A new study suggests that while network defences aren’t totally pointless, they don’t prevent 93 per cent of networks using them from being hacked anyway.
The study is reported in Ars Technica. Its title, “Cybersecurity’s Maginot Line,” is a reference to the French defensive line, considered “impregnable,” that failed to prevent the German invasion of the country in 1940. The line was constructed to withstand a conventional frontal attack but the German Army cheated, instead employing a new style of warfare and going around the defences.
Similarly, says the study by security appliance vendor FireEye and its consulting arm Mandiant, the defence-in-depth model of network defence is becoming outmoded, and susceptible to newer methods of attack.
“Organizations spend more than US$67 billion on IT security. Yet attackers routinely breach those defenses with clever, fast-moving attacks that bypass traditional tools,” the report says. “Like the Maginot Line, the prevailing defense-in-depth security model was conceived to defend against yesterday’s threats. As applied today, it leaves organizations all but defenceless against determined attackers.”
The study, drawn from the experiences of more than 1600 networks over a six-month period, found that 97 per cent of the networks experienced some form of breach despite multiple layers of network and computer security software.
“The CnC [command and control] traffic flowed just about everywhere in the world, according to first-stage CnC connections logged during our tests,” the report says. “The first-stage CnC server doesn’t always point to the source of the attack — many attackers use compromised machines or buy infrastructure in other countries to carry out campaigns. But the number and variety of IP addresses shows the global nature of the problem.”
The data was gathered from network and e-mail monitoring appliances from October 2013 to March of this year. Three-quarters of the networks experienced command-and-control traffic that suggested active security breaches. Higher education networks were the biggest source of botnet traffic.
Each of the networks already had a “defence in depth” with firewalls, intrusion detection and prevention systems, and antivirus applications. Still, the FireEye monitoring appliances detected more than 208,000 malware downloads across the monitored networks, of which 124,000 were unique malware variants.
Each network was subjected to an average of 1.6 exploits and 122 malware incidents during the observation window. Just over one quarter of the monitored networks “experienced events known to be consistent with tools and tactics used by advanced persistent threat (APT) actors” – in other words, these attacks likely originated from state-sponsored organizations or sophisticated criminal networks.