To analyze the cyber security
challenges faced by companies nowadays, it is necessary to obtain tangible
data, and evidence of what's currently happening in the market. Not all industries
will have the same type of cyber security challenges, and for this reason we
will enumerate the threats that are still the most prevalent across different
industries. This seems to be the most appropriate approach for cyber security
analysts that are not specialized in certain industries, but at some point in
their career they might need to deal with a certain industry that they are not
so familiar with.
Old Techniques and broader results
According to the Kaspersky Global IT
Risk Report 2016, the top causes for the most costly data breaches are
based on old attacks that are evolving over time, which are in the following
order:
1. Viruses, malware, and Trojans
2. Lack of diligence and untrained employees
3. Phishing and social engineering
4. Targeted attack
5. Crypto and ransomware
Although the top
three in this list are old suspects and very well-known attacks in the cyber security
community, they are still succeeding, and for this reason they are still part
of the current cyber security challenges. The real problem with the top three is
that they are usually correlated to human error. As explained before,
everything may start with a phishing email that uses social engineering to lead
the employee to click on a link that may download a virus, malware, or Trojan.
In the last sentence, I covered all three in a single scenario. The term
targeted attack sometimes is not too clear for
some individuals, but there are some key attributes that can help you identify
when this type of attack is taking place.
The first and most important attribute is that the attacker has a specific target in mind when he/she starts to create a plan of attack. During this initial phase, the attacker will spend a lot of time and resources to perform public reconnaissance to obtain the necessary information to carry out the attack. The motivation behind this attack is usually data exfiltration, in other words, stealing data.
Another attribute for this type of attack is the longevity, or the amount of time that they maintain persistent access to the target's network. The intent is to continue moving laterally across the network, compromising different systems until the goal is reached.
One of the greatest challenges in
this area is to identify the attacker once they are already inside the network.
The traditional detection systems such as Intrusion Detection Systems (IDS) may
not be sufficient to alert on suspicious activity taking place, especially when
the traffic is encrypted. Many researchers have already pointed out that it can take
up to 229 days between the infiltration and detection. Reducing this gap
is definitely one of the greatest challenges for cyber security professionals.
Crypto and ransomware are emerging and growing threats that are creating a whole new level
of challenge for organizations and cyber security professionals. In May 2017,
the world was shocked by the biggest ransomware attack in history, called
WannaCry. This ransomware exploited a known Windows SMBv1 vulnerability for which
a patch had been released in March 2017 (59 days prior to the attack) via the MS17-010 bulletin. The attackers used an exploit called EternalBlue that was
released in April 2017 by a hacking group called Shadow Brokers. According to
MalwareTech, this ransomware infected more than 400,000 machines across
the globe, which is a gigantic number, never seen before in this type of
attack. One lesson learned from this attack was that companies across the world
are still failing to implement an effective vulnerability management program, a
topic that has its own chapter, Vulnerability Management. It is very important to mention that phishing emails are still the
number one delivery vehicle for ransomware, which means that we are going back
to the same cycle again: educate the user to reduce the likelihood of
successful exploitation of the human factor via social engineering, and have tight
technical security controls in place to protect and detect.
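The detection gap described above is the part of the problem that an IDS watching encrypted traffic cannot close on its own, because the lateral movement that follows the initial foothold shows up in authentication telemetry rather than in packet payloads. The following is an added example, not code from the book or from any product it mentions: a small detector over constructed logon records (the line format, the 10-minute window and the five-host threshold are all assumptions chosen for the illustration) that flags one account on one source host fanning out to many destination hosts in a short time, which is exactly the "moving laterally across the network" pattern from the targeted attack discussion.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication records (not taken from any real environment).
# One event per line: <ISO timestamp> <account> <source host> -> <destination host> <result>
SAMPLE_LOG = """\
2024-03-04T11:50:02 jdoe WS-0117 -> FS-01 success
2024-03-04T11:50:40 jdoe WS-0117 -> FS-02 success
2024-03-04T11:51:13 jdoe WS-0117 -> SQL-03 success
2024-03-04T11:51:50 jdoe WS-0117 -> WS-0201 success
2024-03-04T11:52:21 jdoe WS-0117 -> DC-01 failure
2024-03-04T11:52:45 jdoe WS-0117 -> DC-01 success
2024-03-04T13:05:00 asmith WS-0042 -> FS-01 success
2024-03-04T15:30:00 asmith WS-0042 -> PRINT-01 success
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) -> (\S+) (success|failure)$")


def parse_events(log_text):
    """Turn the raw lines into (timestamp, account, source, destination, result)
    tuples sorted by time. Malformed lines are skipped rather than allowed to
    crash the detector."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, account, src, dst, result = m.groups()
        events.append((datetime.fromisoformat(ts), account, src, dst, result))
    return sorted(events)


def detect_lateral_movement(log_text, window=timedelta(minutes=10), threshold=5):
    """Flag any (account, source host) pair that authenticates to at least
    `threshold` distinct destination hosts inside a `window`-long span.
    Failed attempts count too: the fan-out itself is the signal, and the rule
    never needs to see the content of the (possibly encrypted) sessions."""
    by_actor = defaultdict(list)
    for ts, account, src, dst, _result in parse_events(log_text):
        by_actor[(account, src)].append((ts, dst))

    alerts = []
    for (account, src), actor_events in by_actor.items():
        for i, (start, _) in enumerate(actor_events):
            last_seen = {}  # distinct destination -> last attempt inside the window
            for ts, dst in actor_events[i:]:
                if ts - start > window:
                    break
                last_seen[dst] = ts
            if len(last_seen) >= threshold:
                alerts.append({
                    "account": account,
                    "source": src,
                    "start": start,
                    "end": max(last_seen.values()),
                    "targets": sorted(last_seen),
                })
                break  # one alert per actor is enough to start triage
    return alerts


if __name__ == "__main__":
    for alert in detect_lateral_movement(SAMPLE_LOG):
        print(f"{alert['account']}@{alert['source']} reached {len(alert['targets'])} hosts "
              f"between {alert['start']:%H:%M:%S} and {alert['end']:%H:%M:%S}: "
              f"{', '.join(alert['targets'])}")
```

On the constructed sample, jdoe on WS-0117 touches five different hosts (including the domain controller) in under three minutes and is flagged, while asmith's two ordinary logons hours apart are not. The window and threshold are the tuning knobs a Blue Team would set from its own baseline of normal administrative activity.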
The shift in the threat landscape
In 2016, a new wave of attacks
also gained mainstream visibility, when CrowdStrike reported that it had
identified two separate Russian intelligence-affiliated adversaries present in
the United States Democratic National Committee (DNC) network. According to their report, they found
evidence that two Russian hacking groups were in the DNC network: Cozy Bear
(also classified as APT29) and Fancy Bear (APT28). Cozy Bear was not a new
actor in this type of attack, since evidence has shown that in 2015 they were
behind the attack against the Pentagon email system via spear phishing attacks.
This type of scenario is called Government-sponsored cyber-attacks, but some
specialists prefer to be more general and call it data as a weapon, since the
intent is to steal information that can be used against the hacked party. The
private sector should not ignore these signs.
Enhancing your security posture
If you carefully read this entire
chapter, it should be very clear that you can't use the old approach to security
when facing today's challenges and threats. For this reason, it is important to ensure
that your security posture is prepared to deal with these challenges. To
accomplish this, you must solidify your current protection system across
different devices regardless of the form factor. It is also important to enable
IT and security operations to quickly identify an attack, by enhancing the
detection system. Last but certainly not least, it is necessary to reduce the time
between infection and containment by rapidly responding to an attack by
enhancing the effectiveness of the response process.
The Red and Blue Team
The Red/Blue Team exercise is not
something new. The original concept was introduced a long time ago during World
War I and like many terms used in information security, originated in the
military. The general idea was to demonstrate the effectiveness of an attack
through simulations. For example, in 1932 Rear Admiral Harry E. Yarnell demonstrated
the efficacy of an attack on Pearl Harbor. Nine years later, when the Japanese
attacked Pearl Harbor, it was possible to compare and see how similar tactics
were used (22). The effectiveness of simulations based on real tactics that
might be used by the adversary is well known and used in the military. The
University of Foreign Military and Cultural Studies has specialized courses
just to prepare Red Team participants and leaders (23). Although the concept of
red teaming in the military is broader, the intelligence support via threat
emulation is similar to what a cybersecurity Red Team is trying to accomplish.
The Homeland Security Exercise and Evaluation Program (HSEEP) (24) also uses
red teaming in prevention exercises to track how adversaries move and
create countermeasures based on the outcome of these exercises. In the
cybersecurity field, the adoption of the Red Team approach also helped
organizations to keep their assets more secure. The Red Team must be composed
of highly trained individuals, with different skill sets and they must be fully
aware of the current threat landscape for the organization's industry. The Red
Team must be aware of trends and understand how current attacks are taking
place. In some circumstances and depending on the organization's requirements,
members of the Red Team must have coding skills to create their own exploit and
customize it to better exploit relevant vulnerabilities that could affect the
organization. The core Red Team workflow takes place using the following
approach: The Red Team will perform an attack and penetrate the environment by
trying to break through the current security controls, also known as
penetration testing. The intent of the mission is to find vulnerabilities and
exploit them in order to gain access to the company's assets. The attack and
penetration phase usually follows the Lockheed Martin approach, published in
the paper, Intelligence-Driven Computer Network Defense Informed by Analysis of
Adversary Campaigns and Intrusion Kill Chains (25). We will discuss the kill
chain in more detail in Chapter 3, Understanding the Cyber security Kill Chain. The
Red Team is also accountable for registering their core metrics, which are very
important for the business.
The main metrics are as follows:
Mean Time to Compromise (MTTC): This starts counting from the minute that the Red Team initiated the attack to the moment that they were able to successfully compromise the target.
Mean Time to Privilege Escalation (MTTP): This starts at the same point as the previous metric, but goes all the way to full compromise, which is the moment that the Red Team has administrative privilege on the target.
So far, we've discussed the
capacity of the Red Team, but the exercise is not completed without the counter
partner, the Blue Team. The Blue Team needs to ensure that the assets are
secure and in case the Red Team finds a vulnerability and exploits it, they
need to rapidly remediate and document it as part of the lessons learned. The
following are some examples of tasks done by the Blue Team when an adversary (in
this case the Red Team) is able to breach the system:
Save evidence: It is imperative to save evidence during these incidents to ensure you have tangible information to analyze, rationalize, and take action to mitigate in the future.
Validate the evidence: Not every single alert, or in this case evidence, will lead you to a valid attempt to breach the system. But if it does, it needs to be cataloged as an Indication of Compromise (IOC).
Engage whoever is necessary to engage: At this point, the Blue Team must know what to do with this IOC, and which team should be aware of this compromise. Engage all relevant teams, which may vary according to the organization.
Triage the incident: Sometimes the Blue Team may need to engage law enforcement, or they may need a warrant in order to perform further investigation; a proper triage will help with this process.
Scope the breach: At this point, the Blue Team has enough information to scope the breach.
Create a remediation plan: The Blue Team should put together a remediation plan to either isolate or evict the adversary.
Execute the plan: Once the plan is finished, the Blue Team needs to execute it and recover from the breach.
The Blue Team members should also have a wide variety of skill sets
and should be composed of professionals from different departments. Keep in
mind that some companies do have a dedicated Red/Blue Team, while others do
not. Companies put these teams together only during exercises. Just like the
Red Team, the Blue Team also has accountability for some security metrics,
which in this case are not 100% precise. The reason the metrics are not precise
is that the Blue Team might not know exactly what
time the Red Team was able to compromise the system. Having said that, the estimation
is already good enough for this type of exercise. These estimations are self-explanatory,
as you can see in the following list:
Estimated Time to Detection (ETTD)
Estimated Time to Recovery (ETTR)
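To make the four metrics concrete, here is an added example (not code from the book) that derives MTTC and MTTP from the Red Team's own milestone log and ETTD and ETTR from the Blue Team's log, averaged over two constructed exercises. The timestamps are invented, the record layout is an assumption, and so is the ETTR definition used here (from the moment the IOC is cataloged to recovery); the book only names the metric. The Blue Team's entry for when the compromise happened is its own forensic estimate, deliberately a few minutes off the Red Team's logged time, which is the imprecision the text describes, and the last function measures that gap for the final report.

```python
from datetime import datetime, timedelta
from statistics import mean

# Constructed records from two hypothetical exercises (not real data). The Red
# Team logs its own milestones; the Blue Team logs what it could observe. The
# Blue Team does not see the Red Team's log during the exercise, so its
# "estimated_compromise" comes from its own forensic evidence and may differ
# from the Red Team's "initial_compromise".
EXERCISES = [
    {
        "red": {"attack_started": "2024-03-04T09:00:00",
                "initial_compromise": "2024-03-04T11:45:00",
                "privilege_escalation": "2024-03-05T16:20:00"},
        "blue": {"estimated_compromise": "2024-03-04T12:00:00",
                 "ioc_cataloged": "2024-03-06T08:10:00",
                 "recovered": "2024-03-06T18:30:00"},
    },
    {
        "red": {"attack_started": "2024-06-10T08:30:00",
                "initial_compromise": "2024-06-10T09:15:00",
                "privilege_escalation": "2024-06-10T14:00:00"},
        "blue": {"estimated_compromise": "2024-06-10T09:00:00",
                 "ioc_cataloged": "2024-06-10T17:30:00",
                 "recovered": "2024-06-11T10:00:00"},
    },
]


def _t(stamp):
    return datetime.fromisoformat(stamp)


def _mean_delta(deltas):
    """Average a list of timedeltas (statistics.mean works on the seconds)."""
    return timedelta(seconds=mean(d.total_seconds() for d in deltas))


def red_team_metrics(exercises):
    """MTTC and MTTP, both counted from the minute the Red Team started the
    attack and averaged over all exercises."""
    ttc = [_t(e["red"]["initial_compromise"]) - _t(e["red"]["attack_started"])
           for e in exercises]
    ttp = [_t(e["red"]["privilege_escalation"]) - _t(e["red"]["attack_started"])
           for e in exercises]
    return {"MTTC": _mean_delta(ttc), "MTTP": _mean_delta(ttp)}


def blue_team_metrics(exercises):
    """ETTD: from the Blue Team's own estimate of when compromise happened to
    the moment the evidence was validated and cataloged as an IOC.
    ETTR (assumed definition): from that IOC to recovery from the breach."""
    ttd = [_t(e["blue"]["ioc_cataloged"]) - _t(e["blue"]["estimated_compromise"])
           for e in exercises]
    ttr = [_t(e["blue"]["recovered"]) - _t(e["blue"]["ioc_cataloged"])
           for e in exercises]
    return {"ETTD": _mean_delta(ttd), "ETTR": _mean_delta(ttr)}


def estimation_error(exercises):
    """For the final report: how far the Blue Team's compromise estimate was
    from the time the Red Team actually logged, averaged over exercises."""
    errors = [abs(_t(e["blue"]["estimated_compromise"]) - _t(e["red"]["initial_compromise"]))
              for e in exercises]
    return _mean_delta(errors)


def fmt(delta):
    """Render a timedelta as hours and minutes, e.g. '1h 45m'."""
    hours, rem = divmod(int(delta.total_seconds()), 3600)
    return f"{hours}h {rem // 60:02d}m"


if __name__ == "__main__":
    for name, value in {**red_team_metrics(EXERCISES), **blue_team_metrics(EXERCISES)}.items():
        print(f"{name}: {fmt(value)}")
    print(f"Blue Team compromise-time estimation error: {fmt(estimation_error(EXERCISES))}")
```

Because the two teams keep separate logs, the only way to know how good the Blue Team's estimate was is to reconcile the logs afterwards, which is why the comparison belongs in the joint final report rather than in either team's live metrics.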
The Blue Team and the Red Team's
work doesn't finish when the Red Team is able to compromise the system. There
is a lot more to do at this point, which will require full collaboration among
these teams. A final report must be created to highlight the details regarding
how the breach occurred, provide a documented timeline of the attack, the
details of the vulnerabilities that were exploited in order to gain access and
to elevate privileges (if applicable), and the business impact to the company.