In less than 90 days or on 22nd of February 2018 to be exact, the Notifiable Data Breach (NDB) amendment will take effect in Australia. By this time, businesses would have had nearly a year to prepare themselves for the introduction of this new law and what it means for executives and IT teams moving forward. The Office of the Australian Information Commissioner (OAIC) has been supportive in providing detailed resources to help organisations understand the law and prepare for its introduction.
While it is important to note the efforts of the OAIC are a positive step forward to ensure businesses have what they need to comply with the new regulations, there is still something missing in the preparation of the roll-out of this new legislation.
Even though the OAIC and other organisations, have implemented strategies such as 'privacy by design', which is the process of taking privacy into account throughout the entire development process of a service, there are gaps which can lead to vulnerabilities.
What many organisations fail to realise, is that programmes and processes that have previously been developed without privacy in mind are still at risk. Although the average time for detecting an active compromise changes, the vast number of published breaches reveal that compromise events occurred months, if not years, prior to detection.
Effectively the threat actor had been 'living off the land,' which is defined as a threat actor using an organisation's inbuilt systems and software to achieve their goal. In order to avoid this, it is imperative that businesses integrate pre-validation, understand how hackers think, and constantly test prior to investing big bucks into security.
Validation as Part of the Cybersecurity Lifecycle
To describe pre-validation in terms of the NDB legislation, think of it like buying a house. If someone is about to make a large investment in something that they will depend on for many years, then it is in their best interest to have it inspected for issues that could be problematic and costly in the future. This is the same attitude organisations should adopt when preparing for the NDB legislation.
Before entering a period when organisations must report breaches to the Australian Privacy Commissioner, it is of benefit to make sure there is no existing breach to report on. Validating that organisations have a clean threat-free environment prior to the law coming into effect, ensures that the investments made towards future processes and security policies for notifiable breach reporting are not going to be used to report on a pre-existing breach.
An effective cybersecurity strategy lifecycle is similar to an Incident Response lifecycle. It is important to understand the difference because the incident response lifecycle is the treatment of one particular threat, designed to eradicate it from an organisation's environment. The cybersecurity strategy lifecycle gives businesses a strategy for their entire technology environment. Having visibility of the entire environment is important as most cyber criminals want to keep access to an organisation’s network, a secret for as long as possible.
How Hackers Think
Hackers follow many variations to complete the objectives of their attack. Reviewing these variations, highlights that most of the steps involved are focused on getting into an organisation's environment undetected. It probably comes as no surprise that this is the hardest part for most cyber criminals. Once they find a way in, they are not going to give up the access they have acquired immediately, good hackers think of long-term goals.
Criminals will most likely keep these back doors open, hiding malware in an organisation's environment, ready to be utilised when they decide to launch an attack. Sometimes this can be seen in an organisation's environment in the form unusual system issues, such as a user logging over VPN from two different countries just minutes apart.
An irregularity like this is often inappropriately referred to as a "glitch," but organisations experiencing any suspicious network behaviour could already have been in danger.
Testing Before Investing
Threat actors living off the land is a lot more common than you might think. In fact, the vast majority of targeted threat hunts result in uncovering threats that existing security solutions have missed, allowing IT professionals to eradicate the threat and eliminate back doors to prevent the threat from returning.
Even within some of the most sophisticated security postures, threats have sat dormant, often because the threat existed in the network prior to the security strategy's implementation. This is why validating that a threat doesn't exist in a business’s environment should be the first step in preparing for the NBD legislation.
This will help make certain organisations have a clean bill of health before building out a robust strategy to help reduce overall risk exposure. With NDB laws coming into effect and driving greater attention to cybersecurity, activities such as Targeted Threat Hunting should be seen as food for thought as organisation.