5 minute read 8 Aug 2023

Companies cannot afford to focus only on incident prevention as more cybercriminals breach cyber defenses without the victims’ knowledge.


Why cyber breach detection is a crucial part of your defense strategy

By Ramesh Moosa

EY Asean and Singapore Forensic & Integrity Services Leader

Forensic and cyber professional. Leads highly talented teams serving multinational organizations. Agile and adaptable in any environment. Aspiring chef. Bike and car enthusiast.


In brief
  • Substantial investment in incident prevention is not enough as even the most protected public and private companies are not immune to cyber attacks.
  • More threat actors are bypassing cyber defenses without being caught, potentially lurking undetected until the time is ripe for a more devastating attack.
  • Early compromise detection is crucial to identify and address hidden and active threats in the organization’s network and systems to mitigate their impact.

High-profile data breaches and cyber attacks have been dominating the news. We have now reached a stage where it’s no longer a question of whether your organization will be breached or even when; it could have happened already without your knowledge.

Of the more than 1,000 senior cybersecurity leaders canvassed in the EY Global Information Security Survey 2021, 56% said they weren’t sure whether their defenses were strong enough to withstand hackers’ new strategies. 

No defense is impenetrable

Cybersecurity solutions are not bulletproof — some inherently have weaknesses that attackers know how to exploit, such as encrypting malware-laden files to bypass content inspection gateways. There is also no defense against a zero-day attack in the time lag between the public reporting of a new vulnerability and the product manufacturer’s security fix. 

As increasing numbers of well-known brands — including some of the most protected public and private companies — fall victim to cyber attacks, it’s becoming clear that even substantial investment in incident prevention is not sufficient.

The reality is that more and more attackers are bypassing cyber defenses without being caught. We’ve become accustomed to the drama of the immediately apparent ransomware attacks. But more strategic cybercriminals have learned to constantly probe weak targets until they find a back door into the system, where they quietly gather intelligence and prepare an even more devastating attack. 


Escalating damage from undetected breaches

With the global average total cost of a data breach estimated at US$4.35m in 2022 [1], it’s clear that cyber breaches must be responded to swiftly. However, organizations took an average of 207 days to identify a breach in that same year [2]. Moreover, this statistic only included breaches that were detected, and sophisticated cyber breaches are likely to go undetected. This means threat actors can potentially lurk undetected in your network and systems, doing reconnaissance, collecting credentials, staging the final attack or exfiltrating sensitive data.

The increasing likelihood of an attacker already being in your system makes a compelling case for splitting cyber defense investment between prevention and detection. In addition to conducting vulnerability assessment and penetration testing, organizations must focus equally on compromise detection, i.e., looking for anomalous activities across the enterprise that signal an attacker’s presence inside the organization’s system. 

Identifying incidents where an attacker has slipped past security defenses 

Compromise detection harnesses the same forensic strategies used in a cyber breach investigation to identify which endpoints and systems have been compromised. By closely monitoring system and network activities to identify unusual patterns and indicators of compromise (attacker footprints), forensic teams will either find hidden attackers or (hopefully) provide comfort that the organization is not facing a breach.

During the assessment, forensic teams deploy solutions in the IT environment, where they collect telemetry data on system and network activities. Digital forensic professionals then analyze these activities to spot red flags suggesting that compromise may have occurred.

Evidence gathered from forensic methodologies is likely admissible in a court of law. Should there be a need to file or defend against a suit arising from the incident, organizations can turn to experienced forensic experts to issue expert reports or provide expert testimonies in court. Forensic teams also prepare forensic reports to support regulatory submissions or insurance claims.

Expanding function of compromise detection

For years, compromise detection has been seen as a niche service, used as a critical part of cyber forensic investigations to trace and eliminate threats. It is also increasingly conducted under special conditions:

  • When senior IT personnel are terminated for misconduct, digital forensic teams are often called in to check whether the disgruntled party has planted any back doors, time bombs or other malware in the IT environment.
  • Compromise detection is also increasingly conducted in M&As, where acquisition value resides in patents, trade secrets or proprietary technology. In addition, any advanced persistent threats must be investigated and eradicated before interconnecting the acquiring and target entities’ IT networks.
An illustration: business email compromise detection in action

A company in Southeast Asia wired millions of dollars in payments to what it thought were its suppliers. It only realized later that the email requests for these payments were actually phishing emails. Once it discovered the issue, the company swiftly engaged cybersecurity firms to investigate the problem. However, their cybersecurity reviews — which included vulnerability assessment and penetration testing — did not present conclusive findings or identify hidden breaches. Despite that, the company strongly suspected some kind of data breach and sought a digital forensic team’s assistance to conduct an investigation.

The company agreed to the team’s suggestion to conduct compromise detection. Within 48 hours of starting the process, the team detected transmissions of a procurement officer’s password credentials from his laptop to a foreign IP address. The laptop was infected with a malware program beaconing to a command and control (C2) server and exfiltrating data on a regular, automated basis. The team immediately stopped the C2 communications, blocked outgoing communication ports and searched for similar indicators of compromise throughout the enterprise network. It also eventually identified and eradicated several more breaches and vulnerabilities and helped the company restore security in its endpoints and network.
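As an added example (not part of the EY article or the forensic team's tooling), this is how the telemetry analysis described above and in the illustration could be expressed in code: scanning a connection log for the near-constant-interval outbound connections that characterise beaconing, then sweeping the same log for other hosts that contacted the suspected command and control address. The log lines, host names, IP addresses and timestamps are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound-connection log: timestamp, source host, destination IP, bytes out.
# Every value is invented; the destination addresses are documentation-range addresses.
SAMPLE_LOG = """\
2023-08-01T09:00:02Z proc-laptop-17 203.0.113.7 1480
2023-08-01T09:00:09Z hr-desktop-03 198.51.100.20 900
2023-08-01T09:10:01Z proc-laptop-17 203.0.113.7 1512
2023-08-01T09:20:03Z proc-laptop-17 203.0.113.7 1497
2023-08-01T09:22:40Z hr-desktop-03 198.51.100.20 4100
2023-08-01T09:30:02Z proc-laptop-17 203.0.113.7 1505
2023-08-01T09:40:01Z proc-laptop-17 203.0.113.7 1490
2023-08-01T09:51:15Z fin-desktop-08 203.0.113.7 1470
2023-08-01T10:47:30Z hr-desktop-03 198.51.100.20 650
"""

def parse_log(text):
    """Yield (timestamp, host, dst_ip, bytes_out) tuples from the flat log."""
    for line in text.splitlines():
        ts, host, dst, nbytes = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, dst, int(nbytes)

def find_beacons(text, min_events=5, max_jitter=0.1):
    """Return {(host, dst_ip): mean interval in seconds} for connection series
    that recur at near-constant intervals, the timing signature of automated beaconing."""
    series = defaultdict(list)
    for ts, host, dst, _ in parse_log(text):
        series[(host, dst)].append(ts)
    beacons = {}
    for key, stamps in series.items():
        if len(stamps) < min_events:
            continue  # too few events to judge regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # A low coefficient of variation means machine-regular timing, not human browsing.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = avg
    return beacons

def sweep_for_ioc(text, dst_ip):
    """List every host that contacted the suspected C2 address (the enterprise-wide IOC search)."""
    return sorted({host for _, host, dst, _ in parse_log(text) if dst == dst_ip})

if __name__ == "__main__":
    for (host, dst), interval in find_beacons(SAMPLE_LOG).items():
        print(f"{host} -> {dst} every {interval:.0f}s; also seen from {sweep_for_ioc(SAMPLE_LOG, dst)}")
```

In real telemetry the same logic runs over proxy, firewall or EDR network events, and the jitter threshold is tuned to the environment.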

Furthermore, now that skilled attackers can make cyber defenses porous, all organizations should make detection practices part of business as usual. For organizations that find themselves in a constant state of potential compromise, the best defense is to undertake regular compromise detection.

Cyber resilience is becoming less about prevention and more about an organization’s ability to detect and respond to breaches as well as recover from them. Companies that invest in both will be able to identify and address threats that slip through security defenses early before hackers can wreak havoc on the system.

Summary

Organizations need to split cyber defense investment between prevention and detection as more attackers are bypassing cyber defenses without being caught. Compromise detection allows organizations to identify and address threats that slip through security defenses early before cybercriminals can conduct devastating attacks on the system.
