Lies, damned lies and statistics

Cyber-crime figures are a dime a dozen, but are they really improving your security, asks Ken Munro.


Cyber-crime surveys are routinely churned out by the security industry, analysing everything from cost per breach to the geographical distribution of cyber-crime. They're generally used to cite statistics at the board in order to justify spend. But are these reports really helping to improve security or are they simply contributing to the usual fug of Fear, Uncertainty and Doubt (FUD)?

There is certainly a need for cyber-security analysis. Businesses want to understand why breaches occur, and what they can do to mitigate the threats. But cyber-crime reports tend to be peppered with sketchy statements that often fail to identify the threat vectors. For instance, I recently heard a BBC News report that '33 percent of SME businesses have been attacked by an unauthorised outsider'; a little gem of a statement prised from the BIS 2014 Information Security Breaches Survey.

There was no discussion of the type of attack: a virus infection? A port scan? A phishing attack? Cryptolocker? An exploit attempt that was blocked? The vague reference made it nigh on impossible to reach any meaningful risk decision or draft any remedial actions. So what was the point? Surely not to drum up yet more trade for the consultants who just happened to sponsor the paper?

In the absence of substance you are better off working from genuine threat intelligence. Threat intel is an emerging market, with companies that can give you the lowdown on the sorts of threats and attacks specific to your industry. However, they can be expensive, and to justify the cost you may first need to prove to the board that there is a problem at all.

This is where DIY threat intel gathering really comes into its own: it is possible to pinpoint the types of malware being targeted at your organisation, starting with a honeynet.

By creating fake social media profiles for mock employees, with corresponding company email addresses, we can identify unsolicited emails, including those carrying malware. The majority of attacks start with a spear-phish, with the attacker doing some research to identify which people in the organisation to target. If you set up a fake email account on your domain solely for the purpose of monitoring attackers, you can capture, isolate and identify the threat before it can be triggered. You could then reverse engineer the malware, find out where it connects back to, and submit the sample and the destination IP address to VirusTotal to publicise the threat.
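A worked illustration of the decoy-mailbox idea, added here and not part of the original column or of any Pen Test Partners tooling: every message that lands on a decoy address is by definition unsolicited, so the script below parses a mailbox, keeps only mail addressed to the decoys, and records sender, embedded URLs and SHA-256 hashes of any attachments so they can be looked up on VirusTotal by hand. The decoy addresses, the list of risky attachment suffixes and the two sample messages are all constructed for the example.

```python
"""Triage mail delivered to decoy (honeynet) mailboxes.

Assumptions (constructed for this example): the decoy addresses below exist
only to attract attackers, and the sample messages are built inline rather
than read from a real mail store. Nothing is submitted anywhere; the output
is a list of alerts carrying hashes for manual lookup.
"""
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage
from email.utils import getaddresses, parseaddr

# Decoy mailboxes: real mail should never be addressed to these (constructed).
DECOY_ADDRESSES = {"j.smith@example.com", "finance-desk@example.com"}

# Attachment types that warrant a closer look (assumption, not a complete list).
RISKY_SUFFIXES = (".exe", ".scr", ".js", ".vbs", ".zip", ".docm", ".xlsm")

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an attachment, the value you would look up on VirusTotal."""
    return hashlib.sha256(data).hexdigest()


def parse_message(raw: bytes) -> dict:
    """Extract sender, recipients, subject, body URLs and attachment hashes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    recipients = set()
    for header in ("to", "cc"):
        for _name, addr in getaddresses([str(msg.get(header, ""))]):
            if addr:
                recipients.add(addr.lower())
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body_text = body_part.get_content() if body_part is not None else ""
    attachments = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        attachments.append({
            "name": part.get_filename() or "(unnamed)",
            "content_type": part.get_content_type(),
            "size": len(data),
            "sha256": sha256_hex(data),
        })
    return {
        "sender": parseaddr(str(msg.get("from", "")))[1].lower(),
        "recipients": recipients,
        "subject": str(msg.get("subject", "")),
        "urls": URL_RE.findall(body_text),
        "attachments": attachments,
    }


def triage(raw_messages, decoys=DECOY_ADDRESSES) -> list:
    """Return one alert per message that reached a decoy address."""
    alerts = []
    for raw in raw_messages:
        info = parse_message(raw)
        hit = info["recipients"] & set(decoys)
        if not hit:
            continue  # ordinary mail, not of interest to the honeynet
        risky = [a for a in info["attachments"]
                 if a["name"].lower().endswith(RISKY_SUFFIXES)]
        alerts.append({
            "decoys_hit": sorted(hit),
            "sender": info["sender"],
            "subject": info["subject"],
            "urls": info["urls"],
            "attachments": info["attachments"],
            "severity": "high" if risky else "medium",
        })
    return alerts


def _build_sample(sender, to, subject, body, attachment=None) -> bytes:
    """Build a constructed RFC 5322 message so the example runs offline."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = to
    m["Subject"] = subject
    m.set_content(body)
    if attachment is not None:
        name, data = attachment
        m.add_attachment(data, maintype="application",
                         subtype="octet-stream", filename=name)
    return m.as_bytes()


# Constructed payload: an MZ header followed by filler, not a real binary.
SAMPLE_PAYLOAD = b"MZ" + b"\x00" * 62 + b"CONSTRUCTED-SAMPLE-NOT-A-REAL-BINARY"

SAMPLE_MESSAGES = [
    _build_sample("HR Portal <hr-update@example.net>", "j.smith@example.com",
                  "Updated payroll form",
                  "Please review the attached form: http://payroll-update.example.net/login",
                  ("payroll_form.exe", SAMPLE_PAYLOAD)),
    _build_sample("alice@example.com", "bob@example.com", "Lunch?",
                  "Canteen at 1?"),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_MESSAGES):
        print(alert)
```

The alert carries the hash rather than the attachment itself, so the record can be shared or checked without ever executing the sample; detonation and reverse engineering, as the column notes, belong in an isolated environment.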

Similarly, you can test the viability of corporate anti-virus solutions. AV vendors claim high capture rates, but few users bother to verify that their AV is working effectively for them. It is relatively straightforward to do using available tools, some freeware and some commercial kit, and if the capture rate is lower than expected it gives you ample justification to jump ship or negotiate new licence terms.

You can also create a computer honeypot. This is a fake server or machine, sat on your network, that looks vulnerable to various attacks. What appears to attackers to be a soft target is in fact a threat intel gathering machine. Over time it will show you exactly what is being thrown at you, so you can adjust your security accordingly.
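The honeypot described above, reduced to its essentials as an added example (not code from the column or from Pen Test Partners): a TCP listener that presents a constructed mail-server banner, records the source address, port and first bytes of whatever each connecting client sends, and tags the attempt with a rough classification. The banner text, the classification rules and the `probe` client used to exercise it are assumptions made for the example.

```python
"""Minimal TCP honeypot that records connection attempts for later review.

Assumptions (constructed for this example): the banner below imitates a mail
server that does not exist, the classification rules are illustrative, and
probe() stands in for an attacker's scanner so the listener can be exercised
locally. Events are kept in memory; a real deployment would ship them to a
log pipeline.
"""
import socket
import threading
import time
from datetime import datetime, timezone

# Constructed banner: makes the port look like an SMTP service (assumption).
FAKE_BANNER = b"220 mail.example.com ESMTP Postfix\r\n"


def classify(payload: bytes) -> str:
    """Rough tag for the first bytes a client sent (illustrative rules)."""
    if not payload:
        return "connect-only"          # port scan or banner grab
    if payload.startswith((b"GET ", b"POST ", b"HEAD ")):
        return "http-probe"
    if payload.startswith(b"SSH-"):
        return "ssh-probe"
    if payload.upper().startswith((b"EHLO", b"HELO")):
        return "smtp-client"
    return "unknown"


class Honeypot:
    def __init__(self, host="127.0.0.1", port=0):
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))     # port 0 picks a free ephemeral port
        self._sock.listen(16)
        self._sock.settimeout(0.2)         # lets the accept loop notice stop()
        self.port = self._sock.getsockname()[1]
        self.events = []
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def stop(self):
        self._stop.set()
        self._thread.join()
        self._sock.close()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, peer = self._sock.accept()
            except socket.timeout:
                continue
            threading.Thread(target=self._handle, args=(conn, peer),
                             daemon=True).start()

    def _handle(self, conn, peer):
        event = {
            "time": datetime.now(timezone.utc).isoformat(),
            "src_ip": peer[0], "src_port": peer[1], "dst_port": self.port,
            "payload": b"",
        }
        with conn:
            conn.settimeout(2.0)
            try:
                conn.sendall(FAKE_BANNER)      # play the part of a real service
                event["payload"] = conn.recv(1024)
            except (socket.timeout, OSError):
                pass                           # silent scanners send nothing
        event["tag"] = classify(event["payload"])
        with self._lock:
            self.events.append(event)

    def wait_for_events(self, count, timeout=5.0) -> list:
        """Block until at least `count` events are recorded or timeout passes."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            with self._lock:
                if len(self.events) >= count:
                    return list(self.events)
            time.sleep(0.05)
        with self._lock:
            return list(self.events)


def probe(port, payload: bytes, host="127.0.0.1") -> bytes:
    """Stand-in for a scanner: connect, read the banner, send payload."""
    with socket.create_connection((host, port), timeout=2.0) as s:
        banner = s.recv(1024)
        s.sendall(payload)
    return banner


if __name__ == "__main__":
    hp = Honeypot().start()
    print("listening on", hp.port)
    probe(hp.port, b"GET / HTTP/1.0\r\n\r\n")
    for ev in hp.wait_for_events(1):
        print(ev)
    hp.stop()
```

The value of such a box is entirely in the record it keeps: nothing on it should be reachable from production systems, and the events (source, port, first bytes, tag) are what you take to the board as evidence of what is actually arriving at your perimeter.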

Self-testing aside, there is one thing all of us can do, and that is to invest in cyber-liability insurance. I've heard countless tales of companies that have found their bank account emptied or their business taken offline. A first-party cyber-liability policy can protect the business in the event of a breach and is remarkably good value for money given the cover it provides.

Yes, cyber-security surveys do have a place in creating interest and even spreading awareness of cyber-crime, but as to whether they really provide any meaningful insights and actionable intelligence? That's questionable. If we're going to gather real information, pertinent to our individual situation, to counter the cyber threat, we should at the very least be gathering our own threat intel.

So, take cyber-crime surveys with a large pinch of salt and do your best to make the case for a good threat intel service. To help your case you should self-test, and gather information from honeynets and honeypots. Not only will you have a solid grounding to justify the spend, you'll also have the hands-on visibility in the interim that many would kill for when making the case for security.

Ken Munro is founder and partner at Pen Test Partners