By Mark Sayer, APAC Cyber Defence Lead, Accenture; Joseph Failla, Security Lead, Accenture Australia and New Zealand.
Australian organisations are entering a new era in the fight against cyber crime, typified by deep collaboration between threat actors, the formation of cyber crime syndicates, compromised data sharing and pre-distributed malware designed to quickly knock out company-wide IT systems. This year, targeted and devastating attacks have already caused significant disruption for Australian organisations spanning logistics, healthcare and infrastructure.
Cyber criminals are becoming increasingly sophisticated and relentless in their pursuit of security weaknesses and new vulnerabilities. The cost of ransomware attacks alone increased by 40 percent in Australia from 2017-2018, and companies spent around $10 million dealing with cyber threats during that same period, according to Accenture’s 2019 Cost of Cybercrime Report.
Although conventional cyber crime continues to dominate the threat landscape, Australian organisations are now facing more targeted intrusions, with intricate relationships forming between threat actors and the underground economy allowing cyber criminals to sell access to an organisation’s data from dark web marketplaces. These augment traditional attacks and make it challenging for organisations to know their enemies. In fact, some businesses may have already been exposed to malicious software, sitting dormant until activated for the right price.
The disruption these intrusive attacks cause for Australian businesses and their employees, partners and customers highlights inadequacies within organisational cyber security. The traditional ‘whack-a-mole’ style approach to cyber threats, where successful and attempted attacks are dealt with one-by-one, is clearly no longer effective against the onslaught of these sophisticated and high-profile attacks.
Changing tack with cyber threat intelligence
Fortunately, Australian organisations are now moving towards a smarter and more integrated approach to cybersecurity. Rather than responding to attacks as they occur, organisations are leveraging valuable intelligence to gain a better understanding of the cyber threat landscape.
When analysed correctly, cyber threat intelligence (CTI) allows companies to identify intelligence gaps and develop proactive strategies for responding to cyber threats. However, many continue to take a siloed approach to this information, using the intelligence as an indicator of compromise to shore up areas of previous vulnerability. Whilst useful for closing gaping holes in an organisation’s front-end, this will do little to deter sophisticated actors determined to find a more insidious pathway inside.
For organisations to succeed with CTI, they must recognise what information they need to successfully fight back, develop models for risk-based decision making and provide actionable insights for departments across the organisation.
Fighting back with a strategic approach to cyber security
As a start, organisations should use intelligence to create a better understanding of their individual threat landscape and determine the likelihood of an attack. This requires an inward look at digital assets and third party vendors to analyse how valuable they may be to cyber criminals.
More broadly, determining what types of actors commonly attack an organisation’s geography can provide important insight into location-based vulnerabilities. For example, ransomware incursions increased by 58 percent in Australia from 2017-2018, highlighting a trend toward lock-out style attacks which can cause serious disruptions even if data is backed up and secured safely offline.
Beyond this, the modus operandi of threat actors operating in an organisation’s industry should be explored. For financial services, an industry traditionally reliant on value chains and vendors, Accenture observed supply chain vulnerabilities advertised on underground marketplaces to be primarily affecting the sector, according to Accenture’s 2019 Cyber Threatscape Report. This represents a unique tactic by cyber criminals targeting financial services, who aim to route around strict security protocols. Just this year, an Australian bank suffered a data breach via a third-party vendor with attackers gaining access to its server during a routine upgrade – a time of known vulnerability for servers.
Recognising how sophisticated attacks may be and what techniques they use will allow organisations to develop models better suited to realistic potential threats. Why set up the cyber equivalent of a full-blown motion sensor and CCTV system when the attacker is simply looking for an open window?
Making the most out of CTI
In addition to useful threat intelligence, optimising an organisation’s threat knowledge base and developing a core team equipped to handle any cyber crisis will inform a more responsive and measured strategy based on the intelligence.
In order to make the most out of CTI, Australian organisations must hire the most qualified experts, for example, those from ex-defence or government backgrounds. They may have deeper insight into current cyber threat intelligence techniques and can better foresee attacks before they arise.
Further, information should not come from one source. Rather, organisations should leverage industry-based CTI sharing, such as that from Information Sharing and Analysis Centres (ISACs). Collaboration between industry, government and research sectors is key. Often organisations conduct information collection alone, which results in a fragmented industry understanding of the threat landscape. Collaborating with peers, government and law enforcement will broaden industry knowledge and ensure a unified response to potential attacks.
Finally, threat intelligence should be comprehensible by a long list of stakeholders. Painfully detailed diagnostics of an organisation’s cyber flaws won’t help the C-suite create a compelling case for spending money on security operations. Instead, security chiefs must develop high-level abstracts on critical events, potential threats and vulnerabilities designed to be easily understood by senior executives. For other tech-dependent departments, relevant overviews should be developed, for example briefings on the latest web application attack techniques for digital developers or details of the latest real-world threats for operations teams.
Know your enemy
As organisations grow their reliance on new technologies, high-profile cyber attacks are set to become even more devastating, disruptive and costly. For Australian organisations to protect themselves and their customers they must know themselves and their enemies.
This means more than simply collecting intelligence. Organisations must also leverage this information for actionable insights about themselves and the broader threat landscape. It is essential that organisations also work together to create a broader ecosystem of awareness and bolster industry-wide cyber protection.
The prevalence of sophisticated and insidious cyber attacks will only grow in Australia and across the globe. However, with more efficient use of intelligence and more strategic approaches to cyber security, Australian organisations can stay protected and will be better equipped to respond effectively when the enemy strikes.