Attacks Usually Detected By ‘Gut Feel’, Expert Warns

The usual anti-virus, firewalls and IDS tools are being increasingly bypassed, a security expert warns

Computer attacks are mostly spotted by accident and the usual security tools are no longer enough, a security expert has warned.

The warning comes from Steve Armstrong, founder and director at Digital Security Ltd and former head of penetration testing at the UK Royal Air Force.

Armstrong made the comments ahead of the Sans London 2011 security training event.

Detection Problem

Armstrong believes that many system administrators still do not have the skills needed to spot a well-executed, persistent hack.

“We work with a growing number of organisations that simply don’t realise that they have been the victim of a well orchestrated and persistent attack,” he said. “We go in, look at the logs and can quickly see clear evidence of the problem, but there has either been a failure to spot it or not enough resource assigned to look for the evidence.”

And it seems that system admins cannot blame their tools: according to Armstrong, of the last 20 security incidents he and his team have investigated, an estimated 95 percent had clear evidence that had gone unnoticed.

“In many cases, it is often an admin who has a ‘gut feeling’ that calls us in but when we start digging, the full extent of the breach is normally far worse than initially suspected,” Armstrong said.

Armstrong believes that the issue is down to sophistication on the part of the hacker and an over-reliance on security tools.

Security Tool Reliance

“The IT vendors keep on telling us how great the tools to spot problems are but they are certainly not foolproof. They can also be circumvented by criminals who know what they are doing,” he said.

Unfortunately it seems that the hacker has the advantage at the moment, leaving security vendors and system admins to play catch up.

Armstrong said he will demonstrate at the Sans London event how a simple modification to a known malware package can defeat up-to-date anti-virus software.

“The days when a hacker would wander blindly around systems are gone,” Armstrong warned. “Now, the goal is to get in and stay in, undetected, for as long as possible. This is the issue that is causing the most problems but getting the least headlines.”

Long Term Attacks

Armstrong admits the headline-grabbing attacks from the likes of Anonymous and Lulzsec have led to an increase in demand for security tools, training and penetration testing, but these are distracting system admins from the real dangers.

“…it might be newsworthy but some would argue that it distracts attention away from more insidious and organised hacks against US defence contractors and security tools suppliers like RSA,” he warned. “A hacktivist hitting your site with a denial of service attack may well just be a distraction to get something more dangerous onto a critical server somewhere else.”

Indeed, in June Northrop Grumman said it had been repelling advanced threats seeking sensitive data for several years. Lockheed Martin has also detected attempts on its network.

Armstrong’s warnings come as other research points to an increasingly dangerous threat landscape. The latest quarterly report from Cisco, for example, warned that malware is increasingly being used for advanced persistent attacks against enterprise systems.

Other research, this time from HP, found that despite widespread awareness amongst IT professionals, cyberattacks are increasingly plaguing businesses and government institutions, resulting in significant financial impacts.