RiskUKNovember2017

More documents

Recommendations

Info

Stopping Persistence From Paying Off According to global technology association ISACA, 74% of organisations believe they’ll be targeted by an Advanced Persistent Threat at some point, but only 67% state that they’re ready to respond to such an occurrence when it does happen. Daniel Driver offers salient security advice for professionals looking to prevent cyber criminals’ continued efforts from paying off An Advanced Persistent Threat (APT) is a general name for malware that remains resident within a network, harvesting data over a prolonged period of time without detection by security software. Typically, an APT may initiate by using techniques such as social engineering, causing a user to inadvertently install an exploit on their device. However, an APT could also manipulate a device from outside the organisation’s network. If this is initiated by the user, it’s more likely to subvert the malware protection mechanisms typically in place on a given network. Once network access is gained, the threat will elevate its level of access to systems and data, while covering its tracks to minimise the likelihood of detection. It’s at this point that the malicious actor has access to all necessary systems and can begin the intended task(s). These follow-on stages of the attack could consist of outbound communications with a Command and Control server to receive instructions, perform reconnaissance and exfiltrate data that’s valuable to the attacker. APTs blend into background network activity, making them difficult to identify as malicious behaviour individually. However, when these behaviours are correlated together, they begin to build a picture of suspicious activity over longer periods of time. For example, periodic Domain Name Service look-ups to Domain Generation Algorithm-style addresses, followed by the transfer of data outside of the network, would be a potential indication that some form of persistent threat is operating, whereas none of these behaviours individually are necessarily identified as a threat. To detect this type of activity, an organisation needs good visibility of its network and control of the configuration. An APT will likely be ‘less noisy’ than most malware as they’re often designed specifically for a particular network and organisation, rather than a less sophisticated attack deployed to infiltrate a mass target list. There may be evidence of authentication failures, or user accounts being accessed across multiple devices, as well as unusual internal communications where privilege escalation is being attempted, perhaps alongside unusual outbound sessions and the egress of key data. Correlation of multiple behaviours and data sources can be used to identify activities of interest. However, depending on the sophistication of the attack, detection may be very difficult as an attacker might be using their ‘best tools’ to exploit devices and access data. Plugging the cyber gap Education is always key to making employees aware of the risks associated with clicking on links or downloading attachments. Security teams must also understand their risks in the domain and the APT groups that are likely to attack. Understanding the tactics, techniques and procedures used to attack a network will allow for best preparation in terms of defence. Enterprises must ensure that the basic security measures are in place, such as making certain of adequate patch management, user access controls, user training and tight management of devices connected to the network. Enterprises must then assess their security risk and what level of security maturity they need, both from a risk/cost perspective and a policy perspective. There are many tools available to ensure that an enterprise can achieve all the visibility necessary to monitor the network and the data that resides within it. However, it’s important not to let this result in too much information generating a substantial data monitoring problem, whereby it’s then impossible to find the proverbial needle in the haystack. It’s important to move to an active defence methodology by monitoring all behaviour on a 64 www.risk-uk.com
Cyber Security: Advanced Persistent Threats network and having the right tools to pinpoint the signal from within the network noise. It’s therefore unlikely that you’ll be able to identify the APT by performing simple host-based analysis, since that’s the sort of security APT attacks are specifically designed to bypass. Neither may a standard firewall at the perimeter and anti-virus software on the endpoint be sufficient to detect APT activity, especially so if these are threats that haven’t been seen before. The addition of network behavioural monitoring to complement these more traditional security tools provides a means for detecting ongoing behaviours, even if they’ve bypassed these other defences. Blended security architecture Having a blended security architecture such as this ensures that, even in the event some security layers are subverted, a backstop is in place to prevent ongoing damage. No network will be 100% secure. It’s vital that, in the event an APT is present on your network, you’re able to clearly see when and where it’s active such that you can take the necessary remedial steps with the minimum amount of disruption. Given that APTs are designed to be persistent, if you’re performing long-term analysis and correlation it’s possible to identify the behaviours associated with the APT in order to prevent it from causing real damage. Defences should be regularly tested to ensure that an attacker cannot gain access and also to make certain that the security tools employed are identifying