SHIMEL: Disconnecting from the network certainly isn't a long-term solution. Adam, what can Kevin do short of disconnecting?
O'DONNELL: Depending upon the asset you're trying to protect, disconnecting from the network can be a reasonable solution for a specific instance. If you are protecting the nation's nuclear assets, it makes sense. But obviously not everyone can go about that. If Kevin had tools on hand that allowed him to say, "OK, this attack happened, can I identify every single place this person went, every single system the person touched, and scope the problem?" and then respond within that scope, he might have been able to react without having to take the network offline. Tools that gave visibility into what the attacker did after the attack happened would be critical for that situation.
SHIMEL: OK. That brings up another thing that I'd like to throw at Richard. I've heard this discussed as the positive security model versus the reactive model. But to me it boils down to this nugget: the realization that we may not be able to stop everything that gets in. Part of the security practitioner's role is to understand when something happens, figure out how it happened and prevent it from causing any more harm. Richard, what do you think about that?
STIENNON: A lot of people who have been under the sorts of attacks Kevin describes are saying you can't stop everything, so our only hope is to detect and get them before they exfiltrate the data. And I've come around to that. It flies in the face of traditional "stop everything, be preventive and not reactive," but it's a new level of reactive. This isn't coming in Monday morning and looking at your IDS logs and going, "Oh, no." This is eyes-on-the-screen-100%-of-the-time going, "Whoops, somebody just opened an attachment and infected his machine and a remote-access Trojan has been downloaded and it's starting to scan my network." Or, "Oops, the guy already jumped to the Active Directory server and is consuming all of my identities, we have to do something now."
And if you haven't caught it by then -- by then it might be all over the place -- it's either shut off the network and cut yourself off or find every little bit and segment of the code left behind. You've got to be able to find them all, shut them down and clean them up before you turn your network back on.
KERR: Let me build on that. With us, once they got in and got some credentials they moved from that box to a server, and then across to another, and as they did they kept gathering credentials, and eventually they got our domain credentials, which at that point is pretty much game over. And because they were moving across our network, they were touching quite a few boxes -- somewhere in the low hundreds -- and they created so many back doors that every time we closed one they opened another. And that's when we realized we couldn't stop this from happening and couldn't stop the data from moving off.