Building a custom defence solution

How Australian businesses should look beyond standard industry security products and solutions to build custom defence strategies unique to their organisation, and the best way for companies to individually detect, analyse, adapt, and respond to targeted attacks

Today’s most damaging attacks are targeted specifically at an organisation’s people, systems, vulnerabilities and data. Advanced targeted attacks are more sophisticated than traditional approaches, using social engineering techniques to quietly penetrate an organisation to deploy customised malware.

The incredibly damaging security breach that Target suffered last year was the most elaborate retail heist in the history of cyber crime, with the prize being financial and personal information for nearly one in three Americans. Ultimately, the attackers appear to have used a two-phased approach to compromise the 40 million credit and debit cards.

The greatest worry is that the US Senate report on the attack, released this week, found that Target missed multiple opportunities to stop the attackers and prevent the data breach. The report suggested that there was no indication that Target responded to warnings that malware was being installed on its system, and ignored automated warnings revealing how the attackers planned to carry data out of Target's network.

Target may be a high profile retail giant but Trend Micro’s 2013 security roundup report showed that no company, regardless of size, is safe from cyber attacks. 2013 saw varied targeted attack campaigns, each with a unique technique. Australia also saw the number of botnet C&C (Command and Control) servers increase by around 65 per cent from Q1 to Q4 2013.

In 2014, cyber criminals will increasingly use targeted attack methodologies like open source research and highly customised spear phishing. The allure of targeted attack techniques goes beyond campaigns’ success rate; they will be adopted because of ease of use and effectiveness in terms of evading detection. We will increasingly see new and more creative ways to monetise stolen data, which will lead to a more competitive cyber criminal market.

Moving beyond the standard

Most Australian CSOs are aware that their networks and systems require defences against targeted attacks carried out by well-equipped, knowledgeable attackers. But as the Target attack, along with so many recent data breaches at home and overseas, has shown us, existing security strategies with a one-size-fits-all approach are no longer enough to deal with the custom nature of targeted attacks and their dedicated perpetrators.

To combat these targeted attacks, organisations must look at a custom defence strategy: one that recognises the need for a specific approach and relevant intelligence uniquely adapted to each organisation and its attackers.

That may be an easy statement to make, but how do organisations develop a strategy to help defend against these attacks?

An effective strategy considers more than purely technical concerns: it is the work of malware analysts, security operations centre (SOC) operators, researchers, forensic investigators, penetration testers, operations managers and crisis managers. A multidisciplinary approach ensures that all aspects of a potential attack can be recognised and the appropriate countermeasures and defences put in place.

Building a custom defence strategy against targeted attacks

An ideal solution and strategy weaves an organisation’s entire security infrastructure into a custom and adaptable defence that is tuned to its particular environment and threat landscape. Custom defence strategies should employ a comprehensive lifecycle that detects, analyses, adapts and responds uniquely to your particular organisation and the threats against it.

When building a custom defence solution, I would recommend incorporating these important elements for the most effective protection:

Understanding. Understanding the threat environment is crucial. Look at the attackers, their methods and the clear goals they have in mind – i.e., to infiltrate the target's networks and acquire information. Understanding their goals and psychology makes their tactics easier to anticipate, which in turn makes their attacks easier to detect or defend against and forces attackers to make mistakes.

Visibility. Visibility into an organisation’s network is part of effective custom defence, and traffic monitoring is the foundation of the proactive risk management strategies proposed by most security analysts and experts.

Advanced monitoring and analysis of inbound/outbound and local traffic provides insight into what is really happening on the network. In addition to detecting advanced threats, it can also reveal any risky applications in use, mobile device access and activities, and unusual traffic and data transfer patterns.

Detection. Advanced threat detection at the network level can discover the malicious content, malware, communications and attacker activities that are typically invisible to standard defences. But the key to detecting targeted attacks is to employ sandbox simulation and threat detection rules that are customised to reflect an organisation's particular host configurations, IT environment and risk concerns.

Additionally, by using an open detection and analysis platform, organisations can increase the detection and blocking capabilities of standard protection points such as email and web gateways and endpoint security, offering increased protection against spear phishing and other early phase attack events.

Risk assessment. An ideal custom defence solution augments automated local threat analysis with relevant global intelligence. With the right information, even zero-day malware and previously unknown communication channels can often be linked to related samples or activities seen elsewhere, providing a strong set of indicators of the attack nature, objectives and source.

A threat profile based on this custom intelligence allows organisations to respond with the appropriate actions and urgency.

Prevention. For a true custom defence solution, use custom detection, analysis and intelligence to enhance protection from further attack and optionally block current attack activity such as C&C communications.

This may include direct blocking at the detection point but should include custom security updates (IP/URL blacklists, antivirus or other signatures) sent from the detection/analysis platform to all pertinent protection points. In this way, the entire security infrastructure adapts to defend against this new attacker.
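As an added illustration of the detect-then-adapt loop described above (not code from the article or from Trend Micro), the snippet below runs two environment-specific rules over constructed outbound flow records and turns the resulting alerts into a blocklist delta for the protection points. The host roles, egress limits and addresses are all assumptions for the example.

```python
from collections import defaultdict

# Constructed outbound flow records (hypothetical, not from the article):
# (source host, destination, bytes sent). Real input would come from
# proxy, NetFlow or firewall logs.
FLOWS = [
    ("10.1.1.20", "198.51.100.7", 12_000),
    ("10.1.1.20", "198.51.100.7", 11_500),
    ("10.1.1.21", "198.51.100.9", 9_000),
    ("10.1.1.22", "203.0.113.45", 350_000_000),  # bulk transfer from a workstation
    ("10.1.1.23", "203.0.113.10", 600),          # small, but to a listed C&C address
    ("10.1.1.50", "198.51.100.7", 900_000_000),  # backup server: expected volume
]

# Environment-specific tuning: the part that is customised per organisation.
KNOWN_BAD = {"203.0.113.10"}                      # existing blocklist (assumed)
ROLE_EGRESS_LIMIT = {"workstation": 50_000_000,   # bytes per destination per day
                     "backup-server": 2_000_000_000}
HOST_ROLE = defaultdict(lambda: "workstation", {"10.1.1.50": "backup-server"})

def detect(flows, known_bad=KNOWN_BAD):
    """Return alerts as (rule, src, dst, total_bytes). Two custom rules:
    1. contact with a destination already on the blocklist (C&C traffic);
    2. outbound volume to one destination above the host's role limit."""
    per_pair = defaultdict(int)
    for src, dst, nbytes in flows:
        per_pair[(src, dst)] += nbytes
    alerts = []
    for (src, dst), total in sorted(per_pair.items()):
        if dst in known_bad:
            alerts.append(("known-c2", src, dst, total))
        elif total > ROLE_EGRESS_LIMIT[HOST_ROLE[src]]:
            alerts.append(("bulk-egress", src, dst, total))
    return alerts

def adapt(alerts, known_bad=KNOWN_BAD):
    """Turn alerts into a blocklist update for gateways and endpoints:
    only destinations not already listed, so each protection point
    receives a delta rather than the whole list."""
    return sorted({dst for _, _, dst, _ in alerts} - known_bad)

if __name__ == "__main__":
    found = detect(FLOWS)
    for alert in found:
        print("ALERT", *alert)
    print("blocklist update:", adapt(found))
```

The same per-pair totals could feed a SIEM query at the remediation stage to establish which other hosts spoke to a newly listed destination.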

Remediation. Detailed threat profile information will help guide containment and remediation actions, and enable the optimum use of specialised tools and SIEM or other log analysis methods to determine the full extent of the attack and support a detailed forensic investigation.

Let’s all treat the Target attack as a major wake-up call. Let’s all recognise and appreciate the level of professionalism and sophistication with which this truly enormous data breach was carried out. If we can learn from Target’s mistakes, we should investigate the new technologies, strategies and innovation that exist to thwart these types of targeted attacks. The time is now to build a custom defence solution and avoid being the next Target.

Sanjay Mehta is managing director of Trend Micro Australia and New Zealand.
