My last post introduced Fidelis Cybersecurity’s effort to empower board members in their battle against cyber attacks by offering real-world counsel on managing incident response through a NYSE-published cybersecurity guide entitled Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers. We now take a deeper look at understanding the threat actors and the threat lifecycle in order to better anticipate, detect, and respond faster to attacks.
Experts predict that cyberattacks will intensify as cyber criminals accelerate their activities. To make matters worse, attackers have sharpened their skills and expanded their techniques over the last couple of years. Now, cybercrime has advanced to include cyber warfare and cyber terrorism as nation-state actors have moved from disruptive to destructive attacks, presenting organizations with new challenges. Board directors and C-level executives are clearly fighting a war against cyber attacks – but exactly who are they battling? Hacktivists? Organized cyber criminals? Or nation-state actors?
Battles are won by understanding the enemy. This is vital, as motivations among the groups may differ:
- Hacktivists often seek to cause disruption to damage the reputation of an organization.
- Organized cyber criminals include international crime syndicates targeting organizations largely in the financial services and retail industries for financial gain. Although there are a number of players, this arena is dominated by loosely knit teams of attackers located in Eastern Europe.
- State-sponsored espionage threat actors deploy targeted malware in stealthy, multi-stage attacks, sometimes called advanced persistent threats (APT), targeting intellectual property.
Blurring lines of attack
Blurring lines of attack make understanding the enemy even more challenging. It used to be that the tactics employed by Eastern European cyber criminals were readily distinguishable from those used by hackers deploying state-sponsored APT attacks to target intellectual property. Cybercrime experts are now seeing a blurring of the lines of attack, which has caused some forensics teams to misidentify the adversary, slowing the progress of incident response efforts. For example, researchers from two forensics firms investigated an attack on a global credit card processor for two months without success, convinced that it was an APT attack. It wasn’t until the firm brought in a new forensics team that they were able to identify the attack as originating from Eastern Europe and stop the breach.
Directors can gain insight into their adversaries and their motives by examining the way in which peer organizations and other firms within the industry are being attacked. As Rick Holland, VP, Principal Analyst at Forrester Research, advises in 10 Questions To Help Differentiate Incident Response Service Providers, this knowledge becomes especially valuable when engaging a forensics and remediation firm.
“Of the cases they have worked, how many of them are from companies that share a similar threat model? This is a critical question; you don’t want to select a vendor that doesn’t have experience working with threat actors operating against your vertical. It is important to know how a candidate’s experience aligns with your threat model. A firm that focuses on cyber criminals might not be the best provider if your vertical has a history of being targeted by nation-state actors.”
Robust, constant monitoring is key to detection
No network is so secure that hackers won’t find their way in. Today’s threat actors conduct detailed reconnaissance and develop custom malware in an effort to penetrate networks. Once in, they can go for months, even years, without detection. Because deeply embedded hackers can be extremely difficult to eradicate, it’s critical that organizations detect these threats as soon as possible.
Unfortunately, organizations jeopardize their ability to detect threats by failing to fully integrate security solutions into the entire network defense infrastructure. Often security technologies are deployed with default settings, resulting in many false-positive alerts, making it more difficult to dig the serious threats out of all the background noise. And all too often, organizations overlook the human element.
Organizations can’t depend on technology alone to defend networks. Detecting advanced threats requires a risk-management program that includes technology, people, and processes. Within this mix, robust, constant network monitoring is vital to uncovering threats. Because the volume of network traffic combined with increasingly complex networks defies manual threat analysis, organizations often rely on the automated threat-detection capabilities of multiple disparate solutions. Equally important in the defense arsenal is threat intelligence. A dynamic threat intelligence capability helps to ensure that organizations more clearly understand threat actors and their tactics. This positions the organization to anticipate the nature of likely attacks before they occur and adjust defensive strategies.
Board members don’t need to be cyber experts, but they should have a solid understanding of the threats their organization faces. Boards that fail to actively measure and continuously monitor cybersecurity as part of the organization’s strategy will leave their firms open to significant financial, reputational, and competitive risk.
For more information on understanding the threat environment, please download the Fidelis chapter on Detection, analysis and understanding of threat vectors.
Coming next, Arming the Boardroom, Part 3: A Breach Hits, Now What?