In today's threat landscape, cyber-criminals and hostile governments are using automation to deploy malware at a speed and scale we have not seen before. A purely manual approach to cyber-defence is no longer sufficient, but how have we ended up in this rather worrying situation?
What we're seeing:
The spread of cloud adoption across enterprises has far-reaching implications for the cyber-landscape. Fortinet's Q1 Threat Landscape Report found the median number of cloud applications in use was 62, split between 33 SaaS applications and 29 IaaS applications. It is true that cloud apps expand an organisation's attack surface through threat vectors such as shadow IT and personal cloud services. However, Q2's Threat Landscape Report found that the chances of cloud applications contributing to your next malware or botnet infection are low: the data showed no correlation between cloud application usage and increased threat frequency, which suggests that carriers, cloud providers and MSPs are doing a reasonable job of maintaining secure cloud environments.
The growth of encrypted traffic is, ironically, another infrastructure trend that causes a security headache. Q1's report also found that the median ratio of HTTPS to HTTP traffic hit a high mark in the first quarter of 2017. Whilst HTTPS protects the privacy and integrity of traffic in transit, it comes at the expense of threat monitoring and detection. Organisations carrying a high proportion of HTTPS traffic have no visibility into the threats inside those encrypted sessions unless they inspect the traffic (for example by decrypting it at a proxy or firewall), and inspection itself carries processing and policy costs that must be planned for.

A large proportion of exploit activity today is fully automated, using tools that scan the whole internet for exposed services and known openings. Modern tooling and pervasive 'crimeware-as-a-service' infrastructure allow cyber-criminals to operate globally at a blistering pace.
Planning your response
With attacks and alerts coming at your security team from all angles, chances are they are feeling overwhelmed, often left without the resources or even the expertise to respond to everything that crosses their desk. Consequently, teams are increasingly relying on managed security service providers (MSSPs) and their security vendors to address the flurry of cyber problems.
Response time is another issue. The window in which you can respond before significant damage occurs is shrinking, and IT teams do not have the capacity to respond to all, or even most, of the alerts in that window. Because of the volume, teams end up prioritising some threats over others. Modern attacks, especially automated ones, have a short half-life: their indicators of compromise are fingerprints linked to specific attacks, but they fade quickly, much like a fingerprint left on the condensation on a mirror, which disappears after a while. To be effective, your security response must happen whilst the attack is still visible. That is incredibly hard if you have point solutions and rely solely on IT teams (humans) to do all the integration. This is where automation comes into its own.
Fighting automation with automation
When security controls work together and can communicate, IT can let the technology start to make some automated decisions. This is the first step towards an expert system, one that mimics the decision-making process of a human expert. Whilst these controls may not remove the actual threat, they can contain or isolate the breach, buying the incident response team time to investigate and eradicate it.
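As an added illustration of the two points above (indicators that fade with time, and integrated controls making a containment decision without waiting for a human), here is a small orchestration loop. It is example code written for this page, not Fortinet's product or code: two independent controls (a network IPS and an endpoint agent) feed alerts into one decision engine, which weights each indicator by its age using an assumed half-life and then decides whether to isolate the host automatically, raise a ticket for an analyst, or just log. The alert format, the IOC feed, the half-life, the thresholds and the host names are all constructed for the illustration.

```python
"""Added example (not Fortinet's code): two independent controls feed alerts
to one decision engine, which weights each indicator by how fresh it is and
decides whether to isolate a host automatically or hand it to an analyst.
Alert format, IOC feed, half-life and thresholds are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

IOC_HALF_LIFE = timedelta(hours=6)          # assumed: confidence in an indicator halves every 6 h
CONTAIN_THRESHOLD = 0.5                     # assumed: minimum decayed confidence for automatic action
CORRELATION_WINDOW = timedelta(minutes=10)  # assumed: window in which separate controls must agree
NOW = datetime(2017, 6, 27, 9, 35)          # decision time for the constructed scenario

# Constructed IOC feed: indicator -> (confidence when published, publication time).
# Both start at 0.9; one is about an hour old at NOW, the other about two days old.
IOC_FEED = {
    "198.51.100.23": (0.9, datetime(2017, 6, 27, 8, 0)),
    "203.0.113.77": (0.9, datetime(2017, 6, 25, 8, 0)),
}

# Constructed alert lines from two independent controls (network IPS and endpoint agent).
ALERT_LOG = """\
2017-06-27T09:00:10 ips host=ws-042 dst=198.51.100.23 sig=SMB.Exploit.Attempt
2017-06-27T09:02:30 edr host=ws-042 dst=198.51.100.23 event=new_service_install
2017-06-27T09:05:00 ips host=ws-017 dst=203.0.113.77 sig=HTTP.Suspicious.Beacon
2017-06-27T09:06:15 edr host=ws-017 dst=203.0.113.77 event=outbound_connect
2017-06-27T09:30:00 edr host=ws-099 dst=192.0.2.9 event=new_service_install
"""


@dataclass
class Alert:
    ts: datetime
    source: str   # which control raised the alert
    host: str
    dst: str
    detail: str


def parse_alerts(text: str) -> list[Alert]:
    """Parse the constructed 'timestamp source key=value ...' format into Alert records."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        detail = fields.get("sig") or fields.get("event", "")
        alerts.append(Alert(datetime.fromisoformat(ts), source, fields["host"], fields["dst"], detail))
    return alerts


def decayed_confidence(indicator: str, now: datetime) -> float:
    """Confidence in an indicator, halved every IOC_HALF_LIFE since publication.
    Indicators not in the feed score 0."""
    entry = IOC_FEED.get(indicator)
    if entry is None:
        return 0.0
    confidence, published = entry
    age = max(now - published, timedelta(0))
    return confidence * 0.5 ** (age / IOC_HALF_LIFE)


def decide(alerts: list[Alert], now: datetime) -> dict[str, tuple[str, str]]:
    """Per host, return (action, reason).

    isolate: at least two independent controls agree within CORRELATION_WINDOW
             and the indicator is still fresh, so contain without waiting for a human.
    ticket:  the pattern is corroborated but the indicator has faded, or the
             indicator is fresh but only one control has seen it: analyst review.
    log:     nothing corroborated and nothing fresh.
    """
    by_host: dict[str, list[Alert]] = {}
    for alert in alerts:
        by_host.setdefault(alert.host, []).append(alert)

    decisions = {}
    for host, hits in by_host.items():
        hits.sort(key=lambda a: a.ts)
        sources = {a.source for a in hits}
        within_window = hits[-1].ts - hits[0].ts <= CORRELATION_WINDOW
        best = max(decayed_confidence(a.dst, now) for a in hits)
        corroborated = len(sources) >= 2 and within_window
        reason = f"controls={len(sources)}; indicator confidence {best:.2f}"
        if corroborated and best >= CONTAIN_THRESHOLD:
            decisions[host] = ("isolate", reason)
        elif corroborated or best >= CONTAIN_THRESHOLD:
            decisions[host] = ("ticket", reason)
        else:
            decisions[host] = ("log", reason)
    return decisions


if __name__ == "__main__":
    for host, (action, reason) in decide(parse_alerts(ALERT_LOG), NOW).items():
        print(f"{host}: {action} ({reason})")
```

In the constructed scenario ws-042 and ws-017 show the same two-control pattern, but only ws-042 is isolated automatically: the indicator behind ws-017 was published two days earlier and its decayed confidence has dropped to almost nothing, so the engine hands it to an analyst instead of acting on a stale fingerprint. The half-life and thresholds are placeholders; in practice they would be tuned per indicator type and per feed.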
Taking a holistic approach to cyber-security gives organisations the best chance of fighting off an attack. The five measures below help unify control across all attack vectors to halt automated attacks:
1. Patch management is absolutely vital. Mirai, WannaCry and NotPetya all took advantage of poor cyber-hygiene and caused havoc: Mirai spread through IoT devices left on factory-default credentials, while WannaCry and NotPetya spread through a Windows SMB vulnerability that Microsoft had patched in March 2017 (MS17-010), two months before WannaCry appeared. This demonstrates the damage that can be done when IT teams fail to patch known vulnerabilities.
2. An intrusion prevention system (IPS) is a first line of defence. It is particularly useful because manufacturers of Internet of Things devices are rarely held accountable for securing them. Because many IoT devices are headless and never receive firmware updates, billions of them remain vulnerable with no patch in sight. An IPS provides virtual patching: it blocks the exploit traffic on the network before it reaches a device that cannot be patched. Note that this only covers exploits the IPS has signatures or behavioural rules for, so it complements patching rather than replacing it.
3. Know your data, and keep backups segmented. Ransomware always targets an organisation's most valuable data, and some strains deliberately encrypt or delete any backups they can reach from the infected network, which can be disastrous. Backups should be kept segmented from the production network (offline, or otherwise unreachable from a compromised host), and restores should be tested regularly so that the backup is known to be usable when it is needed.
4. Focus on visibility. People often picture security as building a wall around their fortress. However, once a wall is built, it is visible to anyone looking in from the outside (i.e. attackers), who will then look for ways to circumvent it and gain access to the network. What is needed is threat intelligence: understand who your attackers are and what their tactics, techniques and procedures are, then defend according to that information. Know where your critical assets are and prioritise your security around them. If an asset is held to ransom, hit by a distributed denial of service, or otherwise compromised, how much will it cost your business?
5. Once you understand your adversary and have built the appropriate defences, re-evaluate regularly and keep shortening the time from detection to response. Favour proactive solutions and look for ways to make them interoperate. Most organisations run many products from many vendors; reduce that complexity by integrating and consolidating existing security devices into a framework that shares threat intelligence between them and exposes an open architecture.
The best defence is a good offence
Regardless of how good IT security teams are at their jobs, humans alone cannot keep up with today's automated attacks. Network intrusions must be detected and dealt with promptly, before they do damage and before their trail disappears from sight. A system of integrated, orchestrated security solutions allows organisations to fight automation with automation, turning cyber-criminals' own methods against them.

Fortinet
Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.