What are you doing to spot a breach?
It’s probably already happened, but you just haven't seen it...
Technology moves quickly, not just in legitimate business, but in the cybercriminal world too. Advanced attack tools are now available on the black market, lowering the barrier to entry for the average online lowlife. They are happy to target large and small organizations alike, and they only have to be lucky once.
Security pros have been forced to prepare for a world of constant, sustained attack by understanding the threats and choosing the right measures to prepare for them. Companies are realising the extent of the threat and gearing up for it, say experts.
“We have seen information security budgets increasing in the last 12 months to address the challenges that cyber crime is bringing to the organisation,” said Steve Durbin, managing director of the Information Security Forum.
So what kinds of threats are they dealing with, and how can they prepare?
What are the threats and where are they coming from?
The cyberthreats facing modern companies fall into various categories, and they’re loosely linked to the type of cybercriminal that you’re dealing with and the kind of information that they’re after. Hacktivism has traditionally been characterised by attacks with a relatively low barrier to entry such as DDoS and web site defacements, for example.
While hackers’ motives are frequently political or ideological, financial cybercriminals are interested purely in money, and are adept in their pursuit of it. Some will attempt to transfer money out of an organization, while others will focus on saleable information. Malware typically underpins a financial cybercrime attack.
One notable recent example is Carbanak, an extensive attack on financial institutions that netted $1bn in stolen assets. It was a devilish attack, starting with a backdoor sent as an attachment that then moved through the network until it found an administrative machine.
Then, the malware intercepted clerks’ computers, recording their sessions, and subsequently used that information to transfer money fraudulently using online banking sessions and to dispense money from ATMs.
Carbanak was a sophisticated attack that sought to directly manipulate systems, but cybercriminals typically look to steal specific types of information such as personally identifiable information (PII) when they attack. Malware delivery via phishing and drive-by downloads is still a highly effective tool to steal this data. Exploit kits designed to target enterprise clients with malicious payloads are on the rise. In its 2015 Threat Report, Forcepoint found three times more exploit kits in circulation than it had in 2013.
This information can be about your customers or your employees. The latter can be just as damaging, because you’re likely to have financial and other data about the people who work for you. One of the most egregious attacks on employee data recently must be the Office of Personnel and Management hack that compromised 5.6 million fingerprint records, and more than 21 million former and government employees, harvesting social security numbers and addresses.
PII isn’t the only threat category, though. Intellectual property is another rich seam for online criminals to mine. Often the subject of targeted attacks, this information can take many forms, from email archives through to launch plans for new products, or details of new products currently under development.
“We see a lot of intellectual property theft out there, coming from assumed nation states based on the IPs that they’re coming from, and from industry, too,” said Eric Stevens, director of strategic security consulting services at Forcepoint. “It’s a lot cheaper to steal development time than it is to do that development yourself,” he pointed out.
While these different groups will typically seek different types of information, there is also an increasing amount of overlap. Hacktivists have begun targeting both customer data and intellectual property where it suits their needs. Anonymous was behind the theft of ticketholder data for the 2012 F1 Grand Prix in Montreal, which was posted online. Hacktivist faction Lulzsec mined intellectual property from private security firm Stratfor in 2011.
How do you live with attackers getting in, and continue to fight them?
Over the years, the focus on keeping attackers out at all costs has shifted towards managing them when they break into an organization. Security professionals seem to be tacitly admitting that network intrusion is a question of ‘when’, rather than ‘if’.
“15 years ago, the focus was keeping them out. Today, organizations are starting to realize they have to deal with a certain degree of compromise,” explained Stephen Northcutt, director of academic advising for the SANS Technology Institute.
This is something that at least one of the three-letter agencies has understood for years. In 2010, Deborah Plunkett, then-head of the Information Assurance Directorate at the NSA, said that the agency assumed that there were already intruders inside its network. Considering itself already compromised forced it to protect critical data inside the network, rather than relying on a single ring of iron.
The Open Group’s Jericho Forum focused on containing rather than preventing threats with its de-perimeterization principle, first espoused in the mid-2000s, which stated that the traditional trusted network boundary had eroded. One of the group’s commandments to survive in a de-perimeterized future was the assumption that your network was untrusted.
Clearly, the NSA didn’t protect its resources especially well, though. Ed Snowden, working for third party contractor Booz-Allen Hamilton, happily vacuumed up gigabytes of sensitive data for a sustained trickle-feed campaign to the media.
No matter what side of the Snowden debate you’re on, for CISOs his case highlights the need for controls to stop the theft of information through authorized accounts.
“Over the next few years, you will see a lot of growth in privilege and identity management,” said Northcutt. “At the network level you are going to see more segmentation and isolation.”
To fully protect themselves with these techniques, though, organizations need a deep understanding of the data that they have and how it is used in their business, said Stevens. There are many roles and sets of responsibilities in an organisation. Some of them may even transcend internal employees altogether.
“You have to understand what your business processes are surrounding that data,” he said. It’s necessary to understand what a normal process looks like. A hospital may send data to a third party company that produces its invoices for it. How can you distinguish between a legitimate business process like that, and an illegitimate one that is sending sensitive data to bad people?