An IR Plea: Time for IT and InfoSec to Get on the Same Page

Earlier in my career in incident response, a colleague once decided (without prior approval) to test the security of a web-facing server owned by the company we worked for, and successfully executed a simple SQL injection attack. While not the best way to go about it - he really should have asked for permission - it was a prototypical “white hat” mission designed to find unknown holes in the network’s defense.

When he later informed IT how easy it was to access supposedly secure company records, the powers that be were not amused. He thought they would have thanked him, but the IT folks actually pushed hard to have him fired and or at least prosecuted.  They were angry and embarrassed and were in no mood to understand how this faux “attack” might have actually helped make the company more secure.

My friend’s job was only saved when a subsequent forensic investigation, performed in response to his ‘test’, discovered that at least a couple of external bad actors had previously used similar techniques to penetrate the organization’s security and access the company’s data.

Organizational Disconnects

In a perfect world, the IT and Information Security sides of the house should be able to work hand-in-glove with each other to address security challenges while serving the needs of the business. There’s too much at stake binding them together - in theory. But conflicting priorities often get in the way of collaboration and the interaction can quickly turn rancorous.

While IT is focused on performance, reliability, and uptime, InfoSec is largely about locking down data and making sure that only a select number of authorized people can get their hands on closely-held information. These goals can sometimes be at cross purposes, and properly integrating solid security can cause delays in IT projects.  In organizations with collaborative cultures, that seeming contradiction gets worked out. The two teams understand that if they’re not thinking about security, it raises the risk for everyone in the company (not to mention making the job of Incident Response that much more challenging.) 

However, when they instead wind up working at cross-purposes, InfoSec can forget about ever getting IT’s cooperation or agreement to hew to commonsense security guidelines. More likely, IT will just decide to go off on its own, leaving InfoSec in the dark about what they’re up to. The upshot: The two sides will be left to duke it out until someone higher up in the organization intervenes and imposes a cease-fire.

These organizational disconnects are widespread and getting more common at exactly the wrong time.

Run Silent, Run Deep

As security practitioners know, we’re in a constant arms race with cyber criminals who are now able to make use of increasingly sophisticated techniques to target their victims. What more, the bad guys keep shifting their penetration methods, adapting their attacks to counter new defenses that pop up.

As Symantec has documented elsewhere, many cyber criminals are making use of more unobtrusive techniques designed to stay under the radar. It’s the very opposite of ransomware. These attackers don’t want to draw attention. They seek to steal data through so-called “living off the land” tactics where they make use of tools already installed on targeted computers or run simple scripts and shellcode directly in memory.

Many months can go by before you even discover their presence in your environment - if they get noticed at all. It’s a brilliantly simple strategy where attackers are essentially hiding in plain sight by passing themselves off as legitimate, normal traffic. So, while everyone is looking for some proverbial big scary guy wearing a trench coat, it’s actually the (proverbial) receptionist carrying out the robbery.

The Challenge for Incident Response

An easy first step would be to encourage active logging and auditing of administrative activity, especially when it comes to monitoring PowerShell, now a favorite target for attackers. But unless you have a strong working relationship established, expect pushback from the IT side questioning why you want to audit them and poke around their systems. Again, a lot of ego flavors the conversation, and everything hinges on having a decent-enough relationship with the IT folks to get them on board.

I’ve also found that a lot of IT folks sometimes discount security protocols that the InfoSec team has put in place for a reason. But when IT is in a rush to finish a project and get something out the door, they may toss those security measures by the wayside and ask forgiveness later.

Unfortunately, that can result in serious mistakes and misconfigurations. I’ve seen easily-avoidable mistakes, like an active directory server winding up being internet-facing and later getting compromised. Somebody was in a hurry and just screwed up.

It’s also another reason why IT and InfoSec need to get on the same page. Even in the best of worlds, effective prevention, detection, and response to malicious actors is challenging. But any rift between these two key departments holds back effective responses to attacks and makes it painfully easy for cyber criminals to help themselves to a big payday.