Advanced Threats and the Human Factor – The Register

Notes I took from today’s The Register webcast with Proofpoint, Freeform Dynamics and Fujitsu.

  • People want to be productive so will find ways around cumbersome security processes and procedures.
  • Organisations often don’t take the time to explain why the procedures are in place and what the consequences are of ignoring them.
  • Have rules that can be bent a little and are flexible and realistic.
  • Top targeted industry is Finance.
  • Volume of messages with malicious attachments has increased 17x in the six months from Jan 2015, and is now significantly higher than URL-based attacks.
  • Top 3 most common email lures: communication notification, financial corporate, financial personal (in that order).
  • 1 in 25 malicious messages are clicked.
  • Sales, finance and supply chain staff (in that order) are three times more likely to click than IT staff.
  • Staff and management are twice as likely to click vs executives.
  • You should measure systems, user behaviour, data flows and network connections. Monitoring for exceptions to normal behaviour and traffic is key to identifying problems.
  • Attackers understand both people and technology, and don’t mind failure. They’re persistent: they only need one attack to work to breach the organisation’s security.
  • Cyber kill-chain and attacker framework: knowing this helps you mitigate some of the techniques and processes that attackers use against you.
    • Recon (LinkedIn, Facebook, etc. give lots of info)
    • Weaponise (selecting the type of attack)
    • Deliver – how to deliver the attack
    • Exploit
    • Install
    • Command and Control
    • Action
  • Once access to a system has been gained, the attackers often don’t just grab data and go. Some attacks last for months.
  • Examples of attacks:
    • email received “from VP” inside the company sent to the PA of another VP. The PA then got a phone call from the “sender”, sounding authoritative and asking her to open the spreadsheet attachment and follow up urgently. The PA opened the attachment and her PC was infected. The attack was only discovered after the PA reported suspicions later after she’d had time to reflect.
    • Email was received containing a link that did different things depending on the platform it was launched from (e.g. Windows vs Android vs anything else)
  • Some malware can now detect if it has been sandboxed, e.g. if running in a virtual machine it will not trigger, so it is hard to detect and to diagnose how it behaves.
  • Rise in macro-based attacks in recent months. People see the “enable protected content” prompt and know that legitimate files won’t work properly if they don’t enable it, so they always do, despite the warnings.
  • People are known to be the weakest link in the security chain.
  • Intelligence aggregators (e.g. Proofpoint) check data across multiple organisations to see if (e.g.) an email received in one organisation has also been received in another, or if a new outgoing connection has been detected across multiple organisations and thus could be a C&C channel. This makes management by exception more practical, but you first need to know what “normal” looks like.
  • Next generation security techniques:
    • Prepare – understand risk posture
    • Prevent – block known threats
    • Detect – detect unknown threats
    • Respond – respond to incidents
  • Plan how to respond before you need to! You need to have a process in place to prevent knee jerk reactions.
  • Don’t rely on other people/news media to tell you when there’s a problem.
  • Keep the security training/information transfer short and to the point, and keep it regular.
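Two of the points above (monitoring for exceptions to normal traffic, and spotting a new outgoing connection that appears across several organisations as a possible C&C channel) come down to the same mechanism: learn a baseline of destinations, flag what falls outside it, then prioritise destinations that are new in more than one place. The script below is an added example written for these notes; it is not code from the webcast, The Register, or any of the vendors mentioned. The log format, organisation names, hosts and IP addresses are all constructed for illustration.

```python
"""Flag outbound connections that fall outside a learned baseline, then
correlate the new destinations across organisations.

Added example for these notes; the log format, organisation names,
hosts and addresses below are constructed, not real data.
"""
from collections import defaultdict
from datetime import datetime

# Constructed proxy/firewall-style records: "<timestamp> <org> <host> <dst_ip:port>"
# Baseline period: traffic already judged to be normal.
BASELINE_LOG = """\
2015-06-01T09:00:00 orgA ws-12 93.184.216.34:443
2015-06-01T09:05:00 orgA ws-12 198.51.100.7:443
2015-06-01T09:06:00 orgA ws-40 93.184.216.34:443
2015-06-01T10:00:00 orgB ws-03 93.184.216.34:443
2015-06-01T10:01:00 orgB ws-03 203.0.113.10:80
"""

# Later period to be checked against the baseline (also constructed).
NEW_LOG = """\
2015-07-01T09:00:00 orgA ws-12 93.184.216.34:443
2015-07-01T09:02:00 orgA ws-12 198.51.100.250:8443
2015-07-01T09:10:00 orgB ws-03 198.51.100.250:8443
2015-07-01T09:11:00 orgB ws-03 203.0.113.10:80
2015-07-01T09:20:00 orgC ws-77 198.51.100.250:8443
2015-07-01T09:30:00 orgA ws-40 192.0.2.55:443
"""


def parse(log):
    """Yield (timestamp, org, host, destination) tuples, skipping blank lines."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, org, host, dst = line.split()
        yield datetime.fromisoformat(ts), org, host, dst


def build_baseline(log):
    """Per organisation, the set of destinations seen during the 'known normal' period."""
    seen = defaultdict(set)
    for _, org, _, dst in parse(log):
        seen[org].add(dst)
    return seen


def new_connections(baseline, log):
    """Return (org, host, dst, ts) for each outbound connection not in that org's baseline.

    An organisation with no baseline at all (orgC below) has every connection
    flagged: that is noisy but correct, since nothing is known to be normal yet.
    """
    out = []
    for ts, org, host, dst in parse(log):
        if dst not in baseline.get(org, set()):
            out.append((org, host, dst, ts))
    return out


def cross_org_suspects(new_conns, min_orgs=2):
    """Destinations that are new in at least min_orgs organisations.

    A destination that several organisations start talking to at the same
    time is the 'new outgoing connection seen across multiple organisations'
    pattern from the notes, so it is the first exception worth investigating.
    """
    orgs_by_dst = defaultdict(set)
    for org, _, dst, _ in new_conns:
        orgs_by_dst[dst].add(org)
    return {dst: sorted(orgs) for dst, orgs in orgs_by_dst.items() if len(orgs) >= min_orgs}


if __name__ == "__main__":
    base = build_baseline(BASELINE_LOG)
    fresh = new_connections(base, NEW_LOG)
    for org, host, dst, ts in fresh:
        print(f"{ts.isoformat()} {org} {host} -> {dst}  (not in baseline)")
    for dst, orgs in cross_org_suspects(fresh).items():
        print(f"PRIORITY: {dst} is new in {len(orgs)} organisations: {', '.join(orgs)}")
```

On the constructed input, four connections fall outside their organisation's baseline, and one destination (198.51.100.250:8443) is new in all three organisations at once, so it is the one an analyst would look at first. Everything else is either already in the baseline or new in a single organisation, which is the routine exception queue rather than the priority one.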
