Analysis: Could your business be the next Sony, TalkTalk or Ashley Madison?
Your data has been breached.
A strong statement, yes, but for those of you who disagree, the statement still stands – you just don’t know about it yet. As Terry Greer-King, director of cybersecurity, Cisco UKI & Africa, put it to CBR: "there are effectively two types of companies today; those that have been hacked, and those that don’t know they have been hacked."
We have seen Sony, Ashley Madison, and VTech named as just some of the high-profile companies to be hit by data breaches. The much publicised TalkTalk data breach hit the company for £60m and saw over 100,000 customers walk away from the company, yet despite these very public breaches businesses are still not taking action.
The 2015 Information Security Breaches Survey, conducted by PWC for the UK government, found that 90% of large organisations fell victim to a data breach between 2014 and 2015, while 74% of small businesses were also attacked.
However, as Andy Thomas, managing director of CSID, Europe, noted to CBR, the figures in the report only account for detected attacks.
"Only around 40% of incidents were identified by the organisation’s routine internal security or other controls; over 25% were detected by accident or by notification from outside the business (i.e. the police or the media)." Thomas told CBR.
This tells us that companies are not doing enough to mitigate attacks, and goes some way to explaining why companies are taking as long as 200 days to detect a breach – and that detection period is important. Recent Cisco research found that 60% of data is stolen within the first few hours of attack. Worryingly the research also found that 50% of attacks stay on systems for months, and in some cases years, without being detected.
So in short – data breaches are inevitable, companies large and small are getting attacked, and those same companies under attack are failing to detect and deal with numerous threats. This paints a worrying picture of today’s data landscape.
However, although data breaches are an accepted ‘when’ not ‘if’ scenario, there are measures companies can take – but before you can fight an attack, you have to find it first.
However, finding a breach or attack is not straightforward, as Piers Wilson, Head of Product Management, Huntsman Security, told CBR: "The issue with finding out if you’ve been the victim of a breach is that the majority of successful attackers won’t mark their actions and are likely even to try and conceal them. Plus, a loss of data or unauthorised access may only come to light when something is done with the data or when customers or the press get wind of what has happened."
The nature of the cyber attack is also key in this cat and mouse data chase. Generally, there are insider threats and external threats, but as Garry Sidaway, SVP Security Strategy at NTT Com Security, told CBR, the issue extends past the general notions of insider and external.
"There are outside threats, ranging from ‘reconnaissance attacks’ to determine weaknesses in the perimeter defences of an organisation, to ‘social engineering’ where the outside attacker uses social networking, news articles and personal calls to gain an insight into the person or company’s defences – then typically uses this knowledge to craft a specific email that contains malware or a link to a compromised or malicious website.
"Insider threats, on the other hand, have some level of knowledge and privilege. And, with the advent of cloud computing and an increased mobile workforce, controls are often being bypassed. One of the tell-tale signs would be a user transferring large amounts of data to cloud storage or a database administrator trying to access HR records."
Amongst the malware, social engineering and subtle hacking techniques, how can an organisation know if a breach has occurred?
Put simply, it’s about knowing what’s normal in regards to your business. Businesses need to establish a baseline of normal behaviour in regards to network traffic, access and operations. Knowing what’s normal will give visibility to irregular behaviour, or anomalies, as Tim Mitchell, Security Researcher, Dell SecureWorks, explained to CBR:
"In order to spot what’s abnormal activity, businesses need to understand what normal operations look like. This will help in identifying suspicious behaviour. For example, a user is more likely to check their emails first thing in the morning than attempt to access files in an unusual directory.
"Do users with standard permissions generally open a command prompt? Do they use software that doesn’t feature on a business’s list of allowed applications? Do IT admin staff normally log in at 3am on a Monday morning? Put simply, a malicious actor is likely to act differently from a regular user because his or her objectives are different. Therefore, such activity could be indicative of a breach of a company’s systems and observing it should be a priority."
Although the warning signs, or Indicators of Compromise, of a data breach very much depend on the type of attack used against a company, there are common red flags which companies can look out for.
