How we got here and what to do to ensure the future of cybersecurity.
January 20, 2015
The evolving trends of mobility, cloud computing, and the Internet of Everything (IoE) present unparalleled opportunities for businesses, consumers, and hackers alike. Modern networks go beyond traditional walls and include datacenters, endpoints, virtual, mobile, and the cloud. These networks and their components constantly evolve and spawn new attack vectors including: mobile devices, web-enabled and mobile applications, hypervisors, social media, browsers, smart appliances, and even vehicles.
At the same time, cyber attacks are increasingly sophisticated and discreet, driven by financial or political gain. In this rapidly changing threat landscape, security professionals face an era driven by a new breed of highly motivated and well-armed adversaries or, put another way, the Industrialization of Hacking. Less sophisticated attacks of years past, like Blaster or Slammer, have grown in sophistication, leading to today’s advanced malware, spam and cyber attacks. In the past, simple exploitation to deface a web site or a destructive worm might have been the norm. However, today’s motivated attackers are disciplined and use systematic techniques that leverage advanced malware, spam, phishing and other cyber attacks with strategic intent and goals. The Industrialization of Hacking has created a faster, more effective, and efficient criminal economy that is profiting every day from attacks on our IT infrastructure.
Federal agencies and private monitoring companies agree that cyber attacks today are more frequent and more destructive. It’s no longer a matter of if these attacks will happen, but when and for how long. Cisco reports stopping an average of 320 million cyber attacks each day, or more than 3,700 attacks every second. Cisco also finds that 75 percent of all attacks take only minutes to begin data exfiltration but take much longer to detect. More than half of all attacks persist for months—even years—before they are discovered. And it can take weeks or months for a security breach to be fully contained and remediated.
In the period before a successful attack is discovered, a targeted organization can hemorrhage precious intellectual property, state secrets, and sensitive customer and employee information, putting its reputation, resources, and valuation at risk. In 2014, the average cost of an organizational data breach was US$3.5 million, according to the Ponemon Institute. And that doesn’t include the professional costs to the defenders whose heads are on the proverbial chopping block.
The Cybersecurity Arms Race
The Industrialization of Hacking is the result of a natural evolution, with attackers launching new types of exploits with increasing frequency and defenders quickly innovating to stay ahead of them. The motives and persistence of attackers have increased along with their understanding of classic security technologies, their applications, and how to exploit the gaps between them. As IT environments have increased in complexity, exploits have grown in sophistication. And with significant money to be made, hacking has become more standardized, mechanized, and profit-driven.
In the early 1990s, viruses targeted mainly operating systems. A decade later came self-propagating worms, which moved from machine to machine via enterprise networks and across the Internet. Spyware and rootkits – malicious software designed to gain privileged access to a computer and run stealthily – also emerged. Methods such as port and protocol hopping, encrypted tunneling, droppers, sandbox evasion, blended threats and techniques that use social engineering demonstrated increasingly sophisticated ways to penetrate networks. Today, the 2015 Cisco Annual Security Report finds that attackers are more proficient than ever at discreetly leveraging gaps in security to hide and conceal malicious activity. Snowshoe spam, spear phishing and malvertising campaigns are just a few examples of new ways that attackers are combining a savvy use of technology and IT infrastructure with a detailed understanding of user behavior to reach the intended target and accomplish the mission.
The result of these evolving cyber threats and defenders’ efforts to foil them defines today’s cybersecurity arms race, which is in full sprint mode, and many organizations are failing to keep up with the attackers. Why? Because most organizations continue to rely primarily on security tools that look for attacks at a single point in time to detect malicious activity. But advanced attacks do not occur at a single point in time, and security technologies cannot detect every possible attack; a compromise is an ongoing and evolving crisis that requires tools and techniques capable of continuous scrutiny. Cyber criminals go to great lengths to remain undetected, continuously morphing and using technologies and methods that result in nearly imperceptible Indications of Compromise (IoCs). Traditional blocking- and prevention-based techniques (e.g., antivirus), and signature- and policy-based mechanisms (e.g., firewalls), on their own lack the visibility and control defenders need to implement an effective security policy that addresses advanced threats. As a result, most enterprises are ill-equipped to detect and respond to breaches when they inevitably occur, resulting in longer “dwell times” for the attacker and increased compromise of corporate data.
The Attack Chain
With the Industrialization of Hacking, attackers’ techniques are highly sophisticated, and attackers often go to extraordinary lengths to mount an attack, following a series of steps known as the “attack chain,” a version of the “cyber kill chain.” It’s not uncommon for hacker groups to follow software development processes, like QA (quality assurance) testing or bench testing their products against security technologies before releasing them into the wild, to ensure they’ll evade the defenders.
Long before they actually execute an attack, hackers enter the target organization’s IT infrastructure, conducting reconnaissance using surveillance malware. Only when they know what they’re up against do they write target-specific malware aimed at specific departments, applications, users, partners, and security processes. To ensure the malware works, malware writers recreate the target environment to test it against its security tools. Some even offer guarantees that their malware will go undetected for weeks or months.
Only then do the hackers execute their attack. In a growing number of cases, they even set up custom command-and-control servers inside the network in order to control the malware without being monitored. Sometimes, the goal is to gather data; in other cases, it is simply to destroy it. Once the mission is complete, the attackers remove evidence but maintain a beachhead for future attacks.
A Threat-Centric and Operational Security Model
So what’s an organization to do to protect itself? For starters, it needs to accept the nature of modern networked environments and devices, and to understand how attackers think. It should assume it is in a state of persistent infection requiring “continuous response.” As stated in Cisco’s 2015 Annual Security Report, as organizations embrace BYOD policies, cloud computing, and mobility initiatives, gaining visibility and improved context into connected users and devices, and effectively enforcing security policies, becomes more imperative. Cisco security experts predict that CISOs will increasingly turn to more sophisticated endpoint visibility, access, and security control solutions to manage the complex web of connections among users, devices, networks and cloud services.
In addition, organizations need to employ a threat-centric and operational security model that is focused on the threats themselves rather than just policy or controls. Organizations need to look at their security model across the extended network and the full attack continuum—before an attack happens, during the time it is in progress, and after it gains access to the network. They need to be able to respond at any time, all the time.
The Industrialization of Hacking is not about to slow down. As the IoE continues to expand, Cisco estimates as many as 50 billion devices will be connected to the network by the end of the decade. In this brave new world of ubiquitous connectivity, information security is foundational to enabling organizations to achieve maximum value from these connections and must be a top priority. Small wonder Gartner Group predicts a surge in worldwide information security spending, from US$62 billion in 2012 to US$86 billion by 2016.
Despite the Industrialization of Hacking, organizations are far from powerless. Technology has advanced so that defenders can become faster, more efficient, and more effective in countering these attacks. Today, they have access to dynamic controls to protect against threats wherever they manifest – from the network to the endpoint to the cloud.