With big companies such as Home Depot and JP Morgan hitting the headlines as the latest victims of cyber attacks, it would seem that no one is safe. Even more worryingly, the common feature of these attacks is that they are discovered months after launching.
It is shocking to read analyst reports and to learn that in, organisations with over 5,000 computers, over 90 per cent are compromised at any given time. The problem here is a lack of visibility and it leads us to put companies into two categories: those that know they have been compromised and those that do not know it yet.
These figures give us the feeling that hackers are finding it easier than ever before to blindside CIOs and CISOs. There needs to be a solution to this lack of visibility to help prevent other companies falling victim to cyber-attacks.
Time for CIOs to act
Cyber-attacks today are more sophisticated, more specific and more targeted than in the past. Whilst a company may have an ‘above-average’ security system in place, it does not necessarily guarantee safety. In light of this, CIOs and CISOs need to start focusing their attention on how they can detect current threats rather than relying solely on defences designed to prevent attacks happening in the first place.
> See also: Don't let a data breach destroy you: a history lesson
In other words, prevention is no longer enough. Hackers are capable of creating a customised method of attack dedicated to compromising an organisation’s IT environment. Never before has it been so easy for hackers to take control of internal systems and sit silently for months, searching through and extracting information. It’s only when the company’s information is eventually exposed on the Internet or used as a means to negotiate a ransom that the organization knows it has been compromised.
Whereas previously attacks were executed to prove a point, today such situations lead to major financial, reputational and legal impacts that are costly to recover from. Today, it’s not about ‘if’ an attack is going to happen, it’s ‘when’ and once it’s too late, ‘how badly’ the company has been affected.
The first few minutes are crucial
Initial intrusion can take only a few minutes. The real damage occurs much later, after the adversaries have spent weeks or months silently gaining more rights and access once inside the target system. For hackers, it's like finding a gold mine. They take their time to study the internal network of the victim, compromising other systems to expand their exploration and extracting valuable data for months or even years before they are detected.
An attacker will inevitably leave traces behind them during every step of the attack. For example, it can move through the organisation in a manner slightly different from what is considered normal behaviour. It can access proprietary code on development servers using the connection of a sales manager perhaps, a context never before seen. But all too often, when traces of their presence are detected, it is too late and the information that companies wanted to protect has been taken.
It is important, therefore, to focus on those first few minutes. By having greater visibility at this initial stage of intrusion means that security teams can action a more immediate response to suspicious behaviour. By documenting and generating alerts about any abnormal activity, CIOs and CISOs will be in a better position to prevent the spread and damage of an attack before the entire infrastructure is compromised.
A sophisticated response for complex attacks
It is clear there is a need for robust detection of these movements. Organisations need real-time visibility into the enterprise IT environment, with supporting and intelligent analytical information automatically generated to reveal risk factors and exposure, indicators of compromise and data exfiltration activities.
This is a revolutionary approach compared to just focusing on blocking an intrusion through comparing its signature against the original malicious code. Although detection after an attack is not a new concept, the older generation of intrusion detection systems (IDS) is based on using predefined rules and signatures to detect breaches. It sorely lacks visibility on end-user context and as a result is rendered ineffective against today’s world of customised attacks.
Detecting breaches is possible through analysing a variety of data at high volume and high speed in order to identify potential violations. Importantly, the tools must be accurate; too many false positives and they will quickly be ignored. Rather than relying on the detection of known signatures, the fight against today’s sophisticated attackers is about leveraging big data techniques, self-learning and expertise in collaborative cybersecurity – generally in the cloud.
> See also: The enterprise guide to preparing for the EU's new data protection legislation
It is about understanding end-user habits and the behaviour of systems and applications across internal and external networks, allowing targeted and complex attacks to be detected through an analysis of post-intrusion effects. A sea of unnecessary alerts needs to be replaced with rich end-user interfaces that security professionals can use to facilitate exploration and further investigation.
Today, organisations need a sophisticated response to these complex threats. Prevention is no longer enough and the daily headlines of the latest hacks are proof of this. Having better visibility to detect suspicious behaviour and the ability to reconstruct the pieces in real-time and act before more extensive damage occurs, will dramatically change the current situation of CIOs and CISOs. It will restore their visibility and put up a better fight against cyber-attacks.
Paol Nielson, Director of Strategy at Nexthink