by Simon Young
Is your organisation still treating advanced persistent threats (APTs) and targeted attacks as a technology problem? From Target to Home Depot, it has become clear that the bigger and more visible your business becomes, the greater the risk that sensitive customer data and corporate IP could be compromised.
If 2014 has taught us anything, it’s that it’s time to escalate these threats to your CEO as a strategic business risk.
Bad guys getting smarter
Whether it’s financially motivated criminals, hacktivists or nation states, online attackers today have a much greater understanding of where your weakest points are. So-called “island hopping” attacks, in which partners and suppliers are targeted, have become increasingly popular as they offer a potentially less well-defended route into the corporate network. It’s why IT leaders must hold all parts of their virtual supply chain to the same high security standards – be they cloud service provider, law firm or even their PR consultancy.
The attack surface has been made even broader and more complex with an explosion in the use of personal mobile devices at work (BYOD) and of mobile malware written for Android and iOS. Employee training and awareness programs are an increasingly important tool in helping to spot spear phishing attacks and the like. But even improvements here cannot fully protect against watering hole attacks, where legitimate sites and pages are booby trapped by attackers looking to infect specific users, and in so doing infiltrate the corporate network.
A strategic issue
The truth is that targeted attacks and APTs are not strictly a technology problem but a strategic business issue. Plausible deniability is getting harder to pull off, and executives are increasingly being hit with lawsuits in the wake of major breaches.
The massive Target breach was technically caused by a lack of network segregation and limitation of privileges, and a basic failure to test and understand attack paths. More fundamentally, however, it was down to mismanagement by the retailer, which had huge unexpected strategic impacts.
These included damaged reputation, erosion of market value (profits are said to have dived 40% in Q4 2013) and even professional repercussions, with the CEO and CIO leaving the company in the aftermath of the incident. The firm would have been in a much stronger position to withstand such an attack if proper attention had been paid to cyber security and risk management, from the top down.
Even among those firms which understand the strategic business-level importance of defending against APTs and targeted attacks, there are some misconceptions about how to do this effectively. Many still rely on building perimeter defences that only tackle web and email channels, and fail to take a risk management approach.
Here are a few pointers on responding to targeted attacks and APTs:
- Find tools which give you as much situational awareness of the attack as possible – you need to know where, when and how the attack is taking place, and what the attacker’s objectives may be.
- Consider technology which scans all network ports and over 80 protocols for maximum visibility.
- APT/targeted attack detection tools need to interoperate with other platforms like SIEM, as breach alerts are only the first step.
- Understand your supply chain and where the weakest points are. Make sure any partners follow the same security policies and standards as you mandate internally.
- Low cost, easy-to-install and manage technologies are available. Extra time spent on research and due diligence will pay off in the long run.