The increase in sophistication of cyber defenses has led to an equal and sometimes exponential increase in the sophistication of attackers. It is a matter of when an organization will be breached rather than if it will be breached.
Consider that cyber criminals actually have it easy when launching an attack or committing a crime. It is more akin to asymmetric warfare. In the majority of cases, the criminals are better organized and better informed than the organizations that spend millions of dollars to get a good night’s sleep. On the other hand, the cyber criminals don’t need much more than a couple of thousand dollars to get at the most confidential data, and it often starts with an innocent-sounding mail.
So the question is, how do we guard our perimeter to make sure only the righteous get in?
Well, therein lies the major issue. Organizations still think of cyber security in terms of defending a pre-defined border. With the advent of cloud and hyper-interconnectivity, the borders have become blurred.
The real question is, how do you stop an attack from being successful? How does an organization become resilient enough to manage the worst of the attacks?
Here is a 9-step approach that can help protect an organization from advanced threats:
- Understand your own threat landscape
It is imperative to understand how data flows in your organization. Define the sensitivity of the data. Try to quantify the data in terms of what it would cost your company if the data was leaked during a breach or was locked in a ransomware attack.
Understand and define your threat landscape, which in turn will help you identify weak spots in your security. Identify critical assets and maintain an updated asset inventory.
Understand your digital footprint: the amount of company data present on the internet, including data unknowingly given out by employees on social media.
- Build a larger picture of attacks faced by the organization
Analyze the type of attacks being faced by your organization and also the targets within your organization. Perform a trend analysis to help build a picture of the Tactics, Techniques, Procedures and Infrastructure being used by attackers. Also, correlate attacks with threat intelligence, which will help build context around ongoing attacks.
A trend analysis will also help in understanding which assets are being targeted the most, which can further help in aligning the right type of protection mechanisms/processes.
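As an added illustration (not code from the article or its author), the following routine performs the trend analysis and threat-intel correlation described above over constructed alert records: it counts the most-targeted assets and the techniques in use, and attaches campaign context to alerts whose source indicator appears in a constructed threat-intel feed. Asset names, IP indicators and campaign labels are placeholders.

```python
from collections import Counter

# Constructed sample alerts (not from the article): each record is one attack
# observed by the SOC, tagged with the targeted asset and the MITRE ATT&CK
# technique label assigned by the analyst.
ALERTS = [
    {"src": "198.51.100.7", "asset": "mail-gw-01", "technique": "T1566 Phishing"},
    {"src": "198.51.100.7", "asset": "mail-gw-01", "technique": "T1566 Phishing"},
    {"src": "203.0.113.42", "asset": "vpn-01",     "technique": "T1110 Brute Force"},
    {"src": "192.0.2.99",   "asset": "mail-gw-01", "technique": "T1566 Phishing"},
    {"src": "203.0.113.42", "asset": "hr-portal",  "technique": "T1190 Exploit Public-Facing Application"},
]

# Constructed threat-intel feed: indicator -> campaign name (placeholder values).
THREAT_INTEL = {
    "198.51.100.7": "Campaign-A (placeholder)",
    "203.0.113.42": "Campaign-B (placeholder)",
}


def most_targeted_assets(alerts, n=3):
    """Count alerts per asset; the top entries show where protection should be aligned."""
    return Counter(a["asset"] for a in alerts).most_common(n)


def technique_trend(alerts):
    """Count alerts per technique to build the TTP picture the article describes."""
    return Counter(a["technique"] for a in alerts)


def correlate_with_intel(alerts, intel):
    """Attach campaign context to alerts whose source matches a known indicator."""
    # 'campaign' is None when the source is not in the feed
    return [{**a, "campaign": intel.get(a["src"])} for a in alerts]


def campaigns_by_asset(alerts, intel):
    """Map each asset to the known campaigns hitting it: the context around ongoing attacks."""
    result = {}
    for a in correlate_with_intel(alerts, intel):
        if a["campaign"]:
            result.setdefault(a["asset"], set()).add(a["campaign"])
    return result


if __name__ == "__main__":
    print(most_targeted_assets(ALERTS))
    print(technique_trend(ALERTS))
    print(campaigns_by_asset(ALERTS, THREAT_INTEL))
```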
- Share intelligence and threat intel feeds with others
Establish a process with your peers to share intelligence related to the type of attacks faced by your organization and theirs. This is an invaluable input for understanding attacks which your organization is yet to face. Set up a mechanism to conduct regular meetings between mid-level infosec officers of your organization and your peers to exchange details on attacks faced.
Also, real-time threat intel feeds from different advisory and third-party sources need to be integrated with your cyber security ecosystem for real-time threat protection.
- Build a response plan
Since the question is when you are going to be attacked rather than if, it is always prudent to have a detailed incident response plan which is separate from your standard IT security policy. The response plan should deal with all kinds of scenarios, from trivial to the worst case, the motto here being “Hope for the best, prepare for the worst”. The plan should include playbooks for different scenarios, an escalation matrix, definitions and parameters for declaring an incident, a list of the personnel to be involved in an incident and their contact details, law enforcement and regulatory contact details, alternative means of communication, etc.
- Deploy Anti-Advanced Persistent Threat & EDR solutions
Anti-Advanced Persistent Threat and Endpoint Detection and Response (EDR) solutions are extremely effective when it comes to countering fileless malware, which is deployed directly in system memory and bypasses traditional AVs. They also help in responding to infections and attacks on systems within a very short span of time.
- Tabletop exercises
Just having a response plan is not adequate. It needs to be practiced, just like your fire drills, the motto being “practice makes perfect”. Everyone should know their exact job description during an incident. Practice will help iron out any kinks in the plan and also provide valuable feedback on the organization’s current resilience status.
- Use deception
Confuse the attackers by creating illusions in your network. Break their kill chain by complicating the attack surface. Above all, make their attack expensive by implanting false data. Deception will also help in countering attackers who may have already entered your network, and gives a strategic picture of what they are after, which vulnerabilities are being used, etc. The technology, coupled with a proper strategy, can help stop an ongoing attack in its initial stages.
- Artificial intelligence and Machine Learning
This is useful where transaction volumes are very high and critical for the business, and deeper insight is required in real time. AI is vital in cybersecurity because, with its assistance, the response time to cyber-attacks is shrinking drastically. AI and ML in data security can assist security analysts in reducing the time taken by authorities to prevent data theft, through:
  - Better decision making
  - Quick resolution
  - Consistent and stable root cause analysis
  - Predictive analysis, diagnosis, and recommendation
- BCP & DR
There should be business continuity planning with near real-time RTO and RPO, along with a proper crisis management plan. Both need to be demonstrated on a periodic basis in the production environment.
The author is CISO at Bombay Stock Exchange