Fighting today's advanced threats

CIOs are setting themselves up for failure if they assume they can keep attackers out.


Advanced persistent threats (APTs) are military-grade cyber attacks aimed at private corporations. They're carried out by well-organised, nation-state attack units that invade your network and won't stop until they get what they came for.

Uri Rivner, VP business development and cyber strategy at BioCatch, says CIOs must be aware that the odds of preventing this sort of attack are stacked against them.

"Hundreds of mega-corporations with security budgets bigger than yours, all armed to the teeth with state-of-the-art products of a $67-billion-a-year IT security industry have been penetrated in the last few years," says Rivner. "Detection rates are horrible. What does this mean for you as a CIO? What information is absolutely crucial to protect?

"Are you spending your security budget on traditional lines of defence or diverting a sizable portion to newer, and perhaps less battle-tested, technologies that have a far greater chance of detecting APTs? Are you happy with the skill set of your current security operations team, or do you need to add some cyber intelligence expertise?"

One of the challenges chief information security officers (CISOs) face is that many have trained their management to believe security problems are solved by buying and installing products, says security researcher Ian Farquhar. "Target in the US had a FireEye, which is a product designed to detect APTs. According to press reports, it worked and detected the threat. But Target's security team seems to have neglected to act."

Farquhar says APTs require an appreciation that security products will fail. Most traditional security products detect known-bad, but the nature of an APT is that it can be rebuilt for every attack, so there won't be a signature or indicator that detects it. "Successful APT tools work by applying advanced analytics and techniques like sandboxing, which then detect potential threats. It's then up to the security team to go in and address those issues."

However, the thing many companies balk at is that this means the security team becomes a big OPEX expense, and it's up to the CISO to educate management about a threat that's inherently technical, adds Farquhar. "It can also be difficult for the CISO, who may have advocated for millions of dollars of Capex in security tools, to explain why they're not working anymore."

Rivner believes APTs are growing in frequency, efficacy and popularity, because modern malware is extremely stealthy, while at the same time business needs require that employees are allowed free access from anywhere and into anything without a lot of hassle.

"But there's an economic reason for the recent boost of APT activity. It's essentially good old industrial espionage, now executed in the cyber realm, James Bond stuff using modern computer networks. Foreign nations and other high-resource players are interested in your information for its commercial value or because you're an important link in a supply chain leading to a high-yield target.

A growing threat

In the US, it's mostly intellectual property, product designs, source code and defence information. In Europe, it's manufacturing and finance. In the gulf countries, it's oil and gas. In Israel, it's the buzzing high-tech and startup sector. In countries like South Africa, Australia and Scandinavia, the mining industry is a lucrative target," says Rivner.

"There's a huge economic incentive for the APT actors: rather than invest in research and development, they invest in armies of hackers that obtain all the trade secrets. In fact, this suggests that the only real way a nation can fight off APTs targeting its private sector and civilian critical infrastructure is to apply economic pressure on the attackers. This has been done effectively by the Australians, who banned Chinese companies from competing on gigantic national IT projects. APTs in Australia all but stopped."


Costin Raiu, director, Global Research & Analysis Team at Kaspersky Lab, says over the last few years, most businesses have moved their operations onto the Internet. In this way, information that was previously inaccessible became available on computers that can be hacked and accessed through the Internet.

Some of the trends Kaspersky Lab has observed lately don't only indicate an increase in APT-type attacks, but also a lowering of the cost of these attacks. While such attacks used to cost millions of dollars years ago, nowadays, through reuse of exploits and malware, APT attacks can be executed for thousands of dollars. Additionally, some of the attacks indicate a new trend, namely 'elite cyber mercenaries'. These groups are available for hire and can execute APT attacks against any target, for money.

Defending the enterprise

Rivner isn't surprised that traditional perimeter defences no longer hold. "A new defence doctrine is needed, one that doesn't rely mainly on prevention, but rather on making the infrastructure more resilient to attacks, effective detection that focuses on abnormal behaviours inside the network, quick investigative tools, and, most importantly, cyber intelligence, meaning knowing your adversary, his motivation and mode of operation."

Raiu says defence against APTs requires implementing a number of mitigation strategies.

"These strategies range from basic common sense, such as installing updates for the operating system and third-party applications, installing an Internet security solution that combines an antivirus with a firewall and host intrusion detection system, up to more complex strategies such as application whitelisting and default deny modes or centralised patch management."

Raiu says it's important to point out that no single strategy can protect against APT attacks, because in general, these are highly customised to a specific business's internal network configuration. "However, following best security practices and implementing a set of mitigation strategies can make it so difficult for attackers that they go and hit another company instead."

Farquhar says CIOs need to know they're setting themselves up for failure by assuming they can keep attackers out. "You have to change to a different strategy, which is called the 'assumption of compromise'. In this, you build defences to keep attackers out, but you always assume that you will fail. In this mode of operation, you maintain constant and pervasive vigilance within your company, and detect intruders before they can do damage or cause loss."

The biggest threat is complacency, adds Farquhar. "The CISO who says, 'We're not big enough to be targeted', the board that disregards their CISO because they don't understand the threat, the CIO who thinks his signature-based anti-malware software is going to protect him or her: these people are the biggest threat. This is something to be taken seriously."

First published in the July 2014 issue of ITWeb Brainstorm magazine.
