Time to Put Cyber-Security into Context

It is rare for a week to go by where a global cyber-security issue has not made the headlines. The latest one has been the Meltdown and Spectre vulnerabilities that many are still struggling to patch.

This begs the question: organisations are spending more and more resources on cyber-security, yet the breaches and associated losses grow constantly. Why is this happening, and what can be done to stop or reverse this trend?

Add to this the fact that the Mandatory Data Breach Notification Laws come into effect in a couple of weeks and it gives us the compelling event we need to change our approach to cyber-security.

In this paper I will present some points that I believe may help address this.

As mentioned earlier, organisations are spending an ever-increasing amount of resources, largely on technology that they believe (or have been led to believe!) will improve their cyber-security posture. Many of these investments are driven by security strategies that have been developed in light of one of the globally accepted security standards.

To be clear, I am a big believer in these standards and have used them multiple times myself to produce security strategies. However, using these standards on their own and in isolation lacks a key ingredient: context. Context in this instance refers to the following:

  1. Why is the organisation being attacked and what do they have to protect?
  2. How are they being attacked and what controls could be put in place to address this?

Let's look at each question in turn:

  1. With this question, a detailed consultation with the business needs to occur. We need to gain an understanding of what the business is doing, and what assets and IP it has that need to be protected. Once we know this, we know what we have to guard.
  2. The second question gets a bit trickier, as there are multiple methods by which an organisation can be attacked. I will cover the one that I believe is the most common now and then highlight a simple method of applying controls that may help stop this type of attack.


Arguably, the method of choice for attackers now is phishing. They use this method to trick users and gain access to their device. Once the user has taken the bait, the attacker will get into the organisation's IT environment with the intent of finding and exfiltrating critical data and information.

I have depicted this attack methodology below and have explained it in simple terms:

  • Email or web based attack – initially the attacker will send an email with a link or an attachment that will either contain malware or direct the user to it.
  • Malware download – once the user opens the attachment or clicks on the link, the malware will be downloaded to the user's device. This usually exploits a missing patch on the device.
  • Local device takeover – once the malware has been downloaded to the device, the attacker will look at taking control of the infected device.
  • Privilege escalation – the attacker will then look to move laterally within the network and try to gain higher privileges. Once this is attained, the attacker will start looking for the critical data that they want to exfiltrate.
  • Data exfiltration – once the attacker has found the data, they will try to copy it off to another location under their control.

Now that we have discussed how an attacker can get into an organisation (please note this is not the only way), let's look at how we can come up with controls that can help stop this type of attack.

Controls within a cyber-security context generally fall into four categories. I have illustrated and described the categories below:

  • Predict – systems, tools, policies and procedures that help detect vulnerabilities in systems and predict potential avenues of attack
  • Prevent – systems, tools, policies and procedures that prevent threats affecting your systems. An example would be the corporate firewall
  • Detect – systems, tools, policies and procedures that give you the ability to detect threats that may be affecting your system. An example here would be an Intrusion Detection System
  • Respond – systems, tools, policies and procedures that allow you to respond to threats and contain / eradicate them. A policy example would be the corporate Incident Response Plan and associated tools such as a Security Information and Event Management (SIEM) system.

Now comes the important part: we must look at every step in the attack methodology and, for each step, apply controls from each of the four categories to help stop the attack. The simplest way of doing this is in a table, as illustrated below:

| | Email & Web Attack | Malware Download | Device Takeover | Privilege Escalation | Data Exfiltration |
|---|---|---|---|---|---|
| Predict | Dark Market Scanning; Web / Email Filtering; Next Generation Firewall (NGFW) | Web / Email Filtering; Advanced Endpoint Protection; NGFW | Advanced Endpoint Protection | Advanced Endpoint Protection | Advanced Endpoint Protection |
| Protect | Web / Email Filtering; User Education and Anti-Phishing Software and Training; NGFW | Web / Email Filtering; Advanced Endpoint Protection; Patch & Vulnerability (Vul) Mgmt; NGFW | Advanced Endpoint Protection; Patch & Vul Mgmt | Privileged Access Mgmt; Identity and Access Mgmt; Patch & Vul Mgmt | Advanced Endpoint Protection; NGFW; Data Leakage Prevention (DLP) |
| Detect | Web / Email Filtering; NGFW | Web / Email Filtering; Advanced Endpoint Protection; NGFW | Advanced Endpoint Protection | Advanced Endpoint Protection | Advanced Endpoint Protection; NGFW; DLP |
| Respond (Attack Successful) | NGFW (IPS); SIEM; SOC | NGFW (IPS); SIEM; SOC | NGFW (IPS); SIEM; SOC | NGFW (IPS); SIEM; SOC | NGFW (IPS); SIEM; SOC |

Please note that the above table is an example only, and the controls / technologies listed are not an exhaustive list. I have also concentrated on technical controls in the above example. This does not negate the need for policy and people controls.

For the technologies listed above, appropriate policies and procedures should be documented on their use and deployment. Technical staff must be trained in their use, and general users must be given awareness training so that they can spot attack attempts and not fall for them.

Once you have identified the assets you need to protect, apply the controls noted above to them and the locations they reside in.
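To show how the step-by-category matrix can be worked with rather than just drawn, here is an added example (my own illustration, not code from the article or any product). It transcribes the article's table into a Python structure and runs a simple gap analysis over it: cells with no control, cells that rest on a single control, controls a category leans on at every step, and the set of controls relevant to an asset given the attack steps its location exposes it to. The function names, the control name abbreviations and the sample asset exposure are this example's own assumptions.

```python
"""Gap analysis over an attack-step x control-category matrix.

Added example, not from the article or any vendor. The matrix transcribes the
article's illustrative table (which its author notes is not exhaustive); the
function names and the sample asset exposure are assumptions made here.
"""

ATTACK_STEPS = [
    "Email & Web Attack",
    "Malware Download",
    "Device Takeover",
    "Privilege Escalation",
    "Data Exfiltration",
]
CATEGORIES = ["Predict", "Protect", "Detect", "Respond"]

# Short names for controls that recur across many cells.
AEP = "Advanced Endpoint Protection"
WEF = "Web / Email Filtering"
PVM = "Patch & Vulnerability Mgmt"
RESPOND = ["NGFW (IPS)", "SIEM", "SOC"]

# Each cell lists the controls the article places at (category, step).
CONTROL_MATRIX = {
    "Predict": {
        "Email & Web Attack": ["Dark Market Scanning", WEF, "NGFW"],
        "Malware Download": [WEF, AEP, "NGFW"],
        "Device Takeover": [AEP],
        "Privilege Escalation": [AEP],
        "Data Exfiltration": [AEP],
    },
    "Protect": {
        "Email & Web Attack": [WEF, "User Education and Anti-Phishing Training", "NGFW"],
        "Malware Download": [WEF, AEP, PVM, "NGFW"],
        "Device Takeover": [AEP, PVM],
        "Privilege Escalation": ["Privileged Access Mgmt", "Identity and Access Mgmt", PVM],
        "Data Exfiltration": [AEP, "NGFW", "DLP"],
    },
    "Detect": {
        "Email & Web Attack": [WEF, "NGFW"],
        "Malware Download": [WEF, AEP, "NGFW"],
        "Device Takeover": [AEP],
        "Privilege Escalation": [AEP],
        "Data Exfiltration": [AEP, "NGFW", "DLP"],
    },
    "Respond": {step: list(RESPOND) for step in ATTACK_STEPS},
}


def uncovered_cells(matrix, steps=ATTACK_STEPS, categories=CATEGORIES):
    """(category, step) pairs with no control at all: that phase of the
    defence has nothing in the attacker's way for that step."""
    return [(c, s) for c in categories for s in steps if not matrix.get(c, {}).get(s)]


def single_control_cells(matrix, steps=ATTACK_STEPS, categories=CATEGORIES):
    """Cells that rest on exactly one control; if it is bypassed or
    misconfigured, the category offers nothing for that step."""
    return [(c, s) for c in categories for s in steps
            if len(set(matrix.get(c, {}).get(s, []))) == 1]


def controls_in_every_step(matrix, category, steps=ATTACK_STEPS):
    """Controls a category relies on at every step (a concentration of trust)."""
    cells = [set(matrix.get(category, {}).get(s, [])) for s in steps]
    return set.intersection(*cells) if cells else set()


def controls_for_step(matrix, step, categories=CATEGORIES):
    """All distinct controls, across categories, that touch one attack step."""
    return {ctl for c in categories for ctl in matrix.get(c, {}).get(step, [])}


def controls_for_asset(matrix, exposed_steps, categories=CATEGORIES):
    """Union of controls for the attack steps an asset's location exposes it
    to. Which steps apply to which asset is the output of the business
    consultation the article describes; the caller supplies it."""
    return set().union(*(controls_for_step(matrix, s, categories) for s in exposed_steps))


def gap_report(matrix):
    """Summarise where the matrix is thin, as a plain dict."""
    return {
        "uncovered": uncovered_cells(matrix),
        "single_control": single_control_cells(matrix),
        "every_step": {c: sorted(controls_in_every_step(matrix, c)) for c in CATEGORIES},
    }


if __name__ == "__main__":
    for key, value in gap_report(CONTROL_MATRIX).items():
        print(f"{key}: {value}")
    # Constructed sample asset: a database reachable only after an attacker
    # already has a foothold, so only the last two steps apply to it.
    db_controls = controls_for_asset(CONTROL_MATRIX, ["Privilege Escalation", "Data Exfiltration"])
    print("customer database:", sorted(db_controls))
```

Run against the article's own table, the report shows no empty cells but five cells (three in Predict, two in Detect) that depend solely on endpoint protection, and a Respond row in which the same three capabilities carry every step; those are the places a risk analysis would want to look at first.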

The process above should then be augmented with a risk analysis based on one of the globally accepted security standards such as the ISO 27000 series to provide a complete and detailed assessment of the organisation’s cyber-security environment.

In this paper, I have tried to illustrate a method that gives context to the implementation of security controls within an organisation, based on understanding how attacks can occur and what to do to protect against them.

By understanding this context, applying the relevant controls and augmenting this with a detailed risk analysis, we increase our chances of staying ahead of the attackers and can hopefully start reversing the trend of ever-increasing attacks. Without knowing how you are being attacked and what is at risk, driving your security strategy is a bit like shooting in the dark.
