In the past, it was much easier for firewalls to detect significant threats to the network, because traffic could be classified by protocol and attackers were less sophisticated. Today's cyber threats are designed to evade detection and bypass traditional firewalls with ease.
Businesses in the Asia-Pacific lost an estimated $US81.3 billion in revenue due to cyber-attacks in the 12 months to September 2015, compared with $US62.3 billion in Europe and $US61.3 billion in the US, according to London-based consulting company Grant Thornton.
According to Rajesh Maurya, Regional Director, India & SAARC, Fortinet, “To defend against cyber-hackers, one must know how they attack. By gaining threat intelligence and understanding each different phase of a cyber-attack, enterprises could build a better cyber defensive posture against the threats. Threat intelligence, when complemented by risk analysis and best security practices, will ensure a robust cyber security environment.”
Fortinet outlines 7 phases of a cyber-attack and prescribes precautionary steps to counter each of them:
Phase 1 Reconnaissance - In this early phase, the attacker attempts to gain an understanding of an organization, its network and its business partners. Identify “watering holes”: common websites that employees visit not only for business purposes but also for leisure. Cyber hackers research and identify these sites and then plant malware on them, so monitor them closely with content filtering and/or proxy tools. It is also important to review vendors and note the level of access they are accorded. Build a template of key questions and considerations to assess the security of any third party, and determine the minimum access each one requires.
Phase 2 Weaponization - This is the phase where an attacker selects, and sometimes even builds, malicious code to exploit identified vulnerabilities in the target. One needs to know which type of attack is likely to be underway. If a nation-state attack is imminent, focus efforts and resources on putting processes and technology in place to respond to zero-day threats. Segmenting the network architecture is also a good way to at least minimize the impact of a potential breach. When it comes to zero-day threats, the key is detection.
If the threat is likely to emanate from cybercriminals, concentrate on developing a good vulnerability and patch management program. Consistently patching known vulnerabilities increases the chance of keeping criminals from compromising the network. When researching vulnerability and patch management technologies, ensure the solutions can identify all assets, operating systems, applications and vulnerabilities.
Phase 3 Delivery - As threats come from both inside and outside an organization, and can be either intentional or accidental, a comprehensive scheme of programs and processes needs to be put in place to identify threats and risks. Phishing emails are by far the most common method of malware delivery. Implement a phishing training program that makes employees aware of the increasing sophistication of these attacks. Employ content security technology for email and web traffic designed to identify and remove malicious attachments. Solutions that include sandbox tools are especially important, as they can detect previously unseen or sophisticated malware.
Phase 4 Exploit - Since many exploits occur through a phishing attack, a strong vulnerability and patch management system is key. Standardize on one browser for the workforce, ensure it is patched and updated regularly, and limit the use of plug-ins such as Java or Flash. Most malware employs evasion techniques to circumvent traditional AV technology. Utilize sandbox technology to move suspicious content to a secure area where its behaviour can be safely triggered and analysed.
Phase 5 Command and control - To defend at this stage, application control at the perimeter is a must: it inspects application streams and detects malware communicating back to its malicious infrastructure. Malicious communication tools often tunnel through other protocols. SSL inspection is the best defense here, as it can intercept, open and inspect encrypted traffic, then forward it once it is deemed clean. A good approach is to use a combination of application control, reputation databases and URL filtering to monitor, inspect and secure traffic.
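One concrete way to act on the command-and-control advice above is to look for "beaconing": malware checking in with its infrastructure on a clock-like schedule, which stands out from the irregular timing of human browsing. The following is an added example written for this article, not code from Fortinet or any product. It assumes a hypothetical outbound firewall log format (timestamp, source, destination, application, bytes), a constructed sample of such lines, and a small allow-list standing in for a reputation database; any (source, destination) pair with enough connections, a low coefficient of variation in its inter-connection gaps, and a destination not on the allow-list is reported.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of outbound firewall log lines (hypothetical format, not real traffic).
# Host 10.1.2.15 talks to 203.0.113.7 every ~5 minutes with near-identical sizes,
# while 10.1.2.40 browses 192.0.2.9 at irregular intervals.
SAMPLE_LOG = """\
2015-09-01T10:00:00 src=10.1.2.15 dst=203.0.113.7:443 app=ssl bytes=512
2015-09-01T10:00:04 src=10.1.2.15 dst=198.51.100.20:443 app=ssl bytes=40210
2015-09-01T10:01:10 src=10.1.2.40 dst=192.0.2.9:443 app=ssl bytes=7300
2015-09-01T10:03:50 src=10.1.2.40 dst=192.0.2.9:443 app=ssl bytes=12800
2015-09-01T10:05:00 src=10.1.2.15 dst=203.0.113.7:443 app=ssl bytes=520
2015-09-01T10:09:05 src=10.1.2.40 dst=192.0.2.9:443 app=ssl bytes=2200
2015-09-01T10:10:01 src=10.1.2.15 dst=203.0.113.7:443 app=ssl bytes=515
2015-09-01T10:12:33 src=10.1.2.15 dst=198.51.100.20:443 app=ssl bytes=1200
2015-09-01T10:15:00 src=10.1.2.15 dst=203.0.113.7:443 app=ssl bytes=511
2015-09-01T10:20:00 src=10.1.2.15 dst=203.0.113.7:443 app=ssl bytes=518
2015-09-01T10:20:00 src=10.1.2.40 dst=192.0.2.9:443 app=ssl bytes=9100
2015-09-01T10:22:30 src=10.1.2.40 dst=192.0.2.9:443 app=ssl bytes=640
2015-09-01T10:25:01 src=10.1.2.15 dst=203.0.113.7:443 app=ssl bytes=509
2015-09-01T10:31:07 src=10.1.2.15 dst=198.51.100.20:443 app=ssl bytes=88000
2015-09-01T10:40:00 src=10.1.2.40 dst=192.0.2.9:443 app=ssl bytes=3300
"""

# Stand-in for a reputation/allow-list database: destinations known to be legitimate
# (constructed value, e.g. a corporate SaaS endpoint).
KNOWN_GOOD = {"198.51.100.20"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>[^:]+):(?P<port>\d+) "
    r"app=(?P<app>\S+) bytes=(?P<bytes>\d+)$"
)


def parse_log(text):
    """Parse the hypothetical log format into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected format
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "src": m["src"], "dst": m["dst"], "port": int(m["port"]),
            "app": m["app"], "bytes": int(m["bytes"]),
        })
    return sorted(events, key=lambda e: e["ts"])


def find_beacons(events, known_good=KNOWN_GOOD, min_events=5, max_cv=0.1):
    """Flag (src, dst) pairs whose connection timing is suspiciously regular.

    The coefficient of variation (stdev / mean) of the gaps between successive
    connections is close to zero for a timer-driven check-in and large for
    human-driven browsing. Allow-listed destinations are skipped.
    """
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e["ts"])

    findings = []
    for (src, dst), stamps in by_pair.items():
        if dst in known_good or len(stamps) < min_events:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps only; nothing to measure
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({
                "src": src, "dst": dst, "connections": len(stamps),
                "mean_interval_s": round(avg, 1), "cv": round(cv, 4),
            })
    return findings


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"possible beacon: {hit['src']} -> {hit['dst']} "
              f"({hit['connections']} connections, every ~{hit['mean_interval_s']}s)")
```

In practice the thresholds (`min_events`, `max_cv`) are tuned against a day of real logs, and legitimate periodic traffic (update checks, monitoring agents) is handled by adding its destinations to the allow-list rather than by loosening the timing test.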
Phase 6 Internal reconnaissance - No defense strategy is guaranteed to stop every attack. Implement a good incident response plan. When an incident occurs, people tend to panic, so a proper plan detailing the steps to take and the people to contact can avoid a knee-jerk reaction.
Once an attacker is inside a network, they have bypassed every edge protection layer. However, there is still a chance to minimize the impact of the breach by segmenting the network into security zones. This creates choke points that help isolate the breach and allow traffic to be monitored and secured as it moves between zones. It also gives more granular visibility inside the network, where most organizations traditionally have little to no threat intelligence.
Given that a threat has managed to circumvent your defenses, most likely no signature was available to detect it. At this stage, adopt anomaly-based and behaviour-based detection. This technology leverages big data analytics and machine learning tools to learn what normal traffic looks like, so that unusual or unexpected traffic patterns and device behaviours can be quickly identified.
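The behaviour-based detection described above boils down to learning a per-device baseline and alerting on departures from it, without needing a signature for the threat. The example below is added for this article (not Fortinet's or any vendor's code) and uses constructed data: seven days of daily outbound byte counts per host as the baseline window, and one day under evaluation. It uses a robust score (median and median absolute deviation, so a single outlier in the history does not distort the baseline) and also reports devices that have no history at all, since a previously silent machine suddenly sending data is exactly the kind of "unexpected device behaviour" the text refers to.

```python
from statistics import median

# Constructed per-host daily outbound byte counts over a 7-day baseline window (not real data).
BASELINE = {
    "fileserver-01": [2_100_000, 2_300_000, 1_900_000, 2_200_000, 2_000_000, 2_400_000, 2_150_000],
    "workstation-17": [350_000, 410_000, 380_000, 300_000, 390_000, 360_000, 420_000],
    "db-02": [150_000, 160_000, 140_000, 155_000, 165_000, 145_000, 150_000],
}

# Constructed observations for the day being evaluated.
TODAY = {
    "fileserver-01": 2_250_000,   # within its normal range
    "workstation-17": 9_600_000,  # roughly 25x its usual daily outbound volume
    "db-02": 152_000,             # within its normal range
    "printer-lobby": 4_000_000,   # a device that never appeared in the baseline
}


def robust_score(value, history):
    """Distance of value from the history's median, in robust standard deviations.

    1.4826 * MAD estimates the standard deviation for normally distributed data;
    when MAD is zero (constant history) fall back to a unit scale so any change scores.
    """
    med = median(history)
    mad = median(abs(x - med) for x in history)
    scale = 1.4826 * mad if mad > 0 else 1.0
    return (value - med) / scale


def detect_anomalies(today, baseline, threshold=5.0):
    """Return alerts for hosts deviating from their own baseline or lacking one."""
    alerts = []
    for host, value in today.items():
        history = baseline.get(host)
        if not history:
            alerts.append({"host": host, "score": None,
                           "reason": "no baseline (new or previously silent device)"})
            continue
        score = robust_score(value, history)
        if abs(score) > threshold:
            alerts.append({"host": host, "score": round(score, 1),
                           "reason": "outbound volume deviates from learned baseline"})
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(TODAY, BASELINE):
        print(f"{alert['host']}: {alert['reason']} (score={alert['score']})")
```

The same scoring applies to any per-device metric the monitoring stack exposes (connections per hour, distinct destinations, DNS query volume); the design choice that matters is that each device is compared with its own history rather than a global threshold, which is what lets a quiet database server be flagged at a volume that would be normal for a file server.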
Phase 7 Maintaining - At this point in the attack chain, the malicious “visitors” will try to extend their visit for as long as possible to siphon data from your network. Document the company's servers that contain sensitive data and make sure they do not have access out to the Internet. This makes it harder for cyber criminals, because they will need to find a staging server to transfer data onto before exfiltrating it to their destination. Identify all attack paths into and out of servers with sensitive data, and monitor these paths more closely. Pay particular attention to paths through hosts that have access to those servers and also have access to the Internet.
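Checking that sensitive servers have no route to the Internet, directly or via a staging host, is a graph reachability question over the firewall policy. This is an added example written for this article, not Fortinet's code; it assumes a hypothetical, constructed policy expressed as allowed (source, destination) flows between hosts or zones, with a pseudo-node "INTERNET" for any external address, and a constructed list of hosts holding sensitive data. It enumerates every simple path from each sensitive host to the Internet (up to a hop limit) and distinguishes direct egress from egress through an intermediate host, which covers both checks the text asks for: servers that should not have Internet access, and the attack paths out of them that deserve closer monitoring.

```python
from collections import defaultdict

INTERNET = "INTERNET"  # pseudo-node for any external destination

# Constructed firewall policy (hypothetical hosts and zones): each pair is an allowed flow.
ALLOWED_FLOWS = [
    ("workstations", "web-app"),
    ("workstations", INTERNET),
    ("web-app", "db-sensitive"),
    ("web-app", INTERNET),
    ("db-sensitive", "backup-01"),
    ("backup-01", INTERNET),       # backup server pushes offsite: a staging path out
    ("db-sensitive", "siem"),
    ("siem", INTERNET),            # log platform fetches threat feeds: another staging path
    ("hr-files", "print-server"),  # dead end: print-server has no outbound flows
    ("finance-app", INTERNET),     # direct Internet access from a sensitive host
]

# Constructed list of hosts documented as holding sensitive data.
SENSITIVE = {"db-sensitive", "hr-files", "finance-app"}


def build_graph(flows):
    """Adjacency sets: source -> set of destinations the policy allows."""
    graph = defaultdict(set)
    for src, dst in flows:
        graph[src].add(dst)
    return graph


def egress_paths(graph, start, sink=INTERNET, max_hops=4):
    """Enumerate simple paths from start to sink with at most max_hops edges."""
    paths = []

    def walk(node, path):
        if node == sink:
            paths.append(list(path))
            return
        if len(path) - 1 >= max_hops:
            return
        for nxt in sorted(graph.get(node, ())):
            if nxt not in path:          # keep paths simple (no cycles)
                path.append(nxt)
                walk(nxt, path)
                path.pop()

    walk(start, [start])
    return paths


def audit(flows, sensitive):
    """For each sensitive host, report whether it reaches the Internet and how."""
    graph = build_graph(flows)
    report = {}
    for host in sorted(sensitive):
        paths = egress_paths(graph, host)
        report[host] = {
            "direct": any(len(p) == 2 for p in paths),  # host -> INTERNET in one hop
            "paths": paths,
        }
    return report


if __name__ == "__main__":
    for host, result in audit(ALLOWED_FLOWS, SENSITIVE).items():
        if not result["paths"]:
            print(f"{host}: no path to the Internet")
            continue
        kind = "DIRECT Internet access" if result["direct"] else "indirect egress"
        print(f"{host}: {kind}")
        for p in result["paths"]:
            print("   " + " -> ".join(p))
```

Feeding this with the real policy means exporting allowed rules from the firewall and mapping address objects to the host and zone names used in the sensitive-data inventory; the interesting output is usually the indirect paths, since those pass through the backup, logging and management hosts that tend to be granted broad access in both directions.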
To avoid an attacker going undetected for long periods of time, consider Operational Threat Intelligence (TI). Sophisticated malicious code is designed to remain undetected by traditional AV scanning. Do not just rely on a clean scan result; instead, invoke more detailed forensic procedures to truly identify whether or not the machine is clean, especially if the device contains sensitive or compliance-related data.
BW Reporters
Yashvendra is Executive Editor at BW CIOWorld. He has over 15 years of experience in journalism. Starting his career in 2000 with the Press Trust of India, he has worked at organizations such as The Indian Express, IDG (International Data Group) and Business India. During the course of his career, he has covered a range of sectors and has been instrumental in launching several brands.