As the threat of invading malware increases (viruses, worms, Trojans, bots, just to name a few), companies, small and large, will continue to utilise technology as a means of defence. The anti-virus industry is extremely large and continues to garner major investment. As with any technology niche, there is both good and bad within what’s called “advanced endpoint security” but it will continue to be installed as a means to protect against modern malware and other possible threats.
It is interesting to me that the term “virus” has become the way most people understand how computers or enterprise systems become infected. I think it is because people understand the flu and the common cold. And they generally understand how to protect against “catching the flu” or “catching a cold.” The most important protection is information. People have to inform other people that they have a cold or flu or, in a mass media sense, details have to be share about a new flu strain that is “out there.” Once informed, the basic elements of defence are isolation (stay home or stay away from folks who are sick) and cleanliness (cover your nose or mouth for a cough or a sneeze, continually washing your hands). These protections work well for your everyday common viruses that produce a cold or a flu.
In the world of cybersecurity, just as in public health, there are viruses and then there are VIRUSES. The mean, nasty ones. They are persistent, versatile, severe, and can spread like wildfire, just like all influenza viruses, but there are some viruses that can cause pandemics and, left unattended, can become catastrophic and cause large number of deaths. In the cyber world, catastrophe can be defined as damage, disruption, data theft, or in general, the infliction some other “bad” or illegitimate action on data, hosts, or networks.
As in the case of the common cold or flu, information becomes paramount, and despite advances in security technology, and the widespread use of such technology, you can not underestimate the importance of people expertly trained in collecting and disseminating information when there is a massive cyberattack. These attacks can be described as “Immediate Threats.” Providing an established method of handling an immediate cyber-attack campaigns (like WannaCry or Petya/NotPetya, among others that are widespread enough and severe enough to get a “name”) is an important service for any company devoted to the cybersecurity vector. It may not even be the first thing “on the table” when soliciting clients but it is significant nonetheless. And it involves smart and highly skilled people.
The intention is provide an immediate solution or work-around for any new cyberattack. There are two different aspects to it. The first is developing an intelligence team and a network of software developers. An intelligence team is constantly working to secure and update information from every aspect regarding a new attack. Some are conventional and some may be less conventional. In this line of work, it is important to have connections with a number of known and perhaps “unknown” operatives within your cybersecurity footprint. Black hat, white hat, you name it. It is also critical to continually browse various websites (and those in the business know which ones to monitor).
Once discovered, there are some campaigns (like WannaCry) that are so big and hit so fast, nobody can miss it initially and it gains an immediate identification. Other campaigns develop much slower and can take longer to figure out what’s happening or to even give it a name. Why is this important? The NotPetya campaign was called several different things within the first 48 hours. This hinders communication. Just like in public health, there is a recognised utility in quickly deciding upon and disseminating a name for an epidemic. The same utility applies to cybersecurity for the same reason.
The next step is to analyse that attack method, what were the vectors used, how they operated and is there a known mitigation or workaround for it. The unit that is doing this should be comprised of top reverse engineers, penetration testers and programmers. The primary role is to uncover flaws across a variety of vectors, and continuously search for new vulnerabilities and exploits. The “story” of an in immediate threat needs to be discovered and told quickly. You improve the chances of having comprehensive visibility into a particular threat with a collection of folks from diverse backgrounds encompassing private security, intelligence experience, and even military training combined with the understanding of how a business works. Fighting off immediate threats requires continually monitoring and analysing the cyber threat landscape and maintaining a globalised view of emerging threats, zero-day vulnerabilities, and the tactics, techniques, and procedures (TTP) of advanced threat actors.
This is the final aspect where a cyber “epidemic” resembles an emergency public health effort. However, it must be made clear that there is no such thing as a “vaccine” for any particular cyber-virus. But, similar to a vaccine, pieces of the “virus” can be used to develop the files, patches, work-arounds or simple configuration recommendations that are eventually distributed. These distributions are ultimately what protects a business from being exposed during a cyber-attack campaign. It is also important to develop dozens of different, additional tangential threat scenarios based on the intelligence and using algorithms from previously known threats or attacks. The idea is to keep building, keep updating and, possibly, even creating new and more potent threats and corresponding antidotes all in the service of being prepared as much as you can be.
In a public health setting, a severe outbreak of a stomach flu may immediately require mitigation that blocks the symptoms of the flu but doesn’t immediately address the infection. Solutions to an immediate cyber threat may also be provided in “stages.” But as soon as a warning of an immediate threat comes through, it is incumbent upon security officers incorporate the initial suggested actions (to treat the symptoms) and then test their entire network in order to gain an assessment of whether they are exposed or not exposed to the specific effects of the attack. If the possibility exists, then you would need to wait for a full mitigation, which is sometimes in the form of a patch or other options.
It goes without saying that security officers benefit when they are in a position to test their networks for potential infiltration as often as possible. And, as mentioned earlier, it is incumbent for any company providing this kind of immediate threat assistance to act like hackers do. That means internally looking for new or develop even more lethal variants based on previous viral attacks. Every once in a while, a new campaign shows up in the wild, based on previously used malware that is adjusted slightly by the hackers.
In dealing with immediate threats, it’s all about thinking ahead, providing options and being prepared. Senior management executives are showing much more interest in cybersecurity than they did two, three or even five years ago. Security officers, who used to be alone on an island within most organisations, now are expected to have the straight answers to basic questions. Are we exposed? Do we know how to fix it right now? Knowing if a company is or isn’t in the danger zone of a major cyber campaign during the early hours of a crisis, before it has the opportunity to reach your network, is crucial information for a security officer to have in his or her hip pocket. But, ultimately, the key is self-assessment. You have to constantly test and verify all that is needed to protect your organisation.
Eyal Aharoni, COO, Cymulate
Image Credit: JMiks / Shutterstock