Brian Hussey, Director of Global Incident Response and Readiness at Trustwave’s SpiderLabs team, told CBR that the common warning signs include "reduced operating speeds across the network, anti-virus or security software not functioning correctly, and machines restarting or shutting down unexpectedly. Monitoring for unexpected IPs and other unusual behaviour into and out of a network also serves as a clear warning of a potential breach."
A business must look for patterns, trends in unusual behavior and security teams must, as Dave Palmer, Director of Technology at Darktrace, told CBR, "be constantly prepared for the unknown, and correlate many small indicators to the network to establish odd patterns of activity. Like a jigsaw puzzle, each digital event needs to be placed together in order to understand exactly what is going on, even if these events look insignificant in isolation."
Putting the spotlight on some of those jigsaw puzzle pieces, Ian Trump, Security Lead at LOGICnow, gave CBR a handy checklist of signs to look out for – check them against your current systems to see if an attack is going undetected.
– Errors in the Application and System Event Logs (Event Log Checks)
– Failed Logins & Strange Event Log Entries in the Security Log (Event Log Checks)
– New Ports Open on the firewall
– Strange Firewall Log Entries (Network & DNS traffic to unknown destinations or strange destinations like Amazon cloud, when Amazon cloud is not used in the business; this is especially visible when allaying after-hours or on weekends when no employees are using their systems)
– Failed Patches, Disabled Anti-Virus
– Unable to Patch/Unable to Install AV
– Slow Network (Complaints of poor machine performance, instability or difficult to explain network traffic)
– Heavy Network Traffic from a workstation, significantly larger than other workstations
– New Devices on the network & New Users created with Admin Privileges!?
– Heavy/Strange Network Traffic (Destination IP’s outside of where customers and services are located)
– New Applications installed on endpoints & New Protocols such as direct communication to IP’s using DNS/IRC/NTP and other methods of communication
These warning signs, however, are constantly changing as hackers evolve and change techniques, in addition to adding new technology to their cyber arsenal. Ron Symons, regional director at A10 networks, told CBR that hackers are now using encryption to hide malware ‘on a major scale.’ Calling encrypted traffic ‘a dangerous Achilles heel for many organisations,’ this adoption of technology in order to more effectively deploy an attack not only reinforces the practice that security teams should be vigilant yet flexible in their security strategy, but also the need to know where your organsiation’s weak spots are.
Of course the major weak spot has nothing to do with technology, with the finger of blame pointed squarely at the employee. Using the weak link of the employee as a means to stress the importance of monitoring, Paul Briault, Digital Security, Identity and API Management Director at CA Technologies, told CBR:
"When it comes to security, one of the weakest links in any organisation is its employees. Human error is part of daily life and insider threats are one of the greatest risks to any organisation. Everyone from the most junior employee to the most senior must have their activity audited. Those with the highest privileges can be targeted through phishing scams as they are seen to be the most trusted employees with the greatest access. The majority of breaches happen when one of these highly trusted accounts are used to carry out a malicious event to extract sensitive information from the organisation.
"This means that all IT activity, from applications to networks, to identity systems to databases, need to be constantly monitored to ensure a positive position regarding security hygiene. Prevention strategies need to be enforced and if anything unusual is noticed the situation must be resolved quickly, with the root cause and effect being understood."
While threat detection has been likened to a jigsaw puzzle, the same simile can be afforded to cyber security.
No one thing is going to protect your organisation, with the ‘key to an organisation’s success in identifying breaches is not so much the tools they use but the processes and policies which are in place. Most importantly, businesses need analytic tools that can not only notify and recommend an action to take but also show key ‘what if?’ scenarios and remediation plays," according to Briault.
Although we have detailed the potential warning signs or symptoms of a data breach, it’s not just about understanding the threat. The devil is in the detail, as James Chappell CTO and co-founder of Digital Shadows, told CBR:
"Understanding the threats is only one part. A business may also benefit from understanding how it is ‘perceived’ by hostile threat actors. By understanding where key information assets, employee credentials and sensitive documents are being exposed online, an organisation can understand where it is likely to be most vulnerable.
"But to truly gain knowledge, organisations must place their observations in the context of their own risks and concerns. This enables firms to gain cyber situational awareness and is critical to ensuring that the collected information is relevant to their specific circumstances."