South Korea Cyber Attacks: Incident Response or Proactive Monitoring?
March 27, 2013
Last week’s malware attacks against several South Korean banks and television networks have left security experts asking how malware continues to penetrate these “well-protected” networks. The problem is how we define “well protected.” Incident response teams, such as those used after the recent attacks on the NYT and WSJ, are part of the solution, and no one is saying they don’t do good work, but tracking the source after the fact has become the tool that enterprises fall back on exclusively. As a Network World article on the South Korea attacks accurately stated, “companies need to constantly examine hardware and software audit logs to track information that has left the network to look for abnormalities”. Constant, proactive monitoring on the endpoint is what was lacking in each of these recent attacks.
A recent Threatpost article discussed the specific Wiper malware used in the attack. While Wiper malware is nothing new, this variant is advanced in that it wipes every trace of itself from the infected computer, leaving incident response teams almost no way of detecting it. By the time incident response arrived, the entire network was already shut down; had a proactive monitoring tool been in place, the malware would have been detected and potentially remediated. Once again, these attacks underline that analytics-based, constant monitoring is a necessity for mitigating similar cyber threats, not to mention for avoiding the millions of dollars spent on incident response.
As with many of these large-scale attacks, the causes are unknown. In this particular case, experts speculate that an offline extraction attack was used. Offline attacks have become less common, as many of the major breaches use tools like spear-phishing emails to break into networks. The criminal networks work from an insider, undercover plan that is rarely detected until the attack has finished. There is no silver bullet here, but the first step should always be detection in real time, not after the fact. Why are these attacks still successful? With the most sophisticated technology in the US, most malware can be detected in less than 15 seconds, yet we still rely on incident response teams to come in hours and days after the attack. The bottom line: we should look to proactive endpoint protection, not retroactive scrambling.
Till next time,
John Prisco, President & CEO