Enterprise Cybersecurity Study Guide: How to Build a Successful Cyberdefense Program Against Advanced Threats

Part IPart I: The Cybersecurity Challenge

The Cybersecurity Challenge

• Chapter 1: Defining the Cybersecurity Challenge

• Chapter 2: Meeting the Cybersecurity Challenge

© Scott E. Donaldson, Stanley G. Siegel, Chris K. Williams, Abdul Aslam 2018

Scott E. Donaldson, Stanley G. Siegel, Chris K. Williams and Abdul AslamEnterprise Cybersecurity Study Guidehttps://doi.org/10.1007/978-1-4842-3258-3_1

1. Defining the Cybersecurity Challenge

Scott E. Donaldson¹ , Stanley G. Siegel², Chris K. Williams³ and Abdul Aslam³

(1)

Falls Church, Virginia, USA

(2)

Potomac, Maryland, USA

(3)

San Diego, California, USA

Overview

This study guide describes effective cybersecurity that

works against advanced cyberthreats;

evolves over time to handle increasingly sophisticated adversaries in an increasingly interconnected world;

is involved as a partner, coach, and scorekeeper for IT, rather than just as a naysayer standing in the way of progress; and

works when you are faced with an adversary who is well-funded, intelligent, sophisticated, and persistent.

Cybersecurity challenges and technologies continue to evolve quickly—attackers and defenders are not standing still.

This study guide describes a cohesiveEnterprise Cybersecurity Framework that integrates

architecture consisting of cybersecurity capabilities organized into functional areas that make capabilities easier to track, manage, and delegate;

cybersecurity policy designed to balance security needs against business priorities;

programmatics involving people, budget, and technology that are allocated to day-to-day operations and projects;

an IT life cycle aligned with IT departments responsible for strategy and architecture, engineering, and operations; and

cybersecurity assessments that are conducted periodically to help prevent cybersecurity program obsolescence.

The Enterprise Cybersecurity Framework is pragmatic, realistic, and designed for battling today’s cyberthreats as well as tomorrow’s next-generation cyberthreats.

Topics

The Cyberattacks of Today

Types of Cyberattackers

Types of Cyberattacks

The Steps of a Cyberintrusion

Why Cyberintrusions Succeed

A New Cybersecurity Mindset

An Effective Enterprise Cybersecurity Program

The Cyberattacks of Today

Context

Compared to today, cybersecurity used to be relatively simple.

Major cyberthreats were viruses, worms, and Trojan horses.

Transformation started to take place.

Cyberattackers started getting inside enterprise networks.

Once inside, cyberattackers operated surreptitiously:

They took control of infected machines.

They connected infected machines to remote command-and-control systems.

They escalated their privileges to systems administration. …

We are using outdated conventional defenses to guard against cutting-edge innovative malware. We are no more prepared to do this than a 19th century army trying to defend itself against today’s weaponry.¹

Breaches in the News

In 2011, RSA’s enterprise was breached, and the security keys for many of its customers were believed to have been stolen.

In 2013, Target’s point of sale network was compromised, resulting in the loss of personal information and credit card numbers for over 40 million customers.

In 2014, a German steel mill was affected by a hacking incident that caused one of its blast furnaces to malfunction, resulting in significant physical damage to the plant and its facilities.

In 2015, Anthem reported its IT systems had been breached and personal information on over 80 million current and former health care network members was compromised.

These examples are but a handful of cybersecurity breaches that are indicative of trends.

The Sony Pictures Entertainment Breach of 2014

In November 2014, an attacker took over the employees’ computers.

The nonfunctional computers displayed a message from the Guardian of Peace.

By the end of the day, most computers had been completely disabled, which impacted the company’s business—or lack thereof.

The cyberattacker published proprietary data to include salaries and personal e-mails of Sony’s senior executives.

Key Lessons Learned

Attackers did what cyberattackers have been able to do all along, but have chosen not to—they put the reality of the Sony hack in full view of the press and public.

It is reasonable to assume Sony’s cyberdefenses were consistent with industry norms, but reflected what is and what is not being done at companies around the world.

Effectiveness of the Sony hack was likely amplified by the consolidation of IT systems administration that has occurred over the past 20 years.

A single systems administrator used to manage a handful of servers.

Today, this same administrator may have privileged access to hundreds of systems or even thousands.

Professional attackers, who understand how modern IT works and how it is managed, can effectively turn an enterprise’s IT infrastructure against the enterprise.

IT infrastructures are largely designed for functionality—not security—and often lack compartmentalization to contain an attack.

Attack underscores the fear factor that devastating cyberattacks can have on an industry or nation.

Megatrend—As further described , such attacks are moving down market over time and becoming more common.

Advanced Persistent Threats

Advanced Persistent Threat (APT) is rising as a new type of adversary.

An APT attacker is skilled in the art of cyberattacks and leverages IT technologies effectively to breach enterprises and systematically bypass all their protections, one at a time.

What makes APT different from earlier cyberattack types is the persistence of the attack.

APT cyberattacks are much more focused and effective because they are under the control of an intelligent actor who has an objective to achieve.

If their objective is to break into a company and steal corporate secrets, attackers persist until they succeed.

If their objective is to break into a government and steal national security information, they persist to find a weakness to exploit.

Conventional Cyberattacks

Defenses only need to block the malware and the attacker will move on to other targets.

Simply having defenses is no longer effective when an opportunistic attacker can exploit a single mistake.

An APT attacker constantly adjusts the attack to get past the latest round of defenses.

Given enough time, an APT attacker eventually gets through.

To stop an APT attacker, the defenses have to work perfectly and be maintained perfectly.

An APT attacker will exploit any mistake.

APT requires a new type of defense method—one that adapts to the attack as quickly as the attack adapts to the defense.

Waves of Malware

Over the past 20 years, there have been a number of generations, or waves, of malware technologies.

1.

Static Viruses

a)

Propagated from computer to computer via floppy disks and boot sectors of hard drives

b)

Had little impact on system operations

2.

Network-Based Viruses

a)

Propagated across the open Internet from computer to computer, exploiting weaknesses in operating systems or configurations

b)

Were effective because computers were often directly connected to each other without firewalls or protection

3.

Trojan Horse

a)

Propagated across the Internet via e-mail and from compromised or malicious web sites

b)

Can infect large number of victims, but does so relatively arbitrarily since it is undirected

4.

Command and Control (C2)

a)

Allows attacker to remotely control its operation within the target enterprise

b)

Enables compromised machines to become footholds within the enterprise

c)

Allows footholds to be manipulated by the attacker

5.

Customized

a)

Developed for a particular target

b)

Sent directly to specific targets via phishing e-mails, drive-by web sites, or downloadable applications such as mobile apps

c)

Is not not recognized by signature-based defenses since this malware is customized for each victim

6.

Polymorphic

a)

Designed not only to take administrative control of victim networks, but also to dynamically modify itself so it can continuously evade detection and stay ahead of attempts to remediate it

7.

Intelligent

a)

Analyzes a victim network, moves laterally within it, escalates privileges to take administrative control, and then extracts, modifies, or destroys its target data or information systems

b)

Does all its actions autonomously, without requiring human intervention or external command and control

8.

Fully Automated, Polymorphic

a)

Combines the features of polymorphic and intelligent malware

b)

Takes control autonomously and dynamically evades detection and remediation to stay one step ahead of defenders at all times

9.

Firmware and Supply Chain

a)

Takes fully automated, polymorphic malware to its logical conclusion by delivering malware capabilities through the supply chain, either embedded in product firmware or software products before they are shipped

b)

Is virtually undetectable

c)

Is difficult to differentiate the supply chain malware from the other features coming from the factory

Many people are familiar with malware waves 1, 2, and 3 because they represent the majority of consumer-grade cyberthreats, and many of the attacks are covered by the mainstream press.

Enterprises are experiencing malware waves 4, 5, and 6 on a regular and increasing basis, but few outside of specialized cybersecurity fields understand the malware.

Nation-state attackers use malware waves 7, 8, and 9, which require significant resources and expertise.

Types of Cyberattackers

Context

Who are these mysterious cyberattackers hacking into systems and causing media headlines?

Cyberattackers are people who choose to create, distribute, and use malware or other tools and techniques to do things on computers they shouldn’t be doing.

The graphic shows five groups of cyberattackers grouped by their intent and objectives:

Commodity Threats

Hacktivists

Organized Crime

Espionage

Cyberwar

Note: There can be significant overlap in the tools and technologies used by these groups.

Commodity Threats

Commodity threats include random malware, viruses, Trojans, worms, botnets, and ransomware.

Commodity threats are propagating on the Internet all the time. Commodity threats

are undirected and opportunistic;

may exploit cyberdefense vulnerabilities;

do not adjust or adapt in order to work their way around protections that are in place;

can be destructive, but limited;

can be a starting point for more dangerous, targeted threats; and

be stopped if defenders block the commodity threat’s attack vector, making the defenders safe.

For other cyberattack threat categories, simply blocking the initial attack vector is only a start.

Targeted cyberattackers

These cyberattackers may start their efforts by going to botnet operators and purchasing access to computers and servers that are already compromised inside the target environment.

Purchasing access can make the attackers’ initial entry into the enterprise easier and save them valuable time and money.

Hacktivists

Activist hacking , or hacktivism, consists of targeted attacks that

make public or political statements;

are used against individuals, enterprises, or governments;

seldom set out to hurt anyone or do significant physical damage;

are simply looking to get a message out and draw attention to a cause;

tend to use mostly commodity tools and techniques that are widely available on the Internet; and

take advantage of vulnerabilities that are unpatched or open.

Defenses to protect against these tools and techniques are also usually widely available.