As the capabilities of cyber criminals grow, companies need to put themselves in attackers' shoes in order to defend.
Ensuring that your business is as prepared as possible for a cyber event is no longer optional: it has become a strategic imperative. That’s the view of KPMG partner Mike Daughton, who says that cybercrime is now estimated to cost businesses €330 billion a year worldwide. “Cyber risks are among the top issues businesses have to consider when it comes to their resilience and continuity planning,” he says. “Businesses have to become more cyber resilient if they are to survive in this increasingly challenging environment.”
The threat level is increasing all the time due to the growing capabilities of cyber criminals; the increased resources available to them – often free or at very low cost on the public internet as well as the so-called dark web; the vastly increased connectivity of devices as a result of developments such as the internet of things; the growing reliance of organisations on third parties and supply chains; and resource constraints on IT departments.
Daughton says this has created a readiness gap where companies are struggling to keep pace with the increase in risk. “Cybercrime is a risk that every organisation must be armed against. Every institution needs to be able to detect and respond to the cyber security threat – and boards must take the lead in equipping the organisation in this battle.”
The best way to prepare is by knowing your enemy, he believes. The first step is to consider the different types of cyber attacker and which ones are most relevant for your organisation. These include criminal gangs, hacktivists, corporate competitors, nation states and disgruntled employees. The next step is to identify what they might target and how they might mount an attack.
“Put yourself in the attacker’s shoes,” Daughton advises. “They are likely to invest quite some time researching your organisation, its security posture, systems and employees. They will also be able to use publicly available search engines to identify potentially vulnerable corporate devices, and exchange information with other groups of attackers. Tools such as open-source intelligence and forensics applications enable them to collate and analyse the huge amounts of data they have collected – the big data of hacking, if you will.”
And don’t overlook the physical threat, he warns. “Gaining access to your premises could be a quick way to gain access to your data.”
Having done their research and identified their target, the hackers will make a plan around how to reach it. “They will seek to establish a virtual foothold within your organisation as a base camp,” he says. “Likely methods of gaining this foothold include sending members of staff phishing emails with links that have malware embedded, or with malware attached, or setting up a ‘watering hole’ – finding a site that is commonly used by staff and compromising it by embedding malware there. Once they have tricked some victims, they can then digitally ‘move around’ within your organisation and find ways of reaching their target.”
It’s then a question of defence. “It’s crucial to know what are your most valuable assets, your crown jewels, and where they are located,” he says. “Thinking about what you are defending also means thinking about the dependencies: what do your systems rely on, have you given copies to anyone externally or in the cloud? That’s key to resilience.”
Organisations should map out possible routes of attack and make a matrix of actions to defend against them based on the “five Ds”: detect, deny, disrupt, degrade and deceive, Daughton says.
There are certain prerequisites for a successful defence strategy, he adds. “You will need to be able to capture all of your data in order to analyse and learn from it. In the same vein, you will need to build a knowledge base – logging phishing emails, for example, creating a database that you can interrogate and analyse.
“It’s vital, of course, to have the necessary in-house skills – a capable cyber security team, and perhaps the services of outside consultants who can be called in as and when necessary. And, finally, there is no getting around the fact that you will need to make the right amount of investment in order to do all of this – which means that it is essential to get the board on side.”
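The phishing-email knowledge base Daughton describes, as an added example that is not from the article or from KPMG: three constructed phishing reports (every address, domain and link in them is invented) are parsed with Python's standard library, loaded into SQLite, and then interrogated for the questions a defender actually asks – which sender domain is being impersonated most, which messages failed SPF or DKIM, and which link hosts keep reappearing. It assumes reports arrive as raw messages with an Authentication-Results header added by the receiving mail server.

```python
"""Added example: a minimal phishing-report knowledge base in SQLite.
Not the article's or KPMG's code; all sample data below is constructed."""
import email
import re
import sqlite3
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed reports (hypothetical senders, domains and URLs).
SAMPLE_REPORTS = [
    """From: "IT Helpdesk" <helpdesk@examp1e-corp.test>
Reply-To: reset@mail-secure-login.test
Authentication-Results: mx.example.test; spf=fail smtp.mailfrom=mail-secure-login.test; dkim=none
Subject: Password expires today
Content-Type: text/plain

Your password expires today. Reset it at http://mail-secure-login.test/reset?u=123
""",
    """From: "Payroll" <payroll@examp1e-corp.test>
Authentication-Results: mx.example.test; spf=fail smtp.mailfrom=bulk-send.test; dkim=fail
Subject: October payslip
Content-Type: text/plain

Your payslip is ready: https://mail-secure-login.test/payslip
""",
    """From: "Vendor Portal" <news@vendor-portal.test>
Authentication-Results: mx.example.test; spf=pass smtp.mailfrom=vendor-portal.test; dkim=pass
Subject: Invoice 7781
Content-Type: text/plain

Invoice available at https://vendor-portal.test/invoice/7781
""",
]


def _domain(header):
    """Domain part of an address header, lower-cased; '' if the header is absent."""
    if header is None:
        return ""
    _, addr = parseaddr(str(header))
    return addr.rpartition("@")[2].lower()


def parse_report(raw):
    """Pull out the fields worth recording from one raw reported e-mail."""
    msg = email.message_from_string(raw, policy=policy.default)
    auth = str(msg.get("Authentication-Results", ""))
    spf = re.search(r"\bspf=(\w+)", auth)
    dkim = re.search(r"\bdkim=(\w+)", auth)
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    return {
        "subject": str(msg.get("Subject", "")),
        "from_domain": _domain(msg.get("From")),
        "reply_to_domain": _domain(msg.get("Reply-To")),
        "spf": spf.group(1).lower() if spf else "none",
        "dkim": dkim.group(1).lower() if dkim else "none",
        "urls": URL_RE.findall(body),
    }


def build_db(raw_reports):
    """Parse each report and load it into an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE reports (id INTEGER PRIMARY KEY, subject TEXT,
            from_domain TEXT, reply_to_domain TEXT, spf TEXT, dkim TEXT);
        CREATE TABLE urls (report_id INTEGER, host TEXT, url TEXT);
    """)
    for raw in raw_reports:
        r = parse_report(raw)
        cur = conn.execute(
            "INSERT INTO reports (subject, from_domain, reply_to_domain, spf, dkim) "
            "VALUES (?, ?, ?, ?, ?)",
            (r["subject"], r["from_domain"], r["reply_to_domain"], r["spf"], r["dkim"]))
        for url in r["urls"]:
            conn.execute("INSERT INTO urls VALUES (?, ?, ?)",
                         (cur.lastrowid, urlparse(url).hostname, url))
    conn.commit()
    return conn


def top_sender_domains(conn, n=5):
    """Claimed sender domains ranked by how often they appear in reports."""
    return conn.execute(
        "SELECT from_domain, COUNT(*) FROM reports GROUP BY from_domain "
        "ORDER BY COUNT(*) DESC, from_domain LIMIT ?", (n,)).fetchall()


def auth_failures(conn):
    """Subjects of reports whose SPF or DKIM result was anything other than pass."""
    rows = conn.execute(
        "SELECT subject FROM reports WHERE spf != 'pass' OR dkim != 'pass' ORDER BY id")
    return [row[0] for row in rows]


def repeat_link_hosts(conn):
    """Link hosts seen in more than one report: candidates for a block list."""
    return conn.execute(
        "SELECT host, COUNT(DISTINCT report_id) FROM urls GROUP BY host "
        "HAVING COUNT(DISTINCT report_id) > 1 ORDER BY 2 DESC, host").fetchall()


if __name__ == "__main__":
    db = build_db(SAMPLE_REPORTS)
    print("most-impersonated sender domains:", top_sender_domains(db))
    print("authentication failures:", auth_failures(db))
    print("link hosts seen in several reports:", repeat_link_hosts(db))
```

The point of storing structured fields rather than raw messages is that the second and third questions only become answerable once reports accumulate: a single message with a fake reset link is noise, but the same link host across several reports impersonating different internal departments is a campaign worth blocking at the proxy and hunting for in mail logs.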
Having developed the strategy, it’s then a question of implementing it. “You have to test your systems through drills and realistic attack simulations. This may involve hiring a ‘red team’ of external attackers from your advisers to put your systems through the mill and identify weaknesses and areas of priority – while your ‘blue team’ of defenders seeks to repel the attacks.
“If you don’t test your defences, then you are effectively closing your eyes and hoping. Testing will open your eyes as to where you really are and what you need to address and provide the evidence that cyber resilience must be a significant priority for the organisation.”
This article was originally printed in The Irish Times on 26/10/2017 and has been republished here with their kind permission.