Spotting threats in cyberspace is like stargazing. There are lots of them out there, but telling them apart and working out which ones are about to go supernova takes experience and skill.
You don’t want to pour the same resource into protecting yourself against every single perceived threat, because no budget can support that. Instead, your response must be proportionate. How can you identify threats properly and ensure an appropriate response to each of them?
How do you distinguish between different types of attack?
In its 2015 annual report, UK-CERT divides security incidents into several types. These include compromise of network infrastructure, data loss, spam and phishing, targeted phishing, malware, website DDoS, vulnerabilities (in websites or your broader infrastructure), and abuse of credentials or unsecured infrastructure.
Several of these categories overlap each other, and some may be used as a stepping stone to others. Phishing is an excellent way to install malware, for example, which is in turn a pivotal tool in attacking network infrastructure.
While few categories dominated, malware did stand out: the organisation said 30 per cent of all incidents in 2014 were malware-based.
Some of these attacks are more obvious than others, explained Eric Stevens, director of strategic security consulting services at Forcepoint, which sells cloud-based tools for cyber-protection.
“If I’m being hit with a denial of service, then it’s pretty obvious that’s serious because it’s limiting our ability to communicate,” Stevens said. But other attacks can be less obvious. DDoS attacks are designed to disrupt, whereas data-stealing attacks are supposed to be stealthy. Businesses must understand how a threat works, of course, but it is just as important to factor in the ultimate impact of an attack when profiling it, said Stevens.
Context matters, he pointed out. Some data is more important than other data. Someone moving social insurance numbers around an organization’s servers should arouse more concern than someone shifting non-sensitive Word documents from one folder to another. Classifying data and assigning importance to it is central to the cybersecurity process: it is what lets you treat, say, a spearphishing attempt against several of your developers as a priority threat, because it could hand a malicious actor access to important source code within your organization.
It’s also important to watch for apparently disconnected attacks that may seem less important but which present a more serious threat when taken in context. This requires a broad level of visibility across an organization’s infrastructure and applications.
What is the appropriate response to different types of attack?
What happens when you spot an ongoing attack? Having a playbook is critical, so that staff know what they should be doing when the alert comes in. That also includes an investment in training, said Stevens. He spent time working on aircraft carriers and describes an “all hands on deck moment”, when an emergency (or a drill) occurs, and everyone has to know exactly what their job is.
This playbook is a regularly rehearsed crisis management plan that includes cyber drills and employee training, explained Dr Adrian Davis, managing director, EMEA at IT security certification non-profit the International Information System Security Certification Consortium (ISC)2. “Then, if the worst happens, you have rapid response and disaster recovery in place,” he said.
That playbook may contain different scenarios depending on the type and severity of the attack in play, experts warn.
“In all cases, an enterprise-wide incident response process including consideration of business impacts and effective crisis management is critical,” explained Emily Mossburg, resilient practice leader for Deloitte Cyber Risk Services, adding that the legal considerations (such as who to inform, when, and how) will vary by jurisdiction.
Here, though, classification of data and assessment of impact will guide the kind of response that an organization should take. “The value of the target will drive decisions regarding the trade-off between restoration and protection,” Mossburg said.
If an attacker has your crown jewels, you may make protection more of a priority than continuity of service, for example. It may be acceptable to take a system down for a few hours if it stops an attacker who is just about to transmit your highly sensitive data. If you see an attack that is nowhere near your sensitive data, you may have more time to cordon off that subnet without affecting mission-critical services.
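The two ideas above, correlating apparently disconnected alerts against a data classification (Stevens) and letting the value of the target decide between protection and continuity of service (Mossburg), can be shown in one small triage script. The following is an added example written for this page; it is not code from any of the organisations or experts quoted. The asset classification table, the alert types and stage numbers, the scoring weights, the response tiers and the sample alert lines are all constructed for illustration, and a real SOC would source them from its own asset inventory and detection stack.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Data classification per asset: the "classify data and assign importance"
# step from the article. Values are constructed for this example.
ASSET_CLASSIFICATION = {
    "dev-ws-07": "source-code",   # developer workstation
    "git-01": "source-code",      # repository host
    "hr-db-01": "pii",            # social insurance numbers live here
    "file-srv-02": "internal",    # ordinary Word documents
    "kiosk-03": "public",         # nothing sensitive
}
CLASS_WEIGHT = {"source-code": 3, "pii": 3, "internal": 1, "public": 0}

# Rough attack stage of each alert type (constructed). A chain that advances
# through several stages is treated as more serious than any single alert.
STAGE = {"phish_delivered": 1, "new_process": 2, "c2_beacon": 3, "bulk_outbound": 4}

# Constructed alert lines in a simple "<iso-time> <kind> host=<h> user=<u>" format.
SAMPLE_ALERTS = [
    "2015-06-02T09:14:05 phish_delivered host=dev-ws-07 user=alice",
    "2015-06-02T09:31:40 new_process host=dev-ws-07 user=alice",
    "2015-06-02T11:02:11 c2_beacon host=dev-ws-07 user=alice",
    "2015-06-02T10:05:00 new_process host=kiosk-03 user=guest",
    "2015-06-02T10:20:00 c2_beacon host=kiosk-03 user=guest",
    "2015-06-03T08:00:00 bulk_outbound host=file-srv-02 user=svc-backup",
]


@dataclass
class Alert:
    ts: datetime
    kind: str
    host: str
    user: str


def parse_alert(line: str) -> Alert:
    """Parse one alert line of the constructed format above."""
    ts, kind, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return Alert(datetime.fromisoformat(ts), kind, fields["host"], fields["user"])


def recommend(classification: str, deepest_stage: int) -> str:
    """Response tier: the value of the target decides protection vs continuity."""
    valuable = CLASS_WEIGHT[classification] >= 3
    if valuable and deepest_stage >= 3:
        return "isolate host now; accept service loss"   # crown jewels at risk
    if valuable:
        return "heighten monitoring; prepare isolation"
    if deepest_stage >= 3:
        return "cordon subnet; preserve service"         # far from sensitive data
    return "ticket for analyst review"


def score(chain: list) -> dict:
    """Score a chain of alerts on one host by asset value and attack progression."""
    host = chain[0].host
    classification = ASSET_CLASSIFICATION.get(host, "internal")
    stages = sorted({STAGE[a.kind] for a in chain})
    deepest = stages[-1]
    progression = len(stages) - 1          # distinct stages beyond the first
    value = CLASS_WEIGHT[classification] * (deepest + progression)
    return {"host": host, "classification": classification, "stages": stages,
            "score": value, "response": recommend(classification, deepest)}


def correlate(alerts: list, window: timedelta = timedelta(hours=6)) -> list:
    """Group alerts per host within a time window, score each group, rank them."""
    by_host = {}
    for a in sorted(alerts, key=lambda a: a.ts):
        by_host.setdefault(a.host, []).append(a)
    incidents = []
    for group in by_host.values():
        chain = []
        for a in group:
            if chain and a.ts - chain[0].ts > window:   # window expired: close chain
                incidents.append(score(chain))
                chain = []
            chain.append(a)
        if chain:
            incidents.append(score(chain))
    return sorted(incidents, key=lambda i: i["score"], reverse=True)


def triage(lines: list) -> list:
    return correlate([parse_alert(line) for line in lines])


if __name__ == "__main__":
    for incident in triage(SAMPLE_ALERTS):
        print(incident)
```

On the sample input, the phishing alert on dev-ws-07 scores only 3 on its own, but once the new process and the beacon on the same host are chained it scores 15 and is ranked first with an immediate-isolation recommendation, because the host is classified as holding source code. The kiosk shows the same new-process-plus-beacon pattern yet scores 0 and gets a cordon-the-subnet recommendation, since nothing sensitive is near it. The weights and tiers are deliberately simple; the point is that both the classification table and the chaining, not the individual alert, drive the priority and the response.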