Cybersecurity Risk and Resilience: Hunting the Hunters

Successful cyber attacks against the financial sector have steadily increased over the last 10 years however, we have seen a sharper increase in threat actor sophistication. Regardless of motivation, advanced threat actors have been evolving. The Deep Web and the criminal undergrounds that occupy it have been hosting the communication and collaboration behind nearly every targeted attack seen this decade. Threats have been capacity building in recent years and are executing multi-stage and multi-vector attacks at will.  In fact, a recently published Trend Micro research report found that 76 percent of organizations have seen an increase in sophistication of attacks.

In the early stages of attacks, we are discovering a significant rise in the use of exploit kits in watering hole attacks, marking a possible shift to target more secure victims. In the latter stages, we have seen an increase in sophistication around counter detection tactics through the use of polymorphic and metamorphic malware and the use of covert channels such as DNS, steganography and cloud services for command and control, and exfiltration.

Even in the face of the quantity and quality of these attacks, organizations still face a fundamental lack of effective and comprehensive enterprise risk-management strategy to combat them. In fact, according to the 2014 Global Information Security Survey, 56 percent of organizations are unlikely to detect a sophisticated attack. Additionally, 74 percent say their cybersecurity programs only partially meet their needs, with 37 percent having no real-time insight.

Information stored by financial services companies is ‘big game’ to cybercriminals, but what happens when the hunters become the hunted?

I spoke with Roland Cloutier, vice president and chief security officer at ADP, who is responsible for ADP’s cyber, information protection, risk, workforce protection, crisis management, and investigative security operations worldwide. ADP is one of the world’s largest providers of human capital management solutions with more than 50,000 employees servicing more than 100 countries. Under Roland’s leadership, the ADP Global Security Organization protects ADP businesses and drives security as a top priority to protect its clients’ data and funds as well as maintain ADP’s position as a leader in the industry.

I asked Roland a few questions in order to gain his real-world insights regarding which threat actors concern him the most in the financial sector, which strategies his company develops and deploys to successfully combat attacks, and what challenges he faces in the future regarding cloud, mobile and Internet of Things (IoT).

Threat actors come in all shapes and sizes and you really have to break down critical elements such as their intent, means, and capabilities as these align to your go-to-market and the business or agency that you are accountable for. Specific to our business, we are a human capital management diversified services firm which means from a data processor perspective we have a lot of individual information from SPI to financial to health data. If I had to look at the categories of threat in order I would be most concerned with organized economic criminal elements, nation-state and espionage actors, and terroristic entities with a national economic infrastructure target agenda.

Multistage multi-vector attacks are often misidentified because they are not necessarily “outright aggressive malicious hacking.” In fact, as we all know, the illicit use of good credentials for bad purposes and the manipulation of a good business process for criminal means is a large part of how these threat actors are being successful.

One of the most critical risk tools we have available is our business operations process mapping exercise. Designed to understand how the business operates, how data is moved, which controls are implemented at what part of the process, and what our capabilities are in preventing, detecting, and investigating some optimum business processes, this service creates end-to-end visibility and transparency into the business process. The output of these exercises supports threat engineering, critical incident monitoring and response, and risk tracking and prioritization programs. In today’s diversified business environment with integrated ecosystems internally and externally of your business, how can you possibly understand what an attack looks like if you don’t know what your process looks like?

I see two critical challenges in the future of exponential data creation and usage by businesses because of the explosion of those items mentioned above. The first is how do you protect it? The integration of structured and unstructured data, the movement between ecosystems, and the lack of assignable, addressable, or transferable controls on that data between ecosystems is extremely problematic. Also, as data elements are merged with others to create net new information, intellectual property, and business assets, providing auomated protection at the speed of information development is a real hurdle we have to overcome.

The second major area is in the use of data as a part of our next generation analytical applications for threat and incident prevention and detection. I’m not worried about collection or storage as those elements of consumerized IT are getting cheaper and cheaper. It’s the diversification and use specific needs of analytics for multiple disciplines such as threat detection, fraud prevention, user behavior monitoring, business process assurance monitoring, in other like up-and-coming specialties that require unique data sets with specific analytics that are not yet available. This is going to take a massive industry push as well as changes in the way our businesses build our products and services.