Archive for June 2008

Insights and conclusions from Verizon Breach Report

Verizon published a great report that summarizes their experiences from investigating 500 different intrusions during the last couple of years.

As this report covers cases between 2004 and 2007, an alternate method was necessary to compile statistics on
historical cases. Two primary methods were employed to collect the data presented in this report. Case files and
notes, being the most objective source of information, were the preferred method and were referenced if within
retention limits. Even when original reports were available, interviews with case investigators provided a wealth of
supplemental data and insight for this study and were absolutely crucial when the former sources were unavailable.

The report sheds light on how security incidents are actually carried out. Here are some conclusions:

  • Incidents usually originate from the outside (73%), not the inside. Customers should be worried about their partners, since they are one of the most frequent sources of attacks. Of all internal parties, IT admins and ordinary employees are the most worrying. Everyone is potentially malicious. Monitor your assets regardless of who the source is.
  • Incidents happen equally often at small, medium and large companies. Anyone with valuables is of interest. Security is important for all sizes.
  • Incidents are the result of hacking, but not all of them involve malicious code or exploit vulnerabilities. Exploiting errors of various kinds is almost always part of the success. Configuration management, system hardening and security monitoring are important since they are not focused on vulnerabilities and exploits alone.
  • Incidents are usually the result of exploiting the application layer, the OS and sometimes a back door. Attacks often exploit known vulnerabilities. Typical intrusion detection has problems with the application layer. Security monitoring shouldn’t be limited to the network layer.
  • Incidents usually require little effort and have low difficulty (52%). Some incidents required a sophisticated hacker. The problem is: are the sophisticated incidents even detected today? They might not be in the report.
  • Incidents are usually opportunistic, but sometimes targeted. This means that attackers seek vulnerable parties, not vulnerabilities at particular parties. Or are the targeted incidents still undetected, and therefore not in the report?
  • Remote access systems and web applications are the primary entry points and attack paths. Limit their exposure through system hardening and segmentation, and monitor the paths that are left exposed.
  • Information is usually compromised in online, stored form, not from end-user devices. Payment and PII information are the types of information most frequently compromised. Control and monitor the assets.
  • It usually takes a hacker minutes or hours to compromise a system, not seconds or days. We have time to detect them and respond to them. We don’t have to prevent them in real time (which rarely works); we have plenty of time to detect and respond.
  • Incidents usually remain undetected for months.
  • It usually takes the targeted company weeks to respond to the incident.
  • Companies usually learn of incidents through third parties or an employee, not through their own equipment. This means that few parties do detection right. I suspect most companies focus on technology that does prevention; then, when it fails, they get penetrated and have no idea about it.

A very good report.

On Security Controls - Deter, Prevent, Correct and Detect

I often think we are too focused on discussing and evaluating the functionality of a particular technology or tool, and as such forget to more fundamentally assess the amount and type of security functionality a specific solution provides. Below are some notes, thoughts and discussions on security controls.

Preventive controls reduce exposure. These are the controls that reduce the attack surface and possible vulnerabilities. System hardening (e.g. disabling services and applications) and segmentation (e.g. using router or firewall ACLs) are examples of preventive controls. Preventive controls act before the attack by disallowing interactions with the target or making them impossible. Preventive controls are the most cost effective of all controls.

Deterrent controls reduce the likelihood of an attack. These are the controls or mechanisms that somehow make the act of exploiting the target more difficult or unattractive, but not impossible. Examples of deterrent controls are anything that actively discourages a party from doing something malicious, e.g. awareness and accountability efforts. I argue that an IPS is a deterrent control, because the asset remains vulnerable and can still be exploited. It only reduces likelihood, not possibility. Deterrent controls may act before the attack when they aim to discourage, but also during the attack when the control actively tries to deter an ongoing attack.

Corrective controls reduce impact. Examples are systems that try to minimise the damage from a situation: systems that quarantine systems, users or applications when certain conditions apply to them, or anti-virus systems that automatically try to remove malware-infected items that already have a presence on the system. Incident response and forensics are also corrective controls. Corrective controls act during or after an attack.

Detective controls discover security issues and concerns. Detective controls create visibility and reduce uncertainty. Examples of detective controls are log analysis, sensors that actively look for indications of attacks, and vulnerability assessment solutions that bring insight into where vulnerabilities are present. Detective controls are necessary for deterrent and corrective controls to work. I believe this control is best implemented by performing security monitoring.
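As an added illustration of what a detective control looks like in practice (this is example code written for this page, not part of the original post and not Verizon's tooling), the script below implements the kind of log analysis the paragraph above describes and that the breach report post found most companies lack: it reads authentication events from a remote access service, one of the exposed entry points the report singles out, and flags any source that fails to log in repeatedly inside a sliding window, noting whether a successful login followed. The log line format, the sample lines and the threshold are all constructed assumptions for the example; a real deployment would parse whatever format the VPN, SSH or terminal server actually emits.

```python
"""Added example: a minimal detective control over remote-access auth logs.

Flags sources with repeated failed logins inside a sliding time window and
records whether a successful login from the same source followed, which is
the event worth responding to. Log format and data are constructed for
this example and are not taken from the original post or the report.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data). Assumed line format:
# "<ISO timestamp> <FAIL|OK> user=<name> src=<ip>"
SAMPLE_LOG = """\
2008-06-10T02:14:01 FAIL user=admin src=198.51.100.7
2008-06-10T02:14:03 FAIL user=admin src=198.51.100.7
2008-06-10T02:14:04 FAIL user=root src=198.51.100.7
2008-06-10T02:14:06 FAIL user=backup src=198.51.100.7
2008-06-10T02:14:09 FAIL user=admin src=198.51.100.7
2008-06-10T02:14:12 OK user=admin src=198.51.100.7
2008-06-10T08:30:00 FAIL user=alice src=203.0.113.5
2008-06-10T08:31:10 OK user=alice src=203.0.113.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into (timestamp, result, user, src); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Flag sources with >= threshold failed logins inside a sliding window.

    Returns one alert dict per flagged source: the earliest failure still in
    the window when the burst was flagged, when it was flagged, the total
    number of failures seen from that source afterwards, and the first
    successful login (user, time) from the same source, if any.
    """
    recent = defaultdict(deque)   # src -> timestamps of failures still in window
    alerts = {}                   # src -> alert dict, insertion order preserved
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue              # skip lines that do not match the format
        ts, result, user, src = rec
        q = recent[src]
        while q and ts - q[0] > window:
            q.popleft()           # expire failures that fell out of the window
        if result == "FAIL":
            q.append(ts)
            if src in alerts:
                alerts[src]["fail_count"] += 1
            elif len(q) >= threshold:
                alerts[src] = {
                    "src": src,
                    "first_fail": q[0],
                    "flagged_at": ts,
                    "fail_count": len(q),
                    "success_after": None,
                }
        elif src in alerts and alerts[src]["success_after"] is None:
            # A success following a burst of failures is the high-priority case.
            alerts[src]["success_after"] = (user, ts)
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        delay = alert["flagged_at"] - alert["first_fail"]
        print(f"{alert['src']}: {alert['fail_count']} failures, "
              f"flagged {delay} after first failure, "
              f"success after burst: {alert['success_after']}")
```

Run against the constructed log, the burst from 198.51.100.7 is flagged eight seconds after its first failure and is marked as followed by a successful login, while the single failure from 203.0.113.5 is ignored. The point is not the heuristic itself but the timing: the attacker needs minutes, the detection runs on the same log the service already writes, and the alert exists before anyone outside the company has to tell you.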

I believe these are good components of a defense-in-depth strategy, together with the ordinary network, host and application view. I also think this captures the importance of monitoring and response, and the problem of determining the value of deterrent controls.