The thrilling and terrifying thing about working in the cyber security industry is the rate at which threats evolve. It seems like just yesterday we were talking about large scale worm outbreaks like Conficker and Storm. Infecting corporate and personal machines in their millions, these big name attack campaigns garnered plenty of headlines and caused a fair amount of disruption. But what has increasingly taken their place is far worse, and requires a much different, cross-organizational response.
Targeted attacks first came to light in a major way when Google announced in January 2010 that it and dozens of other companies had been the subject of a major, long-term campaign aimed at stealing data. Following this so-called ‘Operation Aurora’ campaign, a growing flood of similar attacks has been spotted by researchers, including those on the TrendLabs team, in all quarters of the globe.
This is a different kind of threat from the one we were all used to fighting. Its aim is to infiltrate a network by stealth – perhaps through a malicious link or attachment in a spear phishing email. Once inside, the malware, which often exploits a known vulnerability, will move laterally, escalating privileges, until it finds what it’s looking for. Stealth techniques mean the attacker is able to lie hidden for long periods, exfiltrating sensitive data – customer details, IP, trade secrets, and so on.
Make no mistake, the tools to launch these attacks are no longer the preserve of well-funded, state-sponsored actors. They’ve hit the mainstream of the cyber crime underground and firms of all sizes are at risk.
A coordinated response
So what do we do to fight back? Well, organizations need to change their mindset. It’s no longer about defending the perimeter at all costs. IT admins must assume they’ve been compromised already, even if no malicious activity has been detected. Working from this point, they can configure networks to better detect unusual activity, such as the ‘callbacks’ hidden malware makes to a C&C server. Data classification is also a vital step in protecting your organization’s ‘crown jewels’ – the data that will be of most interest to attackers.
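One way to turn the ‘callback’ idea above into a concrete check, as an added example that is not part of this post or the Trend Micro guide: an implant that phones home on a fixed schedule leaves a very regular rhythm in proxy or DNS logs, which a simple interval-regularity score can surface. The log format, client addresses and destination hosts below are constructed for the example, and the thresholds are illustrative; real implants often add jitter, so the `max_cv` setting should be tuned against your own baseline and treated as one signal among several rather than a verdict.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines (not real traffic):
# "<ISO timestamp> <client_ip> <dest_host> <bytes>"
SAMPLE_LOG = """\
2024-03-01T09:00:00 10.0.0.5 update.example-vendor.test 1200
2024-03-01T09:00:01 10.0.0.7 cdn.example-news.test 54000
2024-03-01T09:05:00 10.0.0.5 update.example-vendor.test 1190
2024-03-01T09:06:32 10.0.0.7 cdn.example-news.test 3300
2024-03-01T09:10:00 10.0.0.5 update.example-vendor.test 1210
2024-03-01T09:11:48 10.0.0.7 cdn.example-news.test 71000
2024-03-01T09:15:00 10.0.0.5 update.example-vendor.test 1205
2024-03-01T09:20:00 10.0.0.5 update.example-vendor.test 1198
2024-03-01T09:25:00 10.0.0.5 update.example-vendor.test 1203
2024-03-01T09:41:10 10.0.0.7 cdn.example-news.test 9000
2024-03-01T09:50:03 10.0.0.7 cdn.example-news.test 12000
"""


def parse_log(text):
    """Parse log lines into (timestamp, client, dest) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # ignore blank or malformed lines rather than abort the job
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        events.append((ts, parts[1], parts[2]))
    return events


def find_beacons(text, min_events=5, max_cv=0.2):
    """Return (client, dest) pairs whose request intervals are suspiciously regular.

    Regularity is the coefficient of variation (stdev / mean) of the gaps between
    consecutive requests: an implant that calls home every N minutes scores near 0,
    while a person browsing a news site scores much higher.
    """
    by_pair = defaultdict(list)
    for ts, client, dest in parse_log(text):
        by_pair[(client, dest)].append(ts)

    hits = []
    for (client, dest), stamps in by_pair.items():
        if len(stamps) < min_events:
            continue  # too few samples to say anything about periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps only; nothing to measure
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append({"client": client, "dest": dest, "events": len(stamps),
                         "mean_interval": avg, "cv": round(cv, 3)})
    return sorted(hits, key=lambda h: h["cv"])


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"{hit['client']} -> {hit['dest']}: {hit['events']} requests "
              f"every ~{hit['mean_interval']:.0f}s (cv={hit['cv']})")
```

Run against the constructed log, the five-minute cadence from 10.0.0.5 is reported while the irregular browsing from 10.0.0.7 is not. In practice you would feed this from your proxy or DNS logs, exclude known update and telemetry destinations after reviewing them, and hand anything that remains to the incident response team described below.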
But beyond that, an incident response team is a critical control that every enterprise should implement. To help you with some ideas on where and how to start, Trend Micro has released a handy guide. Enterprise Fights Back (Part III): Building an Incident Response Team includes plenty of best-practice advice on the risks organizations face from targeted attacks, why incident response teams are so important, and how to go about building one.
Ideally, they should be able to jump into action when an attack is suspected, allowing the rest of the IT department to stay focused on operational efforts. They should get to the root cause of a suspected attack, deal with the legal and compliance issues that may arise and address customer notification.
Here are a few tips from the paper to get you started:
- Make sure the team is composed of experts across the organization, including: technical, threat intelligence, human resources, legal, public relations, and executive management.
- Roles and responsibilities should be documented and cascaded to each member.
- Each member should undergo appropriate training.
- During an attack the team should keep track of the investigation and keep the board updated.
- Don’t wait until a breach occurs; build a team now so you’re ready when an attack happens. Remember, it’s not a case of ‘if’ but ‘when’.
For more tips, and to read the entire guide, download the free whitepaper here.