The sophistication of attacker tactics, techniques and procedures (TTPs), coupled with Australia’s mandatory data breach notification laws coming into effect in early 2018 means organisations are faced with the onerous task of evaluating their existing cybersecurity investments to ensure personally identifiable information (PII) and critical business information are protected at all times.
As a result, the pressure is on chief information security officers (CISOs) to ensure their organisations are not only prepared to prevent an attack, but are also able to respond to one if – and when – it occurs. Many organisations are focusing strongly on their response capabilities as they are assuming they have already been breached, rather than thinking they will never be attacked.
This trend can be seen not only in the financial services and healthcare sectors – which are both typically driven internally by compliance due to their possession of critical PII – but also in manufacturing, transportation and even entertainment and sports. While these companies may not be directly impacted by the federal government’s incoming data breach notification laws, they are taking notes on what preparation measures they need to take to respond to a cybersecurity attack.
Balancing cost and risk reduction
We all understand the need for better cybersecurity. However, for most CISOs the next logical challenge is determining the best way to reduce real-world risk without exhausting or overshooting an already-strained budget.
Many small- to medium-sized businesses are constrained by budgets, leading to weaker defences and a lack of layered protection. This financial constraint can often become an opportunity that drives CISOs to get creative: re-engineering existing business processes to eliminate potential risks (e.g. by removing unnecessary information), and redeploying their cyber security investments across technology, processes, people and cyber-insurance.
However, preparing your controls and systems to defend only against certain types of cyberattack is risky, especially as attacker TTPs continue to evolve and become increasingly sophisticated alongside the rise of a well-oiled industry offering Malware as a Service (MaaS).
You can’t control what you don’t understand
To control risk, you must first assess it accurately and comprehensively. In the absence of a network of spies relaying individual information on each attacker, we must pragmatically settle for knowing how to assess our own environments, how to improve our understanding of attacker TTPs and how to implement adequate countermeasures.
Based on the insights Verizon’s Investigative Response team has gained from conducting risk assessments, there are two particular attacker TTPs we’ve identified as increasingly common in the APAC region.
The first is web application attacks, driven by the increasing reliance on e-automation platforms, e-commerce platforms and web portals deployed by Australian technology firms. Web applications are the window through which businesses connect with their partners, supply chain and customers. The best example of this is the recent Equifax attack, which emanated from vulnerable web applications.
The second is social engineering, with phishing attacks becoming all too common as users unknowingly download malicious files and click on web links without understanding the impact of their actions.
Obtaining information and threat intelligence on attackers’ actions, both inside and outside your organisation, is important to better understand their TTPs. Locking your doors and windows is one step toward being more secure, but being able to see burglars as they roam can help you ascertain what they want and how you can protect yourself more effectively.
Knowing what you don’t know is a far better situation than not knowing what you don’t know. As described in the “Unknown Unknowns” scenario in the Data Breach Digest 2017, we found that unknown systems – accounts, software and data – act as landmines for enterprises. Hidden and ready to detonate, these unknown unknowns can explode at any time, resulting in substantial impact to a company’s operations and/or public perception. Countermeasures from the Critical Security Controls (CSC), such as CSC-5, CSC-6, CSC-7, CSC-10 and CSC-13, can help mitigate the risks from such threats.
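One way to surface such unknown systems and accounts is to reconcile what the inventory says exists against what the logs show is actually active. The script below is an added example and is not part of this article or Verizon’s own tooling: it takes a constructed asset inventory (a stand-in for a CMDB or directory export) and constructed DHCP and sshd log lines (ISC dhcpd and OpenSSH message formats are assumed), and reports hosts and accounts that are in use but inventoried nowhere.

```python
import re

# Constructed inventory: the hosts and accounts the organisation believes
# it has (what a CMDB or directory export would contain). Not real data.
KNOWN_HOSTS = {"web-01", "db-01", "jump-01"}
KNOWN_ACCOUNTS = {"alice", "bob", "svc-backup"}

# Constructed syslog-style DHCP and sshd lines standing in for a log export.
SAMPLE_LOGS = """\
Mar 01 08:00:01 dhcp dhcpd: DHCPACK on 10.0.1.10 to 00:11:22:33:44:55 (web-01) via eth0
Mar 01 08:00:05 dhcp dhcpd: DHCPACK on 10.0.1.11 to 00:11:22:33:44:66 (db-01) via eth0
Mar 01 08:02:17 dhcp dhcpd: DHCPACK on 10.0.1.77 to 00:11:22:33:44:ff (legacy-ftp) via eth0
Mar 01 08:05:00 web-01 sshd[1020]: Accepted publickey for alice from 10.0.1.5 port 50222 ssh2
Mar 01 08:06:41 legacy-ftp sshd[311]: Accepted password for oldadmin from 10.0.1.5 port 50301 ssh2
Mar 01 08:07:12 db-01 sshd[2201]: Accepted password for svc-backup from 10.0.1.10 port 41000 ssh2
Mar 01 08:09:30 jump-01 sshd[777]: Accepted password for tmp-contractor from 203.0.113.9 port 55000 ssh2
""".splitlines()

# Pattern for ISC dhcpd acknowledgements that carry a client hostname (assumed format).
DHCP_RE = re.compile(r"DHCPACK on (\S+) to \S+ \((\S+)\)")
# Pattern for OpenSSH successful-login lines behind a syslog timestamp (assumed format).
SSH_RE = re.compile(
    r"^\S+ +\d+ [\d:]+ (\S+) sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+)"
)


def parse_logs(lines):
    """Split log lines into DHCP sightings (hostname -> ip) and SSH logins."""
    hosts_seen = {}
    logins = []  # tuples of (host, auth method, user, source ip)
    for line in lines:
        m = DHCP_RE.search(line)
        if m:
            ip, host = m.groups()
            hosts_seen[host] = ip
            continue
        m = SSH_RE.match(line)
        if m:
            logins.append(m.groups())
    return hosts_seen, logins


def find_unknowns(lines, known_hosts=KNOWN_HOSTS, known_accounts=KNOWN_ACCOUNTS):
    """Reconcile observed activity against the inventory and report the gaps.

    Anything seen on the wire but missing from the inventory is an
    'unknown unknown': a host nobody tracks, or an account nobody owns.
    """
    hosts_seen, logins = parse_logs(lines)
    # Hosts that obtained a lease or accepted a login but are not inventoried.
    active_hosts = set(hosts_seen) | {host for host, _, _, _ in logins}
    unknown_hosts = sorted(active_hosts - set(known_hosts))
    # Accounts that logged in somewhere but are absent from the directory export.
    unknown_accounts = sorted({user for _, _, user, _ in logins} - set(known_accounts))
    # Logins landing on untracked hosts deserve the first look: such a host
    # sits outside patching, logging and backup coverage by definition.
    activity_on_unknown_hosts = [
        (host, user, src) for host, _, user, src in logins if host not in known_hosts
    ]
    return {
        "unknown_hosts": unknown_hosts,
        "unknown_accounts": unknown_accounts,
        "activity_on_unknown_hosts": activity_on_unknown_hosts,
    }


if __name__ == "__main__":
    report = find_unknowns(SAMPLE_LOGS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the constructed data, the report flags one host (legacy-ftp) that obtained a DHCP lease and accepted a password login without appearing in the inventory, and two accounts (oldadmin, tmp-contractor) that are active but owned by nobody on record. The same reconciliation works against any pair of inventory export and log source; the value is in running it on a schedule so the gap list shrinks rather than being discovered during an incident.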
Don’t lose sight of non-technical controls
Whether your organisation plans to introduce a new cybersecurity system or use an existing one, any defence strategy is made up of layered technical, physical and administrative or procedural security controls. Technical security controls get the most attention, but procedural controls are equally important.
Just as any piece of hardware or software has technical vulnerabilities, determined social engineering can crack even rigorous administrative and procedural design, such as building air gaps or establishing least privilege and segregation of duties. These controls aren’t invincible, but they can deter large numbers of opportunistic attackers.
These procedural controls should also include a proper security awareness programme, so that the users of every piece of hardware and software are invited to join the journey.
Once you create the right environment, employees will follow the correct procedures which in turn will start to drive the correct behaviour.
For instance, while investigating business e-mail compromise (BEC) incidents, we frequently recommend our customers go beyond technical controls and build in administrative and procedural controls in their critical business processes to safeguard their investments. Requiring a simple out-of-band verification call can help save significant dollars that might otherwise be siphoned off using these BEC scams.
How to balance controls with user experience
The complexity of defence in depth has a cost to users or administrators that can’t be counted in dollars. Well-designed defences don’t have to complicate the user experience, but poorly designed ones certainly will.
Human Computer Interaction Security (HCISec) is a field specifically dedicated to this challenge – and you don’t have to be an HCISec specialist to address the issue in your organisation. Part of simplifying security for your users is considering what should be done in-house versus what should be outsourced. Managed security service providers can help you balance your controls across preparation, detection and response, manage complexity and maintain documentation for all your controls.
Finding the right controls for your organisation
The devil is in the detail when it comes to security controls. Implementing non-effective controls or just narrowly focusing on compliance requirements may lead to a false sense of security that could be far more detrimental than having no controls at all.
It’s important to go back to basics when it comes to security hygiene, particularly if budgets are tight. Always assess the right controls for your organisation by first researching the enterprise risks. This is the easiest way to understand how to start protecting your highest-priority assets.
Ashish Thapar is a Managing Principal on the Investigative Response team at Verizon. He leads the team responsible for supporting all customer-facing computer incident response, digital forensics, electronic discovery and IT investigations in the Asia Pacific & Japan region.