Adapt or Die

Cyber-attacks went mainstream last year. 2014 will be remembered for the alarming number of successful breaches of large organisations, from JP Morgan and Sony through to Target and Home Depot, and those are only some of the biggest names to have been hit. The most striking thing about these attacks, besides their scale, was how long the attackers were inside the networks unnoticed. Dwell times of months were reported in several of these cases, and the widely quoted figure of roughly 200 days comes from industry incident-response reports of the time, where it was the median dwell time across breaches rather than a number specific to these three companies. Either way, the statistic shows a change in attackers' strategy: the smash-and-grab method is being discarded for a more methodical, Advanced Persistent Threat approach.

This change in behaviour is part of a larger shift in attackers' methodology. Attackers no longer waste resources on beating perimeter security; they go straight for the users inside the walled garden. In many of the attacks, including Sony, the attackers used convincing spear-phishing campaigns to drop malware on targeted systems and gain an initial foothold on the corporate network. In others, such as Target and Home Depot, they used login credentials stolen from third-party suppliers to get into their victims' networks. Both tactics bypassed, relatively easily, whatever perimeter controls the companies had put in place at the edge of their networks, and that is a real problem for companies still stuck with perimeter-centric defence strategies focused purely on keeping intruders out. Once inside, the attackers took their time to explore and learn the environment, doing little to attract attention while mapping out the network and copying whatever information they could, a little at a time.

In the autumn of 2011 security researchers at Symantec and the Budapest University of Technology and Economics encountered a type of malware they had never seen before. It was later named DUQU, because the temporary files it created on infected machines all had names beginning with ~DQ. It was no amateur piece of software. Once on a target system it recorded passwords and other keystrokes, stole documents and took screenshots. It also catalogued any devices or systems connected to the machine so the attackers could build a blueprint of the company's network architecture. The malware did not immediately siphon the stolen data off infected machines; it staged it in an encrypted temporary file first. This was nothing like what we were used to. It was a whole new level of intelligence, organisation and skill, and the only code that came close to resembling it was Stuxnet.

Even though DUQU and Stuxnet have the hallmarks of state-sponsored cyber-attacks, the tactics they used are now being employed by ordinary attackers. The Sony attack was so devastating because, once the attackers were in the network, they changed passwords and wiped machines, locking everyone out. Most breaches go undetected for a long time because companies are not actively looking for one in their networks; they only go looking for a smoking gun once they already suspect a breach, and that is no longer the right way to think about information security. As the borders between work and personal information blur, with Bring Your Own Device (BYOD) increasingly accepted, the security strategy has to change. Defence in depth is now key. The people in charge of security in organisations need to be more pragmatic and stop being so idealistic: a network breach is inevitable, and information security professionals need to shift their strategies to match.

Companies need to improve network and endpoint visibility so that they can identify irregular activity (for example a file touched or created when no one is working) and malicious activity (for example an attempt to copy information to locations that do not fit the user's profile). Information security should adapt to the conditions of whatever environment the business is in and should not slow the company down. To achieve that, however, security needs to be fully integrated into the company's processes and life cycles rather than being the afterthought it usually is. A better standard of security awareness and education for users is a must, since attackers now go straight for the users instead of wasting time trying to beat perimeter security. As the well-known saying goes: "There is no need to penetrate a network when you can breach the people that run it. Networks are hard, people are soft."
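The two detections named above (off-hours file activity and copies to a destination outside a user's normal profile) are simple enough to show as code. The block below is an added example, not code from the original post; it runs over a small constructed file-audit log embedded inline. Its working hours, the `svc_backup` allow-list, and the rule that a user's "normal" copy destinations are learned only from in-hours activity are all assumptions chosen for the illustration.

```python
"""Flag the two kinds of irregular activity the text describes over a
constructed file-audit log: activity outside working hours, and copies
to a destination not seen in the user's in-hours baseline."""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample log (not real data), one event per line in the form
# timestamp|user|action|path|destination. Destination is empty unless action is copy.
SAMPLE_LOG = """\
2015-03-02T09:15:00|alice|create|/shares/finance/q1.xlsx|
2015-03-02T09:20:00|alice|copy|/shares/finance/q1.xlsx|/home/alice/work
2015-03-02T14:05:00|bob|modify|/shares/eng/design.doc|
2015-03-02T17:30:00|bob|copy|/shares/eng/design.doc|/home/bob/drafts
2015-03-03T02:41:00|alice|create|/shares/finance/~tmp1.dat|
2015-03-03T02:45:00|alice|copy|/shares/finance/q1.xlsx|/users/public/staging
2015-03-03T02:46:00|alice|copy|/shares/hr/salaries.xlsx|/users/public/staging
2015-03-03T11:00:00|svc_backup|copy|/shares/finance/q1.xlsx|/backup/daily
"""

# Assumed working pattern: Monday to Friday, 08:00 to 18:00.
WORK_START, WORK_END = time(8, 0), time(18, 0)
# Assumed allow-list of accounts that legitimately run around the clock.
SERVICE_ACCOUNTS = {"svc_backup"}


def parse_log(text):
    """Parse the pipe-separated audit format into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, path, dest = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "path": path, "dest": dest or None})
    return events


def in_working_hours(ts):
    """True for a weekday timestamp inside the assumed working window."""
    return ts.weekday() < 5 and WORK_START <= ts.time() < WORK_END


def build_profiles(events):
    """Learn each user's normal copy destinations from in-hours copies only.
    Off-hours events are deliberately excluded so that the activity we want
    to catch cannot poison its own baseline."""
    profiles = defaultdict(set)
    for ev in events:
        if ev["action"] == "copy" and ev["dest"] and in_working_hours(ev["ts"]):
            profiles[ev["user"]].add(ev["dest"])
    return profiles


def detect(events, profiles):
    """Return (rule, user, detail, timestamp) tuples for suspicious events."""
    alerts = []
    for ev in events:
        if ev["user"] in SERVICE_ACCOUNTS:
            continue
        # Rule 1: any file activity by an interactive user outside working hours.
        if not in_working_hours(ev["ts"]):
            alerts.append(("off_hours_file_activity", ev["user"], ev["path"], ev["ts"]))
        # Rule 2: a copy to a destination this user has never used in hours.
        if ev["action"] == "copy" and ev["dest"] not in profiles.get(ev["user"], set()):
            alerts.append(("copy_to_unusual_location", ev["user"], ev["dest"], ev["ts"]))
    return alerts


def run(log_text=SAMPLE_LOG):
    events = parse_log(log_text)
    return detect(events, build_profiles(events))


if __name__ == "__main__":
    for rule, user, detail, ts in run():
        print(f"{ts.isoformat()} {rule:<26} user={user} {detail}")
```

On the constructed log, bob's activity and the backup account's copy stay quiet, while alice's 02:41 file creation and her two 02:45 and 02:46 copies to the shared staging folder are flagged by both rules. In a real deployment the baseline would be learned over weeks of history and the staging-folder alerts would be correlated with the earlier off-hours file creation, since a single alert from either rule is rarely conclusive on its own.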

Good security has always been about identifying your weak areas and strengthening them, adapting to your conditions and learning from your mistakes. Unfortunately, in the search for greater convenience, security has usually been an afterthought, and now that the stakes have risen so sharply we all bear responsibility for our own information security. We all have to adapt to the new conditions we find ourselves in or risk losing far more than our reputation.

Cyber Threats: The New Buzzword or a look at things to come?

I recently attended a conference on cyber threats. The majority of the speakers were security professionals representing a wide range of UK organisations, and an interesting theme began to emerge: there are two current ways of thinking about cyber threats, those who believe "cyber" is just another media buzzword and those who genuinely believe "cyber" is the new war front. Wherever you stand on the topic, you will appreciate that in today's world of e-activities and interconnectivity cyber threats are something to be taken seriously. In the last few years key events have changed the game completely: the militarisation of cyberspace, and criminals learning fast and moving into the low-risk, high-reward area of cyber crime. It is now easier to rob a bank electronically than to hold up a branch. Privacy is also changing, and Edward Snowden has made sure of that.

There is a lack of understanding among organisations and the general public about how best to prepare for these new threats. Are these cyber threats and risks going to be fed into the enterprise's risk management plan, or do you wait to see what happens first? With business and our personal lives increasingly carried out electronically and stored online, there is a greater reward for criminals in this field. Take the example of a large merger deal involving a bank: numerous emails will be sent between the parties concerned, and if one individual has no understanding of, or interest in, keeping their systems and anti-virus software up to date, criminals can get into that system and gain inside information. This will not come from a state-of-the-art laboratory or require any ground-breaking technique; a simple phishing email with a trojan attached would do the job. The criminals are prepared to wait as long as 200 days before acting, learning user patterns and identifying items of value. Once they have their information they can buy shares in the companies involved, or sell the information to other interested parties or the press, and make a pretty penny . . . all from behind their keyboards.

The threat landscape is changing and our attitudes must change with it. To have a chance against an ever-evolving threat we need an ever-evolving defence. We may not win every fight, but it is important to learn from our mistakes and stop them from recurring. We need ways to quantify the impact of these attacks: loss of intellectual property, loss of future business, reputational damage. There are currently no definitive methods for calculating these, even for insurance purposes. Educating ourselves and raising awareness is of the utmost priority. Unfortunately, the prevailing approach to information security is reactive, and that is not good enough. We need to change how we think about it, and to promote discussion and transparency in order to improve collectively, because as things stand the risk to the criminal is so low that they would have to be very lazy not to get involved.
