Critical race for innovation between adversaries and defenders

Security has been a heated boardroom discussion topic since it was recognized as more than an isolated IT problem. There have been many eye-catching incidents of late. I am sure you still remember the breach of an adulterers’ website’s server and the dumping of almost 10 gigabytes of data in an easily accessible file about three months ago.

And earlier this year in South Korea, President Park Geun-hye also highlighted the destruction that could result from cyberattacks against targets such as nuclear plants, which are first-class security installations that directly affect the safety of the population, and where even a tiny lapse would therefore threaten national security. Fiat Chrysler earlier announced a voluntary recall of about 1.4 million vehicles, as a network-level security measure, to prevent remote manipulation of the vehicles. And just recently, US President Obama and Chinese President Xi Jinping had a face-to-face discussion on cybersecurity. All of these are solid proof points that cybersecurity has become an issue that threatens all of us!

Finding the right way to respond is now a major concern for organizations as they attempt to better protect their assets. An important approach is to understand your adversary, so you can think and act two steps ahead of them. Nowadays, as more effective security defenses are implemented, attackers are developing new and more innovative techniques to compromise users and systems and to evade evolving defenses. And while all this is going on, organizations are scrambling for competitive supremacy. The latest Cisco report is a good read to understand the key threats observed in the first half of 2015, along with insights on current and future trends and advice for organizations that utilize security solutions and services. Below are some key discoveries that businesses should duly note:

1. Evasiveness of Cyberattacks

Overall, the research reveals that adversaries are refining their ability to develop and deploy malware that can evade detection. The security industry is struggling to innovate at a similar pace. Adversaries are displaying their innovation in a variety of ways: Angler uses agility, Rombertik uses destructiveness, Dridex uses speed and Malvertising uses adaptation. Specifically:

  • Angler: Comprises over 75% of domain shadowing activity since December 2014 and also randomly shifts among multiple IP addresses to make detection more difficult
  • Rombertik: Floods memory with 960 million useless instructions that overwhelm inspection tools and, if detected, attempts to destroy the master boot record (MBR) of its host computer, making the computer inoperable on restart
  • Dridex: Executes campaigns within 5 hours, well before threat intelligence sensors propagate threat notices
  • Malvertising: Rapidly changes domains and add-on names, e.g. in 2014 more than 4,000 different add-on names and over 500 domains were associated with the threat

2. Critical Need to Reduce Time to Detection

With the upward trend of evasive threats, the report also reveals the critical need for organizations to reduce time to detection (TTD) – the window of time between the first observation of a file and the detection of a threat. The faster you can identify a threat and remediate against it, the better chance you have of that attack doing minimal damage. The current industry standard for time to detection, however, is 100 to 200 days, an unacceptable level given how rapidly today’s malware authors are able to innovate. (In contrast, the average TTD for Cisco Advanced Malware Protection (AMP), with its retrospective analysis of attacks that make it past existing defenses, is just 46 hours!) The longer a breach goes undetected, the greater the likelihood that more data is exfiltrated, and that the resulting impact in terms of bad PR, and ultimately customer trust in your organization, can be even more damaging and long lasting.
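To make the TTD metric concrete, here is an added Python example (not code from the post or from the Cisco report) that measures it the way the paragraph defines it: per file, the gap between the first time the file was observed and the first time any sensor flagged it, including retrospective verdicts that arrive long after the file was allowed through. The telemetry lines, the `OBSERVED`/`DETECTED` event format, the file identifiers and the 48-hour reporting threshold are all constructed assumptions for this example.

```python
"""Measure time to detection (TTD) from file-observation telemetry.

TTD for a file = first DETECTED timestamp - first OBSERVED timestamp.
A file that is observed but never detected has an open exposure window,
which is the case the post warns about (breaches undetected for months).
"""
from datetime import datetime, timedelta
from statistics import median

# Constructed sample telemetry (assumed format): "<ISO timestamp> <event> <file id>"
# OBSERVED = file seen and allowed through; DETECTED = a verdict of malicious.
# fileB models a retrospective verdict that arrives months after first sight.
# fileE has no OBSERVED line: it was blocked on first sight, so its TTD is zero.
SAMPLE_EVENTS = """\
2015-03-01T08:00:00 OBSERVED fileA
2015-03-01T09:30:00 OBSERVED fileB
2015-03-03T06:00:00 DETECTED fileA
2015-03-02T11:00:00 OBSERVED fileC
2015-03-04T11:00:00 OBSERVED fileC
2015-07-20T12:00:00 DETECTED fileB
2015-03-03T08:00:00 DETECTED fileC
2015-03-06T10:00:00 OBSERVED fileD
2015-03-07T00:00:00 DETECTED fileE
"""


def parse_events(text):
    """Parse telemetry lines into (timestamp, kind, file_id) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, kind, file_id = line.split()
        events.append((datetime.fromisoformat(ts), kind, file_id))
    return events


def first_times(events):
    """Earliest OBSERVED and earliest DETECTED timestamp per file."""
    first_seen, first_detected = {}, {}
    for ts, kind, fid in events:
        if kind == "OBSERVED":
            table = first_seen
        elif kind == "DETECTED":
            table = first_detected
        else:
            raise ValueError(f"unknown event kind: {kind}")
        if fid not in table or ts < table[fid]:
            table[fid] = ts
    return first_seen, first_detected


def compute_ttd(events):
    """Return {file_id: timedelta} for resolved files, or None if never detected."""
    first_seen, first_detected = first_times(events)
    ttd = {}
    for fid in set(first_seen) | set(first_detected):
        if fid not in first_detected:
            ttd[fid] = None                     # exposure window still open
        elif fid not in first_seen:
            ttd[fid] = timedelta(0)             # blocked at first sight
        else:
            # max() guards against clock skew producing a negative gap
            ttd[fid] = max(first_detected[fid] - first_seen[fid], timedelta(0))
    return ttd


def summarize(events, now, threshold=timedelta(hours=48)):
    """Fleet-level TTD statistics plus the files still undetected at `now`."""
    first_seen, _ = first_times(events)
    ttd = compute_ttd(events)
    resolved = {f: d for f, d in ttd.items() if d is not None}
    hours = sorted(d.total_seconds() / 3600 for d in resolved.values())
    return {
        "median_ttd_hours": median(hours) if hours else None,
        "max_ttd_hours": max(hours) if hours else None,
        "over_threshold": sorted(f for f, d in resolved.items() if d > threshold),
        # For never-detected files the exposure so far is at least (now - first seen).
        "open_exposure_hours": {f: (now - first_seen[f]).total_seconds() / 3600
                                for f, d in ttd.items() if d is None},
    }


def run_example():
    """Run the summary over the constructed telemetry with a fixed 'now'."""
    return summarize(parse_events(SAMPLE_EVENTS), datetime(2015, 7, 31))


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

The median hides the tail: in this sample the median is about a day and a half, while one file sat undetected for over 140 days and another has no verdict at all. Reporting the over-threshold list and the open exposure windows alongside the median is what turns TTD from a vendor benchmark into something an operations team can act on.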

3. Cybersecurity Call to Action

Given the innovation in the malware ecosystem, organizations need to bear some broad security considerations in mind, driven by the need to reduce TTD and prevent attacks.

  • Integrated Threat Defense: A purely preventive approach has proven ineffective, and we are simply too far down the road to accept a TTD measured in hundreds of days. The question of ‘what do you do when you are compromised’ highlights the need for organizations to invest in an integrated approach to threat defense, combining visibility, control, intelligence and context, with which to quickly detect any compromise before considerable damage is done.
  • Trustworthy Vendors: Organizations should demand that their technology vendors are transparent about, and able to demonstrate, the security they build into their products. These vendors must carry this understanding across all aspects of product development starting with the supply chain and through the deployed life of their products. Vendors must be able to contractually back up their claims and provide better security.
  • Services Fill the Gap: Organizations need to make sure they have the right support and expertise to respond quickly to attacks, so they don’t end up going it alone. Enlisting third-party expertise offers organizations flexibility to pivot with the shifting threat landscape. Security service providers are well positioned to look at security holistically – the people, process and technology – and ensure that each business invests in and gets the most from its security investments.

There is a great deal at stake for any organization: their brand, their reputation, their intellectual property and their customers’ data – all of these things are at risk. Organizations need to take a systemic approach to minimizing that risk through an appropriate security posture. At the same time, the technology industry must up its game and provide reliable and resilient products and services for detection, prevention and recovery from attacks. Indeed, the innovation race between adversaries and security vendors is accelerating, placing end users and organizations at increasing risk. That is why developing integrated security solutions that help organizations be proactive, and align the right people, the right processes and the right technology, is so vital to your business success.

Stephen Dane is Managing Director, Cisco Security, Asia Pacific & Greater China