Lieberman: Mandiant and Verizon wrong on unstoppable threats

Mandiant, Verizon and other cyber-forensics firms profit from so-called unstoppable threats

Credit: Thinkstock

Mandiant, Verizon and other cyber-forensics firms are profiting from so-called unstoppable threats like zero-day exploits and advanced persistent attacks, according to a new report from Lieberman Software.

"They want to come in after the attack and charge money and clean up the mess after it's happened," said Phil Lieberman, president at Lieberman Software.

But they're not explaining how to mitigate against these attacks, he said. "They're not providing any guidance."

While it may be difficult to keep out attackers with zero-day exploits or who are backed by foreign nations or large criminal groups, that doesn't mean that there's nothing that companies can do, said Lieberman.

"There's a saying, 'Better light a candle than curse the darkness'," he said.

"Their reports are cursing the darkness. They describe how people get into an environment, and they say that that's the reality. Our position is that you can set up your shop so that the attack doesn't yield anything."

In particular, there are two major steps enterprises can take to significantly minimize the damage caused by an incursion.

The most important thing, Lieberman said, companies shouldn't be leaving their keys lying around.

[ ALSO ON CSO: Are some reading the Verizon breach report’s mobile section all wrong? ]

"If someone breaks into your house, and you have the keys to the Porche and the Mercedes sitting on the kitchen counter, they'll steal your cars," he said.

In enterprise terms, this means changing operations so that there are no credentials sitting on machines, waiting to be stolen.

"And don't use master-key identities like root or administrator," he said. "Using a high-powered account is very convenient. But it can be picked up by an intruder, and now you've given them a master key to the entire company."

Instead, he said, companies should be losing lower-powered accounts, with limited scope. In particular, local users shouldn't be administrators of their own machines.

"The actual attacks analyzed by Mandiant and Verizon were dependent on something really stupid that companies do which is really unbelievable," said Lieberman.

"They allow users to be part of a group called administrators. If you just change your environment so you don't have users running as local administrator, most of the problem goes away because you can't run the exfiltration. You can't run the tools to get the data out of the machine."

Without local credentials, it's much more difficult for attackers to run Mimikatz, WCE, Metasploit and other tools that allow them to steal passwords and other information and send it back home.

The Lieberman report also suggests eliminating shared accounts, using temporary escalation of privilege, time-based and incident-based password changes, and using proxied access to eliminate the disclosure of user accounts and passwords.

The report also recommended the use of enterprise password management tools. Which happens to be what the company sells.

This story, "Lieberman: Mandiant and Verizon wrong on unstoppable threats" was originally published by CSO.