Paperjam, October 2018

The holistic approach to cyber defence


Too many organisations take only a partial approach to defending themselves against cyber attacks. New technologies must be embraced (including artificial intelligence), but just as importantly, crisis management plans featuring senior management must be well understood and stress-tested.

Standard intrusion detection systems and firewalls only take us so far. For effective protection and detection we need to look at new ways to achieve better detection, leveraging sophisticated technology.

As an example, artificial intelligence can probe potential vulnerabilities and reveal hidden clues of an attack taking place at a very early stage.

The most prevalent and serious cyber threats originate from well-funded, professionally operating and organised cyber criminal groups, sometimes originating from governments. They have the resources to plan attacks, directly targeted at individual organisations or whole industries, probing specific human and technical weaknesses. The IT infrastructure within businesses should be equipped with robust firewalls, but employees can still be fooled, including by emails designed to look like they come from a trusted business partner or a manager, which is an attack vector often used in ubiquitous ransomware attacks.

Being better prepared

The first step to being better prepared is to understand everything that the criminals can find online about your organisation and key staff. Are your people, partners or clients posting sensitive information about you on social media? Has your data been hacked and is it for sale on the dark web? Scanning this open source intelligence is increasingly important as it will warn you about potential attack vectors. Cyber criminals love reconnaissance, and you may want to know what they already know about you.

Despite the best preparation, there is no guarantee that a cyber attack won’t be successful. Moreover, modern hackers are not necessarily interested in acts of cyber vandalism. They may want your systems to run as smoothly as normal, enabling their IT tools to scan your systems for sensitive data that can then be exfiltrated. If this process can continue for weeks or months, then this is all the better for the criminal.

AI to check for anomalies

This is where AI tools come in. They scan the mass of network traffic and compare it with historical norms. Your organisation might send petabytes of data across the world to thousands of IP addresses, but AI tools can alert you if some of this is flowing to an unusual internet resource, possibly in an unusual location.

This can trigger intervention by a member of staff in a Security Operations Center who will check the validity of this data flow. If there is an innocent explanation, the AI system will “learn” not to trigger this false-positive warning in the future. However, it might point to the illegal exfiltration of sensitive data to an unknown location at a very early stage.

The data gathered by the AI engine can also support a forensic investigation, tracing data flows through your organisation to locate which workstations or servers may have been compromised, what malware was involved and whether it self-replicated, whether administrator rights were obtained, and which data have been stolen. Because the AI tool works continuously, this breach detection system can generate response mechanisms within seconds.
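The detection loop described in the three paragraphs above (baseline from historical traffic, alert on unusual destinations or volumes, analyst feedback that suppresses a confirmed false positive, and alerts that name the internal hosts involved) can be shown in a small script. This is an added example, not code from the article or from any vendor's product; the flow-record format, the host names, the destination addresses (taken from the documentation ranges), the byte counts and the thresholds are all constructed for illustration.

```python
"""Added example: baseline anomaly detection over outbound flow records.

All hosts, destinations, volumes and thresholds are constructed; the flow record
format is an assumption, not a real log format.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    """One outbound flow summary: day index, internal source host, destination IP,
    destination country code and bytes sent (constructed format)."""
    day: int
    src: str
    dst: str
    country: str
    bytes_out: int


# Constructed history: five days of regular traffic to a partner and a backup provider.
_BACKUP_BYTES = [5_000_000, 6_000_000, 5_000_000, 6_000_000, 5_000_000]
HISTORY = [
    f for day in range(1, 6) for f in (
        Flow(day, "ws-sales-01", "203.0.113.10", "DE", 1_000_000),
        Flow(day, "srv-backup-01", "198.51.100.20", "US", _BACKUP_BYTES[day - 1]),
    )
]

# Constructed "today": a slightly larger partner transfer, a much larger backup,
# 80 MB from two finance workstations to a never-seen destination, and a tiny flow
# to another new destination (ordinary browsing).
TODAY = [
    Flow(6, "ws-sales-01", "203.0.113.10", "DE", 1_100_000),
    Flow(6, "srv-backup-01", "198.51.100.20", "US", 20_000_000),
    Flow(6, "ws-finance-03", "192.0.2.77", "XX", 50_000_000),
    Flow(6, "ws-finance-07", "192.0.2.77", "XX", 30_000_000),
    Flow(6, "ws-sales-01", "192.0.2.5", "FR", 200_000),
]


class BaselineDetector:
    """Compares one day's outbound volume per destination with the historical norm.

    Alert reasons:
      new_destination : bytes sent to a destination absent from history, above a floor
                        so that ordinary web browsing does not alert
      volume_spike    : a known destination receives far more than its daily mean
                        (z-score above z_threshold)
    Analyst feedback (confirm_benign) folds the confirmed observation into the history
    for that destination only, so the same behaviour does not alert again.
    """

    def __init__(self, history, z_threshold=3.0, new_dest_min_bytes=50_000_000):
        self.z_threshold = z_threshold
        self.new_dest_min_bytes = new_dest_min_bytes
        self.days = set()                                      # days covered by history
        self.daily = defaultdict(lambda: defaultdict(int))     # dst -> day -> bytes
        for f in history:
            self.days.add(f.day)
            self.daily[f.dst][f.day] += f.bytes_out

    def _baseline(self, dst):
        """Mean and std of daily bytes to dst; days with no traffic count as zero."""
        days = self.days | set(self.daily[dst])
        totals = [self.daily[dst].get(day, 0) for day in sorted(days)]
        mu, sigma = mean(totals), pstdev(totals)
        # Floor sigma so perfectly regular history (sigma == 0) still tolerates small drift.
        return mu, max(sigma, 0.1 * mu, 1.0)

    def evaluate(self, flows):
        """Return alerts for one day's flows, each naming the internal hosts involved."""
        per_dst = defaultdict(lambda: {"bytes": 0, "sources": set()})
        for f in flows:
            entry = per_dst[f.dst]
            entry["bytes"] += f.bytes_out
            entry["sources"].add(f.src)
            entry["country"], entry["day"] = f.country, f.day
        alerts = []
        for dst, e in per_dst.items():
            base = {"dst": dst, "country": e["country"], "day": e["day"],
                    "bytes": e["bytes"], "sources": sorted(e["sources"])}
            if dst not in self.daily:
                if e["bytes"] >= self.new_dest_min_bytes:
                    alerts.append({**base, "reason": "new_destination"})
                continue
            mu, sigma = self._baseline(dst)
            z = (e["bytes"] - mu) / sigma
            if z > self.z_threshold:
                alerts.append({**base, "reason": "volume_spike", "z": round(z, 1)})
        return alerts

    def confirm_benign(self, alert):
        """SOC feedback: record the observed volume as normal for that destination and day."""
        self.daily[alert["dst"]][alert["day"]] = alert["bytes"]


def run_demo():
    """Run detection, accept the backup spike as benign, run again; return both alert lists."""
    det = BaselineDetector(HISTORY)
    first = det.evaluate(TODAY)
    for a in first:
        if a["reason"] == "volume_spike":
            det.confirm_benign(a)          # analyst: backup job size was increased
    return first, det.evaluate(TODAY)


if __name__ == "__main__":
    before, after = run_demo()
    print("initial alerts:", before)
    print("after feedback:", after)
```

The first pass raises two alerts: a volume spike on the backup destination and 80 MB to a destination never seen before, attributed to two finance workstations. After the analyst confirms the backup spike as benign, the adapted baseline no longer flags it, while the new-destination alert remains for investigation.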

Solid crisis response plan

Then an organisation-wide crisis response plan has to swing into action. Cyber crisis management is not just an IT challenge, but should be a priority issue for the whole organisation, which needs to be ready to respond.

The AI tool will help the IT department block the communication of more data and will help quarantine infected machines and networks. But this is just a minimum requirement. You need to have a broader plan if personal data has been compromised, particularly passwords, private communications and personal data protected by the respective legal framework.

Clients and product vendors will need to be contacted as soon as possible. You will need to inform partners of the potential for them having been infected. Financial services businesses will need to notify their respective regulators, as well as the National Commission for Data Protection (CNPD), the state-run Computer Incident Response Center Luxembourg, and even the police.

You wouldn’t want the information about the breach to leak out in an uncontrolled way, so you will need to be up-front and communicate clearly to the media. You will also need key executives ready to take decisions quickly. If your data has been locked by ransomware, do you take the risk and pay the ransom, or can you rely on backups? You may also need to spend cash urgently, and you will need to be able to access this 24/7. In other words, as well as the CIO and CSO, the CEO, the CFO, internal legal, the head of communications, and more will need to be able to respond in an orchestrated way at any time and on any day.

Incident response plans need to be thorough, well understood and tested, so that everyone will be able to respond appropriately given different attack scenarios. These plans will need to take account of the potential for absences of key people in the case of illness or holiday. Your plans need to be simulated as-live in real time so that if the worst happens you can have a methodical, reflex response.

Cyber criminals are so resourceful that it is unrealistic to believe you can protect yourself from attack. But clients and shareholders expect you, and rightfully so, to have deployed the most effective technology and have effective crisis-response plans in place. And it’s all about being better prepared.