Adapt or die
Cyber warfare truly kicked off last year. 2014 will be remembered for the alarming number of successful cyber-attacks on organisations, from JP Morgan and Sony through to Target and Home Depot. These were just some of the biggest organisations to have suffered a breach. The most striking thing about these attacks, besides their scale, was how long the attackers were in the networks unnoticed. It has been reported that in the Target, JP Morgan and Sony attacks the attackers were in the networks for over 200 days unnoticed. This statistic shows a change in attackers' strategy, with the smash-and-grab method being discarded for a more methodical, Advanced Persistent Threat approach.
This change in behaviour is part of a larger shift in cyber attackers' methodology. Attackers no longer waste their resources on beating perimeter security but now go straight for the users inside the walled garden. In many of the attacks, e.g. Sony, hackers used convincing spear-phishing campaigns to drop malware on targeted systems and gain an initial foothold on a corporate network. In other attacks, like the ones at Target and Home Depot, hackers used login credentials stolen from third parties to gain access to their victims' networks. This shift in strategy represents a real problem for companies that are still stuck with perimeter-centric defence strategies focused purely on keeping intruders out of the enterprise network. Both tactics gained attackers access and relatively easily bypassed whatever perimeter controls the companies had put in place at the edge of their networks. Once inside, the attackers took their time to explore and learn the environment, doing little to attract attention but taking time to map out the network and copying whatever information they could, one bit at a time.
Late last year security researchers at Symantec and the Budapest University of Technology and Economics discovered a new type of malware they had never seen before. The malware was later named DUQU, because the temporary files it created on infected machines all had names that began with ~DQ. It was no amateur piece of software. Once in the target system it was designed to record passwords and other keystrokes on infected machines, as well as steal documents and take screenshots. It also catalogued any devices or systems that were connected to the machines so the attackers could build a blueprint of the company's network architecture. The malware didn't immediately siphon the stolen data from infected machines but instead stored it in a temporary file and encrypted it. This was nothing like what we were used to; this was a whole new level of intelligence, organisation and skill. The only thing that came close to resembling this sort of code was Stuxnet.
Now, even though DUQU and Stuxnet have the hallmarks of state-sponsored cyber-attacks, the tactics they used are being employed by general attackers. The Sony attack was so devastating because, once the attackers were in the network, they changed passwords and encrypted the network, locking everyone out. Most breaches go undetected for a long time because companies are not actively looking for one in their networks. Now, as the borders between work and personal information become more and more blurred, with Bring Your Own Device (BYOD) being more widely accepted, the security strategy has to change. Security in depth is now key. A shift in the way people think about security has to happen; people in charge of security in organisations need to be more pragmatic and stop being so idealistic. Companies only look for a smoking gun when they suspect there is a breach, and this is no longer the right way to think about information security. A network breach is inevitable and information security professionals need to shift their strategies to match.
Companies need to improve network and endpoint visibility to better identify irregular activity, e.g. a file touched or created when no one is working, or malicious activity, e.g. trying to copy information to different locations that do not fit with the user's profile. Information security should adapt to the conditions of whatever environment the business is in and should not be slowing the company down. However, to achieve this, security needs to be fully integrated into the company's processes and life cycles and not an afterthought, as it is most of the time. A better standard of security awareness and education among users is a must, as we see attackers now going straight for the users and no longer wasting time trying to beat perimeter security. It is a well-known saying now that "There is no need to penetrate a network when you can breach the people that run it. Networks are hard, people are soft."
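As an added illustration of the two checks that paragraph describes (not code from the original post), the script below runs over a handful of constructed file-audit lines and flags events that happen outside working hours or writes that land outside the directories a user normally touches. The log format, the per-user baselines, the exempt service account and the 08:00-19:00 working window are all assumptions made for the example.

```python
"""Flag file-audit events that are irregular for the time of day or for the
user's normal working locations. Added illustration for this post; the log
format, the user baselines and the working-hours window are assumptions."""
from datetime import datetime

# Constructed sample audit lines, one event per line: "ISO-timestamp user action path"
SAMPLE_LOG = """\
2015-03-02T09:14:05 alice READ /shares/finance/q1-forecast.xlsx
2015-03-02T13:02:41 bob WRITE /shares/engineering/build-notes.txt
2015-03-02T23:47:19 alice WRITE /shares/finance/q1-forecast.xlsx
2015-03-03T10:20:33 bob WRITE /shares/finance/payroll-export.csv
2015-03-03T02:05:10 svc_backup READ /shares/finance/q1-forecast.xlsx
"""

# Assumed baseline: directories each user normally works in, and accounts
# whose off-hours activity is expected (here a hypothetical backup service).
USER_BASELINE = {
    "alice": {"/shares/finance"},
    "bob": {"/shares/engineering"},
    "svc_backup": {"/shares"},
}
OFF_HOURS_EXPECTED = {"svc_backup"}
WORK_START, WORK_END = 8, 19  # assumed working hours, 08:00 to 19:00


def parse_line(line):
    """Split one audit line into its fields; the timestamp is parsed as ISO 8601."""
    ts, user, action, path = line.split(" ", 3)
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "action": action, "path": path}


def is_off_hours(ts, start=WORK_START, end=WORK_END):
    """True when the event falls on a weekend or outside the working window."""
    return ts.weekday() >= 5 or not (start <= ts.hour < end)


def outside_profile(user, path, baseline=USER_BASELINE):
    """True when the path lies under none of the directories in the user's baseline."""
    allowed = baseline.get(user, set())
    return not any(path == d or path.startswith(d.rstrip("/") + "/") for d in allowed)


def detect(log_text):
    """Return (line_number, user, reason) tuples for events worth an analyst's look."""
    alerts = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        ev = parse_line(line)
        # "a file touched or created when no one is working"
        if is_off_hours(ev["ts"]) and ev["user"] not in OFF_HOURS_EXPECTED:
            alerts.append((n, ev["user"], "off-hours " + ev["action"].lower()))
        # "copy information to different locations that do not fit the user profile"
        if ev["action"] == "WRITE" and outside_profile(ev["user"], ev["path"]):
            alerts.append((n, ev["user"], "write outside user profile"))
    return alerts


if __name__ == "__main__":
    for n, user, reason in detect(SAMPLE_LOG):
        print(f"line {n}: {user}: {reason}")
```

On the sample data the late-night write by alice and bob's write into the finance share are reported, while the backup account's overnight read is accepted because it is both expected off-hours and inside its baseline. In practice the baselines would be learned from weeks of normal activity rather than hand-written, but the shape of the check is the same.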
Good security has always been about identifying your weak areas and strengthening them, adapting to your conditions and learning from your mistakes. Unfortunately, in our search for greater convenience, security has always been an afterthought for most, and as the stakes have now risen to astronomical levels, we all have a responsibility for our own information security. We all have to adapt to the new conditions we find ourselves in or risk losing much more than our reputation.