Cyber Security: Getting Prepared for Attacks

With the increasing sophistication of adversaries and the pace of innovation in cyber tactics, cyber attacks are more likely to succeed than not. To that end, prevention – while remaining highly important – will be one of the toughest challenges for organisations, which at the same time must focus on increased vigilance and effectiveness in their detection of and response to security breaches.

An Ongoing Battle

Cyber attacks have been and will continue to be driven by financial and sociopolitical motivations. The financial sector is a prime target for adversaries, as it provides a direct means to achieve financial gain or to disrupt the social and economic stability of any nation. To deal with this, regulators around the world have raised the compliance bar by mandating security requirements for financial institutions (FIs). With the adoption of technologies such as multi-factor authentication, end-to-end encryption, Europay, MasterCard and Visa (EMV) chip-based cards, and robust risk management capabilities, the level of information security within the financial sector is significantly more mature than in other sectors.

Yet these enhanced security measures have not deterred adversaries, who have been locked in a game of leap-frogging tactics since the dawn of technology. Instead of trying to break into a heavily fortified enterprise, adversaries have started to reformulate their tactics to target users outside the fortified perimeters. In what are commonly known as advanced persistent threats (APT), adversaries have been very selective in picking their target of opportunity to meet their ultimate objectives.

The fundamental mechanics behind APTs are similar to those of traditional attacks, in that they rely on malware that targets vulnerable services, on tricking users into divulging important information through compromised websites or social engineering (also known as phishing), or on users opening attachments containing malicious code. What has evolved is that such malware either uses unpublished vulnerabilities (typically known as zero-day vulnerabilities) or morphs in order to avoid detection by traditional security mechanisms. Such malware also does not attempt to propagate rapidly, as this would draw attention to its activities. Instead, it can remain dormant for long periods of time and only perform what is necessary to sniff out important information and slowly exfiltrate it from the organisation – usually in encrypted form, so that it is harder for organisations to work out what is happening.

One group of entities being targeted by adversaries is upstream service providers, as they are typically given either access into an organisation’s environment or access to some level of its data. Depending on the size and complexity of the entity, its level of security mechanisms may be lower than that of an FI. Such providers also may not always be operating within secured perimeters, and may work from external locations. Individuals in these organisations are prime targets, as they can provide an easier access path into the ultimate target of interest.

It is unfortunate that over the past decade, many organisations without regulatory guidance have adopted a very reactive stance towards information security. Technologies and processes have been put in place without a holistic consideration of how security should be managed. Instead, many of these initiatives are in response to customer pressures and are often seen as a cost of doing business rather than a key enabler of sustainability.

As a result, over the past two years there has been a widening chasm between what organisations are doing and what they should be doing. In too many cases their security management capabilities have not kept pace with the increasingly wide adoption of technologies such as mobility, cloud computing and social media. Additionally, companies underestimate the way targeted attacks avoid detection by exploiting unpublished vulnerabilities, whose activity generally falls below the thresholds that trigger alerts, and are unaware that entities linked to, but outside of, the organisation are also becoming prime targets.

Bridging the Gap

It is imperative that organisations re-evaluate their security strategies. In today’s landscape, it is not pragmatic to attempt to build an impenetrable defence by relying mainly on preventive techniques. It is important to consider shifting some of the investment budget into building a more holistic cyber threat management framework that comprises a balanced portfolio of threat intelligence, monitoring and detection of low-threshold persistent threats, proactive vulnerability identification, remediation plans, and an updated incident response plan.

This allows the organisation to ensure that a minimum security baseline can be sustained, and critical services are monitored to detect the occurrence of undesired disruptions or security breaches. It is also important to ensure that outsourcing relationships are rigorously evaluated to minimise the impact that a security breach to a vendor can have on the organisation.

Information security also needs to be embedded in the DNA of the organisation. It is not the sole responsibility of the information security function, which serves as the facilitator to provide the necessary expertise and guidance, while every individual team and employee must recognise that they can be a prime target for adversaries who seek to find the path of least resistance into the organisation.

Cyber attacks will never stop, given the driving financial and sociopolitical motivations. Assumptions about information security that were made just five years ago are no longer valid in the wake of recent revelations of what national intelligence communities and adversaries alike are capable of. It is time to transform old paradigms in order to more effectively prevent, monitor, detect and respond to security breaches – and new security analytics capabilities will play a major role in these activities.
