Leveraging Threat Intelligence

Simply put, we benefit when we think like a cyber-criminal and plan defenses around their tactics and attack methods. By leveraging threat intelligence, we can improve our understanding of security posture and make more strategic security decisions. It’s an arms-race out there, and constant vigilance and evolving strategies are needed to win.

Cyber breach and attack data are readily available, and research is expanding every year. We need to do a better job of capitalizing on it. Using ALL of the data as a competitive advantage means that someone in your organization must study the reports collectively, capture salient points, look at industry attack trends, and develop a strategy around protecting your business.

Additionally, you must have a clear understanding of the strengths and weaknesses of your security program relative to today’s attacks and current threats. An independent review by a security-focused firm with broad experience will produce an honest and accurate evaluation.

Data Breach Reports: The Nature of Today’s Attacks

The 2019 Verizon Data Breach Investigations Report tells us that 69% of all data breaches are perpetrated by outsiders, 34% involved internal actors, and 7% involved partners and multiple parties. Organized criminal groups were behind 39% of the breaches, and 23% were actors identified as nation-state or state-affiliated. Most of these nefarious actors work at their trade full time and, like other businesses, they rely on specialists in their supply chain — often found on the dark web — to provide the needed products and skills such as:

Hacker Org Chart

  • Reconnaissance analysts for research, identification, and target selection
  • Development of malware undetected by anti-virus programs
  • Social engineering specialists
  • Network penetration specialists
  • Command and control system operations
  • Distributed Denial of Service (DDoS) botnet operations
  • Exfiltration of data experts
  • Marketplace to buy stolen debit, credit, and prepaid card numbers
  • Printing of counterfeit stolen debit, credit, and prepaid card numbers
  • Team dedicated to purchasing high value goods with stolen cards
  • Stolen identity marketplace to sell social security numbers and other Personally Identifiable Information (PII)
  • Fraudulent bank accounts with remote wire transfer capabilities
  • Marketplace to sell stolen goods

What threat tactics are most common today?

Threat Tactics Chart

  • 52% of the breaches featured hacking
  • 33% used social engineering
  • 28% used malware
  • 21% of the breaches were caused by human error
  • 15% involved misuse by authorized users
  • 4% included physical actions

Public Sector

In the public sector, phishing, malware, and malware delivered through command and control botnets take the top three spots for methods of compromise. In this case, it may be sensible to focus efforts on training the staff thoroughly about phishing attacks, and to create and report metrics on employee click rates for test phishing messages. There are several companies that do this well. They integrate immediate training sessions for employees who click on phishing attempts sent to test the employee’s actions. All employees can be tested, and a management dashboard informs the company of progress in reducing click rates.

Consider enhancing malware detection and quarantine capabilities with a product in addition to anti-virus. Products like Cisco’s Advanced Malware Protection, Palo Alto Traps/Cortex, Cylance, CrowdStrike, Cybereason, and Carbon Black’s CB Defense come to mind. Focus on alerting mechanisms that provide early warning of infections and anomalous activity.

Give your Incident Response Program a thorough review and perform quarterly attack simulations to evaluate and improve your response time. The faster a data breach can be identified and contained, the lower the costs. This is a simple and low-cost way to reduce your potential losses.

Healthcare

According to the Verizon Data Breach Report, 59% of breaches in Health Care were associated with internal actors. Medical and personal information was compromised in 72% and 34% of the incidents respectively. The top three patterns were Miscellaneous Errors, Privilege Misuse, and Web Applications, representing 81% of all incidents.

What can be done about Miscellaneous Errors, Privilege Misuse, and Web Application compromise? A review of privileged account monitoring processes would identify gaps that can be shored up. Then begin planning strategic investments to improve detection of access to privileged data, how that data is protected, encryption methods, and how it is moving across the network. Next, put data loss prevention controls in place to prevent sensitive information from getting into the wrong hands and exiting the company’s information systems.

Other important improvements include attack prevention and detection of web application compromises. Begin evaluating vulnerability management, web application testing, penetration testing, and regular external vulnerability assessments by competent testers. Enhance your system logging and monitoring with a 24x7 Security Operations Center (SOC) that reviews and alerts operations staff when potential security incidents occur.

Financial and Insurance

Web Application compromise, Privilege Misuse, and Miscellaneous Errors represent 72% of breaches reported in this industry segment. Financial gain was a motive in 88% of the incidents. Compromise of customer and employee credentials was very common, leading to unauthorized use of account information and fraud. The primary data compromised in this vertical market was personal information (43%), credentials (38%), and internal data.

What are improvements to consider for Financial and Insurance industries? Damage from the use of stolen credentials can usually be stopped by using multi-factor authentication (MFA) for internal IT support staff accessing critical systems, and for business customers with wire and cash management capabilities. MFA should be offered to all your internet banking customers as an option if your platform supports it. Strong anti-phishing controls should be implemented, as mentioned in the Public Sector section above, since most attacks today begin with social engineering based on phishing attempts. Stopping data leakage of internal information requires controls that stop the egress of sensitive data outside the company network perimeter. Enhanced logging and monitoring of access to sensitive data, and implementation of a review process for privileged users and their access, are also important.

Security Assessments: Think Qualitatively

We need to get smarter about our security assessments. To know how well your company’s security systems will resist an attack, you need a deep understanding of what controls are in place, as well as the quality of each control’s implementation. That takes expertise, time, and effort.

As important as it is to know what’s being done by hackers in our industry, it’s also important to understand where our security program stands. We need to do more than “check the box,” and be sure we’re in compliance. We must fully engage our minds to think both qualitatively and quantitatively. Assessing not only the existence of a control, but its maturity and robustness paints a clearer picture. Rating and prioritizing controls is critical within any standard. Information Security as a discipline is relatively new, and while it’s difficult to objectively measure assurance and program quality, it can be done with the right approach and a documented process.

To learn more about how our smarter approach to security assessments can benefit your organization, please contact us.

Continued in Part III: Security is Not in a Vacuum: Contextual Analysis and Modeling of Industry Data