The Truth about Hacking
Your perception of cyber attacks is probably wrong
Cyber attacks can be performed for criminal, terrorist, activist or political gain. In the end, though, they all use similar Tactics, Techniques and Procedures (TTPs) to achieve their ultimate goals. From a criminal point of view, financial institutions have often borne the brunt of the hacker’s targeting.
However, we are now seeing hackers expand their scope to include healthcare organisations, retailers and even universities, with no sign of slowing any time soon. As a security organisation, we often see security teams holding preconceived misconceptions about hackers’ TTPs and the reasoning behind their attacks, which prevents them from building effective security programmes to defend against complex cyber attacks.
Misconception 1: Security solutions prevent hackers penetrating your organisation.
Fact: No organisation is an impregnable fortress; a breach is inevitable.
Although new technologies are brought out frequently to stop hackers penetrating organisations’ networks, this still isn’t enough to combat the threat. Whereas organisations have to defend against a myriad of threats, the hacker’s only task is to find or develop a single vulnerability. No organisation is perfect and hackers know this. With a little persistence, their efforts will eventually pay off.
Suggested remediation: An effective perimeter defence is important. However, organisations should build their security architecture with the assumption that it will be breached, backed up with appropriate incident response and fast learning plans. Knowledge, sensitivity and patience are key for any good cyber security team – the more you understand your network, traffic flows and business activities, the better you will identify anomalies – technology can only do so much.
Misconception 2: Hackers only target vulnerable organisations.
Fact: Hackers aim for targets based upon their own goals, not weak organisations.
The common misconception that hackers only target weak, unprotected organisations that are easy to penetrate is false. In reality hackers aim to reel in the big fish: the big organisations that believe they are well protected. Hackers choose targets that fit their overall end-game goal, whether this is to steal money, obtain private data or damage an organisation’s reputation. Often the hacker’s aim is a combination of these things. Often, too, the organisation that is attacked is not the final target but a route into another organisation.
Suggested remediation: Analyse what hackers would aim for within your organisation; for example, sensitive information such as critical company data that drives revenue. Develop strength in depth – not all data is created equal and some deserves greater controls than others. Prioritise what you consider most ‘sensitive’ and create mitigating controls to help prevent hackers gaining access to that information. External organisations that you rely on and share networks or information with should also be prioritised, in order to help prevent hackers intercepting or penetrating your networks and information through them.
Misconception 3: Hackers only gather information on the IT and security systems in use by an organisation.
Fact: Hackers gather all-source intelligence and data on a target in order to help them understand the target’s response.
As any hacker worth their salt knows, knowing how the target will respond to an attack can give you the ultimate edge in achieving the end goal. Hackers will spend a large amount of time building up an intelligence picture of an intended target, which goes far beyond what the target uses in terms of IT systems. Hackers will gather information on employee data, salaries, work habits, business connections, travel calendars and any other data that helps build the intelligence picture and profile of key personnel within the organisation, such as security staff.
Suggested remediation: Although this can be difficult, social media training is an essential prerequisite for all staff and especially staff of privilege. Getting them to understand how the world can use their online information and presence against them can be your most effective defence. Put in place a clear classification scheme and highlight the types of information that should not be shared outside of the company.
Misconception 4: Hackers rush in, grab what they want, then quickly leave.
Fact: Hackers like to keep themselves on the ‘down low’ and spend as long as possible within your network.
Hackers purposefully move ‘low and slow’ in order to avoid detection. It also increases the hacker’s chances of prolonged exposure to your organisation’s sensitive information. In order to remain undetected, hackers perform a minimal amount of actions per day so that they do not attract the attention of the security team.
Suggested remediation: The ‘low and slow’ technique can work to the advantage of an organisation’s security team, as it gives the team a significant amount of time to stop the hacker’s actions. Detecting the ‘low and slow’ technique can be difficult; however, there are advanced behavioural systems that can help to identify and stop these threats.
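The contrast between a single-day threshold rule and a behavioural rule that looks across weeks is easier to see in code. The following is an added example, not code from the original article or from any product it mentions: it builds a constructed outbound-connection log (host names, the destination address and the byte counts are all made up for the illustration) in which one workstation sends a small amount of data to the same rarely contacted destination every day for three weeks, while another workstation sends one large burst. The per-day rule only sees the burst; the persistence rule catches the quiet, repeated pattern.

```python
"""Added example: per-day threshold detection versus long-window
persistence detection over constructed outbound-connection logs.
Log format, host names, destinations and thresholds are assumptions."""
from collections import defaultdict
from datetime import date, datetime, timedelta


def build_sample_log(days=21):
    """Constructed sample log, one line per connection:
    '<ISO timestamp> <src_host> <dst_host> <bytes>'.
    wk-01..wk-05 talk to a shared CDN daily; wk-07 sends 50 KB to one
    rare destination every night; wk-03 sends a single 5 MB burst on day 5."""
    lines = []
    start = date(2024, 3, 1)
    for i in range(days):
        day = start + timedelta(days=i)
        for n in range(1, 6):
            lines.append(f"{day}T09:{n:02d}:00 wk-{n:02d} cdn.example.net 120000")
        lines.append(f"{day}T23:15:00 wk-07 203.0.113.10 50000")  # low and slow
        if i == 4:
            lines.append(f"{day}T14:00:00 wk-03 files.example.org 5000000")  # burst
    return lines


def parse(line):
    ts, src, dst, nbytes = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), src, dst, int(nbytes)


def daily_threshold_alerts(lines, max_bytes_per_day=1_000_000):
    """Classic rule: alert on any host that sends more than
    max_bytes_per_day outbound within one calendar day."""
    per_day = defaultdict(int)
    for ts, src, _dst, nbytes in map(parse, lines):
        per_day[(src, ts.date())] += nbytes
    return sorted({src for (src, _day), total in per_day.items()
                   if total > max_bytes_per_day})


def persistence_alerts(lines, min_days=14, max_hosts_for_dst=1):
    """Behavioural rule: alert on (src, dst) pairs that recur on at least
    min_days distinct days when dst is contacted by very few hosts overall.
    Volume is ignored on purpose, so staying under a daily limit does not help."""
    days_seen = defaultdict(set)
    hosts_per_dst = defaultdict(set)
    for ts, src, dst, _nbytes in map(parse, lines):
        days_seen[(src, dst)].add(ts.date())
        hosts_per_dst[dst].add(src)
    return sorted(
        (src, dst, len(d)) for (src, dst), d in days_seen.items()
        if len(d) >= min_days and len(hosts_per_dst[dst]) <= max_hosts_for_dst
    )


if __name__ == "__main__":
    log = build_sample_log()
    print("daily threshold alerts:", daily_threshold_alerts(log))
    print("persistence alerts:    ", persistence_alerts(log))
```

The persistence rule deliberately keys on how many distinct days a host-to-destination pair recurs and how rare the destination is across the estate, rather than on volume, which is exactly the quantity a ‘low and slow’ operator keeps small. In practice the rarity baseline would be learned from the organisation’s own traffic over a longer history, and the day count used as one signal among several rather than an alert on its own.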
Misconception 5: Effective response to an identified hacker’s operation equals fast response.
Fact: Hackers perform several decoy operations as feints to mask the real operation.
Security teams often have an incentive to stop a threat/incident as soon as it is identified. This can lead to rash decision making and not understanding the bigger picture. Whilst a quick reaction to an incident is encouraged, security teams should also take a step back and observe the bigger picture as often hackers use decoy tactics to distract you from the real attack.
Suggested remediation: An organisation should always plan to be deceived by a hacker. When closing incident tickets, always be a bit sceptical, and make sure the incident is fully contained and remediated. Look for wider patterns of behaviour and take nothing for granted, no matter how small or insignificant.
Overall, in order to deal with ever-evolving cyber attacks, organisations should implement an effective detection and response plan that is moulded by the five facts discussed above and that includes, at a minimum, the following steps:
- Preparation across the entire company
- Invest in detection as well as responsive processes
- Hold test runs
- Check the alerts that appear benign
- Create a consolidated data repository
- Identify measurements and metrics
- Don’t overlook industrial controls
- Containment and remediation
- Plan for a follow-up budget and resources
- Follow-up across the organisation
As long as organisations are aware and accept that hackers will infiltrate, or already have infiltrated, their network, they can begin to deal with the threats and understand the hacker modus operandi.
To speak to us about any aspect of cyber security, email us or call 0800 772 0625.