Cybercrime is changing. Your business needs to be resilient
What’s the biggest problem with most existing approaches to internet security? Many would say that it only guards effectively against known, easily-identified threats, and takes too long to respond to new ones. Hackers are nothing if not inventive when it comes to finding and exploiting new ‘zero day’ threats, whether in applications, operating systems or the software infrastructure that underpins websites and services. They’re attacking vulnerable endpoints and using them to move laterally across to other systems. They’re attacking third-party suppliers or exploiting the weaknesses of employees to find a way into the network. They’re finding modes of attack that don’t get caught by traditional anti-malware tools.
That’s why the focus on protection and protection alone is not enough to protect enterprises and their data. Instead, businesses need to adopt a more balanced strategy; one that backs up protection with resilience. This isn’t about lowering your perimeter walls and opening the gates, but accepting that, eventually, some attempts will make it over or through, and having systems in place to deal quickly with any threats and minimise their impact.
Leading security researchers have understood this for some time. As Simon Shiu and Boris Balacheff of HP’s Security Labs wrote at the end of 2016: “The security profession is finally accepting this axiom: given enough resources, an attacker will eventually be successful. This means designing not only security protections, but also mechanisms that detect when protections fail and help recover devices or infrastructure to a good state, at both machine speed and at scale.”
Coping with a new threat landscape
Why is the conventional approach, based on strong perimeter security and anti-malware detection, blocking and remediation, no longer effective? Firstly, it’s a question of how the nature of cybercrime has changed. While there are still hackers operating alone for personal profit, the real danger comes from organised collectives, some state-sponsored, some affiliated with other forms of organised crime. These form part of a criminal software ecosystem where well-funded teams develop both zero-day exploits and simple, effective toolkits to make use of them. What’s worse, exploits and toolkits developed for cyberwarfare and espionage have a nasty habit of making it into the criminal underground – only last year it was widely reported that the CIA had lost control over an arsenal of hacking tools which are now being used for cybercrime.
Secondly, hackers are no longer relying on straightforward malware attacks or assaults on servers and network infrastructure. According to figures from McAfee Labs, the use of so-called ‘fileless malware’ based on PowerShell scripts rose by 432% during 2017. Kaspersky’s annual Threat Predictions bulletin for 2018 highlighted the rise in supply chain attacks, where hackers infect updates for common utilities or third-party software libraries at source, so that companies that use them on their business systems install them unsuspectingly. Last year’s infected CCleaner update is a prime example. Perhaps the biggest danger with such attacks is that they’re not always designed to have an impact there and then, instead sitting quietly and acting later as part of an advanced persistent threat (APT).
Phishing attacks continue to be successful. Verizon’s 2018 Data Breach Investigations Report noted that while 78% of employees in the companies it surveyed weren’t taken in by a single phishing email all year long, some 4% of employees will still click on a link or button in any given phishing campaign, and the more phishing emails someone has clicked on, the more likely they are to click again. The report found that the interval between a phishing email arriving and the first click was, on average, 16 minutes. The first report from a savvy user didn’t arrive until 12 minutes later.
Meanwhile, hackers are attacking routers, webcams, security video systems, smartphones and printers in order to gain a foothold on the network, or to form botnets that can launch Distributed Denial of Service (DDoS) attacks that act as a smokescreen for a more targeted assault. Commercial-grade UEFI malware, which infects a device’s firmware, has been known to exist since at least 2015, and it’s only a matter of time before it’s used in a focused attack.
And the really worrying thing is that existing perimeter protection strategies can’t always ward off such attacks, and that many signature-based anti-malware tools can’t either. After all, you can’t match a signature against fileless malware or detect a threat that no-one’s seen before. A recent Endpoint Protection and Response survey by the SANS Institute found that while antivirus tools were the most commonly used to detect an initial attack, only 47% of attacks were actually detected in this way. Plus, while companies were investing in tools that detect attacks through behaviour modelling or predictive analytics, many weren’t implementing them or using them effectively day-to-day.
The resilience requirement
Nobody would suggest that this means protective measures don’t work at all, or that it is time to discard them altogether. Instead, the solution is to continue with these measures to guard against attacks, but to back them up with additional measures that enable your enterprise to detect a successful attack, minimise its spread and impact, and take remedial action quickly.
You can see this in HP’s more holistic approach to security, and in the mechanisms and tools at work in HP desktops, laptops, printers and multi-function devices (MFDs). On the one hand, HP offers protective tools that guard against intrusion. HP Sure Click is a secure browsing technology that puts each browser tab in its own hardware-isolated browsing session, preventing a foolish click on an infected website installing code that might infect other tabs or the system. HP has secure, multi-factor authentication technologies built in to prevent stolen credentials giving hackers a foothold inside the network, plus tools to prevent intrusions through storage plugged into a USB port. HP also has management tools for both PCs and printers that make it easier for companies to manage updates and enforce strong security policies across the fleet.
Yet HP has also invested heavily in technology that makes devices more resilient. Now in its fourth generation, HP Sure Start combines runtime intrusion detection capabilities with a hardware security controller to detect unauthorised changes to the firmware, prevent a PC booting with infected firmware and roll back to the last known good firmware should this happen. BIOS setting protection features look for any attempts to modify firmware settings, then log these events and notify admins and users. All security settings used within the firmware are backed up and run against an integrity check on every boot. Meanwhile, HP’s whitelisting checks any new firmware against a secure whitelist and allows only authorised firmware to be installed.
This stops such an attack having any real impact and prevents any firmware infection spreading laterally to other systems. Nor is Sure Start technology restricted to PCs and laptops; it also works across HP’s business LaserJet and PageWide printers and MFDs, preventing them from being infected and used to launch a wider attack.
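The boot-time check, rollback and settings-integrity behaviour described above, modelled as an added Python example (not HP’s code; the firmware images, settings and controller key are constructed stand-ins, and a real controller would hold the golden copy and key in protected hardware):

```python
import hashlib
import hmac
import json

# Constructed sample images: stand-ins for a real BIOS and a tampered copy.
KNOWN_GOOD_FIRMWARE = b"BIOS v1.04 (constructed sample image)"
TAMPERED_FIRMWARE = b"BIOS v1.04 (constructed sample image) + implant"
# Assumed: a key held inside the hardware security controller, not the host OS.
SETTINGS_KEY = b"constructed-controller-key"


def digest(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


class FirmwareGuard:
    """Minimal model of a boot-time firmware allowlist check with rollback."""

    def __init__(self, golden_image: bytes, settings: dict):
        self.allowlist = {digest(golden_image)}   # authorised firmware digests
        self.golden_image = golden_image          # protected "last known good" copy
        self.settings = dict(settings)            # backed-up security settings
        self.settings_mac = self._mac(self.settings)
        self.events = []                          # what admins / a SIEM would receive

    def _mac(self, settings: dict) -> str:
        payload = json.dumps(settings, sort_keys=True).encode()
        return hmac.new(SETTINGS_KEY, payload, hashlib.sha256).hexdigest()

    def authorise_update(self, image: bytes) -> bool:
        """Whitelist check: refuse any image whose digest is not authorised."""
        ok = digest(image) in self.allowlist
        self.events.append(("update", "allowed" if ok else "rejected"))
        return ok

    def boot(self, current_image: bytes, current_settings: dict) -> tuple:
        """Return (image_to_boot, settings_to_use); roll back on any mismatch."""
        image = current_image
        if digest(image) not in self.allowlist:
            self.events.append(("firmware", "unauthorised change; rolled back"))
            image = self.golden_image
        settings = current_settings
        if not hmac.compare_digest(self._mac(settings), self.settings_mac):
            self.events.append(("settings", "modified; restored from backup"))
            settings = dict(self.settings)
        return image, settings
```

Every rollback leaves an entry in `events`, which is the hook a monitoring or SIEM pipeline would consume.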
These are features that make devices more resilient, and when combined with drive encryption, robust disaster recovery and an effective Security Information and Event Management (SIEM) solution, they can go a long way towards doing the same for the organisation as a whole. Protection isn’t enough anymore, but put it together with resilience and you have enterprise security ready for the modern world.