In the last year, every single type of cyber-attack on Australian companies increased, with ransomware incursions escalating by 58%.1 This is the result of a worrying new shift in cyber-criminal behaviour, with threat actors forming syndicates, collaborating and sharing tools and information in the underground economy.
Until recently, most organisations have been responding to this onslaught with a cyber security version of ‘whack-a-mole’.
But, now, they’re getting smarter.
According to the 2019 SANS CTI survey, 72% of companies have started using cyber threat intelligence (CTI). This is the area of cybersecurity that focuses on collecting and analysing information about attacks that are being specifically targeted at your organisation. The same global survey also showed more than 80% of organisations found CTI had improved their security and response.
Making the most of CTI
Right now, many Australian organisations are failing to get value from CTI because they are only focussing their efforts on indicators of compromise (IoCs). IoCs are the evidence that a cyber-attack has taken place. The idea is, if someone got in that way before, they can do so again. Monitoring IoCs ensures that particular ‘door’ remains closed.
This is all well and good. But it’s the cyber equivalent of putting a lock on the front door of your home. A locked door is essential to deter an opportunistic burglar. But it won’t stop a sophisticated and determined crime group.
The fact is, no threat actor worth their salt would be caught dead trying the same attack tactic twice. We already know that nation states and criminal groups regularly change and update their tools, techniques and procedures – using new IPs and domains for each attack. They’ve even repurposed old IoCs in an attempt to attribute attacks to another group.
How can organisations fight back?
Start on the inside
Developing effective cyber security depends on obtaining reliable threat intelligence so you understand the security risk before it hits you. You need to determine:
Intent – How likely are you to be targeted by a threat group? Identify your most valuable digital assets. How attractive are they to a crime syndicate?
Identity – Which threat actors will target your organisation? Threat groups specialise by industry and geography. Knowing your enemy is essential to form an effective defence.
Modus operandi – How sophisticated are they? What techniques do they use? Do you need the cyber equivalent of window locks or a full blown security set-up with motion sensors and CCTV?
Make the most of threat intelligence
The over-arching benefit of threat intelligence is that it enables risk-based decision making. To develop an intelligence-led cyber security practice, you need to:
Hire solid threat intelligence talent. Don’t make the mistake of hiring a security technician. That’s like going to your local police station instead of contacting ASIO. You need senior analysts who understand cyber threat intelligence techniques and already have access to deep dark web forums and communication channels. A great way to acquire these skills and leapfrog your threat intelligence capability is to hire ex-defence and government personnel looking to transition into the private sector.
Source quality intelligence from multiple places. No one has all the information. But, just as your adversaries are collaborating, so are the good guys. Information Sharing and Analysis Centres (ISACs) already offer industry-based CTI sharing. Technology vendors, CTI vendors and open-source intelligence (OSINT) are all happy to collaborate to increase industry-wide awareness of changes in the threat landscape. It’s also worth building relationships with your regional peers, as well as with government and law enforcement agencies, and international bodies. Make sure you understand your sources so you’re ingesting robust intelligence.
Package up intelligence insights for different audiences
If threat intelligence is to help people make more informed risk-based decisions, security teams need to provide:
High-level abstracts on critical events and potential threats for senior executives. This is essential for the board and C-suite to truly understand cyber risk and get buy-in for security operations.
Briefings on the latest web application attack techniques for digital developers.
Details of the latest ‘in-the-wild’ threats (those attacking real world companies right now) for infrastructure operations teams.
It’s impossible to prevent every single possible criminal behaviour, but if you know your enemy – if you can see who’s coming and how they operate – you’ll have a fighting chance of stopping them.
Help your organisation stay ahead of the curve. Read Accenture’s 2019 Cyber Threatscape Report.
1Source: Cost of Cybercrime 2019 – Australian data
Copyright © 2019 Accenture. All rights reserved