Cybercrime is neither rare nor isolated these days. You no longer need to be a major bank, retailer, credit card company, social media site, or government to become a target. Every company with an online presence, or even a connection to the Internet, has become fair game.

Symantec has reported that, year over year, malicious Internet attacks are steadily increasing. Their most recently released report (2012) showed that in 2011 these attacks had increased by over 81 percent, and unique malicious software (“malware”) variants had increased by 41 percent, compared with 2010. It is no longer a question of whether a company will be hacked, but when. Attacks are also increasingly “targeted.” For example, in January, The New York Times was targeted through a technique called “spear-phishing,” in which innocuous-looking email or social media messages were tailored to individual employees and designed to install code that could access, monitor, or steal information.

Obvious targets, such as financial institutions, credit card companies, and defense contractors, have often already “hardened” their defenses. Thus, cyberattacks have steadily increased against other targets, such as cloud services providers—where reams of data can be accessed through a single attack—less obvious commercial targets holding valuable information, and companies in the supply chain with access to a primary target’s systems through authenticated connections. Becoming an attack vector against a primary target can be extraordinarily costly, with significant reputational implications.

Given the potential loss of the most sensitive assets, information, and trade secrets, and the collateral risks of such an incident, companies must develop an integrated, proactive strategy involving technological features, law enforcement partnerships, and private legal enforcement, to prevent, respond to, and deter the massive and growing problem of cybercrime.

Integrated Defenses, Planning, and Investigative Capabilities

Network security historically consisted of a firewall between the Internet and internal networks. Like a proverbial Great Wall, the “crunchy” exterior protected the “soft” interior from the marauding horde. As the chief security officer of the Times recognized in the attack on the newspaper, attackers “no longer go after [the] firewall,” but instead “go after individuals.” With targeted techniques, companies must assume that computers will become compromised and cannot rely on security software and hardware to stop attackers. For example, in the Times attack, the attackers installed 45 pieces of custom malware, but antivirus software was only able to detect a single instance. Therefore, companies must implement multi-tiered security throughout their networks, not simply border checkpoints, and educate employees to create a security-aware culture. Companies should widely deploy the strongest commercially viable encryption to protect their data.

But security technology and awareness alone are not enough. Companies must build investigative capabilities into their technological presence, rather than trying to “bolt them on” as an afterthought. Proper investigation can provide intelligence about methodology, techniques, and attack patterns, provide guidance as to potential future attacks, or lead to the identities of the attackers. Evidence-gathering protocols established on the front end can pay dividends on the back end. For example, monitoring intrusions may involve “honeypots”—traps that appear to be legitimate network nodes—which isolate attackers and afford time to investigate attacks as they occur.

Built-in data markers, extensive logging, and methods of parsing this mountain of information are also important. Breach response plans should include securing compromised systems without alerting the attacker, cloning compromised machines to preserve forensic evidence, and tracing connections to determine the true origins of attacks. Given the sophistication and motivation of the adversaries, security firms such as CrowdStrike have responded to this need by offering sophisticated proactive monitoring, investigation, and intelligence services, as well as offensive techniques such as surveillance and reconnaissance, counter-espionage, and denial-and-deception.

Whether handled in-house or outsourced, these strategies raise legal implications that potential cybercrime victims need to understand if they are going to seriously consider the more aggressive of these approaches.

Proactive Engagement