Any company that has a presence on the internet, accesses the internet to do business, or works with a third party who accesses the internet will be subject to cyberattacks. And forecasts for 2021 call for more attacks, of more types, in a business environment being redefined by remote working and technological transformation.
Threat actors are strategic in going after their targets, with specific goals in mind. It is important to note that no one in any industry is safe from these actors, who can hail from global criminal networks and nation-states or act as a lone, rogue employee. Even if you are not aware of having been attacked, you will at some point have to respond to a cyberattack.
What to do? At a minimum, companies should have an incident response plan that is periodically tested so that, in the event of the inevitable cyberattack, all responsible parties will react accordingly to minimize the impact of the breach. In many cases, how you respond to a breach can be more important than the breach itself. This article also discusses more proactive defenses, such as multi-layered security controls and business continuity plans.
Who Are Threat Actors?
These are some of the significant threat actors in the cybersecurity landscape:
Threat Actor: Organized Cyber Criminals
Key Driver(s): Making large amounts of money quickly (usually paid in cryptocurrency such as Bitcoin)
Details: In the last 10 years, a significant threat to organizations across many industries has been cyber criminals who encrypt an organization’s data with ransomware and, increasingly, also steal a copy of it first, forcing companies to make a choice: pay, or lose access to the data and have it exposed. This is an easy way for organized criminals to make large sums of money, and it continues to get worse. By locking up an organization’s data and coupling that with the threat of publishing the sensitive data on the dark web, where other hackers can use it for further attacks, they can be a company’s worst nightmare. Reputational, regulatory, operational, and financial risks are constant concerns for companies that could be attacked by these organized cyber criminals, who will demand to be paid.
What you can do: Companies must protect their networks and endpoints with multi-layered security controls such as intrusion detection and response systems. Anti-malware and anti-virus solutions are the traditional way to thwart these actors, but the criminals are sophisticated and well funded, and signature-based tools alone are not enough. Detecting suspicious behavior is a challenge, but security teams must be diligent and keep reviewing their endpoint logs and the alerts they receive.
Companies should also have a tested business continuity plan so that if their production systems are impacted, there is an alternate and secure backup option to restore the data or systems to continue business as soon as possible.
Assume these actors will eventually get in, and build layers of protection around your data and systems. The security controls at each layer should trigger an alert or alarm when that layer is breached. Companies must test their incident response plan at least annually, walking through different scenarios and the responses required of each incident response team member.
Threat Actor: Advanced Persistent Threat (APT)
Key Driver(s): Political manipulation, theft of intellectual property and proprietary data
Details: APT groups have become increasingly active as several nations, such as Russia, China, Iran, North Korea, and others, wage cyber warfare operations against their political, economic, and military enemies.
These APT groups are very sophisticated in their attacks, and tracing the origin of an attack can be complicated. APT groups operate as teams, usually with state backing, building and sharing hacking tools and pursuing many targets at once. Like organized cyber criminals, APTs will also look to reach companies through their vendors. Financial gain is not the primary incentive for APTs, who instead look to cause political disruption and steal a target’s secrets such as proprietary data, intellectual property, and governments’ critical information. As the name says, they are persistent: a blocked intrusion attempt is usually followed by another.
What you can do: Defending against targeted attacks from APTs requires that the targets implement the same countermeasures described above for thwarting organized crime. Additionally, targeted companies must look at the cybersecurity controls of their vendors and hold them accountable for protecting themselves, since a vendor’s breach can become the company’s breach.
Threat Actor: Insider Threats
Key Driver(s): Malicious Intent, Incompetence, Negligence
Details: If there is a rogue employee at your company, the impact on the organization can be crippling, and possibly more catastrophic than the constant attempts of external threat actors. Not every insider incident is malicious, but mistakes have consequences too. Many companies have experienced embarrassing and costly data breaches due to unintentional errors that damaged their reputation and customer confidence.
It can be extremely difficult to detect an insider threat because the employees have valid credentials, are “trusted,” and have extensive knowledge of the company’s security controls and procedures, especially if the employee has elevated system privileges. With many companies looking to continue remote working due to the COVID-19 pandemic, monitoring and detecting insider threats has become even more problematic for security teams.
What you can do: Companies should make sure that anomalous user behavior is logged, alerted on, and acted upon when logs and alerts are reviewed. Employees should have only the privileges needed to perform their duties. Companies should also have an effective security awareness program. Employees have to be educated on how to behave when accessing the network and made aware of the ramifications of violating company security policies, whether intentionally or unintentionally.
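As an added example (not code from the original article), the following Python script shows the kind of log review that the "What you can do" advice for organized crime and for insider threats both call for: it learns each user's usual source networks and working hours from a constructed week of audit lines, then flags logins from a new network or at an unusual hour, bulk file reads, and privilege changes with no approved change record behind them. The log format, the user names, the IP addresses, and the thresholds are all assumptions made for the example; a real deployment would feed it from the endpoint or identity provider logs you actually collect.

```python
"""Anomalous-user-behavior check over constructed audit log lines.

Added example, not code from the original article. The log format
("<ISO timestamp> <user> <event> <source-ip> <detail>"), the users,
addresses and thresholds are all assumptions made for the example.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed "normal week" used to learn each user's baseline.
BASELINE_LOG = """\
2021-03-01T09:02:11 alice LOGIN 10.20.1.15 ok
2021-03-01T10:15:03 alice FILE_READ 10.20.1.15 /finance/q1.xlsx
2021-03-01T17:45:00 alice LOGIN 10.20.1.15 ok
2021-03-02T08:55:20 alice LOGIN 10.20.1.22 ok
2021-03-01T08:30:00 bob LOGIN 10.20.2.40 ok
2021-03-02T18:10:00 bob LOGIN 10.20.2.41 ok
"""

# Constructed "recent" lines to be checked against that baseline.
RECENT_LOG = """\
2021-03-08T09:05:00 alice LOGIN 10.20.1.18 ok
2021-03-08T02:14:09 alice LOGIN 203.0.113.7 ok
2021-03-08T02:15:30 alice FILE_READ 203.0.113.7 /finance/q1.xlsx
2021-03-08T02:15:31 alice FILE_READ 203.0.113.7 /finance/q2.xlsx
2021-03-08T02:15:32 alice FILE_READ 203.0.113.7 /hr/salaries.csv
2021-03-08T02:15:33 alice FILE_READ 203.0.113.7 /hr/reviews.csv
2021-03-08T02:15:34 alice FILE_READ 203.0.113.7 /legal/contracts.zip
2021-03-08T02:15:35 alice FILE_READ 203.0.113.7 /legal/nda.pdf
2021-03-08T11:00:00 bob PRIV_CHANGE 10.20.2.40 added-to:DomainAdmins
"""

BULK_READ_THRESHOLD = 5   # file reads by one user within one clock hour
HOUR_TOLERANCE = 1        # hours outside the learned range before alerting
# Privilege changes backed by an approved ticket, as (user, detail) pairs.
# Empty here (assumption), so every privilege change in RECENT_LOG is flagged.
APPROVED_PRIV_CHANGES = set()


def parse(log_text):
    """Turn raw lines into dicts; malformed lines are skipped rather than trusted."""
    events = []
    for line in log_text.strip().splitlines():
        fields = line.split(" ", 4)
        if len(fields) != 5:
            continue
        ts, user, event, ip, detail = fields
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": event, "ip": ip_address(ip), "detail": detail})
    return events


def build_baseline(events):
    """Per user: the /24 networks they are seen from and the hours they are active."""
    base = defaultdict(lambda: {"nets": set(), "hours": set()})
    for e in events:
        base[e["user"]]["nets"].add(ip_network(f"{e['ip']}/24", strict=False))
        base[e["user"]]["hours"].add(e["ts"].hour)
    return dict(base)


def detect(baseline, events):
    """Return (user, rule, evidence) tuples for events that deviate from the baseline."""
    alerts = []
    reads = defaultdict(int)   # (user, "YYYY-MM-DDTHH") -> file reads in that hour
    for e in events:
        user, prof = e["user"], baseline.get(e["user"])
        if prof is None:
            alerts.append((user, "UNKNOWN_USER", e["ts"].isoformat()))
            continue
        if e["event"] == "LOGIN":
            if not any(e["ip"] in net for net in prof["nets"]):
                alerts.append((user, "NEW_SOURCE_NETWORK", str(e["ip"])))
            lo = min(prof["hours"]) - HOUR_TOLERANCE
            hi = max(prof["hours"]) + HOUR_TOLERANCE
            if not lo <= e["ts"].hour <= hi:
                alerts.append((user, "OFF_HOURS_LOGIN", e["ts"].isoformat()))
        elif e["event"] == "FILE_READ":
            key = (user, e["ts"].strftime("%Y-%m-%dT%H"))
            reads[key] += 1
            if reads[key] == BULK_READ_THRESHOLD:   # alert once, when the threshold is crossed
                alerts.append((user, "BULK_FILE_READ", key[1]))
        elif e["event"] == "PRIV_CHANGE":
            if (user, e["detail"]) not in APPROVED_PRIV_CHANGES:
                alerts.append((user, "UNAPPROVED_PRIV_CHANGE", e["detail"]))
    return alerts


def run():
    """Learn the baseline from the normal week, then check the recent lines."""
    return detect(build_baseline(parse(BASELINE_LOG)), parse(RECENT_LOG))


if __name__ == "__main__":
    for user, rule, evidence in run():
        print(f"{rule:<24} user={user} evidence={evidence}")
```

On the constructed input this produces four alerts: alice logging in from a network she has never used, at 02:14 when her baseline is 08:00 to 17:00, then reading five or more files in a single hour, and bob receiving a privilege change that no approved ticket covers. The privilege-change rule is the one that ties back to least privilege: every elevation should match a change record, so an unmatched one is worth a look whether it came from a rogue administrator or from an attacker using stolen credentials.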
Anyone can be breached. It’s just a matter of time, and all companies, regardless of industry, have to be prepared for these threat actors and others looking to penetrate their networks.
Companies need to have a security team, whether employees or an outsourced security firm, as the first step to thwart cyberattacks. The security team must have skilled professionals who understand how to implement measures to protect the company as best as possible and, if breached, deploy the mechanisms to effectively respond to the cyberattack. Testing your incident response plan is paramount and must be done on a regular basis.
Four key steps to implement an effective incident response process, following the NIST SP 800-61 incident handling life cycle, are:
- Preparation;
- Detection and analysis;
- Containment, eradication, and recovery; and
- Post-incident analysis and remediation.
If you have to respond to a cyberattack and are able to contain, eradicate, and recover from it, the post-incident activity is a critical step to review what occurred and how effectively your company responded. Key questions to be asked for a lessons-learned perspective could be the following:
- Exactly what happened, and at what time(s)?
- How well did you perform in dealing with the cyberattack?
- Were the documented procedures followed?
- Were they adequate?
- What information was needed sooner?
- Were any steps or actions taken that might have inhibited the recovery?
- What would you do differently the next time a similar cyberattack occurs?
- What corrective actions can prevent similar cyberattacks in the future?
- What precursors or indicators could be watched for in the future to detect similar cyberattacks?
- What additional tools or resources might be needed to detect, analyze, and mitigate future cyberattacks?
- Are there any changes required to your policies, standards, procedures, manuals, training, and cyber practices?
Worst case: A lack of preparation can be an existential threat to your company. No one should consider themselves safe in today’s threat landscape.