In just the last months Ashley Madison, Target, Sony and the United States Office of Personnel Management have been headline victims of highly sophisticated cybersecurity breaches. Customers’ privacy and credit card details have been violated, reputations ruined, top jobs have been lost and billions of dollars of damage left to be explained and assessed.
In the digital era, it’s not just the internet that is growing exponentially. Cybercrime is too. Government agencies are highly attractive targets. Whether its sensitive military, diplomatic, trade or economic data, governments, like commercial enterprises, have vast amounts of digitally accessible intellectual property. And a very large repository of personal data. This information is highly sought after by a range of bad actors: cyber criminals, state-sponsored groups and “hactivists”.
Malicious cyber incidents reported by Australian governments and businesses have more than tripled to 1131 in the last three years and will cost more than $1 billion, according to a recent report from the new Australian Cyber Security Centre.
“Cyber attackers are people, not impersonal nations, companies, machines, or software,” Phil Vasic, regional director for Australia and New Zealand of cyber-security specialist FireEye, said. “When they target nations and government interests, they want what people want: money, industrial secrets, and personal data.
“Almost daily, new security tools are developed and deployed. Just as quickly, hackers devise ways around these safeguards and continue to access networks.”
The internet has spurred innovation and new ways of working. The global network connecting billions of people and many more devices has altered countless industries and touched every aspect of our personal and professional lives.
It has also changed the nature of crime and espionage. As our time, personal information and money have gone online, cyber attackers have quickly followed. Empowered by the same tools and technologies that have transformed countless industries, cyber attackers are constantly evolving. More often, they are way ahead. Targeted, well-funded cybercrime rings have replaced the opportunistic hackers of yesterday.
Put simply, in the internet era, technology is proliferating faster than we can secure it. Our defences have not kept pace with the networked world. In far too many companies and government agencies, cybersecurity is still largely an afterthought. Today’s security architecture remains stuck on a signature and compliance-based approach employed at the birth of the personal computer era, long before the reality of today’s complex internet architecture.
With attackers now stealing personal information, intellectual property and state secrets almost at will, a new approach to security is needed.
“Governments and businesses now have to accept it’s very difficult to keep out the most sophisticated hackers,” said Vasic. “So what you have to do is change the approach to cyber-defence. You have to start with the view: they’re already inside our defences, so we need to have the people, systems and processes in place that can spot them quickly and limit the damage.”
This adaptive approach to defence combines technology, threat intelligence and expertise to anticipate threats and adapt to constantly changing attacks and contain the damage. Key to this solution is continuous network monitoring, which uses a series of algorithms which map what normal networked system behaviour looks like and then flags unusual events.
“An effective analogy is to consider the way the human body deals with infectious disease,” Vasic explained. “The human body is the best defence vehicle we have for keeping bad things out. But we live with the expectation that there are pathogens trying to get in. Some do get in. But nobody thinks you are unhealthy if you sometimes get sick. It is the same with cyber breaches: you are going to have them. But how quickly you respond and how you defend makes the difference.”
The goal is to quickly detect attacks and then respond forcefully to prevent the worst results: stolen data, costly fixes and tarnished reputations.
Conventional security detects threats too late (if at all) and resolves them too slowly. It gives security teams a fragmented, incomplete view into what’s going on in their network. It’s passive and blind to broader threat trends. And it reacts too slowly to new threats and changing conditions.
See threats far into the distance
Organisations need a flexible, deeply integrated framework that offers a far-reaching view of threats and evolves as quickly as threat conditions do. Security architecture must be agile. It must be deeply integrated for an end-to-end view of attacks. It must present a full picture of threats by incorporating internal and external intelligence. And it must take an active, “lean forward” posture that doesn’t just wait for attacks but anticipates them.
Vasic says FireEye responded to hundreds of different breaches last year. An alarming number of those breaches came from state-sponsored cyber-spies wanting access to trade secrets and other high-value intellectual property.
They include groups such as APT1, China’s highly organised and most persistent cyber espionage unit. APT1 has been honing its attack methodology for years and its mission is to steal large volumes of intellectual property. There’s also APT28, a skilled team of operators headquartered in Russia collecting intelligence on defence and geopolitical issues. It also appears to be state-sponsored.
At a recent conference on cybersecurity and internet governance in Washington DC, FireEye president Kevin Mandia spoke frankly of the increasing sophistication of highly organised cyber attacks and the counter forensics measures the cyber criminals are deploying. These include editing log files, deleting malware and relying on user ID and passwords to access networks instead of going through back doors. Mandia recited:
“If you go back 10 years ago the breakdown of breaches was 50% criminal and 50% nation state-sponsored. Now we are seeing far more state-sponsored attacks. And it really does effect the CIO’s job when your biggest threat vector is someone who badges in in the morning wearing a military uniform that is hacking you. It’s hard to figure out what is the right standard of care.”
Governments and their agencies are clear targets for hackers. But so too are those myriad companies and individuals who have trusted relationships with government agencies. Simply doing business with the military or another government is enough to pique the interest of those intent on doing harm.
Attackers consistently find advanced ways to skirt detection and thwart security measures. It results in a constant game of catch-up for those trying to protect themselves; they’re adapting security based on an attack that’s already happened, while the attackers are already devising new ways to access the target.
Governments and their agencies must assess the maturity of their current security measures and determine the level and longevity of impact (such as loss of strategic national security data, lack of trust in their data, or destruction of their systems) they are willing to endure.
“Historically, governments were most concerned with compliance when it came to the level of their security, and not on how a compromise could affect them,” said Vasic. “But compliance does not equal security. Complying with laws and industry standards is important. But alone, it won’t prevent attackers from compromising your environment.”
Effective security in the digital age requires constant assessment. “Honestly assess your level of security, and address areas that need tighter controls,” Vasic warned. “Revise policies to reflect the evolving threat landscape. Understand your adversaries, how they work and how you can prepare for their attack.
“In particular, develop agile acquisition policies to enable you to respond quickly. Once you’ve determined where your cybersecurity falls short, push the industry for the solutions you need, whether it be more specialised technology for network forensics, experienced intelligence to identify and confirm threats, or expert incident response to contain and mitigate a breach.”
