The trend for digital systems replacing older technology is far from new. In the past, when newspapers moved from a traditional, labour-intensive approach where typesetters had a job for life to computer-aided production, we probably would have termed it “replacing with new technology”. However, the rate at which the current wave of “digital transformation”, as we now term it, is sweeping through many industries is hugely significant, both in its effect on the companies involved and in the way it exposes them to threats and vulnerabilities in today’s Internet-connected world.
Reports now suggest that 65% of organisations are checking and reporting on their compliance with industry and security regulations, and 15% of CISOs (Chief Information Security Officers) and CEOs now feel the need to allocate 10% of their overall IT spend to SecOps (Security Operations).
The threat is clear
Cyber crime often accounts for over 80% of the monthly statistics on all attacks, with cyber espionage typically at around 15%. Cyber warfare and hacktivism usually account for only 1-2%. There are now fairly common stories of cyber criminal gangs retiring from active hacking, having made billions of dollars from the pursuit: a sobering thought for any company with financial data open to extortion by ransomware, or IP (Intellectual Property) open to exfiltration and sale on the Dark Web. Source
Even PII (Personally Identifiable Information) or simple lists of user credentials (i.e. name and password) are all too attractive to the cyber criminal, and leaving them unguarded on the Internet, perhaps with associated PCI (Payment Card Industry) data, is tantamount to leaving your wallet visible in your car. Again in the media industry, Netflix, which started as a DVD hire company but went through a digital transformation to become possibly the premier movie and TV streaming service, was publicly hacked via an email phishing attack. The hackers gained passwords simply to steal the paid service from its real owners; although the monetary value is low here, the loss of reputation is not to be ignored.
The cloud provides greater flexibility with greater exposure
As well as digital transformation, the inexorable move to the cloud, which now sees over 80% of enterprise network traffic going off-premises, has exposed key company assets and sensitive data to a much greater extent. The idea of a security perimeter marshalled by firewalls and traditional anti-virus techniques is no longer really valid, and the perimeter, or “attack surface” as it is described from the hacker’s perspective, is now effectively global, with cloud storage based wherever cloud providers decide to locate it.
Not only is the area of cyber attack widening but the sophistication of the attacks is also increasing, with polymorphic malware avoiding signature detection and crafted, staged attacks using email or social media phishing to gain user credentials. These details are saved and then used at a later date by hackers. This method enables cyber criminals to infiltrate companies and use the admin rights and privileges they already have to run PowerShell/Mimikatz and then move laterally inside the network, from endpoints to supposedly secure hosts which contain the company “crown jewels”.
The arms race
This evolution of the threat landscape exhibits a kind of “arms race” between hackers trying to get access and enterprises defending their assets and reputation. It really started back in the early days of Windows computing with host-based AV (Anti-Virus), progressed through IDS/IDP (Intrusion Detection Systems / Intrusion Detection and Prevention) at the network perimeter, and has now reached a requirement for newer, more intelligent ways to defend against the kind of APTs (Advanced Persistent Threats) that are prevalent today.
Attack and countermeasures
Lockheed Martin, the US aerospace and defence company, coined the term “kill chain”, a military term used to describe the acquisition and destruction of a target, for the stages of attack and countermeasures of a cyber-attack. This Cyber Kill Chain covers 7 stages: Reconnaissance (the attacker selects the target and identifies its vulnerabilities); Weaponization (the attacker builds a malware weapon exploiting the vulnerabilities); Delivery (the attacker sends the malware to the target); Exploitation (the attacker’s malware weapon triggers); Installation (the attacker’s malware creates a “backdoor” reusable access point); Command and Control (the attacker’s malware enables “hands on the keyboard” access); and Actions on Objective (the attacker achieves goals such as data exfiltration, data destruction, or encryption for ransom).
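The value of the kill chain for a SecOps team is that each detection can be placed at a stage, and a host whose events have reached the later stages needs a response far more urgently than one that has only been scanned. The following is an added example, not code from the page or from any vendor it mentions: a small Python triage helper that maps constructed sample events (a hypothetical "timestamp host event_type" log format, with an assumed event-type-to-stage table) onto the seven stages and reports how far along the chain each host has progressed.

```python
"""
Hypothetical SecOps triage helper: map constructed security events to the
seven Cyber Kill Chain stages and report how far each host has progressed.
Added example; not the page's or any vendor's code. The log format, event
type names and sample data are all assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# The seven stages in order; the list index doubles as a severity ordering.
KILL_CHAIN = [
    "Reconnaissance",
    "Weaponization",
    "Delivery",
    "Exploitation",
    "Installation",
    "Command and Control",
    "Actions on Objective",
]

# Assumed mapping from an event type (as a hypothetical SIEM might label it)
# to a kill-chain stage. Weaponization happens on the attacker's side and
# normally produces no event on the defender's network, so it has no entry.
EVENT_STAGE: Dict[str, str] = {
    "port_scan": "Reconnaissance",
    "phishing_email": "Delivery",
    "macro_execution": "Exploitation",
    "persistence_registry_key": "Installation",
    "beacon_to_external": "Command and Control",
    "bulk_outbound_transfer": "Actions on Objective",
    "mass_file_encryption": "Actions on Objective",
}


@dataclass
class Event:
    timestamp: str
    host: str
    event_type: str


def parse_event(line: str) -> Optional[Event]:
    """Parse one 'timestamp host event_type' line; return None if malformed."""
    parts = line.split()
    if len(parts) != 3:
        return None
    return Event(*parts)


def stage_of(event: Event) -> Optional[str]:
    """Kill-chain stage for an event, or None if the type is not mapped."""
    return EVENT_STAGE.get(event.event_type)


def furthest_stage_per_host(lines: List[str]) -> Dict[str, str]:
    """For each host, the latest kill-chain stage observed in its events."""
    furthest: Dict[str, int] = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # malformed line: skip rather than crash the triage run
        stage = stage_of(ev)
        if stage is None:
            continue  # unmapped event type: ignore rather than guess a stage
        idx = KILL_CHAIN.index(stage)
        if idx > furthest.get(ev.host, -1):
            furthest[ev.host] = idx
    return {host: KILL_CHAIN[i] for host, i in furthest.items()}


def hosts_needing_response(lines: List[str],
                           threshold: str = "Command and Control") -> List[str]:
    """Hosts at or beyond the threshold stage, i.e. the attacker has a foothold."""
    t = KILL_CHAIN.index(threshold)
    return sorted(host for host, stage in furthest_stage_per_host(lines).items()
                  if KILL_CHAIN.index(stage) >= t)


# Constructed sample log lines (not real telemetry), including one unmapped
# event type and one malformed line to show how they are handled.
SAMPLE_LOG = [
    "2024-01-05T08:01:00Z ws-017 phishing_email",
    "2024-01-05T08:04:12Z ws-017 macro_execution",
    "2024-01-05T08:04:40Z ws-017 persistence_registry_key",
    "2024-01-05T08:10:03Z ws-017 beacon_to_external",
    "2024-01-05T09:30:00Z ws-022 port_scan",
    "2024-01-05T09:31:00Z ws-022 unknown_event",
    "malformed line",
    "2024-01-05T11:00:00Z srv-db01 bulk_outbound_transfer",
]

if __name__ == "__main__":
    for host, stage in furthest_stage_per_host(SAMPLE_LOG).items():
        print(f"{host}: {stage}")
    print("needs incident response:", hosts_needing_response(SAMPLE_LOG))
```

Running the script on the constructed sample places ws-022 at Reconnaissance (scanned only), ws-017 at Command and Control (a full Delivery to C2 progression on one host) and srv-db01 at Actions on Objective, so the last two are returned as needing incident response. The design choice worth noting is that unmapped event types are ignored rather than assigned a guessed stage: a stage assignment drives prioritisation, so a wrong guess is worse than an honest gap in coverage.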
Today’s APTs usually follow this kind of pattern. In 2017 Maersk, the container ship and supply vessel operator, was infamously hit by the NotPetya ransomware attack. They reportedly managed to contain the spread of the malicious software, but warned that it would cause losses of up to $300 million and would require the overhaul and reinstallation of thousands of machines. Interestingly, and perhaps ominously, NotPetya is reportedly an adaptation and combination of two earlier pieces of malicious code: Petya, ransomware that encrypts a user’s hard drive and was used against Ukrainian banks, media and energy companies, and EternalBlue, a cyber attack tool developed by the US National Security Agency which uses a known vulnerability in Microsoft’s SMB (Server Message Block) protocol.
So what should your SecOps toolset look like?
In today’s hostile and digitally transformed environment, advanced threat protection is needed for both endpoint and cloud access, and this protection must be able to detect and respond to attacks across all parts of the cyber kill chain, with a coordinated SecOps (Security Operations) approach providing incident and event management and even automated response. At activereach we have identified key partners with advanced capabilities in the emerging cyber security product areas of EDR (Endpoint Detection and Response), CASB (Cloud Access Security Broker) and SOAR (Security Orchestration, Automation and Response).
CrowdStrike’s Falcon EDR platform brings machine learning and cloud delivery to provide complete endpoint protection via a single low-resource, lightweight agent.
Netskope hold patents for CASB technology and have a unique capability to parse cloud traffic for API and JSON data, enabling full protection against advanced threats and data leakage.
Swimlane simplify the task of integrating multiple SecOps products by using an API-centric drag-and-drop playbook approach to provide leading SOAR capabilities.
Contact us or call us on 0845 625 9025 to see how these technologies work together to provide a powerful suite of tools for your security operations.