It’s not every day that you get to play the role of the chief information officer (CIO) of a Fortune 100 company. However, in light of recent high-profile cybersecurity breaches, let’s imagine for a moment that you are a CIO who is busy preparing to deliver a rather sobering cybersecurity briefing.
This is the first of a series of articles that I’ll be posting on CyberSecurity and Advanced Persistent Threats (APTs).
Much of what will be covered has been obtained from numerous sources — publications, whitepapers, conferences, blogs, personal experience and interviews — in the hope of presenting actionable guidance within a contemporary setting.
Being the bearer of bad news is never easy, particularly so when the news is likely to derail a multi-billion dollar corporation. And so, having completed the postmortem on a sophisticated hack that ran circles around your cyberdefences, you have been called in front of the chief executive officer (CEO) and the board of directors to deliver your briefing.
You take a moment to compose your thoughts and then begin to speak:
It took the attackers only six minutes to circumvent the perimeter defenses. From there, they achieved domain administrator privileges in less than 12 hours. In less than a week they fully compromised all 30 of our global domains. They harvested more than 200,000 credentials, giving them the ability to log in to the network masquerading as any of us—they could even change our investment elections in our 401(k)s or transfer money out.
There was no place on our global network they could not go and only a handful of computers they did not have easy access to—only 10 percent of our manufacturing facilities are behind firewalls, segregating them from our network. The attackers were in a position to electronically transfer millions of dollars out of our bank accounts through our accounts payable system. Their tools did not set off any alarms—our antivirus software did not trigger any alerts.
They had direct access to our manufacturing environment and could affect both the quality of our production processes and safety on our shop floors. They had access to our most sensitive intellectual property, including our past, current and future plans for major acquisitions and divestitures as well as the results of the billions of dollars we have invested in a decade of research and development.
And, in the end, they were able to steal all the data. We were not able to stop them, or even see them in our network.
While helpless panic filled the boardroom, it also marked a dramatic shift in the way the organization viewed cybersecurity. This watershed moment granted a previously neglected aspect of operational security the mandate to rethink its mitigation strategy.
The above example was a case of too little, too late. And although the damage here had been done, many of the board members held non-executive positions at other Fortune 100 companies. Their minds were busy assessing the likelihood of similar cybersecurity failures at these other organizations.
The questions they were asking: “What if someone does this to us again? How would we fare? How are we positioned to make an attacker’s tasks difficult, to detect that an attack scenario is underway, and to respond to attacks we detect?”
The ten assessment scenarios shown in Figure 1 were developed by Ernst & Young’s attack and penetration teams based on their previous encounters with advanced persistent threats (APTs).
These ten scenarios, although not an exhaustive list, can serve as a good starting point for organizations trying to come to terms with an adversary whose differing motives and increasingly sophisticated attacks pose significant risk to their operations.
Only a very small proportion of attacks receive national or international media attention. The vast majority of organizations, unless required by law, will try to minimize the negative press and never fully disclose the scale of a hack. After all, would you trust a bank to look after your money when they struggle to secure their own corporate website?
The scale of the problem can be seen in the Figure 2, and even these have been filtered to show breaches where total losses amounted to at least 30,000 records per incident. For a fully interactive and up to date version of the data visit the source.
The incident briefing, as described by our CIO to the CEO and the board, reflected an urgent need to fundamentally shift how the enterprise approached cybersecurity. This need was driven primarily by one key fact: The threats that enterprises face by being connected to the Internet are evolving at a much faster pace than the information security architectures, technologies and processes they have deployed to thwart them.
The threats that enterprises face by being connected to the Internet are evolving at a much faster pace than the information security architectures, technologies and processes they have deployed to thwart them.
While following prescriptive guidance will dramatically improve an organization’s preparedness in thwarting attacks, it is worth noting that guidance alone is no silver bullet. Transforming the security posture will only be helpful if such transformation is performed on a a continual basis.
Advanced Persistent Threats are actively engaged in reshaping their attack philosophies. If organizations are to mitigate such efforts, they need to be equally nimble at embracing novel approaches to cybersecurity.