4 strategies to root out your security risks

You’ll never reduce your security risk if you can’t identify and mitigate the root causes of those vulnerabilities. It isn’t enough to have a list of malware programs that your antimalware has detected. You need to to determine how viruses and hackers have penetrated your environment in the past.

In the vast majority of organizations, two root causes are responsible for successful exploits: unpatched software and social engineering. All other root causes generally account for less than a few percentage points of the risk. The key to reducing computer security risk is that every organization needs to determine its own, most prevalent root causes.

Hackers and malware can break in about a dozen different ways, including the following:

• Unpatched software
• Social engineering
• Zero-day exploits
• Password cracking
• Eavesdropping/main-in-the-middle attacks
• Privilege escalation
• Misconfiguration/user error
• Denial of service
• Insider malfeasance (including partners, consultants, and vendors)
• Physically accessing systems

If even a relatively benign program has exploited your environment, it’s important to understand how it broke in. Whether if the malware program was only adware, the effort it took to break in amounts to exactly the same effort that a more malevolent culprit, like ransomware, would undertake to carry off far worse.

For an effective defense, you have to learn which root causes are the most relevant to your environment, then work on minimizing them. Often, this isn’t easy; in some cases it’s impossible. But with these approaches you can give it your best shot.

Forensic investigation

It may be resource intensive, but nothing beats a complete forensics investigation for determining how a breach happened. In a perfect world with no resource constraints, every exploited device would have its memory and storage snapshotted and its contents analyzed. Many forensic investigation programs show you what changed on a timeline to ease the job of determining what happened. A thorough forensic investigation can’t always tell you how an action was executed on a computer, but it’s still the most effective option to get a complete and accurate picture of the origins of a successful attack.

Identify malware by attack method

Many malware programs are hard-coded to take advantage of particular root causes. When you encounter them, you’ll find it easier to determine how something happened. For instance, some types of malware programs only spread via USB devices. Malware spreads when someone executes a program, whereupon it spreads and self-replicates by infecting other programs and documents. Email worms spread … well, via email. Most malware programs use a single mechanism to propagate themselves. With a minimum of research, you can figure out a root cause.

Of course, many malware programs spread using multiple methods. For example, the Conficker worm spread through unpatched vulnerabilities, by guessing simple passwords on drive shares, by using a desktop.ini autorun vulnerability, or via USB key. These types of programs may take more research, but root-cause analysis can still be done. For a program like Conficker, you could check to see if the involved vulnerability is patched, look for a rogue desktop.ini file, or scan USB keys for infection.

Victim interviews

Amid today’s social engineering pandemic, it’s almost impossible to determine how a malicious program was executed without talking to users. Even then, users may have no clue how they were exploited. Nonetheless, under direct questioning, you’d be surprised how often users suddenly remember a funky email or a website that told them to download a file before their computer started to slow down or act weird. Interviewing people on a large scale is unwieldy and expensive, but it may be the only way to get at the truth.

Inventory analysis

This method is frequently overlooked. If you’re trying to determine how your computers were infected and have absolutely no other way to figure it out, consider analyzing your software and hardware inventory. If you see a huge spike associated with a particular configuration—say, a computer running a particular version of an operating system, browser, and browser plugin—then that configuration may be part of the problem.

External threat intelligence

All the previous methods help determine your own local threat intelligence, which is the most valuable information any organization can have. Beyond that, research what happens within your industry, to your competitors, to your country and region, and more broadly across the world. A lot of malware research, such as Microsoft’s Security Intelligence Reports, shows geographic distributions of hacking and malware. They offer a great way to get insight into what may be attacking your company. But keep in mind that any popular, successful exploit may be a top suspect.

What now?

Once you determine the leading root causes of your organization’s exploitation, focus your energy and resources into mitigating them. That extends to the measures you take, the products you buy, and the user education you give. Your focus on those root causes should continue over time until they are no longer leading causes.

This approach is how you reduce risk. Yes, you still need broad, across-the-board, defense-in-depth mitigations (credential hygiene, stronger authentication, and so on). But if you can tackle the biggest problems and deploy commodity defenses in tandem, you’ll be one of the most efficient organizations around at reducing security risk.