Jeffrey Tricoli, first joined the Federal Bureau of Investigation (FBI) in 1998 and has first hand experience seeing how cyber-crime and hackers have evolved their techniques. Tricoli is currently is the Section Chief for the Cyber-Division at the FBI and delivered a keynote on how to profile modern cyber-adversaries at the infosecurity North America conference on Oct. 5.
In an interview with eWEEK, Tricoli said that in recent years there has been a rapid proliferation in professional grade hacking tools that have taken aim at an increasingly large attack surface.
“Companies need to evaluate what the most important assets are inside the organization and identify where there is risk,” Tricoli said. “Companies tend to undervalue the information that they have, so they can put the proper security in place to protect the valuable information.”
Tricoli added that many times in investigations what he has come across is that the breached organizations were just not protecting the information that should have been protected. The human being is still the primary method by which attackers are able to initially gain access to a network, according to Tricoli. He added that once an attacker has a set of user credentials, that have been stolen or harvested in another attack, the attacker will pivot to gain additional access.
“The lack of of having a baseline within the organization for what is normal for all users is common,” Tricoli said.
Additionally Tricoli said that not all organizations have a layered defense that should include a baseline for user behavior, an intrusion prevention system and heuristics for anomalous actions. By not having multiple layers in place, attacker are able to more easily steal information from a company.
“Organizations need to layer defences in front of the things they need to protect,” Tricoli said.
Beyond just having a layered defence in place to protect assets from an attack, having tools in place to help make it easier for investigators to determine what happened if an attack did occur is equally important. Understanding all the data collection points and logs that are generated by a company is another critical aspect that Tricoli said he has seen lacking at many companies.
“Often we’ll be on an investigation scene and the lack of a centralized capability to investigate and do incident response causes all sorts of delays,” Tricoli said.
Log files and the use of a Security Information and Event Management (SIEM) technology helps, though Tricoli added there is also more that is required. An understanding of the overall network topology as well as user management are critical aspects that can help an investigation, he said.
Attribution
As opposed to an enterprise that just should be protecting users and blocking attacks, the FBI is tasked with helping to identify and attribute attacks. Tricoli said that attribution has become increasingly difficult in recent years.
“We’re now seeing attackers employ active measures against forensic analysis,” Tricoli said. “Adversaries are taking active measures to obfuscate their identity.”
When the FBI is able to make a positive attribution on the source of an attack, there are multiple actions that can occur. Tricoli said that the FBI has spent a lot of time in recent years expanding the bureau’s global reach and now has 72 international offices, officially referred to as legal attaches offices, that are embedded in U.S. Embassies abroad.
“In those international offices we have partnerships with law enforcement and intelligence agencies to work to either take sites down or gather evidence for further attribution and to aid the legal process,” Tricoli said.
Overall, Tricoli emphasized that both attribution and defending against modern cyber-threats is not about a single technology or process.
“There is no one technology, software or hardware that solves the cyber-security problem,” Tricoli said. “In every instance I’ve seen it’s layered defenses in depth and you have to have a security mindset from end-to-end.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.