Many vendors are creating products and services to help counter the threat. Organizations are deploying sophisticated virus detection tools, intrusion detection systems and data leakage prevention appliances. Organizations are also implementing sophisticated vulnerability management programs to identify and remediate vulnerabilities in a timely manner. Despite this array of available technology solutions, attackers continue to find a way through, resulting in high-profile and damaging breaches that continue to be publicized in the media.
As media reports of significant breaches indicate, the challenge lies in detecting evidence of an intruder and taking steps to stop the attack before your data is stolen and real damage is done to your business.
The current cyber threat landscape has a wide variety of threat actors with a multitude of specialized attack capabilities at their disposal. EY’s cybersecurity compromise diagnostic services are built to help detect those threat actors through a set of diagnostic assessments.
Today’s silent intruder
Many attacks, such as Distributed Denial of Service (DDoS), are noisy and disruptive, making them hard to overlook. However, the most impactful attacks tend to be perpetrated by cyber threat actors that are commonly referred to as advanced persistent threats (APT), who use sophisticated and stealthy methods to carry out system breaches that go undetected for extended periods of time.
While every attack is different and is unlikely to follow the same approach (cyber criminals don’t exactly follow a rule book), it is possible to map the majority of attacks to a simple 10-step process as outlined here. Mapping the attack life cycle in this manner allows an organization to not only understand how an attacker might perpetrate an attack, but also what controls are in place to sense, resist and react to an attacker at each step. It’s these opportunities to terminate an attack early in the process that lead to the mapping process being called the “kill-chain.”
The example here depicts a typical APT attack that starts with spear-phishing. However, the techniques used to gain that initial foothold are many and varied, ranging from exploiting vulnerabilities on internet-facing systems to physically breaching defenses and plugging directly into your core systems. We have also included a high-level view of the types of evidence that might exist, and can therefore be detected, at each stage of this example attack.
Challenges of managing cyber risks
Cyber risk is different from traditional IT risk and presents a unique set of challenges:
- The lead time in detecting attacks can be significant due to blind spots and the advanced techniques used by attackers to hide their presence.
- Traditional prevention and detection methods (such as signature-based anti-virus) won’t detect sophisticated attacks, which have been tailor-made for your environment.
- Preventative technologies, such as firewalls and various intrusion prevention systems, do not stop your most sensitive information from being sent over the internet if the activity is initiated by what appears to be a legitimate user on one of your systems.
- Understanding and establishing a baseline of “what is normal” on your network can be challenging, making it difficult to spot the anomalous activity and indicators of compromise that require further investigation.
- The increasing sophistication of the ways attackers gain an initial foothold can make it very difficult to detect attacks in their early stages. Phishing techniques have become so sophisticated that it can be almost impossible to distinguish a malicious email from a genuine one, which makes it difficult to educate your organization’s people on how to spot an attack.