There aren’t many organisations that can confidently say that they will never be hacked. And those that do, probably shouldn’t. As a result, security strategies are moving from cyber prevention to cyber resilience. In layman’s terms this simply means that you make your environment resilient enough that even if you get hacked you minimise the impact on what hackers can access and the impact on the business. If you do get hacked, you have processes in place to recover quickly and successfully. There are two questions that all CxOs have on their mind when it comes to cyber resilience.
1. How Do I Know If We Have Been Compromised?
Attackers are getting smarter by the day. On average it takes around 200 days before a compromise is discovered. To shorten this timeframe, the following four points are recommended:
- Do Your Research. Understand who is targeting you and how. This excellent guide from the Australian Cybersecurity Centre (ACSC) summarises the typical tactics, techniques and procedures (TTPs) exploited by Advanced Persistent Threats (APT) and cybercriminals in Australia during 2019/2020. These TTPs are presented in the MITRE ATT&CK framework, a knowledge base of adversary tactics and techniques based on real-world observations that is used to develop threat models. This information is critical for reviewing your environment for the presence of the exploited vulnerabilities and TTPs.
- Perform a Compromise Assessment. Engage a specialist threat hunting organisation that can help you review your environment for the threats described above. It may be difficult for your current team to look for exploited vulnerabilities and TTPs themselves; this is where a specialist team can come in and assist.
- Perform Threat Hunting and Red Teaming Exercises. Many organisations are increasing investments in threat hunting and red teaming capabilities internally. Threat hunting looks for a specific threat and its associated Indicators of Compromise (IoCs) in your environment. Detection of an IoC within your environment is an almost certain indicator of a security issue. Red teaming involves one team (the Red team) simulating an attack using different techniques and scenarios based on the MITRE ATT&CK framework. Simultaneously, another team (the Blue team) tries to defend the environment. These combined attack and defend simulations are often referred to as Purple Teaming. Even though this is not a direct search for compromises within your environment, it is a good way to assess your security team’s preparedness for a possible attack.
- Monitor the Dark Web and Obtain Targeted Threat Intelligence. The reports of Toll Group’s data being dumped on the dark web are a clear example of why it’s critical to monitor the dark web for compromised data. Stolen data almost always ends up on the dark web. Keeping a watching brief for your data on the dark web can help identify a security breach, and there are specialist organisations that can help with this. Secondly, obtaining targeted threat intelligence is important as well. Targeted threat intelligence is intelligence on threats specific to the organisation, such as phishing kits being sold that are tailored for a particular organisation. This differs from generic intelligence that may cover an industry or anyone that doesn’t have the right controls in place. Targeted threats are a more serious concern as they are specifically targeting an organisation, which must bolster its defences to mitigate the threat. Understanding generic IoCs as well as specific IoCs, and searching for these in your environment, will help detect security breaches.
When a breach is detected, containing the extent of the breach and recovery are the next steps. Containment can range from isolating a single affected system to the entire environment, depending on the spread of the compromise. Similarly, recovery ranges from simple infection removal to a complete systems rebuild from backups based on severity of compromise. During both phases, it is important to preserve evidence, particularly if you want to prosecute the perpetrators. Again, with both these activities, specialist help is advisable. Having discussed how to detect compromises, let’s focus on preventing future ones.
2. How Do I Stop Us Being Compromised?
These three steps are fundamental to prevent being compromised in the first place:
Cover the Basics
As a start, review the Essential 8 mitigation strategies recommended by the Australian Cybersecurity Centre. Understand what these are and assess your environment against them. Immediately address any that are missing.
Discover and Classify Data
Unless you know where your data is and how critical it is, there is little hope of being able to secure it. The security of the data is directly dependent on its location and criticality. Build controls for data based on both of these factors. Critical data in an easily accessible location is likely to require stronger security controls than public data in a secure location. More on that later…
Take an Attack-Based Approach
To truly protect yourself from ransomware attacks, it is important to understand the stages of the attack and how you can apply controls at each stage to protect yourself. Here is the typical attack methodology:
- Email or web-based attack – initially the attacker will send an email with a link or an attachment that will either contain or direct a user to malware.
- Malware download – once the user opens the attachment or clicks on the link, the malware downloads to the user’s device. This usually exploits a missing patch on the device.
- Local device takeover – once the malware has been downloaded to the device, the machine gets encrypted.
- Privilege Escalation (or not) – the attacker will then look to move laterally within the network and try to gain higher privileges. Once this is attained, the attacker will then start looking for critical data that they want to exfiltrate.
- Data Exfiltration – once the attacker has found the data, they will try to copy it to another location under their control.
Now that we have discussed how an attacker can get into an organisation (please note this is not the only way), let’s look at how we can implement controls to help stop this type of attack. Controls within a cybersecurity context generally fall into four categories:
- Predict – systems, tools, policies and procedures that help detect vulnerabilities in systems and predict potential avenues of attack.
- Prevent – systems, tools, policies and procedures that prevent threats affecting your systems. Examples include the corporate firewall and microsegmentation technology.
- Detect – systems, tools, policies and procedures that give you the ability to detect threats that may affect your system. An example is an Intrusion Detection System.
- Respond – systems, tools, policies and procedures that allow you to respond to threats and contain/eradicate them. A policy example is the corporate Incident Response Plan and associated tools such as a Security Information and Event Management (SIEM) system and automated response and isolation technology such as Dynamic Isolation.
Now comes the important part – we need to look at all the steps in the attack methodology and apply controls for each category of control for each step to help stop the attack. The simplest way to do this is in a table where you map existing controls against each category of controls that protect against the relevant attack phase. Any gaps should be addressed urgently. As you do this simple gap analysis, do not forget controls for people and processes, physical security, disaster recovery and third parties.
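The mapping table described above, as an added worked example that is not part of the original article: the five attack phases and four control categories come from the text, while the control inventory is a constructed sample (an assumption) used only to show how empty cells become the gaps to address.

```python
# Control gap analysis: map existing controls onto the attack phases and
# the four control categories described above, then report the empty cells.
ATTACK_PHASES = ["Email or web-based attack", "Malware download",
                 "Local device takeover", "Privilege escalation",
                 "Data exfiltration"]
CONTROL_CATEGORIES = ["Predict", "Prevent", "Detect", "Respond"]

# Constructed sample control inventory (an assumption): (name, category, phases covered).
SAMPLE_CONTROLS = [
    ("Email gateway filtering", "Prevent", ["Email or web-based attack"]),
    ("Phishing simulation programme", "Predict", ["Email or web-based attack"]),
    ("Vulnerability scanning", "Predict", ["Malware download"]),
    ("Patch management", "Prevent", ["Malware download"]),
    ("Endpoint detection and response", "Detect", ["Local device takeover", "Privilege escalation"]),
    ("Dynamic Isolation of endpoints", "Respond", ["Local device takeover", "Data exfiltration"]),
    ("Immutable offline backups", "Respond", ["Local device takeover"]),
    ("Data loss prevention", "Detect", ["Data exfiltration"]),
]

def build_matrix(controls):
    """{phase: {category: [names]}} with every cell present: an empty list is an explicit gap."""
    matrix = {p: {c: [] for c in CONTROL_CATEGORIES} for p in ATTACK_PHASES}
    for name, category, phases in controls:
        if category not in CONTROL_CATEGORIES:
            raise ValueError(f"unknown control category: {category}")
        for phase in phases:
            if phase not in matrix:
                raise ValueError(f"unknown attack phase: {phase}")
            matrix[phase][category].append(name)
    return matrix

def find_gaps(matrix):
    """Empty (phase, category) cells in attack order, so the earliest uncovered phase comes first."""
    return [(p, c) for p in ATTACK_PHASES
            for c in CONTROL_CATEGORIES if not matrix[p][c]]

def render(matrix):
    """Plain-text version of the mapping table: control count per cell, or GAP."""
    width = max(len(p) for p in ATTACK_PHASES)
    lines = [" " * width + " | " + " | ".join(f"{c:<8}" for c in CONTROL_CATEGORIES)]
    for p in ATTACK_PHASES:
        cells = [f"{len(matrix[p][c]) or 'GAP':<8}" for c in CONTROL_CATEGORIES]
        lines.append(f"{p:<{width}} | " + " | ".join(cells))
    return "\n".join(lines)

if __name__ == "__main__":
    m = build_matrix(SAMPLE_CONTROLS)
    print(render(m))
    print(f"{len(find_gaps(m))} gaps to address")
```

Extend `SAMPLE_CONTROLS` with the people, process, physical security, disaster recovery and third-party controls the text mentions; any cell still reporting GAP is a candidate for urgent attention.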
Mapping your controls to an adversary’s attack methodology is the best way to stop the attack.
There are two other key points to factor into your cyber resilience approach:
With the proliferation and complexity of attacks, a Zero Trust model is necessary to protect your environment. The Zero Trust model has three key components:
- User/Application Authentication – we must authenticate the user or the application (in cases where applications are requesting automated access) irrefutably to ensure that the entity requesting access is indeed that entity.
- Device Authentication – authenticating just the user/application is not enough. We must authenticate the device that is requesting access too.
- Trust – access is then granted only once the user/application and the device are irrefutably authenticated.
Essentially, the Zero Trust framework dictates that we cannot trust anything inside or outside your perimeters. The model operates on the principle of ‘never trust, always verify’. It effectively assumes that the perimeter is non-existent and we can no longer expect a lower level of security inside the perimeter. This has unfortunately proven true in multiple attacks as attackers simply enter the perimeter through trusted connections via tactics such as phishing attacks. Therefore, a Zero Trust approach will go a long way towards making your environment more resilient towards cyber-attacks.
Insider threat refers to cases of trusted insiders or those inside the network accessing and exfiltrating data that they shouldn’t have access to. There are some simple ways an organisation can reduce insider threats:
- Deploy a Zero Trust model where the user/application and device are authenticated based on identities, and strict role-based access controls are implemented on a need-to-know basis.
- Use user behaviour and network behaviour analysis to detect any unusual behaviour quickly. But detection alone is not enough. Ensure you have technology in place that can quickly isolate the ‘offending’ user or device through Dynamic Isolation to prevent major data exfiltration events.
The advice so far has been purely tactical. Threats will evolve and get worse. The only way to truly protect yourself is to conduct a robust risk analysis of your environment using standards such as ISO 27001, NIST, ISM, etc. and address the issues that are found. Start with a simple health check.
Understand your vulnerabilities and address them methodically. Moreover, once you are done, rinse and repeat! The threat landscape and your environment will constantly change and evolve. In order to stay on top of new and emerging threats, you have to stay ever vigilant and reassess your risks regularly.
In addition, engage in intelligence-led security. Simply put, this is having relevant intelligence about threats and vulnerabilities related to your environment and protecting yourself against them. Many organisations provide very useful threat information from sources including the open, deep and dark web. Importing this information along with your vulnerability information into your Security Information and Event Management (SIEM) tool will allow you to detect threats faster and much more accurately.
This process will greatly enhance your capability to pick up Indicators of Compromise, the investigation of which can prevent or minimise damage. Use of tools that allow quick isolation of endpoints upon detection of a security incident will greatly reduce the chances of lateral movement as well as ease the burden on your security operations centre. The traditional risk analysis approach looks at cybersecurity strategies from the inside out, as you are primarily focused on control gaps inside your organisation. The intelligence-led approach looks at strategies from the outside in (from the attacker’s perspective). The combination of these two approaches can truly give you a well-rounded perspective on the risks and threats affecting your organisation. Whatever methodology or tool is used, it must take both threats and vulnerabilities into account to give you a true picture of likelihood.
Further, this information needs to be made available in near real-time so that Boards and Executives are fully informed of the organisation’s risk posture and can make informed decisions. Providing a clear idea on the value of risk mitigated based on previous breach costs within your industry will allow Boards and Executives to better understand the value of requested cybersecurity investments and will make obtaining funding easier.
Unfortunately, there are no silver bullets in cybersecurity. The best you can do is become cyber resilient. The good news is that these steps will put your organisation in a better position to deal with the threats of tomorrow.
Author: Ashwin Pal, Director of Security Services, Unisys Asia Pacific