Attackers are not choosy. Even the sponsored ones, whose campaigns are targeted, are not choosy about what they take: they target an enterprise or a system and then steal whatever they can. Analysing the data is mostly an offline task for them. Yes, some keep their footprint low and therefore steal slowly and in small amounts, but they will steal it all eventually.
When we do talk, however quietly, about defence as a reactive approach, there are various SIEM and forensics tools at our disposal. These tools are not trained off the shelf, i.e. they are not plug-and-play devices. You have to train them, teach them, and give them visibility into your network, systems and logs.
SIEM and forensics tools have their IQ (investors' quotient): the more you invest in training them, the better they will be in response time and quality.
You will have to write rules, filters or monitors (whatever you want to call them) to make them understand your architecture and data flows. And to start such an exercise you need people who have seen the other side, who have been fighting the dark forces.
Focus on the kind of expertise you employ, and those people will puppeteer your tools in the right direction.
With hundreds of security conferences happening around us, I wonder how many of them talk about defensive security as a holistic approach. Security guys, no offense, but of all the conferences I have attended (including the 1337 ones), most have been driven by hack-to-win, or concentrated on pwning the system, the network or the browser. On any given day, 75% of the time we are talking about the next-gen attacks at the forefront and treating defensive technologies as by-products or side effects. We yell out a bug, and someone somewhere attempts to fix it. I agree that we trigger the evolution, but we do not contribute to any of the development.
How many of “hall of fame” ethical hackers or bug finders have submitted a patch themselves?
I empathize with the developers, who at every step get told why their application is a piece of junk, and they are the ones who take the heat, through business deadlines and security assessments. We as security people, on the contrary, wonderfully dodge the bullet by stating that nobody can be 100% sure and that we only check for the attacks we know today; no insurance, no guarantee. This gives the enterprise a false sense of security: they have been tested (but perhaps not thoroughly).
I have been in this industry long enough to understand where the golden eggs are. There are a handful of companies that do red team assessments thoroughly and sincerely. And more often than not the enterprises themselves do not allow comprehensive tests across all verticals.
Who do you want knocking down the front door? A responsible security guy, or a cyber attacker who will show no mercy?
Even one loophole is enough. An attacker is like Octopus Houdini: they will find the track, and the hole. All we can do is make it difficult, tiring and not worth the effort. Also, in the worst-case scenario of a breach: why didn't the systems trigger a response? Why can't a good log monitoring system find the anomaly?
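To make the point about training your tools concrete, here is an added example (not code from the original post) of the kind of rule you have to write yourself: a per-event "large transfer" alert next to a rule that understands the data flow and sums egress per host per day, so a low-and-slow trickle of small uploads still stands out. The log format and all hosts, destinations and byte counts are constructed for the example.

```python
"""Added example: a low-and-slow egress rule over constructed proxy log lines."""
from collections import defaultdict
from datetime import datetime
from statistics import median


def constructed_logs():
    """Constructed sample: ws-04 and ws-09 make one 5 KB sync a day; ws-17
    trickles twelve 1.5 KB posts a day to one outside host (small, but steady)."""
    lines = []
    for day in range(1, 5):
        for host in ("ws-04", "ws-09"):
            lines.append(f"2024-03-0{day}T09:00:00 {host} sync.example.net 5000")
        for hour in range(8, 20):
            lines.append(f"2024-03-0{day}T{hour:02d}:30:00 ws-17 drop.example.org 1500")
    return lines


def parse(line):
    """Fields (constructed format): ISO timestamp, source host, destination, bytes out."""
    ts, host, dest, nbytes = line.split()
    return datetime.fromisoformat(ts), host, dest, int(nbytes)


def per_event_alerts(lines, threshold):
    """The plug-and-play rule: alert on any single transfer above a byte threshold."""
    return [host for _, host, _, n in map(parse, lines) if n > threshold]


def flag_low_and_slow(lines, factor=3.0, min_days=3):
    """The trained rule: sum egress per host per day, compare each day with the
    fleet-wide median daily egress, and flag hosts that sit above factor x median
    on at least min_days days. Returns {host: number of high days}."""
    daily = defaultdict(int)
    for ts, host, _, n in map(parse, lines):
        daily[(host, ts.date())] += n
    baseline = median(daily.values())
    high_days = defaultdict(int)
    for (host, _), total in daily.items():
        if total > factor * baseline:
            high_days[host] += 1
    return {h: d for h, d in high_days.items() if d >= min_days}


if __name__ == "__main__":
    logs = constructed_logs()
    print("per-event rule:", per_event_alerts(logs, threshold=10000))  # []
    print("low-and-slow rule:", flag_low_and_slow(logs))  # {'ws-17': 4}
```

The per-event rule never fires because no single upload is large; the aggregated rule flags ws-17 on all four days because its daily total is well above what the rest of the fleet sends.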
We have to be on our toes 24x7, or else the next time you call a two-minute break, the attacker calls it his triumph.
So buckle up, they are on their way!