As the anniversary of the massive Sony breach approaches, the magnitude and devastation of the hack continue to reverberate in the threats that U.S. government agencies and enterprises consistently face. We should be cognizant that Sony was not alone.
A recent Trend Micro report, “Cybersecurity and Critical Infrastructure Protection in the Americas,” polled more than 500 CISOs from Argentina to Canada and revealed an ominous phenomenon: forty-four percent of respondents acknowledged that they had experienced a “delete and destroy” attack in 2015. Within the Western Hemisphere, it is clear that punitive attacks have metastasized. In a hearing earlier this month, U.S. Director of National Intelligence James Clapper stated that he believes “the next push on the envelope is going to be the manipulation or the deletion of data.”
Director Clapper is well aware that asymmetrical cyber capabilities are being distributed widely. The major dark web forums are exporting destructive payloads including Shamoon, Destover and Cryptowall. As a result, cybercriminals are devising sophisticated and damaging attacks. We have observed secondary infections manifesting in numerous targeted attacks. These secondary infections are capable of deploying disruptive or, oftentimes, destructive malware that can destroy the integrity of information. This punitive tactic is employed to counter incident response.
Security analysts are left wondering whether destructive secondary infections are a reaction by adversaries trying to “burn the house down” after it has been pilfered. Alternatively, detonation might be the hallmark of hacktivists purposefully attempting to destroy and/or manipulate the integrity of data. Without question, there is a movement afoot to hinder, if not completely disrupt, the capacity of incident responders to react to cyber events.
The free-fire zone of cyberspace has become dramatically more hostile. In order to successfully thwart this ominous phenomenon, the “dwell time,” or the amount of time an adversary resides in a system, needs to be dramatically decreased and incident response times improved. The only way this can be accomplished is by integrating breach detection systems with SIEMs and IPS systems.
Rather than having human beings sitting at terminals, machine-to-machine integration would be much more effective. Furthermore, immediately terminating command and control is not always the solution, considering that most campaigns include multiple, dynamic C2 channels. Terminating the initial C2 will alert the criminals that they are being surveilled.
Offense must inform defense. Cybersecurity professionals approach these adversaries with stealth to defend against an attack. By adopting more surreptitious monitoring and isolation methods to keep perpetrators at bay, security teams can be better positioned to gain an advantage in the ongoing cat-and-mouse game that continues to evolve in sophistication and aggression. When suffering a virtual home invasion, it is sometimes best not to make your presence known.