News of targeted cyber-attacks affecting large multinational corporations is becoming more and more commonplace. The fact that the hacks have taken place cannot be a surprise as cybercriminals increasingly look to exploit any IT security weaknesses on the corporate network in pursuit of monetary gains. However, these attacks do highlight three worrying challenges that even technology giants can find difficult to overcome – the time it takes to:
1. Detect – breaches, if discovered, are often discovered long after they have taken place
2. Investigate – investigations are painstaking, the slower the detection the more difficult the forensics
3. Disclose – the rate of disclosure is increasing as regulators tighten up the rules mandating disclosure.
Detecting a breach is by its nature a reactive process and typically involves users reporting a “funny thing keeps happening with my laptop”, administrators see “unusual server activity” in the logs or multiple pieces of security software issuing seemingly unconnected alerts. Unfortunately ‘Targeted Attacks’ are typically designed to be ‘slow and low’ and involve an element of luck to spot.
The majority of targeted attacks over the last year started with spear phishing, making email the number one threat vector. A recent survey revealed that 51 percent of people believed that their organisation was targeted by a phishing email designed specifically to compromise their own users, and crucially 17 percent believed that an attack had compromised user login credentials or access to corporate IT systems.
Once an IT security breach is detected, forensic investigations take time as they have to be conducted carefully, often by external third parties, to ensure the integrity of any evidence collected. For example, discovering the extent of the Sony Network attack in 2011, perpetrated by members of hacking collective LulzSec, took time, with Sony commenting at the time:
“There’s a difference in timing between when we identified there was an intrusion and when we learned of consumers’ data being compromised”.
Even now Microsoft continues to investigate how malicious software made it onto their computers.
Companies have long had a legal duty of care to prevent breaches but also to disclose them to affected customers, partners and increasingly, regulators such as the Information Commissioner’s Office (ICO) in the UK within a reasonable time. However, issues with companies being slow to disclose, if at all, continue.
At the end of 2012, Coca Cola admitted to being the victim of a spear-phishing attack in 2009 that went undetected for a month. In Europe at least the proposed new EU General Data Protection Regulation will make these responsibilities and reasonable timeframes more explicit.
Article 31 proposes that organisations be required to disclose any breach to the supervisory authority (e.g. the ICO in the UK) within 24 hours while Article 32 proposes disclosing to affected users “without undue delay”. In tandem Article 79.4 introduces fines up to €1m for public sector and up to 2% of world-wide annual revenue for private sector organisations.
The invisibility of targeted attacks and the widely recognised need to detect, contain, investigate and disclose as quickly as possible raises a key issue for businesses. Companies must now consider: how can they deploy a ‘rear view mirror’ that, when a new attack becomes known, allows them to immediately see if that attack hit their organisation in the previous weeks or months, who it hit, and whether there is a latent vulnerability. As the proposed changes to EU legislation come into law, having an answer to this will become even more important for businesses.