The 7 phases of cyber attacks: Joe Sarno, Fortinet
In the age of digital workplaces, enterprises need security everywhere, from the network to the endpoint and from the cloud to every corner of their operations, to limit the risk of cyber attacks.
In an interview with Rashi Varshney of Express Computer, Joe Sarno, Vice President, International Emerging, MEA, Eastern Europe, India & SAARC at Fortinet, speaks about the strategies Indian companies should adopt to ensure security as well as business growth, what an ideal security infrastructure looks like, and what questions a CIO or CISO should ask a security vendor. Read on…
Edited Excerpts
Indian enterprises generally have basic traditional firewalls for security. What are the new-generation trends in security, and what kinds of breaches do Indian companies face in terms of cyber attacks?
India's adoption in the cyber security space is a little behind that of other advanced countries. Typically, enterprises start with a firewall and then start adding pieces. Threats have evolved enormously over the years. We have seen them go from simple viruses that block computers to today, where the real threats come from malware and ransomware, which are creating the biggest issues for companies across industries.
However, phishing is still used as the first way, the first attempt, to breach an enterprise, a government or a customer and try to enter the system. These are the main breaches seen in the market today. To address this, we announced the Security Fabric. The Security Fabric is, in a sense, the evolution of ten years of innovation at Fortinet, whereby we have been building this platform starting from the firewall and adding various components, not only inside the firewall but also new solutions outside it. Building those single-point solutions brought us to a stage where we felt we needed to integrate them inside a fabric, whereby the components of my security, not only inside my network but also outside it, talk to each other, have the ability to exchange information between the solutions, and are more powerful and more adaptive to the new types of malware and breaches we have seen.
How vulnerable are Indian companies in terms of cyber risks?
Everybody is vulnerable all the time. It is not a question of being in India, the US or the UK. Security is like insurance; we always have to renew it on a daily basis to be able to consider ourselves protected.
What kind of strategies should Indian companies have to ensure security as well as business growth?
Strategy embraces lots of areas of a company. I think one of the most important aspects is training. A CIO should first train people in cyber security. The training should not only be about how a security solution works or how to implement a security solution in the most effective way, but should also make them understand the risks they are exposed to each day. Training the employees will reduce the risk in a very drastic way, not only inside the network but also on the wider side, because we are constantly connected. Wireless is part of our lives and wired infrastructure is becoming less utilized.
How do you suggest CIOs build better cyber defences in their corporate networks?
I advise CIOs to analyse and understand the different phases of a cyber-attack to build better cyber defences in their corporate network. In the past, it was much easier for firewalls to detect significant threats to the network. This was because traffic could be classified based on specific protocols and cyber-hackers were not as sophisticated. However, cyber threats are now designed to avoid detection by bypassing traditional firewalls with ease.
There are 7 phases of a cyber-attack, and I prescribe precautionary steps to counter each of them:
Phase 1 Reconnaissance – In this early phase, the attacker attempts to gain an understanding of an organization, its network and its business partners. Identify "watering holes", the common websites that employees may go to not only for business purposes but also for leisure, and monitor these sites closely with content filtering and/or proxy tools. These sites are often researched and identified by cyber hackers, who then plant malware in these legitimate websites. It is also important to review vendors and take note of the level of access they are accorded. Build a template with key questions and considerations to assess the security of any third party, and determine the minimum access requirements.
Phase 2 Weaponization – This is the phase where an attacker selects, and sometimes even builds, malicious code to exploit identified vulnerabilities within the target. One needs to know which type of attack is likely to be underway. If a nation-state attack is imminent, focus efforts and resources on putting processes and technology in place to respond to zero-day threats. Segmenting your network architