Seeing Your Business Through the Eyes of a Hacker

Uploaded on 2015-04-14 in TECHNOLOGY--Hackers, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

41faKiSC2RL.jpg

JP Morgan Chase. Target. Sony. Each has been part of the growing number of cyber-attacks against private companies around the world in recent years. In the latter two cases, CEOs were forced to resign in the wake of the breach. Attacks are growing more sophisticated and more damaging, targeting what companies value the most: their customer data, their intellectual property, and their reputations.
What these attacks, together with breaches to defense, law-enforcement, and military-contractor networks, reveal is that our cyber-security efforts over the last two decades have largely failed, and fixing this will require the attention not only of security officers and IT teams, but also of boards and CEOs.
Companies need to take a new approach. They can do so by looking at themselves through the eyes of their attackers. In the military this is called turning the map around. The point is to get inside the mind of the enemy, and to see the situation as they do, in order to anticipate and prepare for what’s to come.
Unfortunately, this mindset is still too rare. Despite spending billions of dollars every year on the latest security products and hiring the best security engineers and analysts, companies are more vulnerable than they’ve ever been. Two trends account for this: the rapid convergence of enterprise IT architectures, and the proliferation of increasingly sophisticated adversaries.
Changes in enterprise IT over the past decade mean that every company is now a technology company. By the end of the decade, there will be 50 billion devices connected to the Internet, complicating networks and generating petabytes of data. To add to that, the cloud revolution has finally dissolved perimeters – companies enjoying the benefits of infrastructure as a service must depend upon the security of networks and systems beyond their direct control.
As mobility, the Internet of Things, and the cloud change enterprises, adversaries are also becoming more sophisticated. States and state-sponsored entities spy on and attack private companies, often using military-grade tactics and capabilities. They do this within a system where offense enjoys a structural advantage over defense because attribution is difficult, deterrence is uncertain, and attackers need to succeed only once, but defenders must succeed always.
Most companies try to deal with this chaos by parsing signal from noise. They build walled castles around their most precious assets, but perimeters don’t matter when even the average college student owns seven IP-enabled devices. They rely on automated alerts to tell them when something malicious on their networks matches some previous bad event, but this approach overwhelms them with red flags while remaining blind to new and previously unknown threats.
There’s just too much noise to contend with. Security analysts, for example, may see a thousand incidents in a given day, but only have the time and resources to investigate a fraction of them. This is why hackers were able to exfiltrate over 40 million credit-card numbers from Target, despite the fact that a peripheral network device had detected the malware. It’s also the reason why Neiman Marcus was hacked after its system generated over 60-days’ worth of malware alerts. And this is why Sony was hacked after its IT team knew the company had been under attack for two years.
By turning the map around, executive teams can learn a great deal about their own companies, and better prepare for the inevitable attacks. This is how most companies look from an attacker’s perspective:

1.    Their security is overwhelmingly focused on generic malware detection and protection against automated threats that aren’t being guided with precision.
2.    They don’t have a full picture of what is on their networks, the cloud services they’re using, the applications running on those services, and the security postures of their supply chains and partners. 
3.    Their IT and security teams are peripheral concerns, costs to be managed rather than centers of excellence that support the core business.
4.    Overall, they are reactive, rather than proactive, in their approach to security.

Each bullet-point above is a weakness that attackers can exploit. This is why companies should learn from attackers in deciding how to defend themselves. Here’s how.

1. Understand your major risks and how adversaries aim to exploit them. If security could be calculated, then adversaries would be the numerator. Companies must understand their unique threatscapes to the greatest possible extent, and generic data are insufficient. Effective security must integrate indicators of compromise (have we been attacked?), tactics, techniques and procedures (how are we being targeted?), identity intelligence (who would target us, and why?), vulnerability intelligence (what is being exploited in the wild?), and attack attribution (is this commodity or targeted?). Only with focused threat intelligence can analysts spend their precious and valuable time investigating the most important incidents, prioritizing those associated with your most formidable adversaries and your greatest business risks. You can go crazy (and broke) trying to play Whack-A-Mole in defense against them all. Instead, identify your most essential assets and focus scarce resources only on those threats that actually pose a risk to your company.
 
2. Take inventory of your assets and monitor them continuously. If security could be calculated, then inventory would be the denominator. At the simplest level, companies must identify and monitor all of their interconnected assets: is a developer spinning up a thousand virtual machines without your knowledge? What applications are running on the database servers holding your most valuable information? Did an employee connect a new device to your corporate network? Does one of your distant subsidiaries have a new partner? Does your HVAC system connect somehow with your Point of Sale? Periodic assessments, reports that take weeks to prepare, and conclusions that require complex interpretation contribute to gaps in security. Companies must maintain a dynamic, real-time inventory of assets, monitor those assets continuously, and render them visually in way that is simple and intuitive for security and operations teams.

3. Make security a part of your mission. The prevailing approach to security is compliance-focused, cost-constrained, peripheral to the core business, and delegable by C-suite leaders. Working on a team like that isn’t fun inside any enterprise, and it loses against 21st-century adversaries who know that it’s more fun to be a pirate than to join the Navy. Any defense is only as good as the people doing the defending. The new model of security needs to be about mission and leadership, ensuring that we have the best defenders up against the best attackers. Security is no longer delegable, and the mission of security teams must be synonymous with the mission of the company.

4. Be active, not passive, in hunting adversaries on your network and removing them. The term “active defense” has been tarred as a euphemism for “hacking back,” and companies are ill-advised to go on the offensive: first, it’s illegal to access others’ networks without permission, even if you’re acting in supposed self-defense; and second, it’s just not smart to escalate unless you can dominate, and even the biggest companies will ultimately lose against state or state-sponsored adversaries. So while you cannot go attack the other team on their own turf, you can and increasingly must be active against adversaries inside your own networks. This means assuming not merely that you are under attack, but that your attacker is in, and so you must hunt for a stealthy, persistent human adversary in order to contain and remediate the risk before they can cause damage – dramatically cutting the time between breach and detection from its current average of more than 200 days.

It is easy during these days of frequent and devastating attacks to cry out that the sky is falling, and that the very future of the Internet as a trusted domain of commerce and communication is at stake. But it would be wrong to extrapolate the data points of recent years into a line leading to ruin. Too many of us have too much at stake here, and the combined forces of executives, entrepreneurs, software developers, security teams, and investors all turning the map around can equip us to defend against this next generation of adversaries.

HBR: http://ow.ly/LnSJx

« Banks Undermine Chip and PIN Security
Cyber Insurance: Worth the Money? »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

FT Cyber Resilience Summit: Europe

FT Cyber Resilience Summit: Europe

27 November 2024 | In-Person & Digital | 22 Bishopsgate, London. Business leaders, Innovators & Experts address evolving cybersecurity risks.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

Pervade Software

Pervade Software

Pervade Software is a global provider of dedicated compliance tracking software with monitoring & reporting capabilities.

Military Cyber Professionals Association (MCPA)

Military Cyber Professionals Association (MCPA)

MCPA are a team of Soldiers, Sailors, Airmen, Marines, Veterans and others interested in the development of the American military cyber profession.

Crossmatch

Crossmatch

Crossmatch is a world leader in risk-based composite authentication and biometric identity management.

PrivateVPN

PrivateVPN

PrivateVPN is a Virtual Private Network services provider offering secure encrypted access to the internet.

972VC

972VC

972VC was created to help entrepreneurs find potential funding for their startups. Your guide to the Israeli startup funding ecosystem.

Enterprise Incubator Foundation (EIF)

Enterprise Incubator Foundation (EIF)

Enterprise Incubator Foundation (EIF) of Armenia is one of the largest technology business incubators and IT development agencies in the region.

R3I Ventures - House of DeepTech

R3I Ventures - House of DeepTech

The House of DeepTech is an incubator for deeptech entrepreneurs that are transforming global industries. Areas of interest include cybersecurity.

Auriga Consulting

Auriga Consulting

Auriga is a center of excellence in Cyber Security, Assurance and Monitoring Services, with a renowned track record of succeeding where others have failed.

Scrut Automation

Scrut Automation

Scrut Automation's mission is to make compliance less painful and time consuming, so that businesses can focus on running their business.

Cyber Security Partners (CSP)

Cyber Security Partners (CSP)

Cyber Security Partners specialise in the provision of Cyber Security Consultancy, Data Protection and Certification and Compliance services.

Responsive Technology Partners

Responsive Technology Partners

Responsive Technology Partners provides superior IT support services including cybersecurity and compliance, telephony, cloud services, cabling, access control, and camera systems.

ExchangeDefender

ExchangeDefender

ExchangeDefender provides cybersecurity services that secures your company email and data, and guarantees 24/7 email access.

Suffescom Solutions

Suffescom Solutions

Suffescom Solutions is a leading blockchain development company, assisting businesses in harnessing the true potential of blockchain technology.

Sunnic

Sunnic

Sunnic is a leading provider of comprehensive digital data security technology.

SCS Technology Solutions

SCS Technology Solutions

SCS Technology Solutions has become the preferred partner for top performing organisations across Lincolnshire for IT support and consultancy.

ReformIT

ReformIT

ReformIT is a Managed IT Service and Security provider with many years experience helping companies find the right IT solutions to meet the needs of their businesses.