Adapting to the ever-changing threat landscape
Every security professional remembers the day they realized their job is not simply applying patches or plugging in a new security technology, but instead is a daily battle of wits with resilient, creative and adaptable adversaries. My moment happened before joining Trustwave, when I was still working with the FBI.
Part of my role at the FBI was to travel around and teach cyber investigation techniques to our law enforcement partners. I was traveling to a poverty-stricken area in Kiev, Ukraine, where I worked with a group of intelligent and dedicated personnel. Somehow, limitations such as working on Windows 98 laptops with open source tools did not seem to concern them.
One day after training, the team invited me out for drinks and, on our way, they offered to take me to “Cybercrime Alley.” The team proceeded to drive by some of the most lavish high-rise apartments I have ever seen, with Ferraris and Lamborghinis frequenting the street. This juxtaposition of worlds was astonishing, and my hosts explained that this was where the local cybercriminals live.
The 2015 Trustwave Global Security Report cited a 1,425 percent ROI for cybercriminals who use ransomware. Interestingly, many of the top Soviet-era universities were still churning out intelligent technical experts, who faced a clear choice between poverty and luxury, making the draw of cybercrime an understandable, albeit odious, temptation.
This made me realize that the cybercrime problem is never going away. It will be constantly driven by sophisticated cybercriminals who know how to adapt their attack paradigms to meet their goals.
The Carbanak Group, famous for hacking banking institutions worldwide, stole an estimated $1 billion throughout 2013 and 2014. This highly profitable string of attacks began to taper off when security researchers discovered and spread word of their modus operandi. Carbanak quickly pivoted to credit card breaches using standard phishing techniques and RAM-scraping malware, easily monetizing credit card data on hundreds of online carder forums.
When the standard phishing techniques became ineffective, Carbanak switched to leveraging vendors as third-party entry points into their victims’ networks. Recent high-profile attacks prove this to be an effective method, as third-party vendors are rarely required to maintain the same internal security standards as their customers. Carbanak’s most recent pivot occurred in 2016, when they infected the support portal of the largest vendor of POS systems globally, an intrusion estimated to have put over 1 million POS servers at risk.
What does the Carbanak Group example mean? Carbanak is a microcosm of a much larger threat landscape. There are hundreds of criminal collectives (both state-sponsored and strictly criminal) working against us, and we must be able to prepare for threats that can change on a daily basis and not settle for a “one size fits all” approach.
My goal is to encourage you and your team to be as agile as your adversaries: move quickly to deploy advanced threat intelligence across your networks, actively conduct penetration testing to identify and remediate vulnerabilities, and have an incident response plan and team in place to tackle the attacks when they do come.
Spending time listening to experts, talking with leading managed security services providers (MSSPs), and identifying new startups that could change the landscape is invaluable for your own security strategy.
While organizations are increasingly turning to MSSPs to solve their security woes, I encourage you to create a hybrid model optimizing internal security operations with managed services. Focus on forming partnerships that combine external expertise and technology with internal industry knowledge. The day we rest on our laurels, overconfident in our security approach, is the day the attackers bypass our defenses.