Over the last 18 months we have seen an increasing number of reports about „Cyber breaches“ where data is lost or services are unavailable. Let’s look at why this is happening, what kinds of organisations are behind this and what we can do to mitigate the risks that we face as organisations due to these attacks?
- Why is this happening ?
Almost every organisation I speak to has some kind of „digitalisation“ program which usually has high priority and involves massive changes to the ways in which they have worked up until now. The motivation of these programs is usually to reduce costs or improve services and despite the fact that the content of these programs varies by sector but there are a number of technical elements in common. Major amongst these are:
- There is a requirement for more and more of the organisation to be connected internally and also to be connected to entities outside the organisation. This may be customer facing or may involve integrating various partners into the supply chain.
- More and more assets are being stored digitally. These may be as diverse as customer records, business plans, product details or financial assets. No matter what these assets may be, they usually represent some kind of value to the organisation, and inappropriate sharing or denial of availability of these assets has multiple penalties.
- The infrastructure itself is an asset – this is already true in the area of Critical National Infrastructure (Power, Telecoms, Financial) and will spread as we see the advent of more and more Internet of Things devices connected to that infrastructure.
The combination of these three factors means that as we become more dependent on the digital infrastructure, its growth and its interconnected nature make it more liable to attack and disruption.
2. Who is behind it ?
Attackers can be broadly defined into a number of main groups :-
- governments or government sponsored organistions
- criminal organisations
- hacktivists or interest groups
- hobbyists or enthusiasts
Although their motivations may differ, all of these pose a threat to your organisations.
3. What are the Risks ?
Dr. Andreas Dombret from the Bundesbank characterised three major risks which confront us in the world of Cyber defence. These are :-
- risk to integrity – are the entities using your system in fact who they purport to be ?
- risk to confidentialty – are digital assets only accessible to those entities which have appropriate access rights ?
- risk to availability – can infrastructure or assets be made unavailbale either permanently or temporarily ?
Each of these risks can be „monetised“ by attackers in a number of ways – here we take „monetised“ both in the sense of making actual money from the risk or otherwise exploiting the risk for another kind of gain (damaging an opponent’s reputation for example).
A more recent phenomenon is the monetising of the availability risk through demanding a ransom in order to restore availability. This may be done by flooding the network with meaningless traffic so that legitimate traffic can’t be served (Distributed Denial of Service DDos) or possibly by encrypting digital assets and demanding payments to reveal the encrytion key.
More traditional styles of monetising have been for example, selling personal details in the market for such information (confidentiality risk) or possibly authorising transactions which are in fact not legitimate (integrity risk), however the list of possibilities here is very long.
4. How do I protect my organisation ?
As with any technology, there has been an evolution in both the attack and defence approaches – attackers have turned to far more deliberately crafted approaches to attacking specific objectives in organisations. They have worked harder to reverse engineer protection mechanisms with a view to circumventing them. As such the initial methods of hardening the perimeter are no longer sufficient.
As we build higher walls they will invent longer ladders. This does not mean that we do away with walls altogether; however it does mean that we need to take extra precautions if we are to protect ourselves. We should assume by default that our external defences are permeable and take precautions to secure our networks from the internal, as well as the external, threat.
One promising way to do this is by observing the behaviour of entities (machines, users, applications, devices) on the network and identifying when they do something unusual. Most attacks follow the Kill Chain model of Reconnoitre -Weaponise -Deliver -Exploit -Install – Command and Control -then Take Action. This means that they will be in the system and causing network activity before they actually strike and cause harm (some studies estimate the average linger time when attackers are in the network before initiating their attack as 212 days).
There are some challenges to this method, not least the volumes of data generated by the networks being observed. Modern technology can address that issue satisfactorily but there is another factor which comes into play – what is normal behaviour ? A challenge which makes answering this question even more difficult is that information about elements such as network setup and business organisation is often badly managed or, where available, it is not shared with security teams.
Some of this can be addressed by using machine learning techniques to help establish „normal“ but organisations really do need to ensure that such relevant information is appropriately created, managed and shared.
This anomaly detection approach has the benefit that it can identify previously unidentified behaviours (many of the current hardening techniques rely on list of previous observed bad behaviour) and as such is will prove a valuable addition to the arsenal of defence methods used.
Allan Russell is a SAS fellow and specialist on cybercrime. He held this speech at a United Europe debate on economic espionage on Octber 25 , 2016, in Munich.