As reported by ZDNet, attackers are now exploiting a SharePoint vulnerability to run arbitrary code, while E&E News notes that the Department of Energy has confirmed an attack on U.S. power grid controls occurred in March, classifying it as a “cyber event that causes interruptions of electrical system operations.” And that’s just in the last few months — over the past few years, large attacks on British Airways, Marriott International and Equifax have frustrated consumers and cybersecurity professionals alike.
According to Forbes, the situation is dire enough that during a recent Homeland Security and Governmental Affairs Permanent Subcommittee on Investigations hearing, Senators focused on the value of hacker expertise to stem the tide of growing cyberattacks.
What does all this mean for infosec professionals? It’s not a matter of if your company is the victim of a massive cyberattack: it’s a question of when and to what degree.
Here’s how you handle it when it comes.
The anatomy of an attack
First up? Cybersecurity professionals need to keep up with current trends:
- Where are hackers concentrating their efforts?
- Are there any “Heartbleed” or “Shellshock”-level vulnerabilities in the wild?
- What’s the most likely avenue of compromise?
When it comes to attack anatomy the only true constant is change, but as noted by the EC-Council, there are several cyberattack types currently in heavy rotation, including:
Using stolen credentials, attackers compromise common accounts such as business email or social media. This both creates an opportunity for destructive impersonation but may also grant lateral access to more sensitive networks and data if logins and passwords are consistent across multiple accounts.
Distributed denial of service attacks remain a popular way to interrupt business functioning, often as a diversion for more damaging malware attacks. Last year, attacks topping 1.7 Tbps were recorded, and as noted by Tech Republic Q1 2019 saw a 967% increase in attacks over 100 Gpbs compared to the same time last year. One key driver of this trend? The proliferation of insecure IoT devices.
From ransomware designed to hold corporate information hostage to fileless attack efforts deployed to cause network damage, malware remains a top concern for organizations — and is getting harder to detect.
Website defacement and deception
Attackers are modifying the appearance of corporate webpages or creating web content that appears legitimate but in fact contains links to malware downloads or account phishing pages.
You need to plan to fail
The first step in handling the growing scope and complexity of attacks? Plan to fail.
While accounting for every potential outcome is impossible, drafting a comprehensive incident response (IR) plan can help limit the impact of any cyberattack. Here, business benefits stem from familiarity — if there’s a clear chain of command and action plan to assess the nature of emergent threats, IT teams don’t waste time trying to coordinate response efforts during an already-stressful incident. And as noted by Info-Security Magazine, recent data suggests that companies with effective IR plans in place can reduce the total costs associated with a data breach. The caveat? 77% of businesses lack consistent IR planning, often because they’re simply not sure where to start or what to include.
As noted by SC Magazine, the first step is actually writing something down by creating a basic outline of who gets notified, what happens and when you (ideally) need systems back up and running. Also critical? Identifying essential data and services across your network to ensure they’re covered — IR plans aren’t much use if basic systems are left unprotected prior to attacks.
Next up? Testing, testing, testing. Just as attack vectors change, IR plans must evolve to deliver adequate protection. Regular testing every quarter (or every six months, at minimum) helps ensure existing protections and procedures can handle current threats. If possible, have a third-party conduct attack or penetration testing drills to identify potential vulnerabilities that may have been overlooked.
While practice can’t make perfect when it comes to cybersecurity, a robust IR plan can significantly reduce the time and costs associated with a large-scale attack.
Tackle the people problem
External threats are easy to categorize and prioritize because they’re so obviously prolific — news reports and security publications are continually analyzing and evaluating new attack vectors. But there’s a less obvious, far more consistent concern that poses equal (if not greater) risk to your business: insider threats.
As noted by Security Boulevard, 53% of cybersecurity professionals confirmed that they’ve been hit by “insider attacks” over the past 12 months. In many cases, these attacks aren’t malicious; users may accidentally post sensitive information on social media channels or use too-simple passwords to secure critical accounts.
Users are also leveraged as unwitting accomplices in many cyberattacks: Bleeping Computer points out that phishing attacks continue to rise, with 85% of all phishing focused on U.S. companies. These attacks are also getting more sophisticated, with hackers leveraging fake Google Chrome address bars to trick users into trusting fake sites.
Here, education and monitoring are critical: even the most vigilant IT professionals can’t stop insider threats in isolation. By regularly training users and evaluating their response to simulated phishing attacks along with monitoring typical end-user behavior, infosec pros can reduce the risk of getting hooked.
Find the right tools
Technology matters in the fight against evolving threats. While effective cybersecurity will always require human oversight to achieve maximum impact, the right tools can help streamline this process. Some of the most effective include:
Perimeter defense and whitelisting are no longer enough to identify and remediate critical threats. Next-generation firewalls are designed with distributed networks in mind, giving IT pros more control over what gets through, what doesn’t and what happens to potentially malicious code. Using resource call evaluation and origin analysis, these tools can help prevent critical attacks and limit the impact of potential breaches.
Apps are eating the world. Runtime application self-protection empowers applications to detect threats during critical runtime processes and take effective action — including code quarantine, limiting overall function and ending user sessions.
What you don’t know could absolutely hurt your bottom line. The result? Real-time, fully-transparent monitoring tools are now critical to assess networks moment-to-moment and notify cybersecurity pros if suspicious activity is detected. From traffic monitoring to data access and new app deployment, monitoring is critical to overall IT security.
As noted above, end-user actions matter. On-demand user analytics can help companies create behavioral profiles of users across the organization and trigger alerts if behavior is too far outside the norm. For example, if a privileged user is suddenly accessing critical data remotely outside of work hours and sending this data to an unknown destination, there’s a good chance they’ve been hacked or have initiated an insider attack. Either way, knowledge is power.
Humans are great at pattern detection and intuitive leaps of logic. When it comes to repetitive tasks and data entry, however, technology is the better choice. Automated tools can both boost the accuracy of security monitoring and reporting, freeing up infosec personnel to monitor networks for more critical threats and improve overall defensive posture.
On-Board the boardroom
Without C-suite support, IT response to massive cyberattacks will be piecemeal at best. But how do infosec pros on-board the boardroom when most members don’t have the time — or inclination — to learn the ins and outs of network defense?
According to CISO Mag, it’s critical to speak their language. This means talking about cybersecurity risk as it applies to enterprise risk management at large: how does increased risk translate to potential lost revenue, PR problems or GDPR compliance issues? It’s also a good idea to avoid highly-technical jargon since it won’t help get the message across and can create a barrier between security pros and C-suite executives.
Last but not least? Draft actionable, practical plans to implement cybersecurity culture at large. In practice, this means avoiding the “ban all 3rd party apps” conversation in favor of processes which allow users to submit their favorite productivity or collaboration apps for IT review, and then work together with technology teams to implement low-risk apps or find an alternative solution that meets end-user expectations. In addition to garnering C-suite and user goodwill, an allied app policy helps limit the growth of “shadow IT”.
Security professionals are under pressure from the growing infosec skills gap. As noted by CSO Online, 74% of cybersecurity staff say the shortage has impacted their organizations “significantly” or “somewhat”: Not only are IT teams tasked to manage threats in the emerging malware-as-a-service market but they’re fighting tooth and nail to onboard (and keep) skilled security professionals.
One option to help bridge the gap is what IBM calls “new collar” talent — staff who show aptitude and interest in security but lack the typical four-year degrees and industry experience. Instead, they have a myriad of soft skills and self-taught abilities that can help companies manage evolving security risk.
Existing infosec pros, meanwhile, are well-served by regular IT training to both keep certifications current and add new expertise as required. Courses such as the Certified Ethical Hacker (CEH), GIAC Security Essentials (GSEC) and Certified Cloud Security Professional (CCSP) offer essential skills to help infosec pros develop better IR plans, address insider issues, leverage the right technology and bring the C-suite on board.
Go big or go home
Attackers are going for broke, using everything from highly targeted attacks to as-a-service malware and phishing techniques to compromise corporate security. The result? Massive attacks are no longer reserved for the enterprise — small and midsize businesses across market and industry verticals are now just as likely to face large-scale IT threats.
How do cybersecurity professionals handle the risk? It starts with recognition and ends with a reimagining of critical infosec posture. Understand the current threat landscape, and draft a plan to account for common attacks. Target the people problem, then leverage new technology to empower security impact. Finally, on-board the boardroom and think outside the box to bring in new talent and shore up existing skills.