Writing for Defence Online, Chris Sedgwick, Director of Security Operations at Talion examines what businesses can do to mitigate cyber security threats
Businesses have experienced a lot of challenges over the past 12 months, however, one item that should never be deprioritised or ignored should be cyber security risk. The risk potential that a cyber security breach poses is often catastrophic, not only in terms of financial impact but business reputation and the knock-on effect for customers and third parties.
One key trend that keeps reappearing is visibility; and as an enthusiast of military history myself, the same problems that have mired Generals for centuries in traditional kinetic warfare can be applied perfectly to a cyber dimension. The work I have done over the past few years in cyber threat intelligence focuses on the techniques, movements, and motivations of cyber attackers, however visibility should also be reflective and inward looking. As much as a General needs to understand how many troops he has, where they are and how equipped they are to face the enemy at hand, they also need to realise what their resources look like from the enemy’s perspective. Are there vulnerable aspects exposed, is sophistication (or lack of!) exposed somehow or is there some leakage of information that could be intercepted for enemy gain?
The Art of Cyber war – Understanding the enemy
In much the same way, CISOs and IT Security Managers need to understand the corporate network and its weaknesses, and all of the activity that is being done within it. Key to this is visibility of what is being done on a network level, what is coming in and out of the network perimeter. Is there anything malicious coming in, or is there anything company sensitive that is making its way out? It is also a critical need to have visibility of each host within the network, the processes that are being run and who is logging in to each machine, as otherwise you are restricted to only having visibility of the perimeter. If an internal machine loads a USB with a propagating ransomware, there could be catastrophic impact, but you would never see it with perimeter monitoring alone.
In the words of Sun Tzu, “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” Regular vulnerability scans should be conducted against the network in order to identify patches that should be deployed and against which assets. The severity of the vulnerability should be taken into consideration, but context is key, and businesses will commonly overlook lower priority vulnerabilities that are being actively exploited by high-risk cyber groups against their sector/geography.
Scouting the cyber security battlefield
Recently, the revolution of home working, a necessity which many businesses have needed to accommodate owing to the Covid-19 pandemic, has exacerbated the problem of maintaining security within the corporate network. Employees working remotely increases the attack surface exponentially from an attacker’s point of view and places a lot of onus onto secure VPN infrastructure, conference call and cloud hosting platforms in addition to factor such as the underlying security of people’s home networks.
Much as an army needs to be well trained, so do end users on a network. Cyber awareness and phishing training should not be overlooked given it remains the largest point of entry for an attacker, with Verizon’s Data Breach Digest stating that 90% of all data breaches involve phishing emails. BEC (Business Email Compromise) is also extremely common with half of reported cybercrime in 2020 being as a result of BEC fraud, a total loss of $2 billion.
Ransomware remains popular with criminals looking to make money – even more so given the ransoms are demanded in cryptocurrencies which have exponentially increased in value – however there is an interesting addition to the “stand and deliver” technique that has worked well for adversaries in recent years. In recent months it has become commonplace to conduct a “double ransom” tactic where attackers will exfiltrate information externally prior to encrypting it on the victim’s network. That way, attackers can demand ransom not just once for the data to be decrypted, but they can charge again on the promise that failure to do so would result in it being leaked online. To avoid this effective takeover of the fort and it being held to ransom, businesses should run effective backups and ensure safeguards are in place to deny malware propagation and account system privileges from being altered.
Another important element of visibility often overlooked is what the business looks like to a potential cyber attacker. Any decent cyber attacker will not only spend a lot of time in reconnaissance but will spend the majority of their time conducting research on the target, which again harks back to the military analogy and axiom of “time spent in reconnaissance is rarely wasted,” attributed to many famous military Generals over the years. Attackers will observe various aspects of a potential target, such as how the corporate domain is registered, or does it link back to an individual? Does that individual likely have elevated privileges and a password in a breached password database available? Does the company have any weak or vulnerable infrastructure, or even some single-factor login pages to test the aforementioned password against? Most companies are unaware about unconscious information leakage, project names, confidential documents and emails. Attackers know where to look to obtain these and the value that these pieces of information provided to them during an attack cannot be underestimated. By conducting this reconnaissance on your corporate footprint either yourself or using another set of eyes via a supplier enables you to find the dirt before the bad guys do.
Expanding your cyber security arsenal
Ultimately, all of this inward-looking visibility work should be done in conjunction with outward focussed reconnaissance in order to tailor and prioritise what actions to take. One key task that a managed security service provider’s (MSSP) Threat Intelligence units conduct is the tracking of Cyber Threat Actor groups and the attack techniques they use against victims. This typically includes the types of malware that are typical for that threat group and this is usually decided by their motive, whether they are after money or after information. An extremely useful exercise is to map out the known tactics and techniques of adversaries against a model (in the industry it is common to use the “MITRE ATT&CK model” to map this out). That way, any common traits of high-risk adversaries can be tackled as a priority by the business. All of this takes time and expertise, but is ultimately a case of the more that you put in, the more relevant your mitigations will be, and the less likely you will suffer a cyber-attack.
If you would like to join our community and read more articles like this then please click here
Post written by: Matt Brown
.
RELATED ARTICLES
April 9, 2024
Ultra Intelligence & Communications celebrates opening of its new Cyber Centre of Excellence
Ultra Intelligence & Communications, also known as Ultra I&C, celebrated the official opening of its flagship facility in Maidenhead, UK,
February 27, 2024
Homeland - Global cyber competition secures and strengthens key relationships
Defence Cyber Marvel 3 (DCM3) has taken place in Estonia – the first pan-Defence initiative to build a grass roots community
