Viruses, worms and simple malicious code were the most frequent threats to the IT landscape before the turn of the new millennium. A signature-based protective mechanism in the form of an anti-virus program was sufficient to provide adequate protection against standard cyberattacks. Today's IT threats to companies are far more sophisticated and require special layers of protection, especially for critical infrastructures. COMPAREX expert Anja Dörner shows how companies can take five meaningful steps to equip themselves in the face of cyberattacks.
An article by Anja Dörner, Specialized Sales Symantec at COMPAREX
The current Internet Security Threat Report by Symantec has shown that attackers proceed in an increasingly purposeful manner when targeting their victims. They have their sights set on large and medium-sized enterprises in particular. The security industry speaks of an Advanced Persistent Threat (APT). The Symantec report indicates that attackers compile detailed information on the companies before proceeding. The aim is to find out how the company is structured, which employees are likely to have the most extensive access to the systems, which websites the employees use to obtain information on a daily basis, and so on.
A mere glance at the example of the "Dragonfly" attack shows what an APT may look like:
Fig. 1: The Dragonfly attack as an example of APT, source: Symantec
The diagram shows how the complete “Dragonfly” attack campaign unfolded. From 2013 it affected energy companies in the following countries:
Fig. 2: Top 10 countries according to active infection, source: based on Symantec
Dragonfly is a hacker group that is most likely based in Eastern Europe. After initially concentrating on airlines and defense companies, it switched its interest from 2013 onwards to industrial enterprises involved in the energy sector. Here, Dragonfly proceeded in an extremely professional way, infecting software used in industrial control systems with a specific Trojan. It entered the IT environment of the energy companies via trojanized software updates (shown green in fig. 1), giving the hackers unfettered access to the networks.
The hacker group also conducted other cyberattacks. First it targeted selected employees in the companies, sending them phishing mails (shown blue in fig. 1), while at the same time performing so-called watering hole attacks (shown red in fig. 1), in which websites the employees visit are infected with malicious code. Dragonfly used the malicious code to export system information, copy documents, and read addresses in Outlook and the configuration data of VPN connections. The Symantec Security Report states that the data was then encrypted and sent to the hackers' command-and-control server.
There is no doubt that the hackers not only succeeded in siphoning off this information, but also managed to inject their program code into the control software, thus placing the technical systems at their fingertips. A worst-case scenario would have involved substantial disruption to the energy supply in an affected country.
Reason enough to reflect on how to protect IT systems against cyberattacks
This example demonstrates clearly that an Advanced Persistent Threat can continue over several months, sometimes years, and that it might involve a broad array of different attack channels. Would companies today be able to quickly detect this kind of threat and assess the risk to their operations based merely on their regular security software?
Our experience has shown that "No" is the answer to this question.
A study conducted by ISACA reveals that 33% of companies are not convinced that they are properly protected against cyberattacks or able to respond appropriately to an APT. Protection against these versatile threats requires a multi-level solution and intelligent security.
Companies should adhere to the following five steps to ensure sufficient security
Fig. 3: Five steps to protect against cyberattacks, source: Symantec
Step 1: Prevent
Companies need to remove their blinkers and prepare for a genuine emergency. It can hit anyone. They must prepare strategies and emergency plans, and become familiar with their vulnerabilities. After all, they would know exactly how to proceed if a fire broke out in the building, wouldn't they?
Note: Risk analysis
Step 2: Implement protective measures
A well-guarded endpoint is the best method of protection against cyberattacks, and against APTs in particular. Here, an array of different defense mechanisms should ensure that threats cannot penetrate the IT network in the first place. With increasing frequency this concept is complemented by a coordinated security setup in which a variety of solutions communicate and share context information. This can speed up detection and automate responses.
Step 3: Detect
A large number of different methods for malware identification already exist. Current knowledge must be used to make a reasoned decision on which strategy is best to deploy.
Step 4: Respond
If a network is infected, the malware must be completely removed, leaving no residual traces. It is then necessary to guarantee that the endpoint is secure. In order to prevent similar cases in the future, it is imperative to identify when and how the malicious code gained access to the network.
We recommend the following solutions to cover steps 2 to 4 completely:
- Symantec: Advanced Threat Protection Endpoint, Network & Email
- Sophos: Next-Generation Endpoint Protection
- Trend Micro: TippingPoint Advanced Threat Protection Family
Step 5: Recover
Suitable backup software should be used to restore the data once the system has been cleaned up.
We endorse the following vendors:
I frequently hear that finding suitable IT security experts and creating adequate resources needed to analyze data from various solutions present significant challenges to companies.
Many companies struggle with the same difficulties as shown in the following diagram.
Fig. 4: The IT security challenges facing companies, source: Ponemon Institute 2015, "2015 Global Study on IT Security Spending & Investments"
There are plenty of opportunities to ensure sufficient protection against cyberattacks in companies, whether through training that raises employees' awareness of data protection or through an extensive IT security audit. IT service providers like COMPAREX can help in this respect.