Ira Winkler and Ari Treu Gomes have defined eight rules to help classify cyberattacks. They call them “Irari” rules, a contraction of their first names. Furthermore, each rule is actually a recommendation for improving enterprises’ security defenses.
I agree that the victims of cyberattacks too often classify their breaches to which they were subject as “sophisticated” when they were anything but. On the other hand, Ira and Ari have gone too far for the following reasons:
- No organization I am aware of has the resources to fully support all eight recommendations. So how do you prioritize? Risk management you say?
- The technology simply does not yet exist to successfully implement some of the recommendations.
There is good news though. During the last few years, largely due to the success of companies like Palo Alto Networks and FireEye, there has been a tremendous surge in well-funded innovative technical security controls that make many of the Irari recommendations feasible. By innovative, I mean (1) security efficacious, (2) enable process improvement, (3) low risk of negatively impacting business processes.
Here are the eight Irari rules and my comments:
The malware used should have been detected. Keeping your anti-virus up-to-date seems reasonable. However, you should not be too satisfied because signature-based anti-virus is a very low bar. In a variation on HD Moore’s Law, any attacker can buy software to modify her malware to bypass anti-virus products. I recommend starting the process of adding a non-signature based endpoint prevention solution and replacing “paid-for” A/V with Microsoft’s free tools.
The attack exploited vulnerabilities where patches were available. This is a tough one. First, is it really possible to patch every vulnerability? Second, if you are not going to, how do you prioritize? CVSS has some well-understood weaknesses. There are better ways to prioritize the risks of vulnerabilities.
Multifactor authentication was not in use on critical servers. This makes sense. However, the cost of managing certificates is, too often, not considered.
Static passwords were used in attacks on critical servers. While the concept of changing passwords frequently sounds good, too often the human costs measured in time consumed changing passwords are not considered. An automated password changer would be interesting.
If phishing was involved, there was no awareness program in place that went beyond phishing simulations and computer-based training. Phishing is a primary attack vector. The issue is how effective is your security awareness program? Moreover, how well can you monitor its effectiveness? Note here that Ira Winkler’s company, Secure Mentem, provides security awareness programs.
There was poor network segmentation that allowed the attackers to jump from low-value networks to critical systems. There is no doubt that segmentation is of critical importance. It’s well understood, as the Irari authors point out, that better segmentation in a couple of areas would have prevented the credit card exfiltration of the Target breach. However, until very recently, the complexity and implementation costs of datacenter segmentation put it out of reach for most organizations.
User accounts that were compromised had excessive privileges. Another excellent recommendation that, until very recently, was extremely difficult to prevent or detect. Users need administrative privileges for a variety of reasons. But there are now security agents that prevent unneeded activities despite users having administrative privileges. There are also User Behavior Analytics tools that are easy to administer and operate that will highlight users whose application access rights are greater than their peers.