by Bharat Mistry
The cyber attack and subsequent breach of UK ISP and phone company TalkTalk has dominated the IT headlines over the past few weeks. It’s already predicted to cost the firm an estimated £35 million, and it is just the latest example of a growing threat that is undermining CISOs’ efforts to keep IP and customer data safe and secure: targeted attacks. We’re not talking about limited nation-state activity here. The ability to launch laser-focused data-stealing attacks, designed to lift your company’s most sensitive data right from under your noses without tripping any alarms, is now in the hands of the many.
Under the radar
The problem with targeted attacks is they’re designed to be as covert as possible. Many begin with a spear phishing attack, tricking the user into opening an innocent looking but malicious email attachment or following a malicious link. The malware download crucially begins in the background, without the user’s knowledge, and is often crafted specifically to circumvent the security tools a particular victim organisation has in place. Some even use zero-day exploits, which have an even better chance of evading detection.
Once inside the network, targeted attackers will escalate privileges until they find the data they’re looking for. Many such campaigns will use malware with obfuscation capabilities designed to maintain secret persistence inside the organisation – sometimes for weeks or months. The longer they’re allowed to remain inside, the worse the damage and resulting costs. Targeted attacks have the potential to wreak catastrophic damage on a firm by stealing highly prized customer PII and financial data or sensitive IP. The result will not just be significant remediation and clean-up costs, industry fines and a nasty hit to the share price, but potentially follow-on legal costs, lost customers and damage to the brand in the eyes of consumers and shareholders.
As an example of the potential costs involved, US retailer Target – which haemorrhaged details on 110 million customers – settled for $10m in court this year after a lawsuit was brought by some of those customers. The firm has claimed in filings that its costs have already reached $252m since the attack in late 2013.
The examples we hear about most often are from the US, in part because they have mandatory breach disclosure laws there. It’s possible that even if firms in the UK do know they’ve been successfully targeted and attacked by cybercriminals, that information is never made public.
A troubling picture
That’s why we polled 600 IT leaders from across Europe, including 100 in the UK, to find out their levels of preparedness for targeted attacks. Unfortunately, what we found was not reassuring. Some 31 of the 251 firms that said they’d been targeted didn’t know whether data had been taken or not, while a further six didn’t know how much data they’d lost. This lack of readiness and visibility is surprising given that complacency about breaches has dropped from 26% in 2013 to 6% this year.
Although UK firms did better at staving off breaches compared to their European counterparts, it should be added that six made the top 40 of worst-hit organisations in 2015, including the number one and two spots. These firms all have IT security teams, operations centres and/or managed security service providers in place, so how can they better manage the problem?
Here are a few quick tips:
- Regular pen testing to discover unpatched vulnerabilities
- Apply vendor patches to key systems immediately to reduce attack surface
- Advanced sandboxing can help spot malware in spear-phishing emails
- Log inspection and file integrity monitoring will keep an eye on unusual behaviour inside the network
- Design and test an incident response plan involving key stakeholders from legal, HR, PR etc.
- Tighten access controls and reduce the number of privileged accounts
Remember, targeted attacks are no longer the exception. It’s time we moved from a focus on prevention to one of detection, remediation and effective response.