Scanning the latest Information Security Breaches Survey [1], it would seem that 90% of large-scale organisations and 74% of smaller businesses have suffered some form of cyber security breach. On that basis, becoming a cyber security victim seems a near certainty for many. Paul Heffernan offers some solutions for Targeted Attack Defence Mechanisms.
We know that many UK organisations are not taking cyber security as seriously as they should, but the aforementioned statistic also tells us something else. Those that are taking cyber security seriously enough are still not effective when it comes to preventing breaches.
Companies that have been most successful at defending themselves have moved away from just relying on defender-oriented approaches towards the adoption of more attacker-oriented set-ups.
For example, take a typical organisation that has just implemented a vulnerability management programme. Businesses using this approach are seeking to defend themselves based on what they perceive ‘bad’ to be. They search their networks and systems for known vulnerabilities using predictable enumeration methods. This is not to say that vulnerability scanning is a bad thing as such, but hackers just don’t think like that.
Focus on penetration testing
An upgrade on this methodology could be the use of penetration testing, which seeks to add human creativity to the evaluation process and move slightly closer to the attacker-oriented perspective. Even this approach has some drawbacks, though.
First, some tools and techniques can be out of scope even for ethical hackers. Denial of Service-style attacks and exploitation on production systems are rarely conducted under a penetration testing engagement. Furthermore, commercial decisions often compress the engagement timescales, and this leads to shrinking scopes or high levels of test automation.
Traditional defensive approaches simply don’t work because hackers do not play by these rules.
One alternative approach is to engage testing against your organisation using more realistic attacks based on specific threat actors and their tradecraft. One such framework is the Bank of England’s CBEST testing methodology [2].
Launched back in May 2013, the CBEST scheme was put forward as a way of providing more intelligence-led and bespoke security tests for the financial sector. It provides a very considered and well-established way in which to test cyber security maturity, but has yet to break out of the specific contexts belonging to the financial sector.
For other sectors, there is little else quite so developed as this; a gap in capability remains.
What, then, might security professionals operating in these sectors do to address the issue on a firm footing?
Threat intelligence and the testing regime
You may wish to simply start considering threat intelligence as part of your testing regime. We know that many attacker tools, techniques and procedures are designed to target specific industries, or even specific configurations of technologies employed within these industries.
For instance, the ongoing cyber espionage campaign dubbed ‘Energetic Bear’ initially targeted US defence and aviation companies in 2011 before shifting its attentions to US and European energy firms [3]. It did this through phishing campaigns using PDF documents embedded with an Adobe Flash exploit. Later on, complex watering hole attacks tailored to specific employees in the energy sector were employed.
Such attacks are difficult to defend against unless you are actually trying these same techniques against your enterprise. This requires access to the threat intelligence in the first place to know about them, but also the management will to use tools, techniques and procedures which may not always have confidentiality, availability and integrity in mind.
Like all offensive techniques, there is often an ethical dilemma. Take the Sony PlayStation Distributed Denial of Service (DDoS) attacks that hit the organisation over Christmas last year [4]. Under the targeted attack defence methodology, it could have been worthwhile for Sony to buy a subscription to the Lizard Squad’s LizardStresser tool in order to test its own DDoS defences before other nefarious buyers of the tool did the same and used it against them.
Clearly, this is abetting the enemy, but nation state defence contractors do the same today.
Even after overcoming these moral issues, such techniques also require Chief Information Security Officers to convince the Board that more aggressive approaches can actually be trusted not to introduce risks which outweigh the benefits. That, i.e. management sponsorship, is the crux of the issue.
Paul Heffernan is Principal Consultant (Cyber) at Unipart Security Solutions