In the 1990s, your typical hacker’s approach used to be “hit-and-run”, and in many cases it was about fame and recognition. Back in those days most organizations only had a firewall implemented between their internal network and the Internet. As time passed, the focus started shifting, and cyber-attacks evolved into a profitable business for cybercriminals. As we are now living in the world we once thought of as the distant future, we are witnessing sophisticated and targeted attacks against many organizations.
Targeted attacks are becoming very popular amongst cybercriminals today; they are aimed at specific organizations and the sectors those organizations operate in. Cybercriminals have the desire, ability, patience and skills to invest their time and resources into these modern attacks to achieve financial gains. In these attacks they will learn as much as they can about the target and its third-party suppliers. The malware is then created specifically for the organization, based on the information gathered in the reconnaissance phase.
Cybercriminals are using different methods and tactics to exploit their targets. As these attacks become more sophisticated and targeted, it is becoming more difficult and challenging for organizations to discover potential breaches. Social engineering and phishing continue to be widely used because they represent the easiest way for attackers to get a foothold in the organization. Once they evade detection tools and security strategies and breach a system, they sometimes stay undetected for weeks, months and even years. Many recent high-profile breaches have shown the truth of this.
So, who are these guys and where do they come from? They operate globally and many of them belong to well-organized and profit-motivated groups. Typically, they develop their own tools for their attacks, while some of them develop malicious tools to sell or rent to other cybercriminals who then perform their own attacks. Some of the tools are even offered as a service (Software-as-a-Service). These services are mostly offered on the dark web, where most cybercriminals operate and organize.
There are several hackers-for-hire groups. Those groups consist of professional and elite hackers, most of whom are very intelligent, calculated and, for lack of a better term, “best of breed.” They go to work every morning just like you and me, but they are hired and paid to do illegal hacking. Hackers-for-hire develop their own malicious tools, software and exploits, and most of the time they have access to zero-day vulnerabilities. They are very patient and will explore every possible route to get to their intended target. Sometimes they will compromise a supplier or third-party vendor and use them to get to the target.
A few months ago, I was asked if cybercriminals attack each other. Of course they do – they are trying to eliminate the competition and in the past couple of years they have been going after each other’s Bitcoins – especially these days when a Bitcoin is worth a considerable amount of real-world money.
So, what can we do to protect ourselves in this cyber era? As we all know, there is no silver bullet that eliminates every single threat that could strike an organization. But what we can do is take bits and pieces away from the equation, making it more challenging and difficult for attackers to get a foothold in the organization.
Does your organization follow these seven tips to reduce the risk of being compromised and to stay one step ahead of these guys?
1. Know where your data resides. In today’s digital age data lives in multiple locations – the organization’s network extends far beyond the perimeter firewalls, e.g. in the cloud. Know where all your data resides and see to it that it’s properly protected.
2. Risk management. Understand the threat landscape and ensure that you adopt a risk-based approach to identify important assets and critical data. Then, select appropriate security controls to protect them. Vulnerabilities are lurking even in the most unexpected places – make sure to re-assess the situation frequently.
3. Make security decisions based on risk and metrics. Decisions based on risk will ensure that you protect your most critical assets and data. Decisions based on metrics will ensure that you protect areas where you are likely exposed. Metrics will also help you communicate information security to executive management.
4. Implement proper security architecture. As I mentioned at the beginning of the article, a firewall between the internal network and the Internet used to be the entire security architecture. As threats started evolving, additional security layers such as IDS and DLP were added, and what is now known as defense-in-depth was created. But is this proper security architecture? Does it ultimately reduce the attack surface, thus breaking the cyber-attack lifecycle? If you have a legacy system and/or application that no one uses anymore, decommissioning it is the best way to reduce your attack surface. Targeted attacks are multi-stage attacks, and you have to be prepared to disrupt them in the process before it’s too late. Consider vulnerability, identity and threat management, and learn how to incorporate them into your security architecture. Also, the principles of Least Privilege and Separation of Duties are not an option – they are a requirement. Furthermore, network segregation is not just the PCI DSS way to reduce scope, but an approach that every organization should include in its secure architecture. This will result in repeatable and actionable processes to be followed by your organization.
5. Security awareness and education. Technology and tools alone will not make your organization secure. Standard training about security threats and how to recognize them should be provided to all users within your organization on an ongoing basis. Specific, role-based security training is extremely important. For example, you would not provide the same training to an HR employee who handles sensitive personal data and a marketing employee who handles a different type of data.
6. Threat intelligence. Threat intelligence is no longer a buzzword, and it is not just a list of bad IP addresses and domains. You have to ensure that the data you receive pertains to your organization and the business sector you operate in.
7. Sell the value of information security to executive management. In the long run, information security must have executive management support. The best way to accomplish this is to show your management why your security team exists within the organization and what value it brings. The focus must be on “why the organization needs security” and not on “what security does” and “how security does it.”
The bottom line is to implement true security, not security driven by compliance. You can always map to a particular compliance standard, but the main focus must be on security. The many moving parts within an organization increase the risk – incorporate the tips above into your overall security program to minimize it.