The cyber-attack life cycle

“An ounce of prevention is worth a pound of cure.”

Coined by famous US statesman and inventor Benjamin Franklin back in 1736, the phrase has been applicable to so many aspects of life and business. The phrase has even served the IT security industry well for a quarter of a century but it rings true no longer.

As our protection methods and defences constantly improve and reach new heights, hackers are digging deep and using advanced malware, targeted attacks and new attack vectors to try to circumvent existing protection methods. These attacks are so stealthy that many security professionals struggle to determine if they even have an advanced malware problem. These malicious threats hone in on their victims, disguise themselves to evade defenses, can lie dormant for extensive periods and then launch their attacks at any time. Given this new level of sophistication, malware outbreaks are inevitable.

Once you do identify malware on your network, there remain a lot of unknowns, for example:  How did the malware get in? How extensive is the outbreak? How does the malware behave? What is needed to recover? How can the outbreak be stopped?

To answer these questions and mitigate the impact of a breach, you need to dedicate adequate resources to defenses that address the full attack continuum – before it begins, during the time it is in progress and even after it starts damaging systems. When defending attacks, security professionals should be mindful of best practice at each of these phases and how layers of security infrastructure must work together for better protection.

Before an attack

It's pretty simple. You can't protect what you can't see. Or, put another way, you need to know what's on your network in order to defend it – devices, operating systems, services, applications, users, content and potential vulnerabilities. Being able to establish a baseline of information is a critical first step in defending your organisation from attack. Implementing access control over applications and users is also important in this phase. Minimising the attack surface through intelligent and granular controls reduces your organisation's vulnerability to attackers taking advantage of today's many attack vectors to glean information and penetrate networks. But building pre-emptive defences alone is no longer enough.

During an attack

To combat today's increasingly sophisticated malware, you need the best threat detection possible. To help assess security effectiveness and performance levels, third-party tests of IT security solutions in real-world environments can help you separate reality from hype. Once you can detect a file as malware you can block it. And because malware changes so quickly, having the ability to learn and update detection information based on evolving threat intelligence is critical to maintaining security effectiveness. Still, given the nature of malware today, the best threat detection alone isn't sufficient to protect your environment.

After an attack

Once advanced malware enters your network it's safe to assume it will attempt to infect other systems. At this point, marginalising the impact of an attack becomes the end game. You need to take a proactive stance to understand the scope of the damage, contain the event, remediate it and bring operations back to normal. Technologies that provide continuous analysis so that you can take informed protection measures, and even retroactively quarantine files that may have passed through unnoticed but are now identified as malicious, can help you stem the damage and remediate.

Franklin's words of wisdom put us on the right path. But when it comes to the challenge of defending our networks today, security professionals must be prepared to effectively detect and cure an attack the day prevention strategies inevitably fall short

Chris Wood is the regional director for Sourcefire's Australia & New Zealand division.