Maintaining Cyber Resilience Through Detection And Cyber Threat Analytics
The concept of cyber resilience merges cybersecurity, business continuity and enterprise-level resilience. The primary goal is to detect threats and respond to them quickly in order to minimize and contain damage, resume operations, and protect the confidentiality, integrity and availability of data against future attacks. An effective, real-time cyber defense mechanism is driven by knowing your adversaries and acting on mitigating factors well before damage is done. A well-established cyber threat analytics platform, built from all the available data, can help produce intelligence about threats and create a central threat repository, which in turn helps protect critical infrastructure and the organizations critical to the running of a nation.
The next cyber-attack isn’t a matter of if, but when, so it is imperative to minimize the time between when systems are breached and when a threat is detected in order to limit the damage. The key to detecting a threat can come from anywhere, so having a complete, real-time picture of what is going on across all systems matters, and that is where a cyber threat analytics platform comes in. The goal of this paper is to create an intelligence-driven security approach by setting up a cyber threat intelligence platform that can quickly search data to spot anomalous behavior, while placing priority on minimizing the time from detection to mitigation.
The focus is on providing not just alerts but actual answers, shifting from a reactive to a proactive mindset. That means not just detecting a threat but preventing, analyzing and responding to it as well. This is driven by the realization that cyber resilient nations are better positioned to introduce innovations and bring more business prospects and investors to market, without having to backtrack or suffer from negative news headlines caused by security mishaps or data privacy violations.
The pace of technology continues to grow, and so do the opportunities and challenges it brings. We are at an intersection as we move from a society already woven together by the internet to the coming age of automation, Big Data and the Internet of Things (IoT). But as a society that runs largely on technology, we are also dependent on it. Just as technology brings ever greater benefits, it also brings ever greater threats. By the very nature of the opportunities it presents, it becomes a focal point for cybercrime, industrial espionage and cyberattacks. Therefore, protecting it is of paramount priority. Cybercrime comes in a variety of forms, ranging from denial of service attacks on websites through to theft, blackmail, extortion, manipulation and destruction. The tools are many and varied, and include malware, ransomware, spyware, social engineering and even alterations to physical devices (for example, ATM skimmers). It is no surprise, then, that the sheer scope of possible attacks is vast, a problem aggravated by what is known as the attack surface. We are now in an age where governments, political groups, criminals and corporations can engage in cyberespionage, cyberwarfare and cyber terrorism. We live in a world where warfare can be conducted entirely virtually, though the consequences will almost always have repercussions in the physical world. To ensure lasting success, nations need to transform while developing new digitally enabled opportunities at the same time. But this will increase the attack surface and make nations more vulnerable to the threat of cyberattacks.
As people and organizations around the world depend more heavily on technology, the ability to shut down or destroy infrastructure, take control of machines and networks, and directly cause loss of life has become a reality. The majority of businesses today are battling the challenge of protecting their enterprises in an increasingly complex and dangerous threat environment. Traditional security measures are not up to the task. A strategy built on resilience increases visibility into cyber-attacks, anticipates them, and mitigates their impact without impeding necessary business functions.
This paper looks at a proactive approach to cyber resilience that uses detection and threat analytics methods to help mitigate most of the concerns facing us now and in the near future, including:
- Attack vectors such as DDoS, malware, spyware, ransomware and autonomous cars.
- Threats including data manipulation, identity theft and cybercrime.
- Adjacent issues such as data sovereignty, digital trails and leveraging technology talent.
The effect of not being cyber resilient
In the past 3-4 years there have been cyberattacks and cybercriminal activities carried out against business and government institutions, some of which have been reported and investigated, whereas most have not been reported or investigated. We are constantly introduced to revelations of new ransomware strains, new botnets executing denial of service attacks, and the rapidly expanding use of social media as a platform for defamation, disinformation and propaganda. The motives behind these attacks are not known, and one could simply explain this as an awareness issue, but there is more to it. These frequent attacks raise the question “are we the target now?” and, if so, what are the motives behind these unprecedented attacks, which have increased over the years and led to huge financial losses for businesses.
Some well-orchestrated and organized cyber-attacks on key infrastructure brought down nations, crippling their ability to respond before the damage was done, and have given the rest of the world an urgent reason to re-examine their cyber strategies. Some of these attacks include:
- In 2008, Russia sent tanks into Georgia; the invasion coincided with a cyberattack on Georgian government computing infrastructure. This is thought to be one of the first coordinated land and cyber attacks.
- In 2008, Stuxnet, a computer worm purportedly designed jointly by the US and Israel, crippled Iran’s nuclear enrichment program by sabotaging centrifuges.
- In 2014, a German steelworks was disabled and a furnace severely damaged when hackers infiltrated its network and prevented the furnace from shutting down.
- In 2015, in an attack strongly suspected to have originated from Russia, 230,000 people lost power when 30 sub-stations in Western Ukraine were shut down remotely. Operators at the Prykarpattyoblenergo control center were even locked out of their systems during the attack and could only watch it unfold.
Apart from these cyber activities across the world, which have given most nations the urgency to re-examine their cyber strategies and move to a more proactive detection and alerting mechanism, the following are some of the reported and unreported cybercrimes in Fiji:
- In 2013, a Suva based company lost US$65,000 to cybercrime in a single remittance transaction for the acquisition of soft goods from Taiwan, whereby payment was diverted to the UAE and then to India (proxy chaining attack).
- Also in 2013, a Suva based company lost US$44,000 to cybercrime in 3 transactions for the acquisition of raw materials from China and Belgium, whereby payments were diverted to the UK.
- In 2014, a Suva based agency lost US$101,000 to cybercrime in the acquisition of cloths from Israel, whereby payment was diverted to the UK.
- In 2014, a Suva based company lost US$10,000 to cybercriminals in a single transaction for the acquisition of industrial spare parts from China.
- In 2015, a Nausori based company lost US$13,000 to cybercrime in the acquisition of food and supermarket products from Pakistan, whereby the payment was diverted to the UK.
- In 2015, a Suva based company lost US$14,000 to cybercrime in the acquisition of motor vehicle parts and tires from China.
- In 2015, some of the systems of the Fiji Revenue and Customs Authority were infected by ransomware, resulting in data loss.
- In 2016, an engineering firm based in Nadi, with business spread across many countries, was hit by ransomware, resulting in complete data loss.
- In 2016, a pharmaceutical company with more than 8 pharmacies spread across the whole of Fiji was hit by ransomware, resulting in data loss. The data retrieval process, which cost NZ$13,000 per week, turned out to be futile as no data was retrieved.
- In 2017, one of the world-renowned bottled water brands in Fiji and a prominent resort were hit by NM4 ransomware, resulting in total data loss.
- In 2018, a major City Council was infected by Combo ransomware, which resulted in data loss.
The pace and severity of these attacks show no sign of declining. Indeed, because there have usually been little or no consequences or costs imposed on the states, organizations or individuals that have taken these actions, they and others have little reason not to engage in such acts in future. Some nations have spent millions of dollars and many years advancing methodologies and tactics for global stability in cyberspace. The best results were achieved through continuous monitoring and alerting methods based on cyber threat analytics.
Looking at these statistics, which are very few compared to the many incidents that are still unknown, it can clearly be seen that Fiji is not far from being a target of some of the biggest, most sophisticated cybercrime activities. The companies reported above had spent thousands of dollars securing their infrastructure, yet their systems were still compromised.
Consequences and impact of not being cyber resilient
Cyber threats evolve each day, and detecting them is becoming more important than ever. The statistics presented in this paper revolve around very few of the attacks and compromises that took place in Fiji and were either reported, or unreported but addressed at some stage. The fact is that there are many unreported events amounting to thousands of dollars in financial loss. What is evident from these attacks is that we are no longer strangers to the cyber world, and criminals sitting in other parts of the world are waiting to launch, or may already have launched, attacks against us, whether organized or unorganized.
The questions we need to ask are:
- Are we prepared for the worst? The critical infrastructures in Fiji such as electricity, water, airlines, Government ITC and the Fiji National Provident Fund are all single points of failure, meaning that if one of them is compromised it will lead to great loss to the nation until the issue is rectified.
- What are we spending on? Organizations in Fiji are spending thousands of dollars upgrading their security infrastructure and acquiring the best tools to protect their assets, but do they know whether that spending will give them maximum protection against such attacks? Do they even know the attack patterns and adversaries they are trying to protect these assets from?
- Do we know what we are dealing with? We do not even know what adversaries we have or what our Indicators of Attack (IOA) are. How can you deal with events without knowing what you are dealing with?
- Do we know what needs to be protected and what types of attack we can anticipate? If we do not understand the patterns of attack, we will not know what needs to be protected, or to what extent.
The Solution: an intelligence-driven security approach
It is a well-worn and almost axiomatic expression that deterrence is hard in cyberspace. Some even assert that deterrence in this realm is impossible. Although not everyone would agree with this fatalistic outlook, it is a bitter truth that deterrence in cyberspace is a complex issue.
The modern threat landscape is vast, complex and constantly evolving. The idea that businesses can be fully secured against any and all potential threats has become untenable. Threat intelligence done right is a window into the world of your adversary. Vendors and service providers aim to empower organizations by alerting them to the specific threat vectors and attacks they face, as well as how these should be prioritized for protection and prevention. Gartner defines threat intelligence as “evidence-based knowledge, including context, mechanisms, indicators, implications, and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.” This definition highlights the three factors that distinguish threat intelligence from mere data and information. At its heart, threat intelligence:
- Must be evidence-based.
- Must relate to an existing or emerging threat.
- Must inform decision making.
If any of these requirements is missing, more processing is required before the information can be considered threat intelligence. Understanding the patterns of attack and knowing your adversaries will not only help nations and organizations be better prepared for potential threats and attacks, but also let businesses make correct decisions about their spending on upgrading or enhancing their security infrastructure.
As you begin the process of selecting a threat intelligence solution, you will want to be sure you have clearly defined your needs, as well as a good understanding of vendor capabilities.
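One way to turn the three criteria above into a gate on the central threat repository the paper calls for, written here as an added Python example that is not part of the paper: records that fail a criterion are held with the reason, so the analyst knows what further processing is needed, and records that pass are merged per indicator. The record fields, the 90-day "emerging" window and the sample feed are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Assumption: a sighting older than this window is no longer "emerging".
EMERGING_WINDOW = timedelta(days=90)

def assess(record, now):
    """Apply the three threat-intelligence criteria to one raw feed record.
    Returns (accepted, reasons); reasons name the processing still needed."""
    reasons = []
    seen = record.get("observed_at")
    # 1. Evidence-based: a named source and a dated observation.
    if not record.get("source") or seen is None:
        reasons.append("no evidence: source or observation missing")
    # 2. Existing or emerging threat: recently seen and not retired.
    elif record.get("retired") or now - seen > EMERGING_WINDOW:
        reasons.append("not an existing or emerging threat")
    # 3. Informs decisions: threat context plus a concrete action.
    if not record.get("threat") or not record.get("action"):
        reasons.append("no actionable advice")
    return not reasons, reasons

def build_repository(records, now):
    """Admit qualifying records into a central repository keyed by indicator,
    merging duplicates so each entry lists all corroborating sources."""
    repo, rejected = {}, {}
    for rec in records:
        ok, reasons = assess(rec, now)
        if not ok:
            rejected[rec["indicator"]] = reasons
            continue
        entry = repo.setdefault(rec["indicator"], {"threat": rec["threat"],
                                                   "sources": set(), "actions": set()})
        entry["sources"].add(rec["source"])
        entry["actions"].add(rec["action"])
    return repo, rejected

# Constructed reference time and sample feed; indicator values are placeholders.
NOW = datetime(2018, 6, 1, tzinfo=timezone.utc)
FEED = [
    {"indicator": "invoice-portal.example.invalid", "source": "bank-feed", "observed_at": NOW - timedelta(days=3),
     "threat": "payment redirection phishing", "action": "block domain at mail gateway"},
    {"indicator": "invoice-portal.example.invalid", "source": "partner-csirt", "observed_at": NOW - timedelta(days=10),
     "threat": "payment redirection phishing", "action": "alert finance on supplier bank-detail changes"},
    {"indicator": "sha256:PLACEHOLDER_RANSOMWARE_HASH", "source": "vendor-feed", "observed_at": NOW - timedelta(days=200),
     "threat": "ransomware dropper", "action": "quarantine on endpoint"},
    {"indicator": "203.0.113.7", "observed_at": NOW - timedelta(days=1), "threat": "scanning"},  # no source, no action
]
REPOSITORY, HELD_FOR_PROCESSING = build_repository(FEED, NOW)
```

The payment-redirection record mirrors the diverted-remittance cases listed earlier: two independent sources corroborate one indicator, while a stale hash and an unsourced sighting are held back rather than admitted.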