Security Think Tank: Situational awareness underpins effective security
As attackers begin to use multiple command and control systems to communicate with backdoors and other malware, how can organisations ensure they detect such methods and that all C&C systems are removed, including ‘sleepers’ designed to be activated at a future date?
We know that malware can be downloaded inadvertently from phishing emails and drive-by infection. Often these infections start off simple, but then can lay down new command and control systems that will run, patch and manage themselves, like legitimate software, turning an initially simple infection into something much more complex and sophisticated.
On other occasions, malware components already present in the hardware at the point of purchase – like a sleeper cell, sitting under the radar – are activated. In other words, those systems or devices were never secure in the first place, so it was simply a matter of time before they were invoked in some nefarious way.
Of course, because you installed them yourself, the time to discovery is likely to be longer, and so is the time they have to do damage. A good example of this is how some of the SWIFT banking attacks have unfolded.
When targeting a major organisation, attackers hop into its ecosystem: they find a way in through the supply chain rather than attempting a direct assault on the target company, which may have excellent outward-facing security but is perhaps less vigilant about what happens inside its own networks.
We must also be aware of the complex nature of modern supply ecosystems. Many cyber attacks are not necessarily seeking to exploit the initial victim, but instead view it as a foothold in a weak, poorly defended environment from within which to launch further attacks up and down the supply chain.
We must become better aware of our connectivity, not just our mainstream IT, but all of our peripheral systems and the systems they then connect to. Research carried out by Kaspersky indicates that the costliest breaches start with third parties.
State-sponsored intelligence capability and motivation are high. But their high levels of success are not just about capability; they stem from businesses' inability to understand the threat, to design effective layers of security that provide defence in depth, to implement appropriate protective monitoring strategies, and to have business continuity and forensic readiness capabilities that minimise the reaction time across detection, isolation, investigation and recovery.
An example of this is US retailer Target. There is no point having a full-time alerting system with no one to respond and no plan.
Very few attackers, apart from those highly motivated ones, go to these lengths or put in this much effort just for fun. That means that, as businesses, we have to ask ourselves: what are they after? But to know what they are after, we need to truly understand the threat actors we are seeking to protect ourselves against.
We need to understand the assets that each threat actor is seeking to exploit, steal, damage or destroy. Then, and only then, can we genuinely apply a granular security model that is proportionate to the value of the assets and that really gives us a system of defence in depth.