As the cyber pandemic ramps up, indications are increasing that hacking is not only an organised crime activity being conducted at a global scale – hacking is a government-supported industry in countries like China and Russia. Not only have certain governments supported the hacking industry to achieve state purposes, they’re then quite happy to let them run free and pursue straight criminal activity from inside their borders. With the rise of global hacking, ransomware response solutions and cybersecurity are big issues for every Australian organisation. The mainstream media is reporting on stories that used to be the province of technical industry publications. They’re getting more informed every day, but there are a few really important points that they’re yet to get to. While these three critical topics AREN’T making the mainstream discussions yet, understanding them is vital to protecting your organisation and its future.
What you need to know, understand AND believe
1. Hackers don’t just want ransom money
Cyber criminals want EVERY valuable piece of data they can find on your system – including things you don’t even think of as valuable. That means the LAST thing they do is launch a ransomware attack – AFTER they’ve “cased the joint”, turned off your alarms and explored your whole network. Once they penetrate your system, they can spend anything from 44 to 88 days inside your systems, exploring what you do, what you know and who you know, BEFORE they push the “ransom button” to demand payment from you. This period is called their ‘dwell time’, when they are in ‘stealth mode’ INSIDE your system. British security company Sophos actually walked through all of the different tools and steps that one threat actor group used in a major cyber attack:
What does this mean for senior Australian managers?
It means that there are up to 9 phases of an attack and you are probably investing in tools to deal with only two of those phases. In particular, your tools will probably not be able to limit the dwell time that a criminal is inside your environment; you will not be recording their lateral movement or be able to identify what data they managed to exfiltrate. All of these points are critical for you to properly report on whether a data breach happened or not. According to cybereason.com, companies are investing in five areas – but unfortunately the majority of that investment only explicitly covers either the ‘initial access’ phase or the ‘impact’ phase.
The first 4 areas are:
Cyber Security Awareness Training (Phase – Initial Access)
Email Scanning (Phase – Initial Access)
EndPoint Protection (Phase – Initial Access; Maybe Execution if not disabled)
Backup and Recovery (Phase – Impact)
So, these four investment initiatives are designed to either stop the criminal from gaining initial access or to recover after the damage was done. This means that the fifth investment, which is the creation or expansion of a Security Operations Centre (SOC), will need to address all of the other phases of a cyber attack – Execution, Defence Evasion, Discovery, Persistence, Lateral Movement, Exfiltration and Command & Control. We will elaborate more below on the three key functions that are required in order to have an effective, functional SOC.
2. It doesn’t matter how good your defences are – you have to expect that you WILL get hacked
One penetration tester in our network (that is, a security expert who tests other organisations’ systems) who ran phishing campaigns against IT system administrators had a 60% success rate! 30 times out of 50, he could get IT professionals to click on a bogus link and give him what he needed to break into their systems. Given the explosion of remote working caused by COVID, along with the growth in automated process operations, the chances of no one “getting in” to your systems are increasingly remote. The major tools that do Endpoint Detection and Response (Antivirus) have been around for 10 years or more. Today cyber criminals regularly test their tools so that they can avoid (and even leverage) their functionality. In the Kaseya Ransomware event, the attacker turned off the computer’s Endpoint Protection and even used a part of Windows Defender to run the encryption!
What does this mean?
While necessary, traditional security approaches concerned with stopping criminals at the ‘initial access’ phase are insufficient by themselves.
Detecting ‘abnormal behaviour’ within your systems that might indicate a criminal in ‘stealth mode’ is critical.
3. Ransomware attacks aren’t one-off affairs
A lot of victim organisations get “double tapped”. They get hit, they pay the ransom. But if they don’t have full 3-D security tools, they can’t do a full-blown incident response to really clean out the contamination and start fresh. Their attackers often still have hooks in their network and can come back and hit them again – a double tap. For example, one security analyst said that if he had gained access to a network, the first thing he would do is infect the Android ‘smart TV’ on the network. He could then let all the computers on the network get reinstalled – and then re-infect them from the TV! On top of repeat attacks, ransomware gangs already have all your data. So, they can sell anything that other criminals might value on the Dark Web.
What does this mean?
Just restoring from backups will not stop information being sold on the dark web, nor prevent the organisation from being hit again, either during the restore process or three months later.
Specialist tools are needed to give you confidence that nothing ‘nasty’ has been left behind to cause you more pain and expense.
Industry best practice for cyber security
In the current environment, Security Operations Centres are becoming increasingly important. Their defence strategies are built around the Gartner-approved SOC Visibility Triad.
The three dimensions of effective cybersecurity – the SOC Visibility Triad
All three aspects of this triangle are equally important. The first two are:
Security information and event management (SIEM) and User and Entity Behavior Analytics (UEBA) – SIEM solutions collect logging data from across your organisation’s security infrastructure. Over time, analysis of this data for anomalies can help with faster threat detection.
Endpoint detection and response (EDR) – which is about carefully monitoring activity on your organisation’s user devices (endpoints) with the aim of detecting and preventing as much hacking as possible (think of it as advanced anti-virus protection).
SIEM is usually the starting point for security improvements – to analyse what’s happening where using existing security logs. EDR is typically the next step in security – it is all about analysing what’s happening on (most but not all) user devices. The third dimension is one that’s less discussed BUT increasingly necessary and strongly backed by industry leaders Gartner:
Network detection and response (NDR) – which is about analysing your network traffic in close to real time – what’s going on ACROSS your network – and detecting suspicious activity so you can determine whether it is a threat.
Network Detection and Response has developed from network monitoring. Network monitoring USED to be a useful security tool – until everybody in the world started using networks. Without ways to pick out patterns in network logs, it stopped being useful. With the evolution of machine learning and artificial intelligence, accompanied by metadata and de-identification techniques, network monitoring has evolved into Network Detection and Response.
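As an added illustration of the kind of ‘abnormal behaviour’ an NDR function looks for in network traffic (example code written for this page, not from the original article or from any vendor named here): a small Python detector over constructed flow records that flags an internal host fanning out to many peers on SMB/RDP/WinRM ports within a short window, a pattern consistent with the Lateral Movement phase listed above. The ports, threshold, window and sample flows are assumptions chosen for the demonstration.

```python
"""Toy NDR-style detector: flag internal hosts fanning out to many peers on admin ports."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")      # assumed internal address range
ADMIN_PORTS = {445, 3389, 5985}          # SMB, RDP, WinRM: common lateral-movement channels
WINDOW = timedelta(minutes=10)           # sliding window length (assumption)
FANOUT_THRESHOLD = 5                     # distinct peers inside one window before we alert

# Constructed sample flow records (timestamp, src, dst, dst_port); not real traffic.
SAMPLE_FLOWS = [
    ("2021-07-05T09:00:00", "10.0.1.20", "10.0.1.5", 443),      # normal HTTPS use
    ("2021-07-05T09:01:00", "10.0.1.20", "10.0.1.6", 443),
    ("2021-07-05T09:02:00", "10.0.1.20", "10.0.1.7", 445),      # one file-share hit is fine
    ("2021-07-05T02:10:00", "10.0.1.44", "10.0.2.10", 445),     # 2 a.m. sweep of a subnet
    ("2021-07-05T02:11:00", "10.0.1.44", "10.0.2.11", 445),
    ("2021-07-05T02:12:00", "10.0.1.44", "10.0.2.12", 3389),
    ("2021-07-05T02:13:00", "10.0.1.44", "10.0.2.13", 445),
    ("2021-07-05T02:14:00", "10.0.1.44", "10.0.2.14", 5985),
    ("2021-07-05T02:15:00", "10.0.1.44", "10.0.2.14", 5985),    # repeat peer, counted once
    ("2021-07-05T08:00:00", "10.0.1.44", "10.0.2.20", 445),     # outside the window
]

def parse_flow(rec):
    """Turn one raw record into typed fields so addresses and times compare correctly."""
    ts, src, dst, port = rec
    return datetime.fromisoformat(ts), ip_address(src), ip_address(dst), int(port)

def detect_lateral_fanout(flows, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """Return {src: max_distinct_admin_peers} for every source crossing the threshold.

    Only internal-to-internal flows on admin ports count. For each source we slide a
    window over its time-sorted events and count distinct destination hosts.
    """
    per_src = defaultdict(list)
    for ts, src, dst, port in sorted(map(parse_flow, flows)):
        if src in INTERNAL and dst in INTERNAL and port in ADMIN_PORTS:
            per_src[src].append((ts, dst))
    alerts = {}
    for src, events in per_src.items():
        best = 0
        for i, (start, _) in enumerate(events):
            peers = {dst for ts, dst in events[i:] if ts - start <= window}
            best = max(best, len(peers))
        if best >= threshold:
            alerts[str(src)] = best
    return alerts
```

Run against the sample flows, only 10.0.1.44 is reported (five distinct admin-port peers inside ten minutes); the ordinary HTTPS traffic and the single file-share connection from 10.0.1.20 do not trigger it.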
Three-dimensional protection is the best protection
These three components are equally needed, according to Gartner. Their opinion is accepted by all leading security experts. The newest and least known dimension is Network Detection and Response – but it has become a vital component in effective security.
Inability to respond to a ransomware attack is becoming negligence
When ransomware attacks were rare and their impact was limited, you could insure against them and do business as usual. Today an attack is no longer an unlikely circumstance that you can simply cover with an insurance policy. Traditional strategies such as “restore from backup” and “claim on insurance” are no longer sufficient. This is particularly true when an attack impacts beyond your four walls. Recently, a class action lawsuit has been mounted against the company operating Colonial Pipeline – because of the scope and scale of damage caused to their community by the outage of their pipeline. If you don’t review your protection levels and your recovery strategy regularly, then it’s like living in a fire-prone area and not having or practising a fire plan.
How do organisations afford good cybersecurity in a changing world?
Not every business can afford to run an internal Security Operations Center to protect itself with the full-spectrum protection that combines SIEM, EDR and NDR. And even if a business can do that, they can’t easily extend that protection to their suppliers or customers in the value chain – leaving their value chain exposed to expensive disruption. Those that want more are adjusting their IT Security strategies to include collective and community-based IT solutions and partners.
By anonymising/de-identifying and working with metadata across a community of organisations, a collective defence approach enables you to keep your data secure but still benefit from having a Security Operations Centre that spreads costs and enables real-time attack intelligence across a collective of organisations. We’re working with US experts IronNet to pilot collective cybersecurity solutions in Australia and in particular to build out the SOC Visibility Triad that can scale across organisations in your ecosystem. If you want to increase your security and explore a cost-effective Collective Defence approach then call us on 1300 368 928 and press 1 for a consultation.