As the technology that powers work continues to advance, so do the methods hackers use to take advantage of the world’s businesses. While there are specific processes that must be put in place to improve an organization’s security posture, business leaders must also be thinking about security at a high level.
SEE: Information security incident reporting policy (Tech Pro Research)
Peter Tran, senior director of advanced cyber defense for RSA, hosted a breakout session in which he provided answers to four high-level questions about cybersecurity that businesses should be asking.
1. Are all hacks created equal?
The short answer for this one is maybe, Tran said. It all depends on how you define the word equal. However, many attacks follow the same anatomy.
Typically, an attacker starts by researching their target on social media or company websites in order to legitimize their email. Then, they develop and deliver an infection to exploit a specific vulnerability. Once they gain a foothold with a malware installation and download additional payloads, they download credentials. Broader network access usually comes next, allowing attackers to target what data they want to extract. The attacker then moves laterally through an organization with different admin privileges before staging the data for exfiltration. Finally, the attacker will seek to cover their tracks.
While these are traditional methods in a standard order, leaders need to understand that hackers don’t follow a standard linear kill chain, Tran said. So, if you try to follow that pattern, you’ll never catch up to the hacker. You’ll “be playing whack-a-mole,” Tran said.
It’s also important to note that the attack surface is closer than one may think. For example, Tran said, a car has many more lines of code than an F-22 or Boeing 787, which makes it a more likely target. IT must make sure it is looking at the right surfaces–it might not always be the big valuable piece of infrastructure people are going after.
2. Why do some hacks make headlines and others don’t?
Why some hacks gain more notoriety than others is a complex blend of geopolitics, geoeconomics, standard politics, and more. Ultimately, Tran said, consumers want to know why a certain hack matters and whether or not it affects them.
Consumer data breaches like Target and Home Depot actually hit consumer credit cards, making them prime examples of well-covered attacks. Some of the nation state attacks, however, are harder to understand, especially when you can’t connect the dots as to how it will affect daily life. Still, those nation state attacks with clear connotations grab headlines as well.
The publicity around a hack also depends on its narrative, Tran said. This is especially true when large numbers are involved, as was the case with the Yahoo breach of 1 billion accounts. Many times, micro-breaches only skim off small amounts of data over time, which isn’t as compelling for a headline as millions and billions of accounts, or terabytes of data.
3. Do we care who hacked us?
Sometimes, businesses want to know who is hacking them, why they’re doing it, and who they’re associated with. But, should IT leaders really care who hacked them?
The answer is yes, but only if the business can prove a net gain by proving attribution. If an organization cannot learn something that will make their security investigation easier–like the attackers previous techniques or common behaviors–then it isn’t worth investigating his or her identity.
If you want to investigate, though, Tran said to subscribe to the old adage “follow the money.” Except, in the case of cybersecurity, follow the malware, follow the authors, and seek to find out what they’re planning to do next in your organization.
4. What can we do about it?
For starters, Tran recommends using VIX to determine the potential vulnerability of your data. According to his slide:
VIX is a measure of expected volatility calculated as 100 times the square root of the expected variance (var) of a given data driven environment’s rate of return. The variance is annualized and VIX expresses volatility/vulnerability in percentage points.
The higher the percentage points, the more likely it is that your data will be exploited.
Additionally, Tran said that discovery starts with breadcrumbs. RAS and event logs, forensic images, and packet capture are all great tools to use. Companies should also move to include open source intel and forensics, static and dynamic analysis, and active defense and OpSec as well. Machine intelligence analytics, local linguistics, and local “boots on the ground” are also tactics that should be explored.