Targeted Attack Defence Mechanisms: How effective are your cyber solutions?

Paul Heffernan: Principal Consultant (Cyber) at Unipart Security Solutions

Scanning the latest Information Security Breaches Survey [1], it would seem that 90% of large-scale organisations and 74% of smaller businesses have suffered some form of cyber security breach. On that basis, becoming a cyber security victim seems a near certainty for many. Paul Heffernan offers some solutions for Targeted Attack Defence Mechanisms.

We know that many UK organisations are not taking cyber security as seriously as they should, but the aforementioned statistic also tells us something else: even those that do take cyber seriously are still failing to prevent breaches.

Companies that have been most successful at defending themselves have moved away from just relying on defender-oriented approaches towards the adoption of more attacker-oriented set-ups.

For example, take a typical organisation that has just implemented a vulnerability management programme. Businesses using this approach are seeking to defend themselves against what they already know to be bad: they search their networks and systems for known vulnerabilities using predictable enumeration methods. This is not to say that vulnerability scanning is a bad thing as such, but attackers simply don't think that way.

Focus on penetration testing

An upgrade on this methodology could be the use of penetration testing which seeks to add human creativity to the evaluation process and move slightly closer to the attacker-oriented perspective. Even this approach has some drawbacks, though.

First, some tools and techniques can be out of scope even for ethical hackers. Denial of Service-style attacks and exploitation on production systems are rarely conducted under a penetration testing engagement. Furthermore, commercial decisions often compress the engagement timescales and this leads to shrinking scopes or high levels of test automation.

Traditional defensive approaches fall short because attackers are not bound by the same rules: they are not constrained by scope, timescale or the need to protect the target's availability.

One alternative approach is to engage testing against your organisation using more realistic attacks based on specific threat actors and their tradecraft. One such framework is the Bank of England's CBEST testing methodology [2].

Launched back in May 2013, the CBEST scheme was put forward as a way of providing more intelligence-led and bespoke security tests for the financial sector. It provides a considered and well-established way in which to test cyber security maturity, but has yet to break out of the specific contexts belonging to the financial sector.

For sectors outside finance there is little that is quite so developed, which leaves a gap in the capability available to them.

What, then, might security professionals operating in these sectors do to address the issue on a firm footing?

Threat intelligence and the testing regime

A practical starting point is to build threat intelligence into your testing regime. We know that many attacker tools, techniques and procedures are designed to target specific industries, or even specific configurations of technologies employed within those industries.

For instance, the ongoing cyber espionage campaign dubbed 'Energetic Bear' initially targeted US defence and aviation companies in 2011 before shifting its attention to US and European energy firms [3]. It did so through phishing campaigns using PDF documents carrying an embedded Adobe Flash exploit. Later on, complex watering hole attacks tailored to specific employees in the energy sector were employed.

Such attacks are difficult to defend against unless you are actually trying these same techniques against your own enterprise. This requires access to the threat intelligence in the first place in order to know about them, but also the management will to use tools, techniques and procedures that, unlike a conventional test, may put confidentiality, integrity and availability at risk.
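As an added example of turning a piece of threat intelligence into a repeatable test (this is illustrative code, not the author's or Unipart's own tooling): the Energetic Bear lure described above was a PDF carrying an embedded Flash exploit, so a defender can construct an inert PDF with the same structure and confirm that the mail gateway or file scanner flags it. The PDF object layout, file names and indicator labels below are assumptions made for illustration; the embedded stream holds only an SWF-shaped header, no exploit.

```python
"""Turning a threat-intelligence TTP into a repeatable defensive test.

Added example, not the article's or Unipart's own tooling. The lure type is
the one the article describes for Energetic Bear: a PDF carrying embedded
Flash. build_test_pdf() constructs an inert PDF with that structure (no
exploit, just an SWF-shaped header inside a RichMedia annotation) and
scan_pdf() is the gateway-style check expected to flag it. Object layout,
file names and indicator labels are assumptions for illustration.
"""
import re
import zlib

# PDF name objects that indicate Flash/RichMedia or other active content.
# Names may hex-escape characters (#2F for '/'), so both spellings of the
# MIME type are matched.
SUSPECT_NAMES = {
    "RichMedia annotation": rb"/RichMedia",
    "Flash content": rb"application(?:/|#2F)x-shockwave-flash|/Subtype\s*/Flash\b",
    "JavaScript action": rb"/JavaScript|/JS\b",
    "OpenAction (runs on open)": rb"/OpenAction",
    "Launch action": rb"/Launch",
}

# Magic bytes of uncompressed, zlib- and LZMA-compressed SWF files.
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def _stream_bodies(pdf):
    """Yield each stream body raw, and decompressed where it is FlateDecode'd,
    so names hidden in object streams and embedded files are still seen."""
    for m in STREAM_RE.finditer(pdf):
        body = m.group(1)
        yield body
        try:
            yield zlib.decompress(body)
        except zlib.error:
            pass


def scan_pdf(pdf):
    """Return sorted indicator labels found in the PDF bytes (empty = clean)."""
    bodies = list(_stream_bodies(pdf))
    hits = set()
    for label, pat in SUSPECT_NAMES.items():
        if any(re.search(pat, blob) for blob in [pdf] + bodies):
            hits.add(label)
    if any(b[:3] in SWF_MAGIC for b in bodies):
        hits.add("embedded SWF stream")
    return sorted(hits)


def build_test_pdf(with_flash):
    """Constructed one-page PDF. With with_flash=True the page gets a RichMedia
    annotation whose asset is a Flate-compressed, inert SWF-headed stream."""
    annots = b" /Annots [4 0 R]" if with_flash else b""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]" + annots + b" >>",
    ]
    if with_flash:
        swf = zlib.compress(b"FWS\x0a" + b"\x00" * 16)  # header only, not a real SWF
        objs += [
            b"<< /Type /Annot /Subtype /RichMedia /Rect [0 0 100 100] "
            b"/RichMediaContent << /Assets << /Names [(lure.swf) 5 0 R] >> >> >>",
            b"<< /Type /Filespec /F (lure.swf) /EF << /F 6 0 R >> >>",
            b"<< /Type /EmbeddedFile /Subtype /application#2Fx-shockwave-flash "
            b"/Filter /FlateDecode /Length %d >>\nstream\n" % len(swf)
            + swf + b"\nendstream",
        ]
    out = bytearray(b"%PDF-1.7\n")
    offsets = []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += (b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (len(objs) + 1, xref_pos))
    return bytes(out)


if __name__ == "__main__":
    for flag in (False, True):
        print("flash" if flag else "clean", "->", scan_pdf(build_test_pdf(flag)))
```

The check is deliberately a name-and-magic-bytes sweep rather than a full PDF parser: it sees through FlateDecode streams but not LZW or ASCIIHex filters, encrypted documents or incremental updates, so a gateway that relies on it alone can still be evaded. The practitioner's point is the shape of the exercise: the test artefact is derived from the intelligence, it is harmless to run in production, and it can be replayed every time a control or vendor changes.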

Like all offensive techniques, there is often an ethical dilemma. Take the Sony PlayStation Distributed Denial of Service (DDoS) attacks that hit the organisation over Christmas last year [4]. Under the targeted attack defence methodology, it could have been worthwhile for Sony to buy a subscription to Lizard Squad's LizardStresser tool in order to test its own DDoS defences before other nefarious buyers of the tool used it against them.

Clearly, this amounts to funding the adversary, but nation state defence contractors already do the same today.

Even once these moral issues are overcome, such techniques require Chief Information Security Officers to convince the Board that more aggressive approaches can be trusted not to introduce risks that outweigh the benefits. Management sponsorship is the crux of the issue.

Paul Heffernan is Principal Consultant (Cyber) at Unipart Security Solutions

References

[1] http://www.pwc.co.uk/audit-assurance/publications/2015-information-security-breaches-survey.jhtml

[2] http://www.bankofengland.co.uk/financialstability/fsc/Pages/cbest.aspx

[3] https://securelist.com/files/2014/07/EB-YetiJuly2014-Public.pdf

[4] http://www.forbes.com/sites/davidthier/2015/05/15/psn-is-down-and-lizard-squad-claims-credit/
