Growing business complexity makes the task of cybersecurity staff difficult to begin with. But challenges are often exacerbated by the organisational sophistication of the criminal underworld.
There are now entire shadow companies, complete with payrolls and call centres, that have emerged to take advantage of the political climate, explains Andrew Useckas, CTO and CISO of cybersecurity provider ThreatX.
“These are sometimes billion-dollar operations,” he says, and it is these organisational structures that allow criminals to perform and finance the kinds of large-scale cyberattacks that hit headlines with increasing frequency.
Such organisations structure themselves the way legitimate businesses do, Useckas says. They have people specialised in particular functions and they can finance prolonged, complex operations without members concerning themselves with immediate profit.
“It’s not just five people communicating on the Dark Net and deciding to attack some company,” Useckas says. In such contexts, unless they are already successful and sitting on proceeds from previous campaigns — criminals need returns on their investments as soon as possible.
But when you are in an organisational structure of considerable size, the dynamic is different. “You can afford to pay people for six months, or maybe a year, and you can either use someone else’s code or develop your own,” Useckas says.
Criminal organisations can hire people. They can maintain full-time staff. And evidently, governments, particularly Russian authorities, are not interested in enforcing against this, the CISO explains.
Such organised criminal enterprises have become a feature over the past decade. For Useckas, this is one of the main reasons that attacks are now more problematic. The criminal underworld has developed a form of professionalism that requires a corresponding step change from the security industry.
Attack vectors
Another noteworthy trend is the move towards attacks on web applications and APIs, Useckas believes.
At the high level, there are two main attack vectors, the CISO explains: the first is based around the familiar phishing attack.
Criminals insert malicious links into emails sent to high-permissioned individuals within the organisation. If accessed, these spurious links infect the computer with malware through which attackers then propagate and escalate their access until they achieve their objectives within the network.
The second attack method works by targeting web applications and APIs, the area where ThreatX specialises.
“That is our bread and butter,” Useckas says. The company protects organisations from attacks that target the code developers put into cloud services like AWS, databases, and the passwords that people leave or give out without thinking, he explains.
The company’s solution is designed for modern cloud environments. It combines behaviour profiling and collective threat intelligence with analytics to protect web applications and APIs from advanced threats, such as botnets, account takeovers, and denial of service attacks.
Despite this, some of the organisations responsible for these kinds of attacks, by consequence of their considerable resources, have 500,000 hacked computers or IoT devices. Because of this they can replicate authentic user behaviour, adding to the challenge of recognising activity as nefarious.
Attackers will try a few logins through one device, then change the access point, and try again, Useckas says.
The arms race
“Our goal is to make it just painful enough for the attacker, where it’s too expensive for them to attack particular customer assets. So, they go away and focus on something else,” Useckas explains.
The cloud model, while useful, is responsible for many new challenges, Useckas admits.
Among them are persistent organisational issues that undermine the efforts of security professionals to keep their businesses safe.
“You have to set the policy,” Useckas explains, offering an example — “You want to deploy something in AWS, fine; but you have to use this web application firewall in front of everything you deploy.”
Business models based on rapid R&D processes and constant siloed innovation see different departments of a business creating new vulnerabilities as part of their day-to-day operations.
One tactic for mitigating issues in the cloud model is for enterprises to engage in vendor management policies, the CISO advises. Every time R&D engages a vendor, a review should take place, making sure there are no security risks.
“But it’s still hard to do,” he admits. With platforms like Workable streamline hiring processes, sensitive company information can be quickly ceded to external platforms.
“HR jumps on the application side of things right away because it makes their life easier,” Useckas acknowledges, noting that from a security perspective it can be challenging to secure this kind of data.