05
Threat Defiance Report

Proactive Cyber Defense: Innovation and Collaboration

Data breaches increased 40% in 2016 compared to 2015. Within that increase, 62% of breaches came from small and medium-sized businesses that weren’t properly protected or prepared for the breach. The attackers are getting more cunning in order to gain access to sensitive information. As the first quarter of 2017 draws to a close, we have already seen a rash of cybersecurity activity and data breaches at commercial real-estate and asset management companies.

A significant number of those breaches in 2017 were a variant of what we call CEO-fraud—where someone pretends to be a high-level executive and emails the payroll/accounting department asking for copies of W2s. In many cases, that employee satisfies the request. During the first quarter of the calendar year, companies need to be on guard for this kind of fraud that exposes their employees' personal information.

Cybercrime in various forms will continue to plague companies. Following are some ‘hot topics’ in cybersecurity for companies to consider for the rest of the year and into 2018.

Ransomware: We’ve all heard of this—encrypting your data, or holding your device hostage until you pay some amount, typically in bitcoin; CEO-fraud: imitating the CEO or another senior executive and convincing the finance/accounts payable department to transfer money somewhere, or to send employee personal information; and of course, Credit Card theft and Identify Theft. I believe that Ransomware will start to migrate from your standard Windows workstations and servers to more IoT devices. What will a consumer do if someone holds their smart-TV hostage or their smart thermostat? What will a business do if their access control system (door swipe system) is held hostage? Some companies have predicted that ransomware will go away in the second half of 2017; I disagree; I think it will evolve and target inherently less secure systems, and due to business impact and lack of backup controls, I predict many organizations will unfortunately pay the ransoms.

The Internet-of-Things (IoT), cyber-physical systems, and Industrial Control System (ICS) security: These are likely to get worse before they get better. Many of these systems are ‘designed to work’ and only afterwards is security a consideration—if it ever is. We will see more hijacking of devices: holding some ransom, using some for bot-nets that will in turn be used to launch a distributed denial of service (DDoS) attack against others. These devices will be used to steal personal information. All of these potentially apply to smart buildings. What happens if someone ‘takes over’ your HVAC system in San Antonio in the summer and disables the A/C until you pay a ransom? Or they seize control of the elevators in a New York high-rise? A recent study of over 3000 companies across 20 countries shows that 84% have already experienced some sort of IoT breach.

Passwords and Authentication: Somewhere between one billion and three billion accounts were compromised in 2016 (depending on the source). If a user’s account credentials are included in any of these breaches, then that account is effectively compromised everywhere else, since many people re-use passwords. If a system only uses username & password for authentication, it will only be a matter of time before a compromise occurs. Unfortunately, many IoT devices and building management systems (BMS) have no option for two-factor-authentication—leaving them ripe for attacks.

Talent Shortage: Nearly every security team lacks enough personnel to adequately defend their networks. Tools can only fill so much of the gap; well-trained, well-equipped individuals are required to successfully defend the networks. A recent analysis of Bureau of Labor Statistics data showed that over 209,000 cybersecurity positions are currently unfilled. Analysts expect the demand for security professionals to increase by 53% through 2018. 

Emerging Trends: Now let’s turn and look at some of the emerging trends, or things I believe are going to gain traction during the remainder of 2017 and into 2018.

HUNT operations are continuing to gain in popularity. Organizations are realizing that they cannot sit back and wait for their automated, passive network security systems to alert them to attacks or breaches. It is too late once those systems detect the problem—the attacker has probably already accomplished their objective. Organizations will begin to engage more proactively, seeking the attackers in their network to thwart them before they accomplish their goals. This process is evolutionary and takes some time to mature, but a recent survey shows that those organizations that have implemented HUNT approaches have seen their time to detection improve by 61%.

Newer defensive tools will continue to move away from the signature-based approach to more model-driven and behavior-driven approaches to identify attacks. Frequently, there are activities or behaviors that are ‘abnormal’ that by themselves do not raise the red flag, but provided the right context and analysis, should raise the alarms. This applies to user activity as well as machine/software activity. To do this at scale will leverage machine learning techniques, as that technology continues to evolve and improve. 

Two-factor and alternative forms of authentication (for example, behavior-based) will replace password-based authentication. Two-factor authentication will become the norm, first for the more standard IT systems, but eventually making its way into IoT and BMS devices. The principal should also apply to physical security within commercial building management solutions: is the equipment room protected with ‘swipe access’? The days of only supporting username and password authentication (without a second factor) are numbered.

With the talent shortage, organizations will work to combine efforts to gain economies of scale and work to overcome the talent shortage. Many attackers use similar TTPs (Tactics, Techniques, and Procedures) and target similar organizations (similar industry verticals). If you are facing the same adversary as others in your industry, why not combine your efforts to improve your collective defense? Organizations can work together to better thwart these adversaries. We are going to see more industries stand up their own cybersecurity collaborative organizations. Even more so, I believe you may see some combine their security operations centers (SOC) into a collaborative SOC that defends multiple organizations simultaneously, especially in light of the talent shortage.

The theme you see in these trends is one of innovation and collaboration. The attackers have had the advantage for years—they are innovative and keep coming up with new ways to breach our networks, whether through technical means or social engineering. For years, we in the IT or cybersecurity community have deployed ‘next-generation’ devices that are really next-generation in name-only—just another passive solution designed to be ‘faster’. Given enough time, the attacker figures out how to circumvent these passive, purely-automated approaches. Organizational security teams are beginning to realize they have to be proactive, they have to stop blaming the users; they need to be innovative like the attackers. This requires a fundamental change in the approach to cybersecurity—the realization that the attacker will get in; a breach will happen. By first accepting that fact, you can now innovate new methods to detect and catch the adversaries. You have to actually HUNT, you have to collaborate with your counterparts in other organizations to leverage new machine learning capabilities, new analysis techniques, and other innovative technologies to identify anomalies and prevent the attackers’ objectives. Now you’re being proactive.

Cybersecurity is an important and timely topic we will be exploring in-depth at Realcomm | IBcon 2017, which will be held in San Diego on June 14-15 (June 13: Precon | June 16: Innovation Tech Tours).