Medium- and large-size businesses everywhere are the targets of countless hacking attempts. The attackers are variously motivated by curiosity, by a desire to cause chaos, and by money. As a security analyst for a successful company that grosses millions of dollars in profit, it is my job to ensure the security and integrity of the network. The company retains sensitive data for long periods of time, so preventive measures and a proper response capability play a vital role in every aspect of the business.
We recently had a surprise penetration test. No one in the company except the president (not even me) knew about it. The test was twofold: to find potential vulnerabilities in our web-based product and to see how the security team (mainly just me) handles a hacking attempt. The penetration tester started out with Nikto, generating thousands upon thousands of 404 errors. We first caught wind of the test because of how loud Nikto is, and we quickly firewalled that IP. The attacker then switched to a proxy and continued. After a few brute-force attempts he found valid login credentials. That is when we learned something really important: our intrusion detection methods weren't up to par.
We rely on error emails (404 and 500/503) to tell us when an intrusion occurs. Monitoring those emails tells us only a handful of things: the source IP, the date and time of the attack, and what types of attacks were attempted. They don't tell us whether the attacker was successful. It took me a few hours of research to establish that the attacker had successfully logged in. It really should not take hours just to find out whether someone logged in.
It was on that day that I fully realized how important detection is as a method of protection. Instead of staring at data for hours and guessing at possible outcomes, proper detection and logging let the security team make accurate, timely decisions. Even now, a few days later, I don't know what the attacker accomplished. Without an audit trail, there is no way for me to tell what happened or how. Intelligent detection should be part of every company's security plan; without it, time is wasted and the chance of being fully compromised is much greater.
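The two questions the post says the error emails could not answer, "is this a scanner?" and "did the login attempts eventually succeed?", can be answered directly from the web server's access log. The following detector is an added example, not the author's tooling: it parses combined-format access log lines, flags a burst of 404s from one IP (the Nikto signature described above) and a run of failed POSTs to the login path followed by a success. The log lines, the `/login` path, the thresholds and the 401/302 status conventions are constructed assumptions; adjust them to how your application actually logs authentication outcomes.

```python
"""Detection over web-server access logs: flag scanner bursts and
brute-force logins that end in success.  Added example with constructed
log data; not the blog author's tooling."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format: ip ident user [time] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one access-log line, or None for lines that do not
    match (junk in the log must not crash the detector)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect(log_text, scan_threshold=10, window=timedelta(seconds=60),
           login_path="/login", bf_threshold=3):
    """Group requests by source IP and report, per IP:
    - scan_burst_404s: the largest number of 404s inside one `window`
    - failed_logins / login_success_at: failed POSTs to `login_path`
      (401/403) and the time of the first success (200/302) that follows
      at least `bf_threshold` failures.  Assumed status conventions."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["time"])

        # Scanner burst: sliding window over the timestamps of 404 responses
        not_found = [r["time"] for r in recs if r["status"] == 404]
        burst, start = 0, 0
        for end, t in enumerate(not_found):
            while t - not_found[start] > window:
                start += 1
            burst = max(burst, end - start + 1)

        # Brute force: count failed logins, then look for a success after them
        failed, login_success_at = 0, None
        for r in recs:
            if r["method"] == "POST" and r["path"] == login_path:
                if r["status"] in (401, 403):
                    failed += 1
                elif r["status"] in (200, 302) and failed >= bf_threshold:
                    login_success_at = r["time"]
                    break

        finding = {}
        if burst >= scan_threshold:
            finding["scan_burst_404s"] = burst
        if failed >= bf_threshold:
            finding["failed_logins"] = failed
            finding["login_success_at"] = login_success_at
        if finding:
            finding["first_seen"] = recs[0]["time"]
            finding["last_seen"] = recs[-1]["time"]
            findings[ip] = finding
    return findings


def _line(ip, secs, method, path, status):
    """Build one constructed log line `secs` seconds after a fixed epoch."""
    base = datetime(2020, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    t = (base + timedelta(seconds=secs)).strftime(TIME_FMT)
    return f'{ip} - - [{t}] "{method} {path} HTTP/1.1" {status} 512'


# Constructed sample: 203.0.113.7 probes twelve missing paths in seconds,
# fails four logins, then gets a 302 on the fifth.  198.51.100.5 is a
# normal user who mistypes a password once.  The last line is junk.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", i, "GET", f"/cgi-bin/probe{i}", 404) for i in range(12)]
    + [_line("203.0.113.7", 30 + i, "POST", "/login", 401) for i in range(4)]
    + [_line("203.0.113.7", 35, "POST", "/login", 302)]
    + [_line("198.51.100.5", 5, "GET", "/", 200),
       _line("198.51.100.5", 6, "POST", "/login", 401),
       _line("198.51.100.5", 9, "POST", "/login", 302)]
    + ["this line is not an access-log record"]
)

if __name__ == "__main__":
    for ip, info in detect(SAMPLE_LOG).items():
        print(ip, info)
```

Run against the constructed sample, only 203.0.113.7 is reported, with the 404 burst, the four failed logins and the timestamp of the successful login; the legitimate user's single typo is below threshold. The point for the post's situation is the `login_success_at` field: it turns "did he get in?" from hours of research into one lookup, but only if the application records the outcome of every login attempt, which is the logging change worth making before any alerting is built on top.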
So, to sum up: make detection part of your security plan. Detection lets your IT department know what is going on and what action to take, efficiently and affordably. If intrusion detection and logging are not part of your security strategy, you'll end up doing what I did: spending hours just trying to figure out whether the attacker successfully logged in.