Plugging the gaps in today’s threat landscape

• There are common weaknesses that make organisations vulnerable to APT attacks
• ‘Every time we raise the bar, the attackers will raise theirs,’ says FireEye CTO

IT is a new world out there, a scary one in which hackers are not mere mischief-makers but actual cybercriminals out to target and bring down whole organisations, and with them, entire nations too.
 
It’s a world of nation-state versus nation-state aiming malware, advanced persistent threats (APTs) and cyber-espionage attacks at each other, with businesses and individual users caught in the crossfire.
 
There are some common weaknesses in organisations that make them vulnerable to attacks by APT actors, according to FireEye chief technology officer Grady Summers (pic), who spoke at the RSA Conference Asia Pacific & Japan (RSAC APJ) 2015 in Singapore last week.
 
The first is the lack of instrumentation and collection of data on incidents or network activity in many companies, which result in incomplete or non-existent logs.
 
“There’s this notion that attackers don’t leave a trace and are difficult to detect, but there are things you can look for. Attackers always leave footprints, but we’re often not watching,” said Summers.
 
The second is a lack of network segmentation, which he said makes it “way too easy” for attackers to gain access to the entire organisation by just compromising one user account.
 
Another is the use of single-factor authentication for VPN (virtual private network) and Outlook Web Access, which Summers said was a “pet peeve” of his.
 
“If you’re using single-factor authentication still, I suggest you leave now and start working on it. Because it is going to be abused and is very difficult to detect,” he told the audience at RSAC APJ 2015.
 
Summers later told Digital News Asia (DNA) the fact remains that personal email accounts have better protection in place then most work email.
 
“Two-factor authentication (2FA) should be easy to deploy but in one conversation I had with the CIO (chief information officer) of a pharmaceutical company, he mentioned that they had plans to do so but never acted on it because it was such a ‘pain in the butt.’
 
“So that’s the thing: Despite this being this a low-hanging vulnerability, it goes back to human nature being the No 1 challenge to cybersecurity,” he said.
 
Poor credential management is also another weakness that organisations need to solve, with many still prone to leaving the credentialed accounts of staff who have left unchanged and undeleted – an asset hackers love to get their hands on.
 
“Once attackers get the credentials of a domain admin, it’s basically ‘game over.’ But the thing is that changing or upgrading account management, especially in a large organisation, is difficult and can disrupt operations.
 
“IT budgets are still being cut even while security budgets are going up, and that’s a tension I see, because security guys can’t fix security, it’s more a business problem than an IT problem, and unless that's aligned then you’re never going to win,” said Summers.
 
The last area of weakness is the inability to detect or prevent spear-phishing, which forms the first point of attack for many APT groups.
 
Summers admitted that while user education is key to mitigating the risk of spear-phishing attacks – or those aimed at getting information or credentials from a specific target – it is not a fool-proof solution but “it can’t hurt.”
 
“I worked with one company that phished its own users as part of the education process. When it first started, about 20% of its users would click on a phishing email,” he said.
 
“After spending a lot of money and two years later, that number dropped to 8%. But while it’s an improvement, the problem is that all it takes it one.
 
“And the difficulty lies with the fact that these attackers are really good, and I guarantee that even you or I would fall for them [at some] time.
 
“It gets to the level where they even hijack email threads taking place and jump in mid-conversation, which we would click on because, why would we not?” he added.
 
Asked about tools such as email filtering and intelligent scanners to remove phishing emails from even getting to the user, Summers noted that no tool is perfect, but at least it can help “stop an awful lot.”
 
“Even if it doesn’t, it can help inform an organisation that they’re under attack. What we’ve noticed is that these things move in waves, so IT can be put on high alert.
 
“It’s a great ‘canary in the coal mine’ for detection, and I expect more companies to be buying these phishing detection tools in the future and be successful in stemming attacks,” he added.
 
Summers’ advice to organisations struggling with coming to terms with the need for more robust security is to realise that it is not a battle that can be won overnight.
 
“It is a decades-long battle and any organisation or region that’s starting to deal with APTs has to realise that it needs to be a sustained investment – as every time we raise the bar, the attackers will raise theirs.
 
“That’s why it’s important for the board of directors, C-level and senior executives to get involved, to ask the tough questions and support long-term investments because it’s not just about buying some box,” he said.
 
Previous Instalment: Asia in the crosshairs of APT attackers: FireEye CTO
 
 
For more technology news and the latest updates, follow us on Twitter, LinkedIn or Like us on Facebook.