Talking with Azeem Aleem about the evolution of cyber threats

Pierluigi Paganini May 13, 2016

Azeem Aleem, Director for the Advanced Cyber Defense Services Practice – EMEA at RSA, shares his vision of how cyber threats will evolve in the near future.

The last 14 months have highlighted that attack domains are expanding. We have seen the trend run from the OPM data breach to the leaks of sensitive PII in the Anthem and VTech breaches. From extortion malware impacting organizations to the advanced, coordinated attack on the Ukrainian power grid, these incidents highlight the complexity of the anatomy of today's attacks.

To better understand the topic we have been talking with Azeem Aleem, Director for the Advanced Cyber Defense Services Practice – EMEA at RSA. Azeem is responsible for overall professional services engagement for Global Incident Response/Discovery (IR/D), breach readiness, remediation, SOC/CIRC redesign and proactive computer network defense. Prior to RSA, Azeem was the Director of the Centre for E-crime and, earlier, led cyber security consultancy services on advanced cyber threats for law enforcement agencies, the Big 4, the public sector and private financial services.


  1. Which are the main targets of cyber attacks today: people, industries or companies? And which differences or similarities in the attack methods can we underline?

Aristotle (384-322 BC) said, “It must be expected that something unexpected must occur”. The current time is the unexpected, as we are passing through an era of phenomenal technological revolution. From the realm of international space exploration (Scott Kelly and Mikhail Kornienko returned on 2 March after spending 340 days in space) to the immense growth of smart tablets (Apple’s iPad 2 rivals the Cray 2 supercomputer, the world’s fastest computer in 1985), everything highlights how technology is molding our civilisation to new heights.

Unfortunately, crime follows opportunity and with this technological advancement we are seeing a rise in advanced cyber attacks. These days the attacks we are seeing are more focused towards zero-day attacks, bringing in sophistication and complexity. Rogue nation-state actors are on the rise and have developed a more diverse and stealthy network of operations. They are devising intelligent ways of using the leaked data for commercial and national security implications. The hunt for these attacks is not an easy phenomenon. Cyber criminals are not bound by any rules; their attacks are shielded/hidden across the organization network. The traditional perimeter is melting and the attack surface is increasing, which requires a holistic view of how we protect the ecosystems. The “not in my back yard” siloed approach does not work anymore. No doubt there is a long journey for the security industry to cover; however, the security industry is moving in leaps and bounds towards maturity. Simultaneously, customer familiarity with security has increased and they now expect security from vendors as an essential discriminator.

  2. Which are, in your opinion, the major risks that cybercrime poses to a company today?

The threat landscape is shifting fast – every day there is a new threat domain that hackers have utilized to impact organisations. We can divide the threat landscape around four main areas:

  1. OS attacks: OS attacks are on the rise and are becoming more persistent. For example, attacks on the Windows OS PowerShell are continuing, as it provides cyber criminals with organized, sophisticated exploitation capabilities. On the other side, leveraging Mac OS X by bypassing Gatekeeper using an SSH reverse tunnel is on the rise.
  2. Mobile devices: vulnerabilities in Android and now iOS are on the rise. Attacks like Stagefright and XcodeGhost, which allowed malware code execution via text messaging, video viewing in emails or browsing, highlight that attackers are exhibiting innovative methods of undermining the mobile OS. Non-trusted apps are on the rise and are creating a grave concern among organizations.
  3. Industrial Control Systems: from the days of Slammer, Stuxnet, Shamoon etc. to the recent Ukrainian (BlackEnergy) power grid attacks, the record narrates the advancement in these attacks. The shift from legacy systems towards process control networks with connectivity across the enterprise and the Internet is creating extensive backdoor exploits around industrial control systems. We are seeing that organizations are not even aware of these devices’ connectivity patterns inside and outside their ICS environment. Attacks via cloud service providers on ICS are on the rise and there is a dire need for intelligence correlation/reporting mechanisms around SCADA attacks through behavioral analytics.
  4. IoT: the computer vacuum is difficult to get secured. IoT has created a technological disruption where it is difficult to contain the genie in the bottle. The revolution of IoT is already underway; businesses are under pressure to accommodate the flux of IoT devices. The potential vulnerabilities from IoT across the organization network to home appliances, even stretching to medical devices, can be used as additional exploit vectors against organizations. Already we are seeing evidence of IoT connections on corporate enterprise networks making third-party breaches frequent and simple. From the early days of the TRENDnet camera hack, the recent growth in IoT has brought extreme anxiety across the security sector. Gartner predicts that by 2020 there will be 26 billion units installed, channeling a huge volume of data traffic. This will create 50 trillion GB of data hovering across these technologies.
  5. Ransomware: these are not new attacks – they have been around for some time. Traditionally these attacks have been targeted against SMEs (small to medium-sized organizations), where the adversary acted on a hit-and-run strategy, i.e. encrypt the business data and demand a small amount as ransom. Recent attack trends have shown ransomware attacks becoming more aggressive and diversified, using a multitude of attack vectors.

  3. What can we do to protect sensitive infrastructures against possible attacks? What has the Ukraine case shown, and what have we learned, if anything?

Two areas where we are going wrong are: preventive mindset and analysis paralysis syndrome. In the first case we need to understand the attack telemetry; while there is an agreement on the complexity of advanced attacks, what we see is that organizations are still trying to protect themselves using traditional controls around a signature-based framework. Organizations are lacking the right visibility and still relying on traditional tools like SIEM for advanced monitoring – which is only able to detect 1% of the advanced attacks. We are witnessing that the traditional prevention approach has become a failed strategy. You will get breached, and it is the move towards proactive defense that will enable organizations to preempt where the next attack will be coming from. Comprehensive visibility through full packet capture, to gather what is happening in your network, is the way forward. In the second aspect, what we see is that those organizations that understand the rationale of collecting data from endpoints, network flows/packets, cloud-based apps and the network perimeter are facing a flux of data. To detect the pattern they have the task of finding a needle in the haystack; they lack the capability to integrate into a single normalized platform to detect the behavioral classification of these cyber criminals.

  4. What kind of suggestions, projects or good practices could you share or speak about to help people and companies implement awareness of cybersecurity topics?

Security programmes that solely focus on compliance won’t work. There is no such thing as an isolated incident and there is a need to manage the whole incident space by developing the threat intelligence capability – pervasive visibility is essential, but they need to develop the capability to tackle TTPs (Tactics, Techniques & Procedures). The element of time has changed: it is now a matter of minutes and seconds in how we respond to an attack. Nurturing threat intelligence capability will enable them to act as hunters, and help them classify the behaviour and patterns of cyber criminals. The value of threat intel is in how we use it and put it into action – operationalize the platform; automating the raw data into tangible intel is the key. Developing the niche capability will help unveil the opponents and force the adversaries to change/edit their strategies, which in turn enhances the ability to respond. Organizations require a mindset change to develop a hunting methodology and enable their staff. Breeding the right culture is very important. To nurture the hunting capabilities you need to accept mistakes. Our industry is building itself on illusions (one fix works for all) – organizations need to develop filters to chalk out the white noise and follow patterns of attacks that are specific to the organization.

Changing any culture is not easy. Within the security department, training, education and new norms for doing security hunting need to be established. This may also require bringing in new staff members fresh to the new ways of doing things. It is also necessary to evangelize the new approach to more senior staff in the organisation, to ensure that they understand and support the new approaches, as well as to those personnel and departments that interact with security. Central to this is promoting the metrics (whether security is working or not) so that the success (or the failure) can be clearly seen by all. Azeem Aleem has been a staunch supporter of convergence and has been actively writing to highlight the need for a converged methodology to tackle these advanced attacks.
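The two complaints in the answers above, the “analysis paralysis” of telemetry that never lands in a single normalized platform, and threat intel that is collected but not operationalized into filters that cut the white noise, can be made concrete with a small pipeline. The Python below is an added example, not RSA’s tooling or anything described by the interviewee: it maps three constructed feeds (endpoint JSON lines, a NetFlow-style CSV, and a cloud app’s key=value log) onto one event schema, matches the merged stream against a constructed indicator list, suppresses a constructed allow-list of known-good destinations, and collapses corroborating hits into a single alert. Every hostname, IP address, indicator and field name is made up for the illustration.

```python
"""Added example (not RSA's code): normalise telemetry from several feeds into
one schema, then run threat-intel matching over the merged stream while
suppressing known-good destinations. All inputs below are constructed."""
from __future__ import annotations

import csv
import io
import json
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """Common schema every feed is mapped onto."""
    ts: str       # ISO-8601 timestamp, kept as a string for simple ordering
    source: str   # which feed produced it: endpoint, netflow or cloud
    host: str     # internal asset name
    dst: str      # remote IP the asset talked to
    detail: str   # free-text context preserved for the analyst


# --- constructed sample inputs (not real logs) ---------------------------
ENDPOINT_JSONL = "\n".join([
    json.dumps({"time": "2016-05-10T09:12:03Z", "hostname": "ws-017",
                "process": "powershell.exe", "remote": "203.0.113.45:443"}),
    json.dumps({"time": "2016-05-10T09:14:10Z", "hostname": "ws-022",
                "process": "outlook.exe", "remote": "198.51.100.7:443"}),
])
NETFLOW_CSV = (
    "ts,src_host,dst_ip,dst_port,bytes\n"
    "2016-05-10T09:12:05Z,ws-017,203.0.113.45,443,18240\n"
    "2016-05-10T09:13:00Z,ws-022,198.51.100.7,443,512\n"
)
CLOUD_APP_LOG = (
    "2016-05-10T09:20:00Z app=fileshare user=jdoe host=ws-017 "
    "action=download dst=203.0.113.45\n"
)

# Constructed threat intel (indicator -> description) and a constructed
# allow-list of destinations the organisation already knows to be benign.
INTEL = {"203.0.113.45": "constructed C2 indicator"}
ALLOWLIST = {"198.51.100.7"}  # e.g. the organisation's own mail relay


def parse_endpoint(text: str) -> list[Event]:
    """Endpoint agent feed: one JSON object per line."""
    events = []
    for line in filter(None, text.splitlines()):
        rec = json.loads(line)
        ip = rec["remote"].rsplit(":", 1)[0]  # strip the port
        events.append(Event(rec["time"], "endpoint", rec["hostname"], ip, rec["process"]))
    return events


def parse_netflow(text: str) -> list[Event]:
    """Flow collector export: CSV with a header row."""
    return [Event(row["ts"], "netflow", row["src_host"], row["dst_ip"],
                  f"{row['bytes']}B to port {row['dst_port']}")
            for row in csv.DictReader(io.StringIO(text))]


def parse_cloud(text: str) -> list[Event]:
    """Cloud application audit log: timestamp followed by key=value pairs."""
    events = []
    for line in filter(None, text.splitlines()):
        ts, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        events.append(Event(ts, "cloud", fields["host"], fields["dst"],
                            f"{fields['user']} {fields['action']} via {fields['app']}"))
    return events


def normalise(endpoint=ENDPOINT_JSONL, netflow=NETFLOW_CSV, cloud=CLOUD_APP_LOG) -> list[Event]:
    """Merge every feed into one time-ordered stream of Event records."""
    events = parse_endpoint(endpoint) + parse_netflow(netflow) + parse_cloud(cloud)
    return sorted(events, key=lambda e: e.ts)


def hunt(events: list[Event], intel=INTEL, allowlist=ALLOWLIST) -> list[dict]:
    """Match events against intel, drop allow-listed noise, and collapse hits
    on the same (host, dst) pair into one alert listing the corroborating feeds."""
    grouped: dict[tuple[str, str], list[Event]] = defaultdict(list)
    for ev in events:
        if ev.dst in allowlist or ev.dst not in intel:
            continue
        grouped[(ev.host, ev.dst)].append(ev)
    return [{
        "host": host,
        "indicator": dst,
        "why": intel[dst],
        "sources": sorted({h.source for h in hits}),
        "first_seen": hits[0].ts,   # hits keep the sorted order from normalise()
        "last_seen": hits[-1].ts,
        "evidence": [f"{h.ts} [{h.source}] {h.detail}" for h in hits],
    } for (host, dst), hits in grouped.items()]


if __name__ == "__main__":
    for alert in hunt(normalise()):
        print(json.dumps(alert, indent=2))
```

Running it prints one alert for ws-017 that cites all three feeds; the traffic from ws-022 to the allow-listed relay produces nothing, which is the white-noise filtering the interviewee asks for. In a real deployment the parsers are the part that changes per source; the hunt step stays the same once every feed speaks the common schema.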

  5. What is your opinion about the future scenario in the cybersecurity field related to trending topics?

Development of an educational route is very important to develop talent and career progression. The recent move by GCHQ to recognize Master’s degrees at 10 selected UK universities will enable students to take up security as a career. We need a stronger partnership among academia, the public and the private sector – university students’ final-year MSc projects and PhD theses could be an excellent route to work on live industry case examples. The element of research needs to be enabled by developing this partnership. For example, at RSA we are working with a number of universities such as Brighton, Napier and Macquarie University to develop various areas of research where university researchers can contribute towards our efforts in the fight against advanced adversaries. From a technology viewpoint, organizations are overwhelmed with legacy technologies. This is creating an impact on productivity and creating a dizzying whirlpool of reality (that we are secured). They are getting all the alerts but no real credibility and tangible intel. The traditional perimeter has melted away and this requires a holistic view of how we protect the ecosystem. Closer integration of the supply chain is very important – continuous monitoring needs to be done and the siloed approach needs to be taken out.

About the Author Emma Pietrafesa

Dr Emma Pietrafesa (Ph.D.) is a researcher and communicator, with postgraduate specializations in management and public communication, international relations and diplomatic studies. She has been working in the field of research and communication for over 12 years, focused on: ICT and social media, open source, cyber harassment, cyberbullying, international relations, gender issues, health and safety at work. She is an author for Italian digital magazines and

Twitter: @EPietrafesa


Pierluigi Paganini

(Security Affairs – Azeem Aleem, cybercrime)
