By Kathy Gibson – The cyber-threat industry is a massive – and profitable – one and it’s getting more sophisticated thanks to a trickle-down effect of advanced nation state tools being made available to serious organised crime groups, cyber-terrorists and others.
They are even finding their way into the hands of criminal groups for financial gain and the development of commodity malware, says Samu Konttinen, president and CEO of F-Secure.
In turn, they become the tools available for hacktivists and even script kiddies who can now unleash very sophisticated attacks.
“The different groups are differently motivated,” Konttinen points out. Nation states could be after information, hacktivists target specific causes, criminal groups are in it for the money, and the marginal script kiddie group are still hobbyists.
But perhaps the biggest threat we face today is that criminal groups are so sophisticated that companies are almost powerless to stop a determined attack.
The first step in a defence is the ability to detect an attack, but fewer than 20% of companies have that capability today – and this will grow to just 35% in 2020.
“This means that two-thirds of companies will not have detection capability,” Konttinen says.
This means response times are slow, and slow responses lead to damages. “Almost two-thirds of attacks are undetected for at least a month.”
The sooner an attack can be detected, the quicker the damages can be contained, Konttinen says.
On average it takes 69 days to fully resolve an attack, at an average cost of $3.86-million – and, in some cases, this could be up to 100 times more.
“Our message to the world is that there is a paradigm shift and companies should realise there will be breaches, there will be an attack you cannot stop. Then you can start asking the question: how do we make sure we detect it fast so we can prevent the damages and recover from it? So what is our capability to respond?
“Too many companies are still not thinking like this. They are still thinking about how to prevent attacks. It sounds like a small difference, but it’s a big difference.
“The fact is, you cannot stop an attack – there is no way you can stop it. You have to think about how to respond to those attacks.”
African threat actors are now becoming an issue, explains Harry Grobbelaar, vice-president: commercial for F-Secure’s cyber security unit.
The African threat landscape is quickly becoming more sophisticated, with Africa-based cyber-criminal groups now developing and launching home-grown malware.
The South African office of F-Secure supports 18 countries in Africa. It advocates a threat-centric mindset and helps customers to detect and respond to attacks.
F-Secure last year acquired MWR InfoSecurity, a leading African cyber-advisory firm based in Johannesburg. Today, F-Secure has about 100 people on the ground in Africa.
The biggest challenge for security response is the skills gap, Grobbelaar points out. As a global player, F-Secure is able to supplement companies’ skills and help them with skills transfer.
Reacting to a modern cyber-attack requires a high level of skills and analytics, he adds. The right technology, people and processes are vital to doing this effectively.
A typical organised crime attack follows a “cyber-kill chain”, explains John Rogers, incident response manager at F-Secure.
It starts with external reconnaissance, then delivery, then exploitation – all of these are typically carried out by the perimeter breach or access team.
The next step is C2, or command-and-control, where particular devices are penetrated and the attacker can persist – this is the task of a persistent access team.
Thereafter internal reconnaissance takes place, accompanied by lateral movement – carried out by the attack positioning team.
The final step is attaining the objective, which is done by the attack execution team.
“Unfortunately, most companies don’t have adequate detection and response, and only detect an attack once the objective has been attained – this is a little too late.
“You want to drive it as close to the entry point as possible,” Rogers says. “You have to build your capability and go as high up the pyramid as possible.”
Anti-virus controls should be able to pick up some delivery or exploitation activity, he adds. C2 could be stopped by a firewall with suitable analytics.
Rogers agrees that the correct balance of people, process and technology is critical to being effective in attack detection and response – but this can be a problem, particularly in a market like Africa.
He believes there is a huge opportunity for managed detection and response services.
“Unfortunately, for a lot of organisations, cyber security detection and response is often an afterthought until they are faced with a breach – and then it is too late.”