Cyber synergy: The need for collaborative cyber intelligence

It’s official – cybercrime now has a bigger impact than any other form of crime in the UK. That’s the conclusion drawn by the National Crime Agency (NCA) and Strategic Cyber Industry Group after releasing the Cyber Crime Assessment 2016 report which found that businesses are unable to keep pace with the speed of criminal attack development in what it describes as a ‘cyber arms race’.

The report goes on to suggest that government, business and the board are currently too isolationist and that there remains a fear of disclosure which is preventing speedy response. It highlights the poor correlation between the figures reported by the Office of National Statistics (which recorded 2.46 million incidents) versus those reported to Action Fraud (700,000) and calls for a more collaborative approach which would see current intelligence initiatives used to gather and report cyber crime more widely.

Those posing the greatest threat to UK business are identified as “a few hundred international cyber criminals” who are able to devise and launch attacks that are highly sophisticated in nature, such as banking Trojans. But while these may pose the most serious threat, the most prolific problem is the black marketplace which is enabling less technical cyber criminals to acquire the tools and technical capabilities to carry out attacks on a mammoth scale. These perpetrators are involved in DDoS attacks and ransomware attacks, both of which grew substantially in 2015.

Fight back

What’s telling here is it’s this market which could help businesses fight back. Rather than relying on point systems on the network or simple security procedures to protect the business, which can easily be subverted, the business goes to the source of the attack, buying it time to activate incident response. By monitoring the market and listening in on activity, a business community can tap into a highly useful resource that allows them first hand to view activity specific to their sector.

For example, DDoS attacks are orchestrated campaigns that typically involve planning and alignment of botnet resource, and that all causes ‘noise’ on the dark web. By monitoring key indicators that could motivate an attack (be it changes on the political stage, legislative disruption etc), chatter on underground forums, and intelligence gathering honeynets, it becomes possible to track the evolution of an attack and even anticipate how it may unfold.

The technology exists to do this so why isn’t this happening? The NCA identified multiple factors hamstringing cyber monitoring. These include a lack of management buy-in, limited resource and limited investigation, which together suggest attempting to tackle the problem inhouse isn’t working. Organisations need to look at either pooling resources, as we’ve seen in the financial sector, or outsourcing security to be able to benefit from intelligence gathering, by using a next generation security operations center (SOC).

Evolving attacks

Another point made by the report is the constant fluctuation and change that is seeing attacks morph and evolve. This can mean that what constitutes an effective form of defence one year, becomes ineffective in subsequent years, which is why we need to make it so that cyber security can also adapt and evolve.

One way to achieve this is to look at using Artificial Intelligence capabilities, such as machine learning techniques, to create security solutions that identify and learn from repeat occurrences and that can interpret that data to forecast how attacks may mutate over time.

Achieve cyber synergy

It is possible to achieve a cyber synergy that is greater than the sum of its parts if business works together to proactively monitor cyber threats. But that will require a real change in mindset. Businesses need to acknowledge that there will be attacks that are successful, which means adopting a cyber resilient stance, whereby the business seeks to detect, withstand and remediate a breach rather than simply focus only defence. And that makes incident response no longer a safety net but a key priority, which needs to be escalated up the corporate agenda so that if the worse does happen, the business can maintain some semblance of business as usual. More effective monitoring and mitigation will then see businesses become more transparent and confident at sharing intelligence. But that won’t happen overnight.