The Changing Cyber Threat Landscape
The explosion of new devices being connected to the internet has created major benefits for businesses, facilitating the sharing of information in ways that were unimaginable a few years ago. However, this has also revealed innumerable known and unknown w
Why do so many companies still find themselves the victims of successful cyber attacks, in spite of all the layers of protection they have put in place and the significant investments they have made in cyber security over the past few years? The cyber threat landscape is continually evolving and attackers are finding innovative new ways to circumvent network defences. Previously unknown software flaws ("zero days"), and the "zero day attacks" that exploit them before a patch exists, are a mounting security problem for public and private entities, and can lead to compromised systems, fraudulent activity and information breaches.
Cyber criminals are concurrently creating more sophisticated and specialised malware, and using the open market to gain faster access to zero day vulnerabilities they can exploit. The New York Times, for example, reported that in 2005 seven malware "families" accounted for 70% of all malware activity, whereas by 2014 it took 20 families to account for the same 70%. This proliferation and rapid change in the sources of malware has made traditional firewalls and anti-virus functionality of limited use on their own in detecting and preventing attacks.
This is compounded by the convergence of cyber and financial crime. Many high-profile attacks on financial services companies are carried out by individuals or groups of hackers for financial gain. Recent attacks such as the 2016 Bangladesh Bank heist, in which fraudulent payment instructions were issued from compromised systems, achieved that through a combination of cyber crime and financial fraud.
We live in a digital age where both customers and employees should expect that their information will be targeted for theft. As an insurer, you not only need to be mindful of phishing and malware arriving through your email channel; you also need to be wary of customers having their identities stolen by criminals using techniques such as social engineering, and then sold on the dark web to buyers who use them to create fraudulent insurance contracts and carry out claims fraud.
Leaders need to be prepared and ready to protect their business in this changing cyber threat environment. Businesses use a number of strategies to improve their defence and try to minimise these threats.
GREATER INFORMATION AND DATA SHARING INSIDE AND OUT
Attacks are coming from both inside and outside the organisation, so the whole organisation needs to be aligned to deal with this challenge. This means claims, call centre, analytics and information security teams need to be sharing intelligence and working together to defend against attacks.
A lot of intelligence and information is already shared within the insurance community, and this is paramount to defeating cyber and financial crime. By using social network analysis and a consortium approach, insurers are able to identify cross-insurer and complex organised crime rings more readily.
Good cyber security should always start with educating staff about existing and emerging threats and how to avoid them. With education, employees can improve their ability to identify a suspect email designed to obtain sensitive information. However, this requires a significant, and ongoing, commitment to training.
Leaders need to ensure they understand the threats and vulnerabilities in their business. As the cyber threat landscape evolves, so too does the need for more situational awareness, more robust defences, and real-world testing of those defences.
It is also important to widen the security focus to include unknown and new threats, and to understand the unusual behaviour patterns that can be identified in data. The information that supports this is known as threat intelligence. Threat intelligence delivers rich information on new malware, previously unknown perpetrators, emerging trends, and more. This can fuel analytics and provide a better understanding of the threat environment.
Threat intelligence gathers information about potential security breaches that are relevant to the client organisation’s specific environment. This gives security professionals immediate, tailored and actionable information that they can act on quickly to protect the organisation, focusing the threat mitigation effort and reducing response times.
But that in itself is not enough to detect malicious cyber activity. You also need to know what to look for, how to look, and where to look. And of course, not all "suspicious" cyber activity is malicious: a lot of activity is benign or "normal" even though it may fall under the spotlight as activity which could be indicative of a cyber threat. Therefore, when automatically analysing massive data sets, additional intelligence needs to be built into the analytics so that the solution can determine whether observed behaviour is truly indicative of a threat or is actually normal within the context of that network and the business operations it supports.
DATA DRIVEN ANALYTICS
The next step in cyber defence is for organisations to evolve their approach to detecting malicious behaviour. They will require advanced security operations centre (SOC) capabilities that build on traditional security information and event management (SIEM) solutions by using complex behavioural analytics across the vast quantities of data they already collect. Security data analytics is key to understanding what is happening on an organisation’s networks and, specifically, if a compromise and exfiltration is taking place.
INTELLIGENCE-LED PENETRATION TESTING
In today’s cyber age, security testing needs to move from "tick-box" approaches to be based upon rich contextualised threat intelligence. This informs and guides how the testing should be conducted, what attack methods should be simulated, and where testers should focus their resources.
It should be carried out through penetration testing, as a preventative measure to remove flaws prior to launching a system. Penetration testing should also be used as an ongoing detective measure, through red teaming, to identify those flaws that slip through testing, that are introduced through systems integration and iteration, or that emerge as new vulnerabilities are found.
AFTER THE ATTACK
All of these measures need to be integrated as part of a layered approach to business defence, using cooperative, mutually-supporting controls to interrupt attackers as they attempt to move from one phase of an attack to the next. Technology such as email and web security systems aims to prevent an attack succeeding, whilst post-attack technology, including monitoring and analysis tools and SIEM, detects attacks which have succeeded and allows mitigation and damage control.
While it is impossible to prevent every single attack from occurring in the rapidly-changing global threat environment, organisations can increase their chances of dealing with existing and emerging threats quickly and effectively by using threat intelligence to understand the threat, and incorporating a layered approach to security.
Leaders need to be prepared and ready to protect their business in this cyber threat environment.