Business and the cyber threat
Written by: Dr. David Bailey, Chief Technology Officer
This week we look at step 4, our conclusion to capturing the cyber thief:
1. Effective Detection
2. Good Intelligence
3. Robust Investigation
4. Making it Happen
If you missed last week’s post on Robust Investigation, or any of the first 3 steps to catching the cyber-thief, please see below.
Making it Happen:
Due to the nature of business and the differences between them, there is no one size fits all solution to implementing security monitoring. This is why we have come up with five steps to help you devise the capability you need...
1. Identify and quantify your cyber risks. Get a picture of why someone would want to attack you, what they would gain from an attack, and what the impact would be on your business. Basing an assessment on scenarios derived from real threat intelligence is a good way to engage the whole organisation in understanding its cyber risk.
2. Work out what you need. Effective detection, good intelligence, and robust investigation are three essential aspects of cyber security. Each aspect should be invested in proportionately for your business. Getting the right balance is key: too much of what you do not need in one area will be a waste of money, and not enough in another area will leave your business exposed. Be clear on how much of each aspect you need and how you will realise the benefits, and budget accordingly.
3. Define your roadmap. Armed with an understanding of the level of security you need in each area, and of what stage your business is at in each of the three areas above, develop a roadmap for enhancing your security monitoring. Set clear objectives, map the steps, costs and timescales and, most importantly, work out how you will measure progress along the way.
4. Consider and select your delivery approach. When looking at monitoring, each business faces the same question: should you develop your own security operations, outsource to specialists or look at a hybrid model? The right answer will be different for every business, but the overall business process needs to work end to end regardless of whether the elements are internal or external.
5. Identify the right partners. Look for partners that complement you in the three key areas: Detection, Intelligence and Investigation. When dealing with sophisticated threats, collaborate with trusted partners who can offer their expertise and augment or accelerate your in-house capability.
Security is not a solitary endeavour. This is even truer today, with the complex and global nature of the threat, than it ever has been. To be successful, you should seek out and work with partners, collaborating to mutually benefit from each other’s expertise and insight and work together to stand the best chance of catching the cyber thief.
We can now wrap up our guide on how to catch a cyber thief. Following our three fundamentals, combined with correct implementation, will put you on track to build a solid cyber security platform.
To read the full whitepaper on how to catch a cyber thief, please click here.
- Written 26th August 2014
This week we look at step 3, our penultimate step to catching the cyber-thief:
1. Effective Detection
2. Good Intelligence
3. Robust investigation
4. Making it Happen
If you missed last week’s post on Good Intelligence, or you just need a refresher course, please see the previous posts below.
It’s all well and good finding threats using a range of detection techniques and by exploiting the best intelligence at your disposal, but without the ability to turn that insight into something the business can take action on, it’s not going to deliver the benefits needed.
In this context, the success of your cyber defence comes down to an analyst’s ability to digest alerts and raise security incidents. You can imagine the cyber security analyst’s job is not an easy one. They need to provide reliable, clear, actionable advice, in time – i.e. before any damage is done. Catching cyber thieves requires analysts to follow a well-defined and efficient investigation process.
Once an alert on a potential threat has been raised, the analyst should be able to pull in information from all available sources and view this in a variety of ways in a single place. This allows for a fast, accurate triage of alerts and for decisions on potential threats to be made in the timescales required to prevent harm to the business.
For those alerts which require in-depth investigation, the case the analyst builds must result in actionable intelligence; a simple restatement of the basic facts surrounding the alert is not sufficient. This case needs to be put into the context of the business in terms of what has happened, what the impact has been and may become, and what needs to be done to prevent it. This is not an isolated process – for every event, lessons learnt should continually improve your detection approaches and intelligence on the threat.
The investment in behavioural analytics and threat intelligence management is well justified. However, it is critical that you don’t neglect the investigation stage: ensure you have well trained, capable staff and integrated tooling to maximise the effectiveness of the process.
To read the full whitepaper on how to catch a cyber thief, please click here or join us next week for a final look at putting it all into practice with, 'Making it Happen'.
- Written 18th August 2014
In our ongoing quest to catch the cyber thief, this week we look at step 2:
1. Effective Detection
2. Good Intelligence
3. Robust Investigation
4. Making it Happen
If you missed step one last week, please see the previous post exploring Effective Detection below.
With a combined detection strategy covering both correlation and behavioural analytics in place, having the knowledge of what the current cyber-crime climate is will help you to prepare for threats that may come your way. Good intelligence on who the latest cyber espionage groups are, why they are attacking, which tools and techniques they are using and who they are targeting are all valuable pieces of information in preparing yourself against attack.
With this insight, security teams can tune monitoring systems to prepare for specific attacks, analytics teams can build algorithms to detect behaviours that correspond to the most significant threats and security architecture teams can address weaknesses in their existing infrastructures that are actively being exploited in other organisations before they become an issue.
There are a number of raw intelligence feeds available to organisations, but in their raw form, they don’t necessarily deliver the benefits above. Gaining value from these sources of intelligence requires consideration of three separate aspects:
1. Generation. Intelligence analysts supporting your organisation should be able to access data from the operational monitoring environment and link it to internal and external sources. This integrated view can then be used to form a brief to operational teams, management and other researchers. Key to this is supporting the human analyst in generating detailed and comprehensive briefings.
2. Management. Having the correct tools to collect, assess, store and access intelligence is essential to ensure it is of good quality, provides appropriate coverage, and is current, usable and relevant to the business. Processes and standards around threat intelligence sharing and management are fairly new, therefore the ability to use technology to automate processes (where possible) and help analysts identify what information is useful, and what is not, is key to its success.
3. Exploitation. Ultimately, all the intelligence that you acquire on potential threats and attacks is only as useful as the action you can take. Turning raw intelligence into processed product that can be fed into operational systems and processes is essential. Operational staff need to be involved in the end-to-end process to ensure your organisation is truly intelligence-led.
In summary, integrating “good intelligence” into security requires joining up people, process, and technology. Being on top of the generation, management and exploitation of threat intelligence is critical in developing an intelligence led approach to security operations.
To read the full whitepaper on how to catch a cyber thief, please click here or join us next week for a look at Robust Investigation.
- Written 11th August 2014
Written by Dr. David Bailey, Chief Technology Officer
The ever-increasing importance and interconnectivity of the digital world is hugely exciting for businesses and consumers alike. However, it also presents growing opportunities to would-be cyber thieves. This means that now, more than ever, being well informed and prepared is vital to protection in the connected world.
Building an effective security programme is far from simple. With technology and your business constantly changing and the cyber thief becoming smarter, you need to stay one step ahead.
To that end, welcome to our 4 stage, 4 week guide to being able to detect the cyber thieves who have their eyes on your network. We will take you on a journey through the 3 fundamentals for security monitoring and lay out what you need to do to make it happen in your organisation.
This week we will look at step 1 of the 4 steps to outwit the cyber thief:
1. Effective Detection
2. Good Intelligence
3. Robust Investigation
4. Making it Happen
Understanding the data available from network devices, host-based detection and all of the other security tools already at your disposal is a must – what are those devices already telling you about attacks on your network? More importantly, you need to be able to identify threats that do not immediately stand out within the raw data. Sophisticated cyber thieves will try to hide themselves, and you should also have the capability to discover, understand and react to these attacks.
So, what are the key tools that can help you to do this? There are two broad categories - correlation engines and behavioural analysis.
Correlation is used in Security Information and Event Management (SIEM). It recognises predefined series of security events that are known to form part of attacks. This approach is great for spotting patterns that have been seen before and triggering immediate alerts. However, longer term, more complex attacks which do not conform to a known pattern may not be recognised by SIEM and will remain a threat to your network.
The attacker’s ability to slip by correlation engines is where behavioural analysis comes in. This analysis does not rely on signatures and fixed patterns of events derived from historical attacks. Instead, it pulls in large volumes of data from sources across the network and uses sophisticated risk-based algorithms to identify anomalous and malicious behaviours over extended periods of time to detect an attack. This approach is more adaptive to changes in the attacker’s specific tools and techniques and provides a more enduring, less brittle approach to detecting threats.
Combining both correlation and behavioural analysis therefore gives you the best strategy to detect both immediate threats and sophisticated attacks.
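To make the two categories concrete, here is an added example (not code from the original post or from any BAE Systems product) that runs a SIEM-style correlation rule and a per-user behavioural baseline over a constructed event set. The event format, the users, addresses and volumes are all invented for illustration; the point is that the brute-force sequence trips the fixed rule while the low-and-slow upload pattern is only visible against the user's own history.

```python
"""Toy correlation rule beside a behavioural baseline detector.

Constructed sample events, not real logs. Each event is a dict with
ts (minutes since start), user, src, action and bytes.
"""
from collections import defaultdict, deque
from statistics import mean, pstdev

# Constructed events. bob@10.0.0.9 shows a classic known pattern (several
# failures then a success). alice's 19 uploads of 5 MB each are a sustained
# increase that no single event reveals. carol is a benign typo and retry.
EVENTS = [
    {"ts": 0, "user": "bob", "src": "10.0.0.9", "action": "login_fail", "bytes": 0},
    {"ts": 1, "user": "bob", "src": "10.0.0.9", "action": "login_fail", "bytes": 0},
    {"ts": 2, "user": "bob", "src": "10.0.0.9", "action": "login_fail", "bytes": 0},
    {"ts": 3, "user": "bob", "src": "10.0.0.9", "action": "login_fail", "bytes": 0},
    {"ts": 4, "user": "bob", "src": "10.0.0.9", "action": "login_ok", "bytes": 0},
    {"ts": 10, "user": "carol", "src": "10.0.0.5", "action": "login_fail", "bytes": 0},
    {"ts": 200, "user": "carol", "src": "10.0.0.5", "action": "login_ok", "bytes": 0},
] + [
    {"ts": 60 + 20 * i, "user": "alice", "src": "10.0.0.7", "action": "upload",
     "bytes": 5_000_000} for i in range(19)
] + [
    {"ts": 90 + 120 * i, "user": "bob", "src": "10.0.0.9", "action": "upload",
     "bytes": 4_000_000} for i in range(3)
]

# Constructed 14-day history of daily outbound volume per user, in MB.
UPLOAD_HISTORY_MB = {
    "alice": [52, 48, 55, 50, 47, 53, 49, 51, 50, 54, 46, 52, 48, 50],
    "bob": [12, 15, 11, 14, 13, 12, 16, 14, 13, 12, 15, 11, 14, 13],
}


def correlate_bruteforce(events, threshold=3, window=10):
    """Known-pattern rule: at least `threshold` login_fail events from one
    (user, src) pair within `window` minutes, followed by a login_ok."""
    recent = defaultdict(deque)
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["user"], e["src"])
        if e["action"] == "login_fail":
            recent[key].append(e["ts"])
        elif e["action"] == "login_ok":
            q = recent[key]
            while q and e["ts"] - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold:
                alerts.append({"rule": "bruteforce_then_success", "user": e["user"],
                               "src": e["src"], "ts": e["ts"], "failures": len(q)})
            q.clear()
    return alerts


def rule_large_transfer(events, limit_bytes=1_000_000_000):
    """Fixed single-event threshold; never fires on many small uploads."""
    return [e for e in events if e["action"] == "upload" and e["bytes"] > limit_bytes]


def baseline_anomalies(events, history_mb, z_threshold=3.0):
    """Behavioural check: today's outbound total per user against that user's
    own history, flagged when it sits more than z_threshold deviations above."""
    today_mb = defaultdict(float)
    for e in events:
        if e["action"] == "upload":
            today_mb[e["user"]] += e["bytes"] / 1_000_000
    findings = []
    for user, past in history_mb.items():
        mu, sigma = mean(past), pstdev(past)
        observed = today_mb.get(user, 0.0)
        if sigma == 0:
            z = 0.0 if observed == mu else float("inf")
        else:
            z = (observed - mu) / sigma
        if z > z_threshold:
            findings.append({"rule": "outbound_volume_baseline", "user": user,
                             "observed_mb": observed, "baseline_mean_mb": round(mu, 1),
                             "z": round(z, 1)})
    return findings


def detect(events, history_mb):
    """Combined strategy: known patterns plus deviations from baseline."""
    return correlate_bruteforce(events) + rule_large_transfer(events) + \
        baseline_anomalies(events, history_mb)


if __name__ == "__main__":
    for alert in detect(EVENTS, UPLOAD_HISTORY_MB):
        print(alert)
```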
To read the full whitepaper on how to catch a cyber thief, please click here or join us next week for a look at how to obtain and exploit Good Intelligence.
- Written 4th August 2014
Written by Dr David Bailey, Chief Technology Officer
The story about the recent eBay data breach was followed by advice to users to change their password as soon as possible, not only on eBay but also on other accounts that share an ID or password. It needs to be done – both to protect the user's online identity and to prevent fraud. But how many people, either because of lethargy, lack of awareness or password amnesia, have yet to do so? Nobody appreciates going through their online accounts and changing passwords, but with an understanding of how criminals wring value from stolen personal data, it is possible to construct strong, memorable passwords that put you at considerably less risk when one of your web service providers is hacked.
If you are one of two people being chased by a bear, you don’t need to outrun the bear, you just need to outrun the other person. Grisly though it is, this analogy applies to passwords: criminals can apply their computing power to work through possible passwords until they guess the right one. The question is, will yours be discovered first? The weaker the password, the faster it can be cracked. Weak passwords can be cracked in hours by a standard PC yet strong passwords require decades of computing power to crack. This costs money and criminals - driven to make an economic return – will apply the 80:20 rule by focusing on the weakest passwords then move on.
To give an example, analysis of the password list by The Tech Herald relating to a well publicised breach in 2011 reported that it was possible using basic computer tools to crack nearly 10% of the released password hashes in less than 5 hours. To a large part, this was due to poor password choice by users and no enforcement of a strong password policy by the site in question, both fairly easily addressable with the right tools.
As a user, if you can’t contemplate using more than one password then at least make it a strong one. The easiest way to construct a strong password is to make it a long one containing many letters. There are arguments for using upper and lower case alpha, numeric and other characters (eg ABC, abc, 123 and @~#) but such passwords are harder to remember.
Padding passwords with characters can also help. For example, the password SP1D3Rm@n (an example ‘strong password’ used on the UK Government’s own website Get Safe Online), which would take up to 2 months to crack using a PC, could take up to two centuries to crack by adding 2 extra characters and 2 million years by adding 4 extra characters.
An easy way to construct a strong, memorable password is to use the first letters of a lyric, poem or memorable phrase and pad it. For example, using the rhyme ‘TheGrandOldDukeOfYorkHeHad10kMen’. If you want to use numeric and other characters, this could become with padding ‘Tgodoy,hh10km……………’, (although don’t use this or the Get Safe Online example for your password as they are easily guessable by virtue of having been published online).
It is with optimism that we can look forward to password management being consigned to the age of inconvenience. Passwords are slowly being replaced by more usable solutions that incorporate multi-factor authentication and bring more to security than simply remembering a string of letters, digits and symbols. New technology can help with this, for example by taking advantage of the wide array of sensors on your mobile phone to help authenticate access to online accounts. Techniques like this are part of the future and should hopefully consign the days of mass password resets to history.
- Written 18th July 2014
Written by Scott McVicar, Managing Director, Cyber Security
Samuel Johnson’s house faces one end of a shadowy cobbled courtyard in London’s West End, not far from a client of mine. He wrote a journal called ‘The Rambler’ which provided the rising middle class of the 18th century with the social fluency they sought to converse in aristocratic social circles. Had cyber security been a topic of conversation in Regency salons, the following quote would have made the sayer seem exceedingly wise:
“Fear is implanted in us as a preservative from evil but its duty, like that of other passions, is not to overbear reason, but to assist it. It should not be suffered to tyrannize the imagination….”
Dan Gardner cited this quotation in his book ‘Risk: the science and politics of fear’ which explains how humans are pretty poor at evaluating risk. He cites a variety of psychological experiments that demonstrate how we allow our instincts or emotions to unwittingly undermine our rational ability to assess risk. These are explained in the first 100 pages of the book. Here, I summarise them for you:
• The Example Rule: attaching excessive risk to the things we can vividly envisage and fear (eg murder, terrorism, aircraft disasters) and underestimating the risk of events we haven’t experienced or can’t envisage (eg earthquakes, tsunamis)
• The Good-Bad Rule: attaching excessive likelihood to the things we fear (eg nuclear accidents) and underestimating the risks related to things we like (eg indigestion at Christmas)
• The Anchoring Rule: the impact on subjective judgement of related numbers (eg should it be stated in the press that the cost of flood damage on a household is £100k, people will base judgements using £100k as the starting point. Such judgements will be half as much as those made by those who read that the cost of flood damage on a household is £200k)
• The Rule of Typical Things: falsely believing that events typically connected are more likely than either of the events on their own (eg a hot and sunny day being more likely than a hot day or a sunny day).
How do these rules play out when assessing cyber risk? Could it be true that we underestimate risks associated with: mobile computing because it makes our lives more convenient; data leakage from organisations because we get on with the insiders involved; or a crisis caused by an electrical grid failure because we have never experienced one before?
Equally, could it be true that we exaggerate the risk of state sponsored attacks emanating from China compared to more mundane cyber risks; or that we are excessively concerned about cyber attacks that can disrupt our business, but less so about theft of intellectual property? BAE Systems is one of the companies that protect some of the most highly targeted organisations, and we deal with many of these threats every day. If you would like to discuss your risk management strategy, we would be happy to share our experience with you. If you don’t, you at least have a quote you can use at your next salon conversation. I recommend Dan Gardner’s book to anyone responsible for managing modern day risk (ISBN 978-0-7535-1553-2).
- Written 23rd June 2014
There’s no doubt that Internet security has made it into the public consciousness. The Heartbleed bug last month showed how a single technical issue can affect huge numbers of users due to the interdependencies in the infrastructure the Internet depends on, and the recent eBay breach has potentially compromised the personal information of hundreds of millions of users, leaving them open to identity fraud and other abuses. The time it took eBay to notify customers, and the scale of the remediation required, show how businesses have to have comprehensive processes in place to deal with these kinds of incidents.
Written by Dr David Bailey, CTO, Cyber Security
A vulnerability relating to internet security has been disclosed this week which cuts to the heart of the privacy and integrity of many of the web services and applications upon which we as businesses and consumers depend. Vulnerabilities are identified in software all the time – the CVE List (http://cve.mitre.org), which is the standard reference, has named roughly 2,500 new vulnerabilities this year alone – and organisations will have processes in place to update their software and systems to address these.
This particular vulnerability, dubbed “HeartBleed”, is different. Not at a technical level – technically similar vulnerabilities have been found many times in the past – but because the software it affects is embedded in websites across the Internet. Netcraft (http://news.netcraft.com/archives/2014/04/02/april-2014-web-server-survey.html) estimates that 66% of the SSL services on the Internet use a version that is affected by this. It will also be included in innumerable products and solutions that businesses depend on, which will all need to be updated to newer versions of the software. Like many organisations, we have issued an Advisory note to both internal teams and affected partners. You can download our free infographic here explaining how the HeartBleed Exploit works.
Lots will be written about this particular issue over the coming days. Websites will rush to update their software, users will reset their passwords and only time will tell whether digital criminals are able to exploit this to acquire sensitive personal data, take over user accounts and identities and steal money.
This specific issue will pass but it does highlight an important feature of the modern internet – of the connected world. As a society, our information systems are critically dependent on some key components – these are widespread, highly trusted and often positioned at key points in the infrastructure. Other examples of this include digital certificates – proof that software or websites are who they say they are, but which can be stolen to enable malicious software or sites to masquerade as trustworthy – or highly utilised cloud infrastructure such as Amazon Web Services (AWS), where an outage can affect major Internet services which depend on it, even though the consumer of the service has no idea they are visiting AWS. This dependency is hard to identify and hard to manage.
Organisations need a clear strategy in place to identify where these dependencies are and understand the risk they are exposed to. Identifying critical components requires a mix of understanding the business impact – the value at risk, the potential threat – who could exploit it and for what gain, and the technology in the underlying systems. Being able to test systems with a knowledge of all three aspects is vital to being prepared. Having defence in depth – multiple security controls, resilient systems and monitoring, and an effective response plan, is also critical. Not every vulnerability will have the widespread applicability of HeartBleed, but each may have the potential to impact your business just as much if you aren’t prepared. If you need help responding to a suspected compromise then please contact our incident response team on +44 808 168 6647 or email firstname.lastname@example.org.
Keeping your business competitive in today’s connected world requires collaboration with a wide range of organisations and individuals that sit outside of the traditional enterprise. This includes your remote working employees, supply chain, business partners and customers. This in itself isn’t news as businesses have long looked to provide access to their systems and information in order to help improve profitability and drive growth.
Written by: Events
BAE Systems Applied Intelligence joined a stellar array of other luminaries, visionaries, and experts at the RSA Conference 2014 which held a multitude of perspectives and insights last week in San Francisco.
Our activities included analyst briefings with Gartner, Forrester and IDC, press interviews with Bloomberg, MSNBC, WSJ and The Economist, and a reception at the British Consulate in San Francisco that we co-sponsored with BT and Sophos. This made for an unparalleled diversity of industry insight and data based on best practices, real implementation and case studies.
Year after year, RSA Conferences attract the best and the brightest minds in the information security field and across multiple business sectors to share hundreds of game-changing interactions. More than 80% of the 2013 attendees agree: RSA Conferences most definitely stand at the forefront as the leading event in the security industry.
- Written 7th March 2014
Written by: David Garfield, Managing Director, Cyber Security
It has been widely acknowledged that enterprises today face a range of cyber adversaries intent on stealing high-value information or disrupting critical services in order to inflict damage or to gain unfair competitive advantage. Whilst traditional defences such as AV and firewalls remain important (particularly for traditional threats), it should be remembered that these have been proven relatively easy to circumvent by the determined cyber adversary.
Therefore, more and more organisations are responding by proactively monitoring their infrastructure to detect targeted attackers that have successfully gained access. The objective is simple: to find, investigate and respond effectively to attacks before damage is done.
Many enterprises that develop an in-house monitoring capability, by investing in technology and security analysts, often find their efforts are hampered by the limitations of traditional monitoring products, or that they are receiving an overwhelming number of threat alerts to deal with and prioritise. That's why last week, at Infosecurity Europe, we launched our advanced cyber technology, Detica CyberReveal ®, for the first time to the commercial marketplace as an in-house product. This means that companies with their own security analysts will be able to use our defence-grade technology to better protect their organisations from even the most sophisticated and advanced threats.
This is essentially the first time we've ever made our technology – which has been developed over 40 years to secure sensitive Government and commercial information – available for companies to use themselves. CyberReveal technology addresses four key areas where traditional approaches are proving ineffective against the modern cyber threat: efficiency, threat, scale and decision making. It's unique in the level of sophisticated analytics that are deployed over the data collected from across the security estate, and in the advanced visualisation, contextualisation and investigation tools provided to the security analysts.
Here at Detica we've been using our CyberReveal technology for many years in our work protecting some of the most exciting and valuable IP around. We also announced at Infosec that we have been chosen as the official cyber security partner of Vodafone McLaren Mercedes, where we use CyberReveal to ensure McLaren Group's rich and varied IP remains protected. We even managed to get one of their F1 cars onto our Infosec stand, something which earned us a special mention in Infosecurity Magazine's show wrap up.
The few days at Infosec provided us with interesting insights into some of the key innovations in the ongoing battle against cyber crime. The event was used as a platform for some of the industry's most high profile cyber security advocates to update on the true scale of the threat. All in all, it was a thoroughly enlightening event. It's hard to see how we'll top the F1 car, but doubtless we'll start putting our heads together to see what we can come up with for our next show.
One of the top cyber stories of 2013 has undoubtedly been the disclosure in February of alleged connections between a clandestine espionage group and a Chinese military unit in Shanghai. Whilst we can't comment on the validity of this connection, we can state that the espionage group in question went immediately quiet on the day of this revelation and that neither we nor our contacts have seen activity since.
Until now that is - when Detica researchers picked up the first signs that the group may be re-starting their espionage campaigns. Detica researchers have obtained a copy of malware that has all the hallmarks of being crafted by this espionage group. This malware was created in the last week and contains a PDF (opened as a decoy when the recipient of a spear-phishing email clicks on it) which contains the agenda of an upcoming US defence conference, which is consistent with the mode of operation of these particular attackers. The conference, taking place at the end of this month, fits with the style of event which is commonly used as a 'lure' for this group, and others of its kind.
The activity we have detected indicates that the espionage group was lying low until the attention around their activities died down before getting back to 'business-as-usual'. This group typifies the persistent nature of the modern cyber threat - highly motivated to steal sensitive information from organisations across the globe, and lacking any real risk to themselves or their operation.
At Detica, we’ve long advocated the importance of education and of raising awareness around cyber threats, so it was encouraging to see the announcement that a global centre for cyber security will be opened at the University of Oxford. The centre will work to help countries develop comprehensive plans to deal with online threats and share best practice, and is an important addition to the UK’s growing cyber security operation. Having active research and academia more formally engaged in cyber security is a key component to developing an effective response to the malicious cyber threats that exist.
The UK’s cyber security operation should not be viewed in isolation, and as we’ve argued previously, international collaboration is an imperative, not an option. It’s important then that the centre has been designed to help other countries develop strategies to deal with cyber threats. Whilst there is still a significant way to go before we level the playing field between the attackers’ capabilities and our defences, the UK is one of the most mature nations in the world for cyber security and has a lot to offer countries looking to develop their own policy and capabilities.
The UK centre is also particularly timely considering that when the EU Directive comes into force, other nations will be forced to set up national authorities for cyber security even if none currently exists. Hopefully this will act as a catalyst for other nations to follow the UK’s lead.
The opening of the global centre demonstrates how seriously the UK government is taking the importance of bringing security to cyberspace. The significant rise in volume, complexity and intensity of threats and attacks is being more consistently reported now than ever before, and this is indicative not just of the real growth in the problem but also that the topic is moving from being a specialist technical one to becoming a mainstream concern. The increasing prevalence and awareness of targeted attacks, coupled with the emergence of cyber warfare has given the UK government little option but to heavily invest in cyber security.
Increasing awareness, understanding and knowledge is critical to us ensuring that we can provide a safe and secure environment for industry and society, and the global centre for cyber security will support other government initiatives such as the Cyber Security Information Sharing Partnership (CISP), announced at the end of March.
Please note that the material set out herein has been created for discussion purposes only and does not necessarily reflect the position of BAE Systems Applied Intelligence on these subjects.
Copyright (c) 2014 BAE Systems. All rights reserved