Failing to Treat the Disease

When you work in cyber security there are signs of hackers you see every day.  It is easy to brush these off and act as though whatever symptom you see is nothing special.  Just an aberration.  After all, many people will always look for the easiest path.  So if someone notices a failed login attempt on a server, they may think it was a fluke and never investigate the issue.

Failing to follow any of the breadcrumbs you find is the most dangerous path of all.  If you are going to work in cyber security you need to assume there are no coincidences, no aberrations, and no isolated events.

Treating the Symptoms

A recent occurrence is an excellent analogy for what I am trying to illustrate.

In a recent conversation I had with a client, we were discussing the increased amount of SPAM messages that were being received by this organization.  The SPAM-filtering provider was blocking all of the unwanted emails as they were reported, but the client remained frustrated.  The provider would block things that were reported but was not doing anything to reduce the amount of SPAM getting through in the first place.  Who has time to report every one of them?  The provider should have been researching how these things were getting through.  The provider would not fix the root of the issue, the disease of SPAM; they kept treating the symptoms (the individual SPAM messages).

This is a common practice in the technology space (and I suspect other industries as well).  As soon as the client started telling me about their issue I could tell immediately what the real issue was: the increase in SPAM.  They couldn't care less about the individual messages.  From their perspective there is no point in blocking a message since SPAM is rarely repeated.  Fix the issue!

In cyber security detection the exact same thing happens.  Firms will react when they know a breach has occurred, but not look at the issues along the way.

Get Above the Symptom

History shows us that when an attack occurs, the attackers are in the system for months or years prior to being detected.  This is happening at large organizations, ones with teams of people, and they are routinely successful.  The reason is simple: no one is looking at the trail of evidence being left.  If they detected even part of what was really happening, they would be able to stop the attack.

Attacking and stealing money or data from an organization is a systematic process involving several isolated attacks used to gather information.

An attacker may send a spear-phishing email to a target company and try to solicit a password, then they may attempt to get software installed, then they may attempt to gain access, followed by trying to get administrative credentials, then work on getting a key logger installed, then use that data to get additional access...

No single event will ever, on its own, make an attack successful.  Attackers will work and work and work to get access and what they want from a company.
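The progression above is exactly what a detection team can correlate instead of triaging each event alone. The following is an added example, not code from the original post: it ties low-severity events (a reported phish, a new install, failed logins, a privilege escalation) to the same user within a time window and flags the chain. The stage names, the log format and the log lines are all constructed for illustration.

```python
"""Correlate isolated low-severity events into one multi-stage attack chain.
Each event on its own looks like noise; several stages tied to the same
subject inside a window are the trail the post says nobody follows."""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical event types mirroring the post's attack progression, in order.
STAGE_ORDER = ["phish_reported", "new_software", "failed_logins",
               "priv_escalation", "keylogger_detected"]

# Constructed sample log lines: timestamp|event|subject (user or host).
SAMPLE_LOG = """\
2024-03-01T08:02:00|phish_reported|jdoe
2024-03-01T09:15:00|failed_logins|msmith
2024-03-02T13:40:00|new_software|jdoe
2024-03-04T07:55:00|failed_logins|jdoe
2024-03-06T22:10:00|priv_escalation|jdoe
2024-03-20T10:00:00|failed_logins|msmith
"""

def parse_log(text):
    """Turn the pipe-delimited log into (timestamp, event, subject) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, event, subject = line.split("|")
        events.append((datetime.fromisoformat(ts), event, subject))
    return events

def find_chains(events, window_days=14, min_stages=3):
    """Return {subject: [stages]} for every subject that hit at least
    min_stages distinct stages within window_days; stages are listed in
    kill-chain order so an analyst sees the progression, not a symptom."""
    by_subject = defaultdict(list)
    for ts, event, subject in events:
        if event in STAGE_ORDER:          # ignore event types we do not model
            by_subject[subject].append((ts, event))
    window = timedelta(days=window_days)
    chains = {}
    for subject, evs in by_subject.items():
        evs.sort()
        best = set()
        for i, (start, _) in enumerate(evs):
            # Every distinct stage seen within the window opened by this event.
            seen = {e for ts, e in evs[i:] if ts - start <= window}
            if len(seen) > len(best):
                best = seen
        if len(best) >= min_stages:
            chains[subject] = sorted(best, key=STAGE_ORDER.index)
    return chains

if __name__ == "__main__":
    for subject, stages in find_chains(parse_log(SAMPLE_LOG)).items():
        print(f"{subject}: {' -> '.join(stages)}")
```

Only jdoe is flagged: msmith's two failed-login bursts are 19 days apart, which is the kind of one-off that is reasonable to set aside, whereas jdoe's four stages in six days are the disease, not a symptom.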

Look at your cyber security team and see what trails they are currently following.  If they say everything looks good, then odds are they are missing the underlying disease. There is no way an attack is not being attempted on your company right now.