Brvenik, principal engineer for the Security Business Group at Cisco, noted that this metric was more representative of the “push and pull” between threat actors and security and should be used more as a way to see which side is improving at a given time.

“Our point in talking about time to detection is that it’s a durable metric that organizations can use, establish and measure to help them understand how well they’re doing and what their opportunity is to improve,” Brvenik said. “And, if you don’t start paying attention to time to detection, then the attacker basically has unfettered access until you get that.”

Fred Kost, senior vice president at HyTrust, said that although dwell time is an important security metric, it is reactive and not preventative.

“Time to detection will vary over time as the cat and mouse game plays out between attackers and defenders,” Kost said. “Part of the challenge for enterprises is the improving ability of attackers to remain covert once they have access to the network and servers, driving the need to have better segmentation and controls on what privileges users have, especially as virtualization and cloud makes access to a greater number of systems more likely.”

Brvenik said Cisco has had some success in bringing down dwell time, but that this measurement would ultimately vary.

“I fully expect that [threat actors] are going to recognize the lack of ROI or the reduction of ROI they’re getting and they’re going to come back and try something new,” Brvenik said. “As a defender, you have to be right 100% of the time and the attacker only has to be right once.”

Cisco found this was already true in the evolution of botnets and exploit kits (EK) like Angler. The Security Report showed that attackers using Angler had large scale campaigns with 90,000 targets per server per day, 10% of which were served exploits. Of those served exploits, 40% were compromised and 62% of those were served ransomware. Though only a small fraction paid the ransom (2.9%) and each instance was a few hundred dollars, that still added up to $34 million per ransomware campaign over the course of a year.

Craig Williams, senior technical leader and outreach manager at Cisco, said the advancements seen in how attackers use the Angler EK and botnets can be directly attributed to the security industry getting better at its job. Williams described how five or ten years ago, botnets were simple setups of one server connecting to another, so it was easy to block the host server to take down the botnet. But, attackers have found a way to use Angler to make this much more difficult to stop.

“The way that they set up the network to host these exploits is really intelligently architected around the fact that they want to have the ability to rotate servers as we take them down. You can kind of think of it like a Hydra,” Williams said. “When the customer gets redirected to the Angler exploit kit’s landing page, to them it looks like the front-end proxy server is all there is. But, the reality is that behind the scenes it’s actually being connected to another server hosting the exploit and yet a third server that’s actually continuously pinging it to make sure it’s online. The second it goes down from an abuse ticket or blocked by a good guy, it’ll actually rotate that server out and replace it with another server with a completely different IP address. So, effectively cutting the head off the Hydra, another head pops up in place and takes over. It’s a really unique design and I think it’s one that we’ve seen and will continue to see people evolve to just because it’s a little more efficient way to be a bad guy and that’s just the nature of the game in this day and age.”

Another subject that Cisco found to have both positive and negative consequences was encryption. The report stated that encryption can create security issues for organizations, including a false sense of security. Research found that encrypted traffic, especially HTTPS, crossed a tipping point in 2015 and now more than 50% of bytes transferred were encrypted over the year. But, Brvenik said this is something organizations need to plan for because it means “they’re rapidly losing visibility into some of the threats that can present there.”

Williams noted that while the push towards encryption is good from a privacy standpoint, it will also introduce “significant security issues.” Williams said the biggest misconceptions were that people tend to think if something is encrypted, it is safe, and that more encryption is always better.

“Think about what encryption was designed to be used for — only the sensitive pieces of data. That’s how encryption is intended to be used,” Williams said. “An advertisement from a website is not a sensitive piece of data and it shouldn’t be encrypted. If it is, then you’re effectively hiding any potential attacks from detection systems. So, even if your company has IPS or in-line antivirus, you’re not going to see potential attacks.”

Brvenik said the loss of visibility will have cascading impacts and organizations need to plan security strategies now.

“The impact of a lack of visibility in one layer will affect others. There are solutions that can move to the endpoint; there are solutions that can move to decapsulation; there are a lot of approaches there,” Brvenik said. “The point is — they need to start thinking about it now because they’re going to find themselves in a situation where it’s too late.”

Gur Shatz, co-founder and chief technology officer of Cato Networks, said enterprises need to be careful about how they plan security strategies because dealing with encrypted data can be resource-intensive.

“Encrypted traffic requires decryption before it can be analyzed. This is a CPU-intensive process, and could add latency,” Shatz said. “Ideally, you want to decrypt once, and do all the threat detection (multiple layers) on the decrypted traffic. When using point solutions, each one will need to decrypt the traffic separately, potentially slowing down traffic. On the flip side, some enterprises will want to choose and integrate best-of-breed point solutions, because they believe they can get better detection.”

Jeff Schilling, CSO for Armor, said the latency issue could force difficult decisions.

“More complex encryption algorithms are harder to decrypt for Layer 7 inspection, looking for common web OWASP top ten application attacks. This is driving the web industry to look to CDN application inspection architectures, which can inject latency, which many of our customers can’t tolerate,” Schilling said. “We have to ask ourselves, which problem has more risk? Threat actors decrypting data or launching application layer attacks? I think there is more risk in the latter.”

One attack vector that Cisco said was being overlooked was in malicious browser extensions. Cisco’s research found that more than 85% of organizations encounter malicious extensions in the browser, which can lead to leaked data, stolen account credentials, and even attackers installing malicious software on a victim’s computer.

Williams said this is especially dangerous because the browser is the largest attack surface in an organization. But, Williams also said that this should be a very easy problem to fix, because although internal Web apps may need a specific plugin or browser version, the tools exist to secure the enterprise environment.

“The reality is in this day and age there are so many different types of browsers out there and so many different ways to install those, that you can easily have a secured browser for the Internet and another browser you use because you have to have a specific plugin or a specific variant,” Williams said. “You can determine this from the network. There is no reason companies should allow insecure browsers to access the Internet anymore. We have the technology. We have solutions that can filter out vulnerable browsers and just prevent them from connecting out.”

Robert Hansen, vice president of WhiteHat Labs at WhiteHat Security, said enterprises should have strong policies about what browser extensions can be installed by employees.

“Browser extensions often leak data about their presence, people’s web-surfing habits, and other system level information. Sometimes this can be fairly innocuous (for instance anonymized metadata about usage) and sometimes it can be incredibly dangerous, like full URL paths of internal sensitive devices,” Hansen said. “In general, people really shouldn’t be installing their own browser extensions – that should be for IT to vet and do for them to ensure they aren’t inadvertently installing something malicious.”