the attack in progress. Business continuity procedures should also be regularly reviewed and exercised. Consider all options of an attack and have measures in place to identify, limit and remove the threat, recover quickly from the episode and limit service interruption for the business overall. APTs are evolving to become more stealthy, for example by cleaning up any event logs that have been made by operations performed. They’re also often aware of virtual machines, so sandboxing techniques are now proving to be less effective. APTs tend to use any resources that they have available on the exploited host in order to reduce the ability of detection. This applies to any attack, whether it be from an APT or mainstream malware, as they’re always developing to ensure they remain undetected on a network or device for as long as possible. File-less malware has become more prevalent of late, meaning that existing security solutions watching for evidence of exploit from activities such as malware installation on to the hard drive and/or registry changes are no longer detecting occurrences. “Defences should be regularly tested to ensure that an attacker cannot gain access and also to make certain that the security tools are identifying the attack in progress” Many APTs are aimed at highly sophisticated organisations with advanced security, meaning that gaining ‘legitimate’ access through techniques such as social engineering or credential theft are a ‘must’ for them. For example, it’s often the case that users re-use passwords which may be exposed in unrelated data breaches. Attackers can then employ them to gain access to the network. There’s no magic trick to shortcut the detection of APTs, and don’t assume that APTs are going to be detected in a short timeframe, either. It can often take a significant amount of time, resources and tooling to identify the threat and then perform the forensics needed to understand what actually happened. Technology developments such as the Cloud and BYOD add convenience to an organisation, but at the potential risk of security. Steps can be taken to secure sensitive data such as issuing secured devices and making sure some areas of the network are ‘air-gapped’. Some enterprises react to the threat by installing the most advanced and expensive tools, without fully understanding what they offer and how to use them effectively. Equally, enterprises may install tools simply to meet policies and ‘tick the box’. It’s always the case that an organisation should implement a strategic and measured approach to security. Persistence can pay off when trying to gain access to a network, and it’s likely that someone who’s determined to break in will almost certainly be successful in doing so. Organisations must architect a network to minimise the impact should a breach occur. Have a backstop in place. Should the APT make it through your primary and secondary security defences, its time on the network and resulting damage can be limited. Network behavioural monitoring can play a vital role here. The staged and covert nature of APTs means correlation of behaviours over time is critical in their identification and isolation. Using more traditional network security tools to deliver anomaly detection or using the latest reputation feeds are helpful, but they will certainly not be enough to allow you to identify the threat and reduce your exposure. An educated approach to security is crucial, ensuring Best Practice is in place such that all networks, endpoints and services are secure and all end users suitably trained. Daniel Driver: Head of Perception Cyber Security at Chemring Technology Solutions 65 www.risk-uk.com
Page 1 and 2:
November 2017 www.risk-uk.com Secur
Page 3 and 4:
November 2017 Contents 31 Fire Safe
Page 5 and 6:
Texecom Connect App New smartphone
Page 7 and 8:
News Update Home Office announces p
Page 9 and 10:
News Analysis: National Cyber Secur
Page 11 and 12:
News Special: ‘Creating A Securit
Page 13 and 14: SkyHawk AI The hawk is back and sma
Page 15 and 16: Opinion: European Union General Dat
Page 17 and 18: Opinion: Security Business Sector I
Page 19 and 20: BSIA Briefing Biometrics is the tec
Page 21 and 22: ENCRYPTED HIGH SECURITY CLASS 5 Enc
Page 23 and 24: Risk and Security Management Nation
Page 25 and 26: Security Management in the Extracti
Page 27 and 28: Continuous Availability for Securit
Page 29: The New Camera Line Mx6 Creates Mor
Page 32 and 33: FIRE SAFETY “The professional qua
Page 34 and 35: FIRE SAFETY “Learners successfull
Page 36 and 37: FIRE SAFETY Kentec explains how cut
Page 38 and 39: FIRE SAFETY Frederick Koons, market
Page 40 and 41: FIRE SAFETY Audible and Visual Prot
Page 42 and 43: Venturing into the Datasphere To mo
Page 45 and 46: Remote Monitoring for Video Surveil
Page 47 and 48: We’ve Got You Covered Update to t
Page 49 and 50: Physical Security Information Manag
Page 51 and 52: Security in the Transport Sector: A
Page 53 and 54: Multi award winning security servic
Page 55 and 56: Meet The Security Company: Omni Sec
Page 57 and 58: The Security Institute’s View and
Page 59 and 60: In the Spotlight: ASIS Internationa
Page 61 and 62: FIA Technical Briefing: Amendments
Page 63: Security Services: Best Practice Ca
Page 67 and 68: Training and Career Development Fir
Page 69 and 70: Risk in Action ievo provides biomet
Page 71 and 72: Technology in Focus Compact four-ch
Page 73 and 74: Appointments Paul Barnard Ward Secu
Page 75 and 76: “ You have to be here if you want
Page 77 and 78: CCTV CCTV Rapid Deployment Digital
Page 79 and 80: SECURITY ANTI-CLIMB SOLUTIONS & SEC
show all

RiskUKNovember2017

Create successful ePaper yourself

Delete template?

Save as template?