Public, private organisations fail the cyber defence test

Governments up the stakes as they turn into cyber adversaries

Tags: Cyber crime, FireEye, United Arab Emirates

Cole: "It’s becoming clear governments cannot protect their own tools if they are utilising them against other nation states."

By David Ndichu. Published September 14, 2017

In the shadowy world of cybercrime, the line between nation-states and cybercriminals continues to blur, further complicating the war against cybercriminals.

As nations increasingly get into the hacking business, they invariably end up cooperating with cybercriminals. This unholy alliance can take the form of organised cybercrime lining the pockets of government officials so that authorities turn a blind eye, or of state attackers who moonlight as cybercriminals, observed Tony Cole, VP and global government CTO at FireEye.

By contracting hacking to organised groups, governments can avoid attribution, said Cole, speaking on the sidelines of the 2017 FireEye Cyber Defence Live event in Dubai.

Over 60 countries are armed for cyber conflict, albeit with wildly varying degrees of sophistication. As this number grows, many more advanced government tools will leak into the criminal underground and then be used against organisations, warns Cole. “It’s becoming clear governments cannot protect their own tools if they are utilising them against other nation states.”

Nation-states attacking other states in cyber space will also typically plant false flags by staging similar attacks somewhere else to further divert attention from themselves, Cole said.

On the other hand, some governments are becoming more proactive in defending national digital assets against hackers, whether state-backed or criminal. GDPR, which comes into effect across the EU next year, will hold private businesses to a far higher standard in protecting public data.

Information sharing will be an immediate and visible consequence of GDPR as organisations are forced to quickly and publicly identify breaches. Information sharing in relation to such regulations is going to help the security industry tremendously, said Cole. “We need more government to government communication (internally), and government to government with partner nations and those that are somewhat adversarial. Also required is more government to businesses and business to government communication.”

“Although governments are trying to help businesses within their own borders, most of the successful attacks cross geographical infrastructure to get to those businesses. So that information sharing must be put out publicly quickly, and it must be automated,” Cole said.

Automation is critical, Cole said, as the industry cannot afford weeks to vet some information identified as a threat. “That information needs to be provided very quickly because hackers may have moved to some other domain and other tool sets.”

There’s an appearance of success in organisations’ ability to deal with cybercrime.

The 2017 Mandiant M-Trends report showed that dwell time (the number of days a threat actor remains undetected within a given environment until remediation) had decreased from 416 days in 2011 to 99 days in 2017. This may look like an improvement, but it is still far too long, said Cole.

This becomes apparent when an organisation hires a red team such as FireEye’s to break into its systems. Cole said such an intrusion would need as few as three days to gather domain credentials, whereas in a real attack months would pass before the intruders were discovered.

Threat intelligence has now become invaluable in cybersecurity.

“We wandered in the dark for a long time trying to detect attacks as they took place,” said Cole.

If an attack takes place in the physical world, law enforcement and intelligence agency resources are immediately put to use to understand the adversaries and the clues they left behind, said Cole. “And yet in the cyber realm, an appliance that picks up alerts from the firewall or the IPS is cleaned up, put back to use and the IT security team moves on.”

Ideally, security teams should analyse the compromised box and try to understand the indicators of compromise, the attackers’ tool sets and why they were targeted in the first place. “Armed with that knowledge, IT security officers can investigate whether user credentials were stolen and used to compromise other boxes,” Cole explained.

This message is now taking hold among both businesses and governments, which want to understand who the adversaries are and why they are coming after them, Cole observed. “That is why we categorise groups such as APTs, nation states, financially motivated attackers, hacktivists et al.”
