Data is all around us, from the way doctors use it to better understand patients to online retailers collecting data on customer interactions during a transaction.
Confronted by conversations around how to make the most of the data available, there has been an urgent need for businesses to look at how they can protect and meet the privacy demands of consumers.
Indeed, our very own ‘Tech in a Transforming Britain’ report revealed a fifth of the UK public think cybercrime is the biggest challenge facing the UK today – above both global economic uncertainty and the skills gap.
From WannaCry to Equifax to Uber making 2017 a year all about security, this concern comes as no surprise.
But with the looming General Data Protection Regulation (GDPR) and Network & Information Systems (NIS) legislations fast approaching, what will businesses and organisations alike be doing to safeguard their business, employees and customers against cyber-attacks in 2018?
Here are our top five predictions:
1. Using CTI to support a back to basics approach
Cyber threat intelligence (CTI) can be defined in many different ways and it can simply be a threat feed. In the coming year, it will be important to use threat intelligence to provide an early warning system to customers and context to threats.
In short: by doing the hard work so customers don’t have to be dependent on the service and level of access, suppliers can actually block threats before they have a chance to do any damage.
In most cases that threat intelligence is simply providing guidance on ‘protecting’ using basic defences such as patch management. It’s challenging in any corporate environment expressing the severity of a vulnerability not only as a technical risk, but also a financial, human and business risk.
In a perfect world we would patch all the things, but reality dictates an alternative practical world. More often than not, patching a financial system for a critical vulnerability in Java the day before the end of the financial year will not whet many appetites through fear of breaking the system, despite successful pre-production patching.
Combining vulnerability management with threat intelligence is a great use case for protecting corporate environments. Customers are right to be worried about the next strain of global cyber-security incidents, but with last year’s Petya and Wannacry outbreaks, the malware used an SMB vulnerability for propagation known months earlier that simply needed patching.
For example, here at Fujitsu we actually provided a threat advisory on that patch to CTI customers three months before Petya spread.
What’s more, we also provided our CTI customers with a threat advisory of the Apache Struts vulnerability Equifax was exploited with several months earlier. And we observed exploits in the wild for this attack, so there was clearly a high impact.
2. Political eggshells
The line between cyber security and politics is distorted with continued reports of election tampering or breaches of government agencies and departments.
Investigations surrounding the US Election will rumble on into 2018 with core concerns around the manipulation of security controls and ‘sleight of hand’. There were reports of similar inferred disruptive activity during the 2017 French election.
In recent years, senior members of political parties around the world became all too familiar with concepts such as ‘Phishing’ and ‘Incident Response’. In the case of the Democratic National Committee (DNC), the infamous compromise that Crowdstrike traced back to Russia, the monthly cost of the incident response to remove the attackers from the DNC network was reportedly $50k a month.
Nation States continue to grow in cyber security expertise with the skill, will and resource to monetise from their endeavours or disrupt their neighbours.
Not every threat model needs to protect against adversaries that seek to destabilise a nation, but with the increasing adoption of digital services and frequent attribution of cyber-attacks to Nation States, attacks against commercial entities to support political objectives will only continue to increase.
3. Zero day danger
Boutique Zero day sellers such as Zerodium offer significant bounties to researchers, such as the $1.5m offered in 2017 for an iOS exploit.
Initiatives by the US Government such as ‘hack the Army’ demonstrate a willingness for researchers to find exploits in the US digital services. This is an ethical approach where the US army accepted the risk of vulnerabilities being exploited and more importantly rewarded those who reported them.
Shadowbrokers rose to prominence in 2017 as a group who released exploits reportedly stolen from the National Security Agency in the United States. The group released multiple zero day exploits such as ETERNALBLUE and DOUBLEPULSAR that were subsequently weaponised in cyber-attacks such as WannaCry and Adylkuzz.
The political confirmation of ‘hoarding 0days’ by the US Government was made public in 2017 in the Vulnerability Equities Policy (VEP). This policy essentially means the government can choose to withhold a disclosure if it believes it is in the interests of safety and security.
Fortunately, for the major attacks observed in 2017 patches were available for the numerous vulnerabilities exploited, allowing an element of protection or mitigation against significant damage.
The alternative landscape where boutique sellers or Government agencies are compromised for their hoarded zero day exploits is unthinkable, particularly where there is no known patch or protection.
4. Effective Security Monitoring
As data and our digital lives continue to grow and connect, there is an expanded internet with increasingly blurred lines for network perimeters. A consequence of this is more data to manage and an increase in cyber-attacks to detect and analyse.
A fundamental prerequisite for any business is security monitoring, but in order to address and keep pace with the continued rise in cyber-attacks, organisations must continue to be innovative to monitor effectively.
The threat landscape continues to grow in velocity and complexity and Security Operations Centres (SOC’s) are finding it difficult to keep up with the range of attacks facing modern day businesses.
Traditional technologies using a manual approach are no longer sufficient and a fresh, proactive approach is required to counter the modern day cyber-criminals.
These include analytical services such as user entity and behaviour analytics (UEBA), endpoint detection and response (EDR) and managed detection and response (MDR) in a strong advanced threat eco-system.
Blended approaches of human analytical skills underpinned by security automation and orchestration (SAO) will be necessary to address real issues facing SOCs such as alarm fatigue.
In future SOCs will leverage artificial intelligence, machine learning and an API, playbook-driven model for effective security monitoring. Automated threat intelligence enrichment for incidents freeing up valuable analyst time will be necessary as the industry faces up to the increasing cyber-skills gap.
5. Incident response metrics for the win
Whilst a service-level agreement (SLA) will always be the measuring stick for any delivered services, organisations will increasingly adopt new metrics to measure incident response.
UK Government guidance defines the ability to react to cyber-attacks as follows:
“An effective response to an attack depends upon first being aware that an attack has happened or is taking place. A swift response is essential to stop the attack, and to respond and minimise the impact or damage caused.”
An incident response metric that will be gradually adopted and used for this is mean time to respond (MTTR) in order to see demonstrable reductions over time.
Incident response and, more importantly, how fast organisations can respond to incidents will be increasingly important with the looming General Data Protection Regulation (GDPR) and Network & Information Systems (NIS) legislations.
A notifiable breach has to be reported to the Information Commissioners Office (ICO) within 72 hours so reducing MTTR will become critical and businesses must have a robust incident response plan.
Mean time to dwell (MTTD) is a term used to describe the number of days an attacker is inside a network before being detected. A study by FireEye across EMEIA organisations found the average MTTD was 489 days. This adds weight to the view that the current approach of traditional SOCs is not as effective as it could be.
Attackers are continually finding innovative methods of attacking and exfiltrating data through network layers. The security industry must continue to be innovative to reduce the overall MTTD.
Latest posts by Paul McEvatt (see all)
- The Year Ahead: Five Key Thoughts on Cyber Security In 2018 - January 5, 2018
- Petya, Medoc and the delivery of malicious software - June 30, 2017
- Artificial Intelligence and automation is the obvious solution to defend today’s businesses - March 24, 2017