Top Defensive Strategies to Counter Each Stage in a Cyber Attack Chain.
CIOs in Asia Pacific need to analyse and understand the different phases of a cyber-attack to build better cyber defences in their corporate network, according to Fortinet – a leading high-performance cyber security solutions firm.
Businesses in the Asia-Pacific region lost an estimated USD 81.3 billion in revenue due to cyber attacks in the past 12 months, compared with USD 62.3 billion in Europe and USD 61.3 billion in the US, according to London-based consulting company Grant Thornton.
Japan, Australia, Singapore, South Korea and New Zealand have been identified as Asia-Pacific’s most vulnerable countries for cyber-attacks compared to other Asian economies in the region, based on Deloitte’s annual Asia-Pacific Defense Outlook 2016 report. According to the global consulting firm, these countries are "nine times more vulnerable" as they are the most heavily dependent on Internet-based interactions.
Fortinet outlines 7 phases of a cyber-attack and prescribes precautionary steps to counter each of them:
Phase 1 Reconnaissance - In this early phase, the attacker attempts to gain an understanding of an organization, its network and its business partners. Identify "watering holes", the common websites that employees visit not only for business purposes but also for leisure, and monitor these sites closely with content filtering and/or proxy tools. Attackers often research and identify such sites and then plant malware on these otherwise legitimate websites. It is also important to review vendors and take note of the level of access they are accorded. Build a template with key questions and considerations to assess the security of any third party, and determine the minimum access requirements.
Phase 2 Weaponization - This is the phase where an attacker selects, and sometimes even builds, malicious code to exploit identified vulnerabilities within the target. One needs to know which type of attack is likely to be underway. If a nation-state attack is imminent, focus efforts and resources on putting processes and technology in place to respond to zero-day threats. Segmenting your network architecture is also a good way to at least minimize the impact of a potential breach. When it comes to zero-day threats, the key is detection.
If the threat is likely to emanate from cybercriminals, concentrate on developing a good vulnerability and patch management program. Consistently patching known vulnerabilities will increase the chance of keeping criminals from compromising a network. When researching vulnerability and patch management technologies, ensure solutions can identify all assets, operating systems, applications, and vulnerabilities.
Phase 3 Delivery - As threats come from both inside and outside an organization, and can be either intentional or accidental, a comprehensive scheme of programs and processes needs to be put in place to identify threats and risks. Phishing emails are by far the most common method of malware delivery. Implement a training program on phishing that makes employees aware of the increasing levels of sophistication these attacks often use. Employ content security technology for email and web traffic designed to identify and remove malicious attachments. Solutions that include sandbox tools are especially important, as they can detect previously unseen or sophisticated malware.
Phase 4 Exploit - Since many exploits occur through a phishing attack, a strong vulnerability and patch management system is key. Standardize on one browser for the workforce, ensure it is patched and updated regularly, and limit the use of plug-ins such as Java or Flash. Most malware employs evasion techniques to circumvent traditional AV technology. Utilize sandbox technology to move suspicious content to a secure area where its behaviour can be safely triggered and analysed.
Phase 5 Command and control - To defend at this stage, application control at the perimeter is a must to inspect application streams and detect malware communicating back to its malicious infrastructure. Malicious communication tools often tunnel through other protocols. SSL inspection tools are the best defense, as they can intercept, open, inspect and then forward encrypted traffic once it is deemed clean. A good approach is typically to use a combination of application control, reputational databases and URL filtering to monitor, inspect and secure traffic.
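As an added illustration of the command-and-control monitoring described above (this is not code from Fortinet or from the article), the following Python script applies two of the checks a proxy or egress monitor would run over outbound web logs: a lookup against a reputation list, and a test for "beaconing", the near-constant check-in interval that malware contacting its infrastructure tends to show. The log format, the hostnames, the client addresses and the reputation list are all constructed for the example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log (not real traffic). Assumed format:
# "<ISO timestamp> <client-ip> <method> <host> <status> <bytes>"
SAMPLE_LOG = """\
2024-03-01T09:00:00 10.0.0.5 GET intranet.example.local 200 5120
2024-03-01T09:00:00 10.0.0.7 POST update.example-bad.test 200 312
2024-03-01T09:00:30 10.0.0.7 POST update.example-bad.test 200 318
2024-03-01T09:01:00 10.0.0.7 POST update.example-bad.test 200 305
2024-03-01T09:01:30 10.0.0.7 POST update.example-bad.test 200 311
2024-03-01T09:02:00 10.0.0.7 POST update.example-bad.test 200 309
2024-03-01T09:00:12 10.0.0.5 GET news.example.org 200 80211
2024-03-01T09:07:41 10.0.0.5 GET cdn.example.org 200 20311
2024-03-01T09:15:03 10.0.0.5 GET mail.example.org 200 12000
2024-03-01T09:03:00 10.0.0.9 GET known-bad.example.test 200 400
"""

# Constructed reputation list standing in for a vendor feed (assumption).
BAD_REPUTATION = {"known-bad.example.test"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")


def parse_log(text):
    """Parse the assumed log format into a list of dict records; skip malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, method, host, status, size = m.groups()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "client": client, "method": method, "host": host,
            "status": int(status), "bytes": int(size),
        })
    return records


def reputation_hits(records, blocklist=BAD_REPUTATION):
    """Return sorted (client, host) pairs that contacted a host on the reputation list."""
    return sorted({(r["client"], r["host"]) for r in records if r["host"] in blocklist})


def beaconing_candidates(records, min_requests=5, max_jitter=0.2):
    """Flag (client, host, mean_interval_s) where request spacing is almost constant.

    A coefficient of variation (stdev / mean of the gaps) at or below max_jitter
    indicates machine-like regularity; humans browsing do not produce this.
    """
    groups = defaultdict(list)
    for r in records:
        groups[(r["client"], r["host"])].append(r["ts"])
    flagged = []
    for (client, host), times in groups.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_jitter:
            flagged.append((client, host, round(mean, 1)))
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("reputation hits:", reputation_hits(recs))
    print("beaconing candidates:", beaconing_candidates(recs))
```

In the sample, 10.0.0.9 is caught by the reputation list alone, while 10.0.0.7 is never on any list but checks in every 30 seconds with almost identical request sizes, which is what the beaconing test surfaces. Real C2 often adds random jitter, so the threshold and the minimum request count are tuning knobs rather than fixed truths.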
Phase 6 Internal reconnaissance - No defense strategy is guaranteed to stop every attack. Implement a good incident response plan. When an incident occurs, people tend to panic, so a proper plan detailing steps to take and people to contact could avoid a knee-jerk reaction.
Once an attacker is inside a network, they have bypassed any edge protection layer. However, there is still a chance to minimize the impact of the breach by segmenting the network into security zones. This will create various choke points to help isolate the breach and to monitor and secure traffic as it moves between security zones. It will also result in more granular visibility inside the network, where most organizations traditionally have little to no threat intelligence.
Given that a threat has managed to circumvent your defenses, there was most likely no signature available to detect it. At this stage, adopt anomaly-based and behavioural-based detection. This technology leverages big data analytics and machine learning tools to understand what normal traffic looks like so that unusual or unexpected traffic patterns and device behaviours can be quickly identified.
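The anomaly-based detection described above can be illustrated with a small Python example, added here and not taken from Fortinet or the article: a per-host baseline of outbound volume and known destinations is learned from a history window, and each new observation is scored against it. The hourly byte counts, hostnames and destinations are constructed; a production system would derive them from flow or proxy records and use far richer features.

```python
import statistics

# Constructed per-host hourly outbound volume (kB) over a baseline window. In practice
# this comes from flow-collector aggregation; the numbers here are made up.
BASELINE = {
    "10.0.0.5": [1200, 1500, 1100, 1400, 1300, 1250, 1350, 1450],
    "db01":     [300, 280, 310, 290, 305, 295, 300, 310],
}

# Constructed set of destinations each host talked to during the baseline window.
BASELINE_DESTS = {
    "10.0.0.5": {"mail.example.org", "intranet.example.local"},
    "db01": {"app01"},
}

# Constructed observations for the current hour: (host, kbytes, destination)
CURRENT_HOUR = [
    ("10.0.0.5", 1380, "mail.example.org"),
    ("db01", 5000, "203.0.113.10"),
    ("printer01", 10, "intranet.example.local"),
]


def build_profile(history):
    """Map each host to (mean, population stdev) of its baseline volumes."""
    return {host: (statistics.mean(v), statistics.pstdev(v)) for host, v in history.items()}


def score_observation(profile, known_dests, host, kbytes, dest, z_threshold=3.0):
    """Return a list of anomaly reasons for one observation; an empty list means normal."""
    if host not in profile:
        return ["unknown host (no baseline)"]
    mean, stdev = profile[host]
    # Floor the stdev so a perfectly flat baseline does not divide by zero (assumption).
    stdev = max(stdev, 1.0)
    z = (kbytes - mean) / stdev
    reasons = []
    if z > z_threshold:  # only the upper tail matters for exfiltration-style spikes
        reasons.append(f"volume z={z:.1f}")
    if dest not in known_dests.get(host, set()):
        reasons.append(f"new destination {dest}")
    return reasons


def triage(profile, known_dests, observations):
    """Score a batch of observations and return {host: reasons} for the anomalous ones."""
    alerts = {}
    for host, kbytes, dest in observations:
        reasons = score_observation(profile, known_dests, host, kbytes, dest)
        if reasons:
            alerts[host] = reasons
    return alerts


if __name__ == "__main__":
    prof = build_profile(BASELINE)
    for host, reasons in triage(prof, BASELINE_DESTS, CURRENT_HOUR).items():
        print(host, "->", "; ".join(reasons))
```

The database server is flagged twice, for a volume far outside its baseline and for a destination it has never contacted; the workstation's slightly higher hour stays within normal variation. The z-score floor and the fixed threshold are deliberate simplifications of what a machine-learning baseline would do with seasonality and per-service context.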
Phase 7 Maintaining - At this point in the attack chain, the malicious "visitors" will try to extend their visit for as long as possible to siphon data from your network. Document the company's servers that contain sensitive data and make sure they do not have access to the Internet. This will make it more difficult for cyber criminals, because they will need to find a staging server to transfer data onto before exfiltrating it to their destination. Identify all attack paths into and out of servers with sensitive data, and monitor these paths more closely. Pay particular attention to hosts that have access to those servers and that in turn have access to the Internet.
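The attack-path review described above can be scripted against an inventory of which hosts may connect to which. The following Python example is added here (not Fortinet's or the article's code) and assumes a hand-built reachability graph in which "INTERNET" is a pseudo-node and an edge A -> B means A can open connections to B; the hostnames and edges are constructed. It reports sensitive servers with direct Internet access, the outbound paths from a sensitive server to the Internet, and the staging candidates: hosts that can reach a sensitive server and can also reach the Internet.

```python
from collections import deque

# Constructed reachability graph (assumption). Edge A -> B: A can connect to B.
REACH = {
    "workstation01": {"app01", "INTERNET"},
    "app01": {"db-sensitive01", "INTERNET"},
    "db-sensitive01": {"backup01"},
    "backup01": {"fileshare01"},
    "fileshare01": set(),
    "hr-sensitive01": {"INTERNET"},
}
# Constructed list of servers documented as holding sensitive data.
SENSITIVE = {"db-sensitive01", "hr-sensitive01"}
INTERNET = "INTERNET"


def direct_internet_exposure(reach, sensitive):
    """Sensitive servers that can reach the Internet in one hop; these should be none."""
    return sorted(h for h in sensitive if INTERNET in reach.get(h, ()))


def exfil_paths(reach, start, target=INTERNET, max_hops=4):
    """All simple paths from start to target within max_hops, found by BFS over paths."""
    paths = []
    queue = deque([[start]])
    while queue:
        path = queue.popleft()
        node = path[-1]
        if node == target:
            paths.append(path)
            continue
        if len(path) - 1 >= max_hops:
            continue
        for nxt in sorted(reach.get(node, ())):
            if nxt not in path:  # keep paths simple (no cycles)
                queue.append(path + [nxt])
    return paths


def staging_candidates(reach, sensitive, max_hops=3):
    """Hosts that can connect to a sensitive server and also have a route to the Internet.

    These are the hosts an intruder would use as a staging point, so they deserve
    the closest monitoring.
    """
    out = set()
    for host, dests in reach.items():
        if host in sensitive or host == INTERNET:
            continue
        if dests & sensitive and exfil_paths(reach, host, max_hops=max_hops):
            out.add(host)
    return sorted(out)


if __name__ == "__main__":
    print("directly exposed:", direct_internet_exposure(REACH, SENSITIVE))
    for server in sorted(SENSITIVE):
        print(server, "outbound paths:", exfil_paths(REACH, server))
    print("staging candidates:", staging_candidates(REACH, SENSITIVE))
```

In the constructed graph, hr-sensitive01 violates the no-Internet rule outright, db-sensitive01 has no outbound route, and app01 is the host that can both query the database and reach the Internet, so app01's traffic is where monitoring should concentrate. The graph would normally be generated from firewall policy or flow data rather than typed by hand.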
To avoid an attacker going undetected for long periods of time, consider Operational Threat Intelligence (TI). Sophisticated malicious code is designed to remain undetected by traditional AV scanning. Do not rely on clean scan results alone; instead, invoke more detailed forensic procedures to truly identify whether or not the machine is clean, especially if the device contains sensitive or compliance-related data.