With 1,000 computers, expect 20-50 compromises a day?

9 Posts
5 Users
0 Likes
672 Views
(@audio)
Posts: 149
Estimable Member
Topic starter
 

The below blog post suggests that even with a seasoned infosec team, you should expect to find 20-50 compromised computers a day with a network of 1,000 computers?

http://henrybasset.blogspot.com/2013/02/attackers-collaborate-defenders-are.html

Are you guys finding it's really that bad?

 
Posted : 10/02/2013 6:22 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

I would think that such a number depends upon a lot of things…visibility being one.

Some organizations do, in fact, have a "seasoned" infosec team. As an incident responder, I most often dealt with organizations that, while storing/processing a great deal of "sensitive data" (select your definition of choice), had no infosec team, or they had a team that was so hamstrung by internal politics that it was simply ineffective.

 
Posted : 10/02/2013 5:57 pm
(@audio)
Posts: 149
Estimable Member
Topic starter
 

I would think that such a number depends upon a lot of things…visibility being one.

Some organizations do, in fact, have a "seasoned" infosec team. As an incident responder, I most often dealt with organizations that, while storing/processing a great deal of "sensitive data" (select your definition of choice), had no infosec team, or they had a team that was so hamstrung by internal politics that it was simply ineffective.

Wow. So in your experience, if you actually have the ability to detect compromised computers, you can often expect to find around that many per day?

That seems like an awful lot. Although, I guess I can see how it can happen with malware spreading, or with how easily an attacker can often get domain admin.

 
Posted : 10/02/2013 6:20 pm
(@athulin)
Posts: 1156
Noble Member
 

…s that even with a seasoned infosec team, you should expect to find 20-50 compromised computers a day with a network of 1,000 computers?

I'm not sure I would use the word 'compromised', though I would not hesitate about 'being involved in an incident'. (Though I personally don't think 'alarm' = 'incident'.) But that depends a lot on the organization and what it considers an incident. 'Being reported as compromised', OK – that's what any AV solution does. (Added: and if some conscientious backup manager tests the backup system by restoring the oldest backup tapes in store to a server which happens to have the latest heuristic virus-detection, and policy requires each AV alarm to be counted as an incident, the average number of 'incidents' per day will increase sharply just by that action alone.)

Incident, in the case I am thinking of here, involved 'compromises' as well as anti-virus alarms, including adware and jokes, as well as finding suspect network traffic (skype, p2p, etc. – usually from consultants trying to use their computers in a way that was not allowed), and trying to connect to websites blacklisted by Bluecoat, and so on.

This is based on filling in as an incident dispatcher (i.e. sending alarms on to the correct incident responder/investigator) for a couple of months in an organization that was/is approximately that large.

Of those, the number of real compromises, after due investigation, was considerably smaller.

 
Posted : 10/02/2013 8:45 pm
(@audio)
Posts: 149
Estimable Member
Topic starter
 

@athulin, "Compromised" was the blog author's term. He suggested that while there would be a ton of results from searching for IOCs, most would not be false positives. Even a great, highly trained, and mature infosec team should expect 20-50 compromised computers per day, 7 days a week.

If that's anywhere near what others are experiencing, that's pretty surprising to me.

 
Posted : 10/02/2013 9:40 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Wow. So in your experience, if you actually have the ability to detect compromised computers, you can often expect to find around that many per day?

In my experience, it varies. It doesn't take malware spreading to cause massive compromises and infections. If you don't have visibility into what's happening on the network and endpoints, anything can happen without you seeing. Then, when something does happen that becomes visible to you, often, it's one of many.

I've seen boxes that were "thought" to have been infected as part of an incident, but weren't…the infection or compromise on that box had nothing to do with the incident we were investigating. I've seen systems thought to have been hacked by one party, only to find out that three or four parties are all accessing the system.

So…it varies. It depends. I would think that the data set discussed in the article showed just that…but that's one data set, at one point in time.

 
Posted : 11/02/2013 6:40 am
(@audio)
Posts: 149
Estimable Member
Topic starter
 

@keydet89 Good points… Thanks. )

 
Posted : 11/02/2013 7:04 am
(@trewmte)
Posts: 1877
Noble Member
 

The blog author states "could (should)" and not "will (definitely)". It could be difficult, for each event, to produce 20-50 and to mirror that as a common expectation across a like-for-like business using x-number of PCs/desktop terminals/laptops etc. The article reads as possible outcomes to be included in a 'contingency plan' for providing support (in its widest context) should such an event occur.

There is another aspect to consider as to how the design of the IT comms network has been deployed, referred to as Network topology - http://en.wikipedia.org/wiki/Network_topology The use of a star network configuration may have entirely different results for compromises / alarms than a mesh network configuration. So a blanket approach may be difficult to achieve.

However, sporadic outbreaks of compromises or alarms could be more easily increased when considering reduced control in a network due to an increase in the possibility of originating causes that may/might be generated by allowing BYOD into a business.

BYOD
http://www.trewmte.blogspot.co.uk/2013/01/smartphone-byod.html
http://www.trewmte.blogspot.co.uk/2013/02/one-hit-hits-all.html

 
Posted : 11/02/2013 11:30 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

20 to 50 every 1000 per day means 2% to 5% per day.

On average every single computer would be compromised (roughly) once a month or at the most once every two months.

So, on smaller networks, made (say) of 10 computers, you would have a system compromised once or twice a week (provided that this small network has the same "exposure" as the "big one" talked about).

I suspect that those figures represent "alarms" (or "incidents" as keydet89 defined them) and not actual PCs compromised.

As well, I would expect that IF (WHEN) a single system on a 1000 PC network is actually compromised, far more than 20 or 50 will follow very, very soon, i.e. if you plot them in a graph I would expect long periods of "flat" trend and "spikes" that peak much higher than 20 or 50.

jaclaz

 
Posted : 11/02/2013 3:48 pm
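The distinction athulin and jaclaz draw above, dispatched alarms versus hosts confirmed compromised after investigation, can be made concrete with a small dispatcher tally. The following is an added example written for this thread, not code from the blog post, from any poster, or from any product named here; the pipe-delimited record format, the disposition labels, the host names and the ten sample records are all constructed. It also carries jaclaz's rate arithmetic (compromises per day over a 1000-host estate converted into an expected per-host interval) into a function rather than a single line.

```python
"""Alarm-versus-compromise tally for an incident dispatcher.

Added illustration for the thread above; every record below is constructed.
Record layout (constructed): day|host|source|detail|disposition
'disposition' is what the investigator concluded after looking at the host.
"""
from collections import Counter, defaultdict

# Constructed sample: two days of alarms, mixing AV noise (adware, jokes, a
# false positive from restoring an old backup), proxy blocks, policy traffic
# and a handful of alarms that turned out to be real compromises.
SAMPLE_RECORDS = """\
2013-02-04|ws-0117|av|adware.toolbar|cleaned-no-compromise
2013-02-04|ws-0117|av|joke.fakealert|cleaned-no-compromise
2013-02-04|ws-0342|proxy|blacklisted-site|blocked-no-compromise
2013-02-04|lt-0021|ids|p2p-traffic|policy-violation
2013-02-04|srv-backup|av|trojan.generic|false-positive-old-backup
2013-02-04|ws-0509|av|trojan.dropper|compromised
2013-02-05|ws-0509|ids|c2-beacon|compromised
2013-02-05|lt-0088|ids|skype-traffic|policy-violation
2013-02-05|ws-0711|proxy|blacklisted-site|blocked-no-compromise
2013-02-05|ws-0905|av|backdoor.generic|compromised
"""

FIELDS = ("day", "host", "source", "detail", "disposition")


def parse_records(text):
    """Split the pipe-delimited records into dicts, skipping blank lines and
    rejecting rows with the wrong number of fields."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            raise ValueError(f"malformed record: {line!r}")
        records.append(dict(zip(FIELDS, parts)))
    return records


def tally_by_day(records):
    """Per day: alarms dispatched vs distinct hosts confirmed compromised.
    A host with two alarms on one day counts once in the compromise column."""
    alarms = Counter()
    compromised = defaultdict(set)
    for r in records:
        alarms[r["day"]] += 1
        if r["disposition"] == "compromised":
            compromised[r["day"]].add(r["host"])
    return {
        day: {"alarms": alarms[day], "compromised_hosts": len(compromised[day])}
        for day in sorted(alarms)
    }


def alarms_by_source(records):
    """How many alarms each detection source (av, proxy, ids) generated."""
    return dict(Counter(r["source"] for r in records))


def confirmed_compromised_hosts(records):
    """Distinct hosts whose investigation ended in 'compromised'."""
    return sorted({r["host"] for r in records if r["disposition"] == "compromised"})


def per_host_interval_days(compromises_per_day, hosts=1000):
    """jaclaz's arithmetic: if compromises were spread evenly across the
    estate, days between two compromises of the same host = hosts / rate."""
    if compromises_per_day <= 0:
        raise ValueError("rate must be positive")
    return hosts / compromises_per_day


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for day, counts in tally_by_day(recs).items():
        print(day, counts)
    print("alarms by source:", alarms_by_source(recs))
    print("confirmed compromised hosts:", confirmed_compromised_hosts(recs))
    for rate in (20, 50):
        print(f"{rate}/day over 1000 hosts -> one compromise per host every "
              f"{per_host_interval_days(rate):.0f} days")
```

On the constructed sample the first day dispatches six alarms but only one confirmed compromise, the second four alarms and two compromises; the disposition column, filled in after investigation, is what separates the two counts, which is the point both posters make about headline figures that count alarms.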