Targeted Attack Defence Mechanisms
How effective are your cyber security defence measures?
With 90% of large organisations and 74% of small organisations suffering a cyber security breach according to the latest HM Government Information Security Breaches Survey, becoming a cyber security victim looks close to a certainty. We know that many UK organisations do not take cyber security as seriously as they should, but the figures also tell us something else: those that do take it seriously are still not effective at stopping breaches.
Organisations that have been most successful at defending themselves have moved away from relying solely on defender-oriented approaches towards more attacker-oriented ones. For example, take a typical organisation that has just implemented a vulnerability management programme. It is seeking to defend itself based on what it already knows to be bad: it searches its networks and systems for known vulnerabilities using predictable enumeration methods. This is not to say that vulnerability scanning is a bad thing in itself, but attackers simply do not think like that.
A step up from this is penetration testing, which adds human creativity to the testing process and moves somewhat closer to the attacker's perspective. Even this approach has drawbacks. First, some tools and techniques are out of scope even for ethical hackers: denial of service attacks and exploitation of production systems are rarely performed under a penetration testing engagement. Second, commercial pressures often compress the engagement timescale, which leads to shrinking scopes or heavy reliance on automated testing.
Traditional defensive approaches simply do not work because hackers do not play by these rules.
One alternative is to test your organisation with more realistic attacks, modelled on specific threat actors and their tradecraft. One such framework is the Bank of England's CBEST scheme. Launched in June 2014, CBEST was created to provide intelligence-led, bespoke security tests to the financial sector. It is a considered and well-established way to test cyber security maturity, but it has yet to spread beyond the financial sector. Other sectors have little that is anywhere near as developed, so there is a gap in the capability available to them.
So what can other organisations do?
One approach is simply to start treating threat intelligence as part of your testing regime. We know that many attacker tools, techniques and procedures are designed to target specific industries, or even specific configurations of technologies used within those industries. For example, the ongoing cyber espionage campaign dubbed 'Energetic Bear' initially targeted US defence and aviation companies in 2011, before shifting its attention to US and European energy firms. It did so through phishing campaigns using PDF documents carrying an embedded Adobe Flash exploit and, in later stages, through complex watering hole attacks tailored to specific employees in the energy sector.
Such attacks are difficult to defend against unless you actually try the same techniques against your own enterprise. That requires access to the threat intelligence in the first place, so that you know about them, but also the management will to use tools, techniques and procedures that were never designed with confidentiality, integrity and availability in mind.
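As an added example of turning one piece of threat intelligence into a check you can run against your own estate (this is not code from the original article, nor from any published analysis of Energetic Bear), the Python below does two things: it builds a constructed, xref-less lab PDF that carries an SWF-shaped payload the way a Flash-bearing phishing lure would, and it scans a PDF's raw bytes for the two indicators the paragraph above describes, Flash-related dictionary keys and a stream that inflates to an SWF header. The file layout, the key list and the fake payload are assumptions made for illustration; the payload is inert header bytes, not an exploit.

```python
import re
import zlib

# SWF container signatures: uncompressed, zlib-compressed, LZMA-compressed.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")

# Dictionary keys that accompany embedded Flash in a PDF. /EmbeddedFile also
# appears in benign attachments, so it is a weak signal on its own;
# /RichMedia (the Flash annotation type) is the stronger one. Assumed list.
FLASH_KEYS = (b"/RichMedia", b"/Flash", b"/EmbeddedFile")

# Stream bodies: the "stream" keyword (not the tail of "endstream"), an EOL,
# then everything up to "endstream". The body keeps its trailing EOL; the
# decompressor below tolerates that trailing byte.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)endstream", re.DOTALL)

# Constructed stand-in for an SWF: signature, version byte, 4-byte length,
# filler. Inert header bytes only, no exploit content.
FAKE_SWF = b"FWS" + bytes([10]) + (64).to_bytes(4, "little") + b"\x00" * 56


def inflate_if_possible(body: bytes) -> bytes:
    """Try to inflate a stream as FlateDecode; fall back to the raw bytes.

    decompressobj() is used rather than decompress() so a trailing EOL after
    the compressed data is ignored instead of raising.
    """
    try:
        return zlib.decompressobj().decompress(body)
    except zlib.error:
        return body


def scan_pdf(data: bytes) -> dict:
    """Scan raw PDF bytes for Flash indicators and return a verdict."""
    keys = sorted(k.decode() for k in FLASH_KEYS if k in data)
    swf_streams = 0
    for m in STREAM_RE.finditer(data):
        body = inflate_if_possible(m.group(1))
        if body[:3] in SWF_MAGICS:
            swf_streams += 1
    return {
        "flash_keys": keys,
        "swf_streams": swf_streams,
        # A stream that inflates to an SWF header is the decisive signal; a
        # /RichMedia annotation alone is enough to quarantine for review.
        "suspicious": swf_streams > 0 or "/RichMedia" in keys,
    }


def build_sample_pdf(payload: bytes, compress: bool = True) -> bytes:
    """Build a minimal, xref-less lab PDF that embeds `payload` as a RichMedia
    asset, FlateDecode-compressed by default. Constructed for exercising the
    scanner or a mail gateway; viewers will not render it."""
    body = zlib.compress(payload) if compress else payload
    filt = b"/Filter /FlateDecode " if compress else b""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>",
        b"<< /Type /Annot /Subtype /RichMedia /RichMediaContent "
        b"<< /Assets << /Names [(movie.swf) 5 0 R] >> >> >>",
        b"<< /Type /EmbeddedFile " + filt + b"/Length %d >>\nstream\n" % len(body)
        + body + b"\nendstream",
    ]
    out = b"%PDF-1.7\n"
    for num, obj in enumerate(objs, 1):
        out += b"%d 0 obj\n" % num + obj + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


# A benign comparison document: one uncompressed text content stream.
BENIGN_PDF = (
    b"%PDF-1.4\n1 0 obj\n<< /Length 11 >>\nstream\nHello world\nendstream\n"
    b"endobj\ntrailer\n<< >>\n%%EOF\n"
)


if __name__ == "__main__":
    for name, doc in [
        ("benign", BENIGN_PDF),
        ("flash-compressed", build_sample_pdf(FAKE_SWF)),
        ("flash-raw", build_sample_pdf(FAKE_SWF, compress=False)),
    ]:
        print(name, scan_pdf(doc))
```

Two caveats a practitioner would add before relying on this: real lures may use object streams or non-Flate filters that a byte-level regex will not unpack, and the key match is intentionally loose. The point of the exercise is less the detector than the loop it closes: the same constructed sample can be sent through your own mail gateway to find out whether the control you are paying for would have stopped the attachment the intelligence describes.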
Like all offensive techniques, this raises ethical dilemmas. Take the distributed denial of service (DDoS) attacks that hit the Sony PlayStation Network over Christmas 2014. Under a targeted attack defence methodology, it might have been worthwhile for Sony to buy a subscription to Lizard Squad's LizardStresser tool and test its own DDoS defences before other, nefarious buyers of the tool did the same and turned it against them. Clearly this is abetting the enemy, but nation state defence contractors do the same today. Even once these moral issues are overcome, such techniques require CISOs to convince the board that more aggressive approaches can be trusted not to introduce risks that outweigh the benefits. That is the crux of the issue: management sponsorship.