Targeted attacks will become as prevalent as regular cyber crime threats over the next few years. Cheap and easy-to-use toolkits will continue to proliferate all over the dark web, while firms of all sizes fall victim to this insidious, laser-focused scourge. So if you do nothing else over the next 12 months, let 2015 be the year you finally got to grips with the threat from targeted attacks.
As a CIO you might be asking why you need to get involved in this – after all, that's what your CISO is for, right? Well, let's look at the repercussions. One of the biggest data breaches of the past few years happened when US retailer Target became, ironically enough, the victim of a targeted attack aimed at its POS systems. Cyber thieves got away with the details of around 40 million cards and personal information on 70 million customers. Reissuing a single card costs around $8. Multiply that by 40 million and you begin to understand why targeted attacks need to be treated as a board-level issue.
Focusing boardroom minds
In Europe, as consumers we're not as desensitised to such breaches as our transatlantic cousins appear to be. This is bad news for CIOs. It means that in the event of a breach, we're even more likely to take our custom elsewhere, or read the headlines and make a mental note never to use your services or shop in your stores. These indirect costs can be more damaging to the breached company than the initial fines and clean-up costs. As for those direct costs, the coming EU General Data Protection Regulation, which is mooting penalties of up to €100 million or 5% of global annual turnover, should also focus C-level minds on the security of your systems.
Why are we talking specifically about targeted attacks? Because they're incredibly difficult to spot, bypass most traditional security defences and can happen today to pretty much any organisation. Those cyber criminals who once wrote mainstream malware are now turning their hand to developing targeted attack toolkits. The reason is simple economics. Desktop operating systems are pretty well protected from mainstream viruses these days. Users, meanwhile, are increasingly spending their time on their smartphones and tablets – with the majority of data typically stored in the cloud, not on the device. In short, cyber criminals can make a much better RoI by launching targeted attacks against companies or verticals.
They don't even have to be particularly sophisticated attacks. When they first surfaced, Advanced Persistent Threats (APTs) were mainly the preserve of nation states, and used seriously advanced technology; Stuxnet is the obvious example. Most targeted attacks today don't even need zero-day exploits: they go after known vulnerabilities in software the attackers have worked out you are running and haven't yet patched.
Back to school
I'm not suggesting that CIOs aren't aware of the issue of targeted attacks, more that many still assume that they can get by with existing security systems: firewall, IDS/IPS, anti-malware etc. That stuff is still important for keeping out mainstream malware and attacks – in effect, cutting out the 'noise' your infosec team has to deal with. But it won't stop that targeted attack which ends up with a key customer database or a piece of critical IP falling into the hands of the bad guys.
So what do you need? Well, vulnerability shielding (sometimes called virtual patching) is a good start. It reduces your exposure while you're unable to apply patches quickly enough, and the vulnerabilities those patches are designed to shore up are very often the same flaws exploited in a targeted attack. It's also important to have some kind of breach detection system. You need something that uses sandboxing to detonate suspicious attachments and links, so it can spot and block the spear-phishing emails that typically form the first stage of an attack, and which inspects traffic across all ports and protocols for signs that an attacker is already inside your network, such as callbacks to a command-and-control server or lateral movement between hosts.
If you need any incentive, these are the tools an insurer is likely to ask whether you had in place following a breach.
Another approach I think will gain more traction this year is that of whitelisting for the most critical systems. Work out what should be running on them, record it, and block anything that isn't on that list. Manually approving each new program is time-consuming, but it's worth it for the peace of mind, and it makes it much easier to spot when something's not quite right.
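The whitelisting idea above, as an added example in Python; this is not code from the original article or from Trend Micro. It builds the allowlist from a known-good "golden" install by hashing each approved program with SHA-256, then audits a live host against it and sorts every file into approved, tampered (a known name whose contents have changed) or unknown (never approved). The two directories, the file names and their contents are constructed for the demonstration. In production the list would key on hashes or code signatures rather than file names, and enforcement would be done by the operating system (AppLocker, SELinux, a vendor agent) rather than a script, but the baseline-and-compare logic is the same.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(golden_dir):
    """Record name -> SHA-256 for every file in a known-good ('golden') install.

    This is the 'work out what should be running' step: the list is built once
    from an approved image, not from whatever happens to be on the live host.
    """
    allowlist = {}
    for root, _, files in os.walk(golden_dir):
        for name in files:
            allowlist[name] = sha256_file(os.path.join(root, name))
    return allowlist


def audit(target_dir, allowlist):
    """Compare what is actually present on a host against the allowlist.

    Returns three sorted lists:
      ok       - file is on the list and its hash matches
      tampered - file name is on the list but its contents have changed
      unknown  - file is not on the list at all (block it and investigate)
    """
    findings = {"ok": [], "tampered": [], "unknown": []}
    for root, _, files in os.walk(target_dir):
        for name in files:
            digest = sha256_file(os.path.join(root, name))
            if name not in allowlist:
                findings["unknown"].append(name)
            elif allowlist[name] != digest:
                findings["tampered"].append(name)
            else:
                findings["ok"].append(name)
    for bucket in findings.values():
        bucket.sort()
    return findings


def demo():
    """Constructed scenario (hypothetical file names and contents, not real
    software): a golden image with two approved programs, and a live host where
    one of them has been replaced and an unapproved binary dropped alongside."""
    golden_files = {
        "posapp.exe": b"approved point-of-sale application, build 1.4",
        "backup.exe": b"approved backup agent, build 2.0",
    }
    host_files = {
        "posapp.exe": golden_files["posapp.exe"],               # unchanged
        "backup.exe": b"backup agent with extra code injected",  # modified in place
        "dump.exe": b"memory scraper nobody approved",           # never on the list
    }
    with tempfile.TemporaryDirectory() as golden, tempfile.TemporaryDirectory() as host:
        for name, content in golden_files.items():
            with open(os.path.join(golden, name), "wb") as f:
                f.write(content)
        for name, content in host_files.items():
            with open(os.path.join(host, name), "wb") as f:
                f.write(content)
        allowlist = build_allowlist(golden)
        return audit(host, allowlist)


if __name__ == "__main__":
    for bucket, names in demo().items():
        print(f"{bucket:9s} {', '.join(names) or '-'}")
```

Run as a script it reports posapp.exe as approved, backup.exe as tampered and dump.exe as unknown. The tampered bucket is the one that matters most for the "spot when something's not quite right" point: a file that keeps an approved name but no longer matches its approved hash is exactly what a trojanised binary on a POS terminal looks like.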
CIOs should see the start of 2015 as an opportunity. Get familiar with targeted attacks, how they work and how you can stop them. Then it's a case of persuading the board to release enough funds to enhance your cyber security defences. Ask yourself how much it would cost the firm if a key customer database were breached. Take 5% of that figure and you've got a rough estimate of how much to ask for.
If that doesn't get the attention of the board, nothing will.
Raimund Genes is CTO of Trend Micro