Enterprises must take the word ‘prevent’ out of the cybersecurity dictionary, says a short book published earlier this month by international ICT association ISACA and consultants Ernst & Young.
With the skills of potential internet intruders steadily increasing and the enterprise’s “perimeter” expanding through the use of BYO devices and the cloud, intrusion has become a matter of when rather than if, says the book, Responding to Targeted Cyberattacks.
The book discusses the emergence and structure of the “advanced persistent threat”. This term was originally used by the US Air Force to describe a specific class of threat from “known state-sponsored groups in the Asia-Pacific region that conducted attacks against specific targets at the direction of their government.” One of the first such attacks was launched against Google in January 2010.
“APT” has since been expanded to designate “a new breed of attacker: one who specifically targets a person or enterprise for attack to achieve a specific purpose.” The book outlines the development lifecycle of an APT, from initial research on the target, through successful penetration and the escalation of the intruder’s illegitimately acquired “authority” across a wider part of the enterprise, to finally exporting stolen data undetected.
It then discusses principles for assuming a state of continuous readiness, starting with setting up relationships in advance with people who can help when the attack comes, such as malware specialists, denial-of-service response services, forensic teams and clean-up experts.
Internal relationships and authorities – for example, who is allowed to close down any part of the ICT infrastructure – must also be clear in advance.
Teams should be formed that are capable of springing into action immediately to deal with the threat. All devices that touch the network should be identified, as any one of them could be a vector for attack.
Regular dummy-attack exercises are recommended to keep skills and knowledge honed.
The book then outlines standard procedures for identifying, characterising and responding to an attack. Keeping appropriate logs of activity continuously is invaluable for forensic analysis of an attack, it says. “Critical log data must be readily available and searchable.”
The intelligence that a potential attacker is gaining can be countered by the organisation gathering its own intelligence on likely attacks and their sources. Cultivation of “robust threat intelligence” should allow an attack to be detected at an earlier stage.
The security team should conduct a complete vulnerability scan of the enterprise regularly, the report says. “A quarterly scan for small- or medium-sized enterprises may be adequate, while larger enterprises may decide on a monthly schedule... Once the scans have been completed, vulnerabilities should be systematically addressed,” many by updates provided by the vendor.
ISACA members can download the book free from the organisation’s website at www.isaca.org.