Cyberthreat: How to respond...and when

Is this an all hands on deck moment?

How to manage and remediate potentially threatening internal behaviour

External attacks are one problem, but companies must also look inside themselves to identify and counter threats. Insider threats are still a significant part of the cyber risk landscape, and companies should be on the lookout for them. Yet they can be difficult to spot, warned Davis.

“An employee sending out confidential data by accident may look very much like a cybercriminal who has managed to get that employee’s user name and is sending out material from that compromised account,” he pointed out. Managing those threats involves looking for abnormal behaviour, he said. “When attempting to discover whether a data leak is deliberate or accidental, it is important to look for things that do not fit the normal pattern of behaviour of the company, the IT system or the employee,” he advised.

Part of the challenge for modern organizations is that there simply isn’t a security perimeter anymore, warned Eddie Schwartz, international vice president and chair of the Cybersecurity Task Force at ISACA, a non-profit focusing on information security, risk management and governance.

“In a world of cloud, mobility and enterprise reliance on third-party providers, it’s important to realize that the perimeter as we knew it has disappeared, and that what we are really looking at are attacks on information wherever it lives and moves, instead of attacks on the perimeter,” he said.

Building systems to detect abnormalities is one measure that can help spot potentially damaging behaviour, but people are an integral part of the threat, and so must be part of the solution, warned G. Mark Hardy, a retired Navy captain and instructor at the SANS Institute who also runs his own cybersecurity consulting firm.

“Humans represent an attack surface that can be almost universally used in any large-scale successful assault, and that's often overlooked because it's simply not considered to be part of the technical alignment of defences,” he said. “The attackers know this, and therefore the best possible technical configuration is easily overcome by a deceived employee who simply allows an attacker to do something.”

How to ensure the entire organization understands security and plays a part

Reducing your human attack surface using security awareness training is one part of the solution, he said. Another is testing those users to ensure that they are applying those principles in practice. That may involve benign phishing campaigns to test which users will actually open suspicious emails.

This security awareness training is vital, agreed Deloitte’s Mossburg, who argues that policy manuals, like traditional training programs, are important but insufficient on their own.

“Active learning scenarios can deepen the understanding of the threats, opportunities, and decisions made daily that impact an organization’s cyber risk posture,” she said. “Reinforcing desired behaviors and correcting undesired behaviors through incentive programs drive understanding and adoption.”

These techniques move beyond simply lecturing staff on the basics of cybersecurity, instead introducing discussions and problem solving techniques that help them to analyze and appreciate the threat. This awareness must go all the way to senior executive level, though, warns Hardy. They, after all, are the people who can issue the orders and get things done.

Preparing for next time

What happens after an attack is just as important as your actions during it. Learning from what has happened enables an organization to prepare itself more effectively for next time – and there will be a next time. Mossburg advocates investment in tools that can help with post-attack analysis and recovery.

“While you must invest in security controls to protect critical assets, in some cases a greater return is generated by gaining more insight into threats and improving response and recovery capabilities which minimize the impact of cyber incidents,” she said.

Security information and event management (SIEM) tools can help not only to aggregate and correlate data from across the organization and establish baselines for normal activity, but can also be used to collect incident data. This can then be fed back into intrusion detection systems, bolstering their defences and giving them new signatures and attack patterns to watch for.
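The following script is an example added here, not code from the article or from any of the people quoted in it. It puts Davis's advice above (look for what does not fit the normal pattern of the employee) and the SIEM baselining step into one piece of working code: it parses a small egress log, builds a per-user baseline from an earlier window (destinations seen, hours active, bytes sent per event), then scores later events against that baseline. The log format, the field names, the three-sigma volume threshold and the sample log lines are all constructed for the example and are assumptions, not anything the article describes.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed sample egress log (assumption, not from the article), one event per line:
# "<ISO timestamp> <user> <destination> <bytes sent>".
SAMPLE_LOG = """\
2024-03-01T09:02:11 alice mail.example.com 120000
2024-03-01T10:15:40 alice mail.example.com 95000
2024-03-02T09:10:02 alice mail.example.com 110000
2024-03-02T14:33:09 alice mail.example.com 130000
2024-03-03T09:20:51 alice mail.example.com 105000
2024-03-01T11:05:19 bob cloud.example.net 2000000
2024-03-01T16:22:01 bob cloud.example.net 2500000
2024-03-02T11:30:40 bob cloud.example.net 1800000
2024-03-03T11:45:12 bob cloud.example.net 2200000
2024-03-04T03:12:44 alice share.unknown-host.invalid 48000000
2024-03-04T11:40:00 bob cloud.example.net 2300000
2024-03-04T12:05:33 carol cloud.example.net 500000
"""


@dataclass
class Event:
    ts: str
    user: str
    dest: str
    size: int

    @property
    def day(self):
        return self.ts[:10]

    @property
    def hour(self):
        return int(self.ts[11:13])


@dataclass
class Baseline:
    dests: set       # destinations this user has sent to before
    hours: set       # hours of day this user has been active
    mean_size: float
    stdev_size: float


def parse_log(text):
    """Parse the assumed four-field log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, dest, size = line.split()
        events.append(Event(ts, user, dest, int(size)))
    return events


def build_baselines(events):
    """Per-user profile of what 'normal' looked like during the baseline window."""
    per_user = defaultdict(list)
    for ev in events:
        per_user[ev.user].append(ev)
    baselines = {}
    for user, evs in per_user.items():
        sizes = [e.size for e in evs]
        baselines[user] = Baseline(
            dests={e.dest for e in evs},
            hours={e.hour for e in evs},
            mean_size=mean(sizes),
            stdev_size=pstdev(sizes),
        )
    return baselines


def score_event(ev, baselines, z_threshold=3.0):
    """Return the ways this event departs from the user's baseline (empty list = normal)."""
    b = baselines.get(ev.user)
    if b is None:
        # A user with no history cannot be judged against a pattern; surface that explicitly.
        return ["no baseline for user"]
    reasons = []
    if ev.dest not in b.dests:
        reasons.append("new destination")
    if ev.hour not in b.hours:
        reasons.append("unusual hour")
    if b.stdev_size > 0:
        z = (ev.size - b.mean_size) / b.stdev_size
        if z > z_threshold:
            reasons.append(f"volume z-score {z:.1f}")
    elif ev.size > b.mean_size:
        # Degenerate baseline (every past send was the same size): any increase is worth a look.
        reasons.append("volume above constant baseline")
    return reasons


def find_anomalies(log_text, baseline_until):
    """Baseline on days <= baseline_until, score later days; returns [(event, reasons)]."""
    events = parse_log(log_text)
    baselines = build_baselines([e for e in events if e.day <= baseline_until])
    flagged = []
    for e in events:
        if e.day > baseline_until:
            reasons = score_event(e, baselines)
            if reasons:
                flagged.append((e, reasons))
    return flagged


if __name__ == "__main__":
    for ev, reasons in find_anomalies(SAMPLE_LOG, "2024-03-03"):
        print(f"{ev.ts} {ev.user} -> {ev.dest} ({ev.size} bytes): {', '.join(reasons)}")
```

Run as-is, it flags alice's 03:12 send of 48 MB to a never-seen host on three counts and carol's event for lacking any baseline, while bob's ordinary upload passes. Note what the output does and does not tell you: it surfaces a departure from the employee's own pattern, but it cannot say whether alice was careless or whether her account was in someone else's hands, which is exactly the ambiguity Davis describes, and that call still needs an analyst. A real SIEM baseline would also need far more history than four days before a three-sigma threshold means much.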

That’s good, as far as it goes. But relying solely on previous attack data could put an organization one step behind attackers who are already moving on to the next zero-day or hacking technique. “In the end, a determined adversary will evolve its methods, and an adaptive response approach must be adopted in order to keep up,” Mossburg advised.

This is why understanding emerging attack patterns is an important piece of the cybersecurity puzzle. For most organizations, sourcing that threat intelligence from third-party partners is more practical than trying to gather it alone.

How to avoid the vuln-fix-fix-the-fix cycle

Fixing holes that allowed attackers to infiltrate your infrastructure in the first place is a crucial step in strengthening your organization against future attacks. This may be as simple as patching the out-of-date software that got you pwned, or as complex as redesigning your network architecture to segregate key assets on protected subnets.

However complex the fix, it’s important that you don’t end up introducing new vulnerabilities or reliability issues when making it, Stevens points out.

“That comes down to integrated change management,” he said, adding that this often trips up even sophisticated companies. Understanding what configuration changes are in the pipe, and ensuring that they don’t conflict with each other, takes time and effort from technical staff. “If you are going to patch a vulnerability or make a change to systems, you have to make sure that the change is appropriately vetted for any cascading effects that this might have in an organization,” he said. Part of this analysis will involve assessing the risk that a vulnerability poses, and the impact that an exploit may have on the organization. Changes take time to implement safely, and there may be a queue. IT departments may have to prioritize which changes happen first.

They may also be forced to make a change within strict time constraints, especially if they are working to patch an already-exploited vulnerability. “We don’t always have a lot of time, and then you have to make the best choice at that moment to protect a business,” Stevens said. For that reason, he advocates the breaking of boundaries within IT departments. Eliminating silos is a key step in ensuring that everyone understands the effect of the change on all other systems.

That’s a good piece of advice for IT departments in general, but it’s especially worthwhile when dealing with cybersecurity issues. The fewer barriers to communication there are when trying to combat attacks and remediate threats, the better. ®
