We hear about nations spying on each other, of geeks hacking large corporations just for fun; how can I know if my company is at risk?
We are all at risk. The real questions are: “How much are we at risk?” and “To what kind of risk are we exposed?” As you have enumerated already, there are many potential attackers, and understanding what our highest-value information is will help us answer who could be after us. To keep it simple, let us use the categories of attackers proposed by Marc Théberge, Chief Cyber Security Operations at Arc4dia: the Gangster and the Traitor.
The Gangster will contemplate exploiting you for a quick win or quick profit, while the Traitor looks at exploiting you for long-term profit.
Ransomware, the superstar of the Gangster category, has recently been affecting all of us. Whether in direct fiscal losses of $1B in 2016 or in mission-critical information, such as a police force's loss of nine years of evidence, the range of impact on business has led to some business closures. Thankfully, you can protect yourself from it by making sure you have at least two (2) backups at all times. And remember, only verified working backups are valid backups.
The Botnet is still around in the Gangster category, doing damage by exploiting more and more Internet of Things (IoT) devices and home routers. This one is a bit trickier, as many of the IoT devices simply cannot be updated or patched to protect them against known exploitation vectors.
The best mitigation strategy at the moment is to keep them isolated from direct external Internet access. There are a few technologies worth looking into lately such as the Google Wi-Fi router as well as the F-Secure Sense, both offering some level of protection for our very vulnerable home IoT devices.
As if the Gangster were not trouble enough, here comes the most dangerous threat against your company: the Traitor.
The Traitor will go to great lengths either to cause high-profile reputational damage or to stay hidden and steal as much as possible from you for profit in the long run.
We have seen all sorts of very creative hacking to reach such goals, by criminals or by state-sponsored actors acting in the best interest of their local industry. Defending against such actors is the subject of long studies and professional work, but let us try to isolate some ideas for a better understanding of the problem.
The Traitor will seek to breach your privacy by breaching your security in order to target your most valuable information. To preserve your privacy, the first step is to take the time to identify what your high-value information and high-value reputation are.
For example, we know of attackers targeting the core systems to gain access to:
- Intellectual property,
- Critical infrastructure,
- International strategies,
- Acquisition plans.

Some of our clients need to bid internationally to acquire some resources. Hackers have targeted the executives in charge of performing such a bidding process with the intent of outbidding them at the lowest overhead cost possible. Such mission-critical information losses have been the cause of large companies foreclosing in the last 10 years and even more.
Others are suffering from privacy information leaks. It is very common for companies with very sensitive information in hand to have to pay a ransom in exchange for privacy; otherwise they would lose the trust of their clients. These ransom payments happen behind closed doors and do not make it to public knowledge, but they are good examples of where to look to identify where we are at risk. The information on ransoms paid is very limited, but we can go as far back as the year 2000, when the FBI released information that more than 40 companies had paid ransoms of over $100,000 to avoid information release within the preceding year.
To summarize, if you run a successful business, you are at significant risk, especially nowadays with such a rise in criminal hacking.
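The point above about verified backups, illustrated with an added example that is not part of the interview and assumes nothing about Arc4dia's own tooling: a small Python script of my own that records a SHA-256 manifest of the source tree at backup time and later checks each backup copy against it, reporting files that are missing, altered or unexpected. The sample files, and the second backup that is silently corrupted, are constructed inline so the script runs offline.

```python
"""Backup verification (added example): a backup counts as valid only once every
file in it matches the manifest recorded when the backup was taken."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, '/'-separated) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(manifest: dict, backup_root: Path) -> dict:
    """Compare a backup copy against the manifest; three empty lists mean it is intact."""
    found = build_manifest(backup_root)
    return {
        "missing": sorted(k for k in manifest if k not in found),
        "modified": sorted(k for k in manifest if k in found and found[k] != manifest[k]),
        "extra": sorted(k for k in found if k not in manifest),
    }


def is_valid_backup(manifest: dict, backup_root: Path) -> bool:
    """True only for a backup that restores exactly what was recorded."""
    return not any(verify_backup(manifest, backup_root).values())


def make_tree(root: Path, files: dict) -> None:
    """Write a constructed set of files under root (test data, not real evidence)."""
    for rel, data in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def demo() -> dict:
    """Constructed scenario: two backups of one source tree, one of them damaged."""
    sample_files = {  # constructed sample content
        "db/cases.sqlite": b"case records 2008-2017",
        "docs/bid.xlsx": b"tender figures",
        "notes.txt": b"restore procedure reminder",
    }
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        source, backup_a, backup_b = base / "source", base / "backup_a", base / "backup_b"
        make_tree(source, sample_files)
        manifest = build_manifest(source)          # recorded at backup time
        shutil.copytree(source, backup_a)
        shutil.copytree(source, backup_b)
        # Simulate what ransomware or bit rot does to the second copy:
        # one file overwritten, one file gone.
        (backup_b / "db/cases.sqlite").write_bytes(b"ENCRYPTED")
        (backup_b / "notes.txt").unlink()
        return {
            "a": verify_backup(manifest, backup_a),
            "b": verify_backup(manifest, backup_b),
            "a_valid": is_valid_backup(manifest, backup_a),
            "b_valid": is_valid_backup(manifest, backup_b),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Run on real backups, the manifest should be stored with the backup but signed or kept on separate media, so that whatever damaged the copy cannot rewrite the manifest to match; the verification step is what turns "we have two backups" into "we have two backups we know will restore".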
We see nothing, but we hear about the “hacking battle”; how have threats evolved in the last few years?
True enough, hacking battles are happening; in fact, some security vendors like to point out that some of their clients have had almost all the strains of advanced malware out there, and that they look there when they suspect something is going on.
The threats certainly have evolved. Advanced malware has lowered the number of targeted hosts in exchange for value, to optimize the return on investment in its technology against the infosec community after suffering more and more exposure in recent years.
The rise of ransomware, now possible because of cryptocurrencies such as Bitcoin, has brought a new type of malware in the sense that it is not trying to hide. It simply acts in a brute-force and fast manner.
At the opposite end of the spectrum, where stealth is critical to the malware's success, we are seeing a rise in fileless malware. This malware avoids touching the system disks in favour of living in memory only, making it much harder to detect.
We have heard of the “malware hunting” type of defence; what is it?
Traditionally, anti-virus software attempted to keep your computers clean of any viruses. This method was very effective at finding known malware, or malware that had already been seen before. This was an effective way of stopping viruses because spreading methods were much slower, especially before the Internet days.
Fast forward to 2017: these techniques apply a machine defence mechanism against a very dynamic threat controlled by humans. The “old” approach is effectively a machine vs. human fight, and the machines, in this case, are losing radically.
Malware hunting brings the fight to the human vs. human level by being dynamic and continuously connected to the protected hosts. Malware hunters perform live forensic analysis on computers with suspicious alerts without interrupting them.
So what is the best protection strategy, considering the costs involved?
One of my favourite guides is the one from the Australian Signals Directorate.
Start with their top 4 recommendations and add an Endpoint Detection and Response platform supported by a quality managed malware hunting service. Dedicated malware hunting services are part of defensive strategies that free up time for hardening the environment instead of running around inefficiently trying to stop potential hackers.
Let the old techniques cycle out. We have many high-profile clients letting go of expensive SIEM and IDS/IPS services in favour of cheaper ones, or even simpler and more effective techniques as mentioned before.
For small businesses, I would add this: make sure you have a very simple VPN service on all devices that leave your premises. Services such as Freedome by F-Secure are simply too cheap, easy and efficient to pass on. They will protect users from several local attack types while at the local café or the airport.
Pierre Roberge: An 11-year veteran of the Communications Security Establishment (CSE), Pierre led advanced technical teams tasked with protecting Canada’s national interests in cyberspace. While the majority of Pierre’s projects remain classified, Pierre established a strong reputation among ‘5-Eyes’ nations as a leading expert and innovator in cyber intelligence operations.
His declassified awards include the CSE Excellency Award and the Chief of the Defence Staff Commendation. While working alongside British and American counterparts, Pierre led teams of 100+ members to combat the most advanced cyber threats originating from both state and non-state actors.
Pierre is experienced in working within a complex, enterprise-level networking environment using the most advanced technologies. His technical experience ranges from securing low-level infrastructure and endpoint systems to interfacing with dynamic and cross-functional networks.