IT Focus Area: security
June 26, 2017
How to Successfully Combat Targeted Cyber Attacks
Editor's Note: Sirius and Forsythe are now one company. Sirius acquired Forsythe in October 2017 and we are pleased to share their exceptional thought leadership with you.
Once upon a time, security was easier. Corporate information assets were tucked safely behind a firewall, secure within the physical confines of the data center. We had a strong set of access controls and, frankly, didn’t consider the corporate brand to be much of a target for would-be attackers. Companies focused on how to grow the business and protecting data was a simple, reactive process.
Times have changed.
Cloud computing, mobile devices, the Internet of Things (IoT) and the ubiquity of information have shifted information technology (IT) paradigms and opened new avenues of attack.
Critical data is under siege
The business world has reached a state of cyber siege, with data breaches dominating news headlines. Companies are now struggling to protect critical information assets as their networks are hit by a constant barrage of attacks. In 2016 we saw some of the largest data breaches ever, and 2017 is delivering more of the same with the global outbreak of WannaCry ransomware, and attacks on organizations including Honda, Arby's, Intercontinental Hotels Group, Saks Fifth Avenue, the U.S. Air Force, over 60 universities and U.S. federal government organizations, and even Cellebrite, a notorious iPhone and device cracker.
Security has evolved from a vague concern into a high-stakes battlefield, and cyber attacks are a stark reality. There is no upper limit to what highly skilled, aggressive attackers can do; recent volumetric distributed denial of service (DDoS) attacks have demonstrated that even the Internet itself is at risk. As the number of data breaches continues to rise, targeted attacks are threatening to undermine the ability of organizations in all industries to compete in the global marketplace.
What is a targeted attack?
An attack can be considered targeted when it fulfills the following criteria:
Targeted attacks are not just an IT issue
Targeted attacks are often discovered long after the fact, when sensitive corporate and customer data has already been stolen. Mandiant Consulting’s 2017 M-Trends report cites 99 as the median number of days in 2016 that an organization was compromised before discovering, or being notified of, a breach. This means adversaries may have had full visibility into everything occurring on a victim organization’s network for over three months.
The results of a successful attack can be devastating. Targeted attacks are not just an IT security issue; they are a business issue that can dramatically impact financial performance, brand reputation, and customer loyalty. It is important not to make the mistake of thinking, “It won’t happen to me.” This is not just a problem for other organizations; targeted attacks are affecting everyone. Even if you feel your company has nothing of interest to exploit, consider your customers and partners — you may be viewed as a stepping stone to the data or intellectual property being sought.
“My message for companies that think they haven’t been attacked is: You’re not looking hard enough”.
— James Snook, Deputy Director, UK Office for Cyber Security
A recent Accenture survey of 2,000 executives from 12 industries and 15 countries across North and South America, Europe, and Asia Pacific revealed that on average, a large enterprise organization will face more than a hundred targeted attacks every year, and one in three will result in a successful security breach.
The actors behind these attacks are interested in a broad range of information, and they are stealing everything from military defense plans to schematics for toys. Their motivation can be financial gain, espionage, sabotage, or even just revenge.
They start by identifying vulnerabilities that are unique to your employees and infrastructure. And since they are precisely targeted, surreptitious, and often leverage advanced techniques and zero-day (unknown) exploits, they can bypass traditional network and host-based security defenses.
Overcoming cyber defense failure
Recent high-profile attacks highlight the fact that malicious actors have become extremely adept at leveraging Web application attacks including structured query language (SQL) injection and cross-site scripting (XSS), malware attacks ranging from viruses and worms to spyware and ransomware, application-specific attacks that target applications based on the results of packet sniffing, and denial of service (DoS) and distributed denial of service (DDoS) attacks.
Verizon’s 2016 Data Breach Investigations Report revealed just how successful attackers have become. According to the report, in 81.9% of incidents attackers compromised their target within minutes, and in nearly 70% of cases successful data exfiltration was accomplished in a matter of days.
With the deck seemingly stacked in the attackers’ favor, how can organizations combat targeted attacks?
Here are a couple of approaches that don’t work: if your information security program is purely compliance-based and all of your efforts are focused on checking items off of a list, you’re in trouble. If you have intrusion detection and prevention systems (IDS/IPS) running or are collecting internet protocol (IP) traffic information with NetFlow but don’t review the logs or analyze the data, you will not be able to stop these attacks.
Too much IT security spending has focused on the prevention of attacks, and not enough has gone towards preparing for the inevitable. Prevention is inadequate as a strategy to defend against targeted attacks. Attackers are opening windows of vulnerability that are extremely difficult to detect. In order to effectively secure your organization’s data and collapse the attackers’ window of opportunity you need to be vigilant and work from the assumption there is unwanted, unauthorized activity already taking place on your network.
Critical elements of targeted attack defense
To combat cyber attacks, companies should move from a perimeter-based mentality to a comprehensive, active approach that focuses on multiple layers of defense, analytics and incident response. Critical elements of a defense strategy include a clear understanding of what you need to protect, data classification, security posture evaluation, enhanced detection capabilities, security awareness and training, and proactive incident response plans.
1. Know what to protect
The first step in any IT security strategy: know what you need to protect. Consider the following questions:
- What are your most valuable information assets?
- Where are they?
- Who has access to them and why?
- When are they being accessed?
Answering these questions can help to establish an understanding of the critical pieces in your infrastructure that need attention. It will also provide insight into what normal activity looks like, which will better enable you to recognize abnormal patterns of behavior. It is important to think of your organization not only as an ultimate target, but as a stepping stone. Assess your partnerships and business relationships to identify which might provide access to your company’s information in the event of a breach, and vice versa. This in-depth evaluation requires collaboration between IT, security, and the business.
2. Classify your data
Data classification policies and tools help to separate valuable information that may be targeted from less valuable information. Through data classification, information is divided into predefined groups that share a common risk, and the corresponding security controls required to secure each group type are detailed. Classification tools can be used to improve the treatment and handling of sensitive data, and promote a culture of security that helps to enforce data governance policies and prevent inadvertent disclosure. Classification metadata can be ingested by data loss prevention (DLP), encryption, and other security solutions to determine which information is sensitive, and how it should be protected.
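The mechanism described above, as an added example that is not part of the original article: a small classifier that assigns a label to a document (here by detecting card numbers with a Luhn check and by matching a few constructed keywords) and a handling policy, keyed by that label, that a DLP control would consult before allowing data to leave. The records, label names, keywords and channel rules are all constructed for illustration.

```python
import re

# Constructed sample documents (not from the page). The classifier assigns labels below.
RECORDS = {
    "q2-forecast.txt": "Q2 revenue forecast: 12.4M, board-only. Contact: cfo@example.com",
    "customer-export.csv": "name,card\nA. Smith,4111111111111111\nB. Jones,5500000000000004",
    "lunch-menu.txt": "Tuesday: tacos. Wednesday: soup.",
}

# Candidate payment card numbers: 13-16 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")

# Constructed keywords that mark internal-only business content.
CONFIDENTIAL_WORDS = re.compile(r"\b(board-only|forecast|internal)\b", re.I)


def luhn_ok(digits):
    """Luhn mod-10 check; filters out digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text):
    """Return one of the constructed labels: restricted, confidential or public."""
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            return "restricted"        # cardholder data found
    if CONFIDENTIAL_WORDS.search(text):
        return "confidential"
    return "public"


# Handling rules per label and egress channel (assumed policy, not the article's).
HANDLING = {
    "restricted":   {"email_external": "block",   "email_internal": "encrypt", "usb": "block"},
    "confidential": {"email_external": "encrypt", "email_internal": "allow",   "usb": "block"},
    "public":       {"email_external": "allow",   "email_internal": "allow",   "usb": "allow"},
}


def egress_decision(name, channel):
    """Classify a record and return (label, action) for the requested channel."""
    label = classify(RECORDS[name])
    return label, HANDLING[label][channel]


if __name__ == "__main__":
    for name in RECORDS:
        print(name, egress_decision(name, "email_external"))
```

In a real deployment the label would be written into the file or message metadata once, at classification time, so that DLP, encryption and access-control systems read the same decision rather than each re-scanning content.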
3. Assess your security posture
Many targeted attacks use well-known vulnerabilities as part of the overall attack. Careful evaluation of your organization’s security posture is critical and should be a continuous process.
- Consider threats from insiders and partners, as well as malicious unknowns in your assessments. Professional services such as security program assessments help to evaluate the overall state of your organization’s security by providing an objective view of your organization’s policies, controls, and processes. The development of an effective vulnerability and threat management program will identify vulnerabilities exposing the organization to malicious activity. Compromise assessments can determine whether or not a malicious activity is already taking place on your network. They should be regularly scheduled as a part of your vulnerability management practices, and integrated with incident-response capabilities.
- Ensure that basic security practices are in place. Proper password and authentication policies, patch-management procedures, firewall and IDS/IPS configuration, and log review procedures are among the practices that should be well-established within your organization, and that of your partners and contractors. Ensure the information from these tools and systems is visible to, and correlated between, key teams and incident responders. Remember to focus appropriately on third-party relationships and deploy compensating controls if your partners are not at the level of security you desire.
- Identify the security tools, technologies, and strategies you currently employ and maximize their effectiveness against targeted attacks. Is your security information and event management system (SIEM) properly logging, monitoring and auditing employee actions and activity? Do you have DLP and analytics technology implemented and integrated to provide visibility into data movement?
- Should you upgrade your current vendors’ products, or invest in new technologies? Many organizations fail to optimize their existing tools and technologies, and programs and processes often have gaps that can be exploited. Focus on what currently exists within the organization, and perform programmatic gap assessments to enhance your efforts. Many companies leverage a vendor-independent technology partner to test additional solutions and find the right fit for their organization (see advanced tools for advanced threats sidebar).
- How strong is your existing identity management infrastructure? It’s important to monitor employee roles carefully as they change, as well as the accessibility of information by partners and outside consultants. Your identity management system should ensure only those who require access to sensitive information have it. If an employee leaves the organization or moves to another department, your identity management system should make appropriate changes to access or wipe data on mobile and other devices as necessary. Privilege management should be a key area of focus. Ensure controls are in place to cross-reference identities with data protection strategies. IAM consulting, integration and support services can help your organization meet regulatory guidelines and user expectations while delivering accountability and transparency of access to the business.
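The identity checks described in the last point above (leavers whose accounts remain enabled, movers who keep entitlements from a previous role, and accounts with no owner), as an added example that is not part of the original article. It reconciles a constructed HR roster against a constructed directory snapshot; the department-to-group policy and the set of privileged groups are assumptions for illustration.

```python
# Constructed HR roster: employment status and current department per person.
HR = {
    "asmith": {"dept": "finance", "status": "active"},
    "bjones": {"dept": "engineering", "status": "active"},  # moved from finance
    "cdoe":   {"dept": "finance", "status": "terminated"},
}

# Constructed directory snapshot: account name -> group memberships.
DIRECTORY = {
    "asmith":     {"finance-users", "vpn"},
    "bjones":     {"finance-users", "finance-ledger-admin", "eng-users", "vpn"},
    "cdoe":       {"finance-users", "vpn"},
    "svc-backup": {"domain-admins"},          # no matching HR record
}

# Assumed policy: groups each department is entitled to hold.
ROLE_GROUPS = {
    "finance":     {"finance-users", "finance-ledger-admin", "vpn"},
    "engineering": {"eng-users", "vpn"},
}

# Assumed list of groups that confer elevated privilege.
PRIVILEGED = {"domain-admins", "finance-ledger-admin"}


def reconcile(hr, directory, role_groups):
    """Compare directory accounts with HR; return (account, finding, groups) tuples."""
    findings = []
    for account, groups in sorted(directory.items()):
        person = hr.get(account)
        if person is None:
            # Nobody in HR owns this account: orphan (service accounts need an owner too).
            findings.append((account, "orphan", sorted(groups)))
            continue
        if person["status"] != "active":
            # Leaver whose account is still enabled with its old access.
            findings.append((account, "leaver-not-disabled", sorted(groups)))
            continue
        # Mover: entitlements beyond what the current department allows.
        excess = groups - role_groups.get(person["dept"], set())
        if excess:
            findings.append((account, "excess-entitlement", sorted(excess)))
    return findings


def privileged_findings(findings):
    """Subset of findings that touch a privileged group; handle these first."""
    return [f for f in findings if PRIVILEGED & set(f[2])]


if __name__ == "__main__":
    for finding in reconcile(HR, DIRECTORY, ROLE_GROUPS):
        print(finding)
```

Running this on a schedule (and on every HR status change) turns the "make appropriate changes to access" requirement into a measurable control: the list should be empty, and anything on it is a ticket.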
4. Enhance your detection capabilities
It is imperative to know when a targeted attack is underway, and how to gather evidence to be able to understand its purpose and origin. Leveraging multiple security solutions that use different methods to detect malicious activity for both internal and external threats can enhance your capabilities. Security technology has been evolving, and manufacturers are developing ingenious ways of not only detecting but stopping zero-day attacks (see advanced tools for advanced threats sidebar). Many advanced security monitoring tools work well in conjunction with more traditional defenses, such as firewalls, IDS/IPS, antivirus, gateways and SIEM systems. With the right tools in place and staff and operational support behind them, you can gain the situational awareness and counter-intelligence needed to identify an attack—and potentially divert, block or quarantine threats. Even if an attack is successful, the insight gained into how it occurred, what information may have been compromised, and the relative effect of your defenses can be invaluable to recovery efforts and will help you continuously improve your security posture.
Advanced tools for advanced threats:
Here are a few of the tools and services that can help to identify and combat targeted attacks:
User & Entity Behavior Analytics (UEBA)
These tools provide artificial intelligence and machine learning capabilities based on a number of technical components including data analytics, data integration, data visualization and source systems analyses. They help to establish baselines of normal user behavior to work from, and facilitate the detection of users with high-risk identity profiles as well as high-risk activity, access, and events. Through these tools, threats can be identified based on actions that stray from normal patterns, and addressed through manual or automated remediation.
Defensive Deception
Defensive deception tools and techniques help to detect an attacker’s lateral movement early and divert it before critical data is accessed or damaged. Distributed decoy systems create the appearance of endpoints and servers throughout the range of IP addresses used within the organization, and scatter various traps such as fake credentials for accounts on decoy machines. Because legitimate users have no reason to interact with decoys, attacks can be rapidly identified and false positives greatly reduced. Endpoint detection and response platforms, IPS, next-generation firewalls (NGFWs), web application firewalls (WAFs) and Web application deception solutions can also be used to facilitate deception initiatives.
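The two detection ideas in the UEBA and defensive deception entries above, as one added example that is not part of the original article: a baseline of normal login behaviour (hosts and hours per user) is learned from a constructed week of authentication events, then new events are scored for deviation from it, and any use of a decoy credential is alerted on regardless of baseline, since no legitimate user should ever present one. The log format, user and host names and the decoy account name are all constructed; a production system would use statistical ranges rather than the exact set of hours seen.

```python
import re
from collections import defaultdict

# Constructed log format: "<ISO timestamp> user=<name> host=<name> result=<success|failure>"
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) result=(?P<result>\S+)$")

# Constructed decoy (honeytoken) account names seeded on decoy machines.
DECOYS = {"svc-legacy-admin"}

# Constructed baseline period: a few days of ordinary logins.
BASELINE_LOG = [
    "2017-06-19T08:55:10 user=asmith host=fin-ws-01 result=success",
    "2017-06-19T09:02:44 user=bjones host=eng-ws-07 result=success",
    "2017-06-20T08:58:31 user=asmith host=fin-ws-01 result=success",
    "2017-06-20T13:10:05 user=bjones host=eng-ws-07 result=success",
    "2017-06-21T09:01:12 user=asmith host=fin-ws-01 result=success",
    "2017-06-21T17:45:00 user=bjones host=build-01 result=success",
]

# Constructed events to score: one normal, one anomalous, one decoy use, one malformed.
NEW_LOG = [
    "2017-06-26T09:05:12 user=asmith host=fin-ws-01 result=success",
    "2017-06-26T02:17:40 user=asmith host=fin-srv-db result=success",
    "2017-06-26T02:19:03 user=svc-legacy-admin host=fin-srv-db result=failure",
    "2017-06-26T13:30:22 user=bjones host=eng-ws-07 result=success",
    "this line is not an auth event",
]


def parse(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["hour"] = int(ev["ts"][11:13])   # hour of day from the ISO timestamp
    return ev


def build_baseline(lines):
    """Per-user profile of hosts and hours seen during successful logins."""
    base = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for line in lines:
        ev = parse(line)
        if ev and ev["result"] == "success":
            base[ev["user"]]["hosts"].add(ev["host"])
            base[ev["user"]]["hours"].add(ev["hour"])
    return base


def score(ev, base):
    """Return a list of reasons the event is suspicious (empty means normal)."""
    if ev["user"] in DECOYS:
        # Decoy credentials are never used legitimately; even a failed attempt is an alert.
        return ["decoy-credential-used"]
    prof = base.get(ev["user"])
    if prof is None:
        return ["unknown-user"]
    reasons = []
    if ev["host"] not in prof["hosts"]:
        reasons.append("new-host")
    if ev["hour"] not in prof["hours"]:
        reasons.append("off-hours")
    return reasons


def detect(lines, base):
    """Score each parsable event; return (ts, user, host, reasons) for anomalies."""
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue                     # malformed lines are skipped, not alerted on
        reasons = score(ev, base)
        if reasons:
            alerts.append((ev["ts"], ev["user"], ev["host"], reasons))
    return alerts


if __name__ == "__main__":
    for alert in detect(NEW_LOG, build_baseline(BASELINE_LOG)):
        print(alert)
```

The decoy check deliberately runs before the baseline lookup: it is the one signal here with near-zero false positives, which is exactly the property the deception entry above describes.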
Distributed Denial-of-Service (DDoS) Protection
This technology helps defend against targeted DDoS attacks and block multi-vector threats, including attacks that target applications and the underlying infrastructure. Hybrid solutions can integrate on-premises DDoS protection with cloud-based scrubbing, automatically collecting and analyzing data across deployments that includes SSL inspection, behavioral analytics, bandwidth usage, health monitoring, and other statistics. This ensures that attacks can be quickly discovered, and mitigation activated via hardware, upstream, or across cloud-based services.
Threat Intelligence
Threat intelligence technology and services help enterprises arm themselves with the strategic, tactical, and operational insights they need to identify and respond to global threat activity, and integrate intelligence into their security programs. Threat intelligence can include internal intelligence about the organization’s own assets, behavior, and network traffic; commercial intelligence from a vast network of security and technology partners; closed-source community intelligence shared by various industry and vertical groups (e.g., FS-ISAC, R-CISC and ISC-ISAC); and open-source intelligence from publicly available sources such as websites, blogs, social media, and news feeds.
Endpoint Detection and Response (EDR)
In the past, endpoint security focused on signature-based solutions such as anti-virus, host IPS and heuristics to prevent exploits and malware propagation. Today’s EDR solutions and next-generation endpoint protection platforms (EPPs) include these components, but also enable SOCs and IR teams to leverage additional capabilities such as continuous endpoint recording, customized detection, live endpoint investigation, remediation, and rapid attack banning. They are generally broken down into the following categories:
• Threat prevention
• Threat detection & response
• Endpoint monitoring & management
• Digital forensics
Automation & Orchestration
Manually addressing targeted attacks is not a viable option. Hackers have turned to automation to advance their capabilities; in order to keep up with them, we need to do the same.
Automation and orchestration technology can help organizations address the security skills shortage, and achieve the following:
• Raise the productivity of skilled security engineers
• Minimize the mean time to resolution (MTTR)
• Integrate the diverse products required to defend against agile threats
When properly operationalized and used in conjunction with data-centric security tools and managed security services, these tools can improve an organization's ability to detect and respond to targeted attacks, and manage threats more effectively.
5. Ensure security awareness and training
Humans are the weakest link in any security strategy. Security awareness at all levels of the organization is critical. After all, employees can't practice good security if they aren't educated about best practices, or informed of what the latest threats look like.
Many targeted attacks take the form of emails that leverage social engineering tactics and entice users to click on a malicious link or open an attached file, thereby triggering the hackers’ code and installing a back door for outbound communications to command and control servers. In Wombat Security's 2017 State of the Phish report, 76% of respondents reported being the victim of a phishing attack in 2016. The average business end user faces at least one risky email per day, and Verizon’s 2017 Data Breach Investigations report found that 1 in 14 were tricked into following a link or opening an attachment, and a quarter of those users went on to be duped more than once.
You can build a human firewall by educating employees — especially those with access to critical intellectual property — continually about the threat to their company, their personal information, and their livelihood. And make sure you have strong corporate policies regulating bring-your-own-device programs, including applications, cloud resources, and IoT devices.
6. Put a comprehensive incident response plan in place
A comprehensive incident response plan will enable your organization to respond aggressively to an attack, minimize damage and align defenses to mitigate future intrusions.
How can you gauge your organization’s IR capabilities?
Consider the following questions:
- Do you have an incident response program in place, with well-documented plans and procedures?
- Are employees aware of what constitutes an incident to begin with and how to report and manage an incident?
- Do you conduct hands-on walk-throughs and mock exercises that test written policies and help to standardize response?
- Have you optimized the tools you’re using today to protect against and detect incidents?
- Has your program been updated and tested to support today’s cyber threats and response needs?
- Have you incorporated machine learning capabilities to replace processes that would otherwise require arduous human analysis?
- Does the executive team know their role and what is expected of them?
- Do you have the tools and relationships in place to accelerate your response to a serious security incident for containment and public management?
Don’t be surprised if you cannot answer a lot of these questions. Many companies do have an IR program or plan in place but are struggling to keep it up-to-date and able to support current cyber-security concerns.
Services such as incident response readiness assessments can help to evaluate existing response plans, test their effectiveness by simulating relevant threat scenarios, and guide the organization through each phase of response to an attack, from preparation to containment.
Winning the cybersecurity war
While we may have lost the opening battle with cyber attackers, we haven’t lost the war. Your organization can reach an acceptable level of risk if you upgrade your philosophy around securing data assets, and work from the assumption that you may already be compromised. Acknowledging that there is only so much you can prevent and being ready to respond aggressively to an attack will go a long way. Mounting an active defense, and arming yourself with the right tools is critical — if botnets are the heavy artillery of cybercrime, tools such as user and entity behavior analytics, defensive deception, DDoS protection, endpoint detection and response and automation and orchestration are the reactive armor. You may not be able to completely lock down your network, but with a vigilant approach and the right systems in place, you can defend it.