
You don’t have to be a chief information security officer (CISO) to fear having accounts compromised; however, being a CISO takes worry to another level altogether.

How do you sort through all the log information that applications, networks and people are generating on a daily basis? Do you even track all your personal logins? Imagine doing this for a major enterprise!

Hackers, for the most part, are not spending a lot of time “guessing” your corporate passwords. They simply do not invest that much time on their targets; instead, they automate the replay of passwords that have already been compromised elsewhere to find where those credentials grant access to your systems.

Other areas that interest hacktivists or cybercriminals are phishing scams, Trojan horses and using open Wi-Fi services, to name a few.

Security professionals spend a lot of time not only defending the perimeter, but also monitoring systems that are communicating outbound, since most of this traffic is allowed and most of it is benign. However, masquerading as “OK” traffic could be your latest financial projections, tunneled out over DNS.

Information Overload

Imagine how much information is being captured in logs and flow statistics when an average datacenter captures and stores terabytes of information daily. This information needs to be reviewed, correlated and acted upon in real-time, and is the primary basis of the threat analytics and log processing industry.

As reported by Infoblox, nearly half of enterprise networks show evidence of DNS tunneling. You would be right to assume that stuffing DNS would surely trigger an alert; however, tunneling tools also provide a “low-bandwidth” mode to avoid generic, volume-based detection.
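The detection problem described in the two paragraphs above (DNS tunneling that hides in allowed outbound traffic, including a low-bandwidth mode that keeps query volume small) can be illustrated with a small analyzer. The following is an added example, not code from the post or from Skyport Systems; the log format, the sample lines, the naive registered-domain split and the thresholds are all constructed assumptions. It profiles each registered domain by the shape of the subdomain labels queried (length and Shannon entropy) and by the use of record types such as TXT, so that a tunnel that sends only a handful of queries is still flagged:

```python
import math
from collections import defaultdict

# Constructed resolver log lines (not from the post): "timestamp client qtype qname".
# The four TXT lines imitate a tunnel in low-bandwidth mode: very few queries, but each
# carries a long, high-entropy label under one registered domain.
SAMPLE_LOG = """\
2016-09-01T09:00:01 10.1.2.10 A www.example.com
2016-09-01T09:00:02 10.1.2.10 A mail.example.com
2016-09-01T09:00:03 10.1.2.11 A cdn.example.net
2016-09-01T09:00:04 10.1.2.12 TXT 7a9f3c1e0b5d8e2f4a6c1d9b3e7f0a2c.tunnel-example.org
2016-09-01T09:00:05 10.1.2.12 TXT c4d2e8f1a0b3c6d9e2f5a8b1c4d7e0f3.tunnel-example.org
2016-09-01T09:00:06 10.1.2.12 TXT 9e1b4c7d0a3f6e9b2c5d8a1f4e7b0c3d.tunnel-example.org
2016-09-01T09:00:07 10.1.2.12 TXT 3f6a9d2c5b8e1f4a7d0c3b6e9f2a5d8c.tunnel-example.org
2016-09-01T09:00:08 10.1.2.10 A www.example.com
"""

# Record types rarely used by ordinary clients but convenient for carrying data.
RARE_QTYPES = {"TXT", "NULL"}


def shannon_entropy(text):
    """Bits per character; encoded payload scores high, ordinary hostnames score low."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Naive split into (registered domain, subdomain). Assumption for the example:
    the last two labels are the registered domain; production code would consult
    the public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def parse_log(text):
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the whole run
        ts, client, qtype, qname = parts
        records.append({"ts": ts, "client": client, "qtype": qtype.upper(), "qname": qname})
    return records


def profile_domains(records):
    """Per registered domain: query volume, distinct subdomains and their shape."""
    raw = defaultdict(lambda: {"queries": 0, "subdomains": set(), "rare": 0, "clients": set()})
    for r in records:
        zone, sub = split_name(r["qname"])
        s = raw[zone]
        s["queries"] += 1
        s["clients"].add(r["client"])
        if sub:
            s["subdomains"].add(sub)
        if r["qtype"] in RARE_QTYPES:
            s["rare"] += 1
    profile = {}
    for zone, s in raw.items():
        subs = sorted(s["subdomains"])
        profile[zone] = {
            "queries": s["queries"],
            "clients": len(s["clients"]),
            "unique_subdomains": len(subs),
            "avg_sub_len": sum(len(x) for x in subs) / len(subs) if subs else 0.0,
            "avg_entropy": sum(shannon_entropy(x) for x in subs) / len(subs) if subs else 0.0,
            "rare_qtype_fraction": s["rare"] / s["queries"],
        }
    return profile


def flag_tunnel_candidates(profile, min_unique=3, min_len=20.0, min_entropy=3.0):
    """Thresholds are constructed for this sample; tune them against your own baseline.
    The rule deliberately ignores raw query volume so a low-bandwidth tunnel still trips it."""
    flagged = []
    for zone, p in profile.items():
        if (p["unique_subdomains"] >= min_unique
                and p["avg_sub_len"] >= min_len
                and p["avg_entropy"] >= min_entropy):
            flagged.append(zone)
    return sorted(flagged)


if __name__ == "__main__":
    prof = profile_domains(parse_log(SAMPLE_LOG))
    for zone in flag_tunnel_candidates(prof):
        print("possible DNS tunnel:", zone, prof[zone])
```

The point of profiling label shape rather than query count is the one the paragraph makes: a tunnel throttled to a few queries per minute looks unremarkable by volume, but its labels still have to carry encoded data, and that shows up as length and entropy that legitimate hostnames do not have.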

The highly advanced Project Sauron is capable of using ICMP, UDP, TCP, DNS, SMTP and HTTP to carry out its attack.


Yeah, it gets worse: this malware can bypass air gaps. Its developers know Windows intimately: it cloaks itself using common files you would expect to see, and it attacks domain servers using a sophisticated engine that lets the operators write custom malicious scripts to drive the overall malware platform.

As CISOs start their day, they not only need to be looking out for the threats highlighted above, but also reports, audits and updates concerning new or developing events. They are faced with assessing what is good from what is bad; sometimes it’s a hunch, sometimes it’s clarity of knowing your baseline and measuring against that.

What if you do not have a baseline? What if your baseline was not accurate? In some cases, your data appears to be telling you the truth only because the threat has not been interpreted correctly, so your dashboard looks great!

For that reason, cybersecurity today is very similar to the Schrödinger’s Cat thought experiment. However, I would assert that the cat is your data, the poison flask is your current unknown security threats and the radioactive source is the uncertainty of your security protections.


Credit: Robert Couse-Baker/Flickr, CC BY-SA

Your data today is both compromised and secure, and only when you look at your data (sometimes months later) does it become one or the other. That is why CISOs today are very nervous. They are entangled in a quantum superposition of cyber states, their data being simultaneously secure and compromised.

Complexity is a Threat to Security, Especially if Integrated Afterward

Today’s threats require security from the architectural start, not as an afterthought or by bolting on a new agent to answer a narrow question.

Take the Windows malware example highlighted above: what access do your monitoring tools (SIEM, network management, log analyzer) have to your critical data? Would they be able to see larger DNS packets going to a myriad of hosts or domains that look similar to legitimate ones?

How has your threat surface increased or decreased with these new tools? When you build systems with a security mindset, you can anticipate how to develop greater insight into your application or traffic without having to increase your costs or complexity.

In environments where you are using tools to monitor Active Directory Domain Servers or your log servers, what are you using to monitor the monitoring tools?

Are logs signed at the source and maintained in a tamper-resistant manner? Can log or event information be manipulated by an attacker, covering the indicators of an attack or breach?
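The two questions above (are logs signed at the source, and can an attacker manipulate events to cover the indicators of a breach) have a concrete answer in a hash-chained, source-signed log. The following is an added example, not code from the post or from Skyport Systems; the key, the event text and the entry format are constructed assumptions. Each entry carries an HMAC computed over its content and the MAC of the previous entry, so editing, deleting or reordering an entry breaks the chain, and a checkpoint published out of band exposes a truncated tail:

```python
import hashlib
import hmac
import json

# Constructed key for the example. The real source keeps its key in an HSM/TPM or at
# least out of reach of the collector, so whoever edits the collector cannot re-sign.
SOURCE_KEY = b"example-only-signing-key"
GENESIS = "0" * 64  # link value carried by the first entry


def entry_mac(key, seq, ts, message, prev_mac):
    """HMAC-SHA256 over a canonical encoding of one entry. Including prev_mac makes
    every entry commit to the whole history before it."""
    payload = json.dumps([seq, ts, message, prev_mac], separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class ChainedLog:
    """Append-only log signed at the source; each entry links to its predecessor's MAC."""

    def __init__(self, key):
        self.key = key
        self.entries = []

    def append(self, ts, message):
        seq = len(self.entries)
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        mac = entry_mac(self.key, seq, ts, message, prev)
        self.entries.append({"seq": seq, "ts": ts, "msg": message, "prev": prev, "mac": mac})
        return mac

    def checkpoint(self):
        """Latest MAC. Publish it out of band (a second system, a printout, a ticket)
        so that a log whose tail has been cut off can be detected."""
        return self.entries[-1]["mac"] if self.entries else GENESIS


def verify_chain(key, entries, checkpoint=None):
    """Return (ok, first_bad_index). Catches an edited entry (MAC mismatch), a deleted
    or reordered entry (sequence or link break) and, given a checkpoint, truncation."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev"] != prev:
            return False, i
        expected = entry_mac(key, e["seq"], e["ts"], e["msg"], e["prev"])
        if not hmac.compare_digest(expected, e["mac"]):
            return False, i
        prev = e["mac"]
    if checkpoint is not None and not hmac.compare_digest(prev, checkpoint):
        return False, len(entries)
    return True, -1


def build_sample_log():
    """Constructed domain-controller style events, not real data."""
    log = ChainedLog(SOURCE_KEY)
    log.append("2016-09-01T08:59:58Z", "4624 logon user=alice type=3 src=10.1.2.10")
    log.append("2016-09-01T09:00:03Z", "4625 logon failed user=svc_backup src=10.9.9.9")
    log.append("2016-09-01T09:00:04Z", "4672 special privileges assigned user=svc_backup")
    log.append("2016-09-01T09:00:05Z", "4624 logon user=svc_backup type=10 src=10.9.9.9")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify_chain(SOURCE_KEY, log.entries, log.checkpoint()))
```

Two design points matter for the question the post asks. The key lives with the source, not the collector, so compromising the collector (or the SIEM that reads it) does not let anyone re-sign a rewritten history. And the checkpoint is what closes the one gap a chain alone leaves open: without it, simply dropping the newest entries, the ones most likely to hold the indicators of a breach, verifies cleanly.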

Threat analytics to protect your Active Directory should include the ability to:

  • Audit Active Directory authentication protocols without adding complex infrastructure or analytics tools to the environment
  • Easily identify common Active Directory problems such as reuse of service accounts and identify suspicious login behaviors
  • Provide an effective audit trail for your existing third-party tools and traffic history for Active Directory Domain Controllers to aid in security audits and incident response
  • Provide a common platform for audit and analytics of all Active Directory domain controllers and critical services within your organization
  • Enhance compliance reporting through the use of tamper-resistant event logging and correlation
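The second bullet above, identifying reuse of service accounts and suspicious login behavior from the authentication events the domain controllers already produce, is the kind of check that needs no additional infrastructure. The following is an added example, not code from the post or from Skyport Systems; the events, account names, hosts and addresses are constructed, and the simplified record layout is an assumption. The event IDs and logon types are the standard Windows ones (4624 successful logon, 4625 failed logon; logon type 2 interactive, 3 network, 5 service, 10 RemoteInteractive):

```python
from collections import defaultdict

# Constructed, simplified Security events as collected from domain controllers (not real
# data). event_id 4624 = successful logon, 4625 = failed logon; logon_type 2 = interactive,
# 3 = network, 5 = service, 10 = RemoteInteractive (RDP). Assumed to be time-ordered.
EVENTS = [
    {"ts": "2016-09-01T08:00:00Z", "dc": "DC01", "event_id": 4624, "account": "svc_backup", "logon_type": 5, "host": "BACKUP01", "src_ip": "10.1.5.20"},
    {"ts": "2016-09-01T08:00:05Z", "dc": "DC01", "event_id": 4624, "account": "svc_sql", "logon_type": 5, "host": "SQL01", "src_ip": "10.1.5.30"},
    {"ts": "2016-09-01T08:10:00Z", "dc": "DC02", "event_id": 4624, "account": "bob", "logon_type": 2, "host": "WS-007", "src_ip": "10.1.2.7"},
    {"ts": "2016-09-01T08:11:00Z", "dc": "DC02", "event_id": 4625, "account": "alice", "logon_type": 2, "host": "WS-010", "src_ip": "10.1.2.33"},
    {"ts": "2016-09-01T08:11:20Z", "dc": "DC02", "event_id": 4624, "account": "alice", "logon_type": 2, "host": "WS-010", "src_ip": "10.1.2.33"},
    {"ts": "2016-09-01T09:00:01Z", "dc": "DC01", "event_id": 4624, "account": "svc_backup", "logon_type": 3, "host": "APP07", "src_ip": "10.1.7.7"},
    {"ts": "2016-09-01T09:00:09Z", "dc": "DC01", "event_id": 4624, "account": "svc_backup", "logon_type": 10, "host": "WS-042", "src_ip": "10.1.2.42"},
] + [
    # Six failures in a row for alice from one address, then a success: constructed pattern.
    {"ts": "2016-09-01T09:05:%02dZ" % i, "dc": "DC02", "event_id": 4625, "account": "alice", "logon_type": 3, "host": "DC02", "src_ip": "10.9.9.9"}
    for i in range(6)
] + [
    {"ts": "2016-09-01T09:05:30Z", "dc": "DC02", "event_id": 4624, "account": "alice", "logon_type": 3, "host": "DC02", "src_ip": "10.9.9.9"},
]

# Inventory the analysis relies on (constructed): which accounts are service accounts
# and where each one is expected to authenticate from.
SERVICE_ACCOUNTS = {"svc_backup", "svc_sql"}
ALLOWED_SERVICE_HOSTS = {"svc_backup": {"BACKUP01"}, "svc_sql": {"SQL01"}}
INTERACTIVE_TYPES = {2, 10}


def service_account_findings(events, service_accounts, allowed_hosts):
    """Service accounts should log on as services from known hosts. An interactive or
    RDP logon, or a logon from an unexpected host, indicates the account is being reused."""
    findings = defaultdict(set)
    for e in events:
        if e["event_id"] != 4624 or e["account"] not in service_accounts:
            continue
        if e["logon_type"] in INTERACTIVE_TYPES:
            findings[e["account"]].add("interactive-logon:" + e["host"])
        if e["host"] not in allowed_hosts.get(e["account"], set()):
            findings[e["account"]].add("unexpected-host:" + e["host"])
    return {acct: sorted(issues) for acct, issues in findings.items()}


def failures_then_success(events, min_failures=5):
    """Per (account, source address): a run of at least min_failures failed logons
    immediately followed by a success. A single mistyped password is not reported."""
    streaks = defaultdict(int)
    hits = []
    for e in events:
        key = (e["account"], e["src_ip"])
        if e["event_id"] == 4625:
            streaks[key] += 1
        elif e["event_id"] == 4624:
            if streaks[key] >= min_failures:
                hits.append({"account": e["account"], "src_ip": e["src_ip"],
                             "failures": streaks[key], "ts": e["ts"]})
            streaks[key] = 0
    return hits


if __name__ == "__main__":
    print(service_account_findings(EVENTS, SERVICE_ACCOUNTS, ALLOWED_SERVICE_HOSTS))
    print(failures_then_success(EVENTS))
```

Both checks depend on a baseline the post keeps coming back to: knowing which accounts are service accounts and where they are supposed to authenticate from. Without that inventory the "unexpected host" rule has nothing to compare against, which is exactly the situation the post describes when it asks what happens if you do not have a baseline.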

When deploying your critical applications, an initial threat assessment should be inclusive of the hardware that the application or services will be running on.

Ask yourself:

  • Are the BIOS and firmware secure?
  • Are the OS and hypervisor secure?
  • Can I determine if any of the hardware components have been tampered with?
  • What is the threat surface of the platform that I have to manage?
  • How is it managed?

Once these initial questions have been answered, then you need to examine if your solution has built-in capabilities to determine if the administrative domain is healthy and within expected baselines. For example, will you be able to see in real-time the actual threat surface of the application? How are the traffic or administrative insights provided?
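The hardware questions above (is the firmware what you think it is, has a component been tampered with, is the platform within its expected baseline) are answered in practice by measured boot: each firmware and boot component is hashed into a TPM platform configuration register, and the TPM later reports the register values. The following is an added example, not code from the post or from Skyport Systems; the event log contents and the golden baseline are constructed, and the block assumes the reported register values (the "quote") already arrived over a trusted, signed channel, which it does not implement. It replays the event log with the standard extend operation (new value = SHA-256(old value || measurement)) and checks the log against the quote and the quote against the baseline, which separates "the firmware changed" from "someone edited the log":

```python
import hashlib

PCR_SIZE = 32  # SHA-256 bank


def extend(pcr_value, digest):
    """The TPM extend operation: the register can only be moved forward, never set."""
    return hashlib.sha256(pcr_value + digest).digest()


def replay(event_log):
    """Recompute every register from the measurement log; registers start at all zeros."""
    pcrs = {}
    for pcr_index, _description, digest in event_log:
        pcrs[pcr_index] = extend(pcrs.get(pcr_index, b"\x00" * PCR_SIZE), digest)
    return pcrs


def measure(blob):
    return hashlib.sha256(blob).digest()


# Constructed event log captured when the platform was enrolled (not real measurements).
ENROLLMENT_LOG = [
    (0, "BIOS firmware volume", measure(b"constructed-bios-image-v1.2")),
    (0, "BIOS configuration", measure(b"constructed-bios-config")),
    (4, "boot loader", measure(b"constructed-bootloader")),
    (7, "secure boot policy", measure(b"constructed-secureboot-db")),
]


def golden_baseline():
    """Register values recorded at enrollment; the baseline the post says you must have."""
    return replay(ENROLLMENT_LOG)


def modified_firmware_log():
    """Same platform after the firmware volume changed (constructed)."""
    return [(0, "BIOS firmware volume", measure(b"constructed-bios-image-v1.3"))] + ENROLLMENT_LOG[1:]


def assess(event_log, quote, golden):
    """Return sorted (pcr, issue) pairs.
    log-quote-mismatch: the log does not reproduce what the TPM reports, so the log
                        (which lives on the host and can be edited) is not trustworthy.
    baseline-mismatch:  the TPM reports a register that differs from enrollment, so
                        some measured component changed."""
    replayed = replay(event_log)
    issues = []
    for pcr in sorted(set(golden) | set(quote) | set(replayed)):
        if replayed.get(pcr) != quote.get(pcr):
            issues.append((pcr, "log-quote-mismatch"))
        if quote.get(pcr) != golden.get(pcr):
            issues.append((pcr, "baseline-mismatch"))
    return sorted(issues)


if __name__ == "__main__":
    golden = golden_baseline()
    print("unchanged platform:", assess(ENROLLMENT_LOG, golden, golden))
    changed = modified_firmware_log()
    print("firmware changed, honest log:", assess(changed, replay(changed), golden))
    print("firmware changed, log edited to look clean:", assess(ENROLLMENT_LOG, replay(changed), golden))
```

The third case in the usage block is the one that matters for the "what monitors the monitoring tools" question: a host-resident log can be rewritten to match the baseline, but the register values come from the TPM and cannot, so a log that no longer reproduces the quote is itself an indicator. In a real deployment the quote is signed by the TPM's attestation key and bound to a fresh nonce; verifying that signature is what turns this comparison into an attestation.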

Ultimately, we want the CISO to be a successful career field in the years to come, where they no longer have to toss and turn all night over quantum superposition of cyber states. There are many ways to skin the cat; unfortunately, there are many wrong ways.

If you could not answer the questions in this post, then there is more that can be done to secure your applications. As we have seen, an air-gapped system is no longer immune to compromise, nor is an air gap a reality in hybrid enterprises.

-Kim Ringeisen, Skyport Systems Customer Success