Recently, two of our Canadian banks became victim to data theft. We should not be surprised as data breaches are not new and we should expect more of them to occur, even with the companies entrusted with our financial information and money. What bothered me the most about the breach was not so much the breach itself but how the banks discovered they were breached.
Their discovery was not because systems or third party monitoring detected the “incident”, rather the bad actors contacted the bank and told them about the attack after it was successful. There will be lots of questions being asked by boards, executives and staff, along with managing affected customers, but of all these questions the most important question to ask will be why was this breach not detected at all? In my experience early detection, and anticipation of an attack is key. It is challenging to defend against an attack when you cannot detect it.
There are often early signs of an attack. The key is knowing what to look for and where to look. To help this process, when advising companies on detection, the simple but well known Cyber Kill Chain is often used. The most popular framework is by Lockheed Martin but there are other versions and interpretations. Basically, they all boil down to the same concept — a set of standard steps that bad actors execute to breach a target. As the target or potential target (or victim), you need to understand where your each of your tools fit on the cyber kill chain, how they would detect a potential attack, how would they alert to a potential attack. Once alerted, what procedures and processes are initiated, what is the decision matrix and many other tasks and processes involving containment, analysis and recovery.
Ideally, any security architecture will have in or have derived from it effective detection at all points along the Cyber Kill Chain. The earlier in the chain you detect the attack, the better your chances of containment and mitigation. Depending on the client environment, using this framework can initially seem too simple for such a large problem, but in my opinion, is is a good place to start, not services and products. As a tool, it can help start the discussion to answer very necessary questions. Does your organisation have a clear detection plan throughout their infrastructure in the data centre, in their cloud infrastructures, with third parties who access their systems? Can their security teams or managed security service provider clearly explain how they detect compromise within the infrastructure at each point in the Cyber Kill Chain? Are the answers substantial and detailed enough? Are they backed by appropriate processes and procedures? Is all this documented and is there a team that clearly and in detail understands threat detection and what would happen in your organisation?
If the answers to these questions are not known, or not sufficient from your security teams or managed service provider it is prudent to seek those answers. From there you can develop a plan that takes the Cyber Kill Chain to concrete tools, steps, processes and procedures to detect an attack earlier, and stop before key intellectual property, data and or money exits the organisation. This of course is most effective if you engage a third party to help. A third party that is not influenced by vendors, their products, or wants to sell you additional services or products.
I recently saw this article on how banks are adopting Military-Style tactics to Fight Cybercrime. Of course to effectively execute these tactics, a framework such as the Cyber Kill Chain and how it applies to your organisation is a necessary first step that unfortunately, is often skipped or not thorough enough in my experience.
As many organisations will continue to discover, detection of a potential attack is the first step to prepare, minimise, contain, and hopefully stop valuable assets from being stolen.