[BreachExchange] Cyber crime as a service forces changes in information security

Destry Winant destry at riskbasedsecurity.com
Thu Apr 27 00:18:45 EDT 2017


http://www.networkworld.com/article/3192400/security/cyber-crime-as-a-service-forces-changes-in-information-security.html

Cyber crime has been commercialized. Infecting computers with
ransomware or using an advanced persistent threat to pilfer
intellectual property no longer requires deep technical knowledge.
Just use Google to learn how to access the Dark Web, and you can find
hackers who, for a price, are more than happy to write malware, create
highly effective spear phishing campaigns and develop bogus websites
for harvesting login credentials.

Major companies (think Fortune 500 organizations) understand that
cyber crime as a service has changed how they handle defense. But for
organizations still maturing their defensive measures, here’s what the
transformation of cyber crime into an industry means for how you
approach information security.

Your enemies aren’t script kiddies

Security and IT professionals need to accept that they’re not facing
inexperienced hackers. The good guys typically realize that
adversaries are skilled but don’t fully realize their technical
prowess. Script kiddies are still out there, but I’d argue that
they’re not going after enterprises.

The real threat is from the group of hackers who worked for the
Russian government, realized their skills could command a high price
in the private sector, and now sell their services on the Dark Web.
For them, hacking isn’t a pastime. It’s their profession. Oftentimes
they get paid only if the mission is successful, giving them an
incentive to make sure the goal is achieved. If you’re a defender,
adopt the perspective of the enemy. Think what points you would try to
exploit if you were on the offensive side.

Better walls don’t lead to better security

With professional hackers behind the keyboard, infiltration is
guaranteed. Security and IT professionals should accept that attackers
will eventually find a way in, regardless of how great your defenses
are. This can be hard for companies (even major ones) to understand.
There’s a belief that better information security means building
higher and thicker walls. So, you add firewalls and antivirus
software. When those aren’t enough, you add next-generation antivirus,
intrusion prevention systems and some other next-generation
technology.

But adversaries will figure out how to get around all of those
products. You build a bigger wall; they just dig a tunnel under it.
You can’t fight every threat or the entire internet. This realization
isn’t meant to discourage information and IT professionals who are
diligently trying to protect their companies. Instead, I hope they’ll
adopt a different perspective on how to handle advanced adversaries.

Use a security incident to your advantage

If the bad guys are destined to infiltrate your company, what kind of
defense can you mount? To start, have a current incident response plan
in place. This means updating it to include any major changes at a
company and reviewing it to make sure key personnel are included.

For example, does your incident response plan include notifying public
relations staff to handle media inquiries or contacting a government
agency due to regulations? And make sure the people involved in the
plan know how to use it. The first time people see it shouldn’t be
during an incident. Run through the incident response plan at least
once a year.

Next, look for adversaries who are already in your environment. As
sophisticated as attackers are, they’re not invisible. They will
always leave some trace, no matter how small. As defenders, your job
is to discover those tiny clues and use them to figure out the
attacker’s complete plan.

Try to learn how the attackers evaded your defenses, what they’re
after and what systems have been compromised. Your goal here is to
stop the entire attack, not just one component of a much more
elaborate campaign. Partial remediation means the attackers still have
a foothold in your environment.

Don’t focus on attack attribution. That doesn’t do much to improve
your security. If you’re in the midst of a crisis, your priority
should be helping your organization return to normal business
functions as quickly as possible, not figuring out whether the
Russians or Chinese stole your intellectual property.

When and if you find evidence of attackers, don’t treat this discovery
as a defeat. Security incidents—even major ones like a data breach—are
an opportunity to improve your defenses. Security budgets typically
aren’t increased as a result of everything going right in your
organization. Knowing the gaps in your defenses gives you the
opportunity to plug them.

Cyber crime as a service means the good guys must change their
approach to information security. Defense is no longer a zero-sum
game, with every breach equalling a defeat. And winning doesn’t mean
stopping all the attackers. If the enemies are bound to get in, use
this to your advantage by treating it as an opportunity to discover
their full plan and improve your defenses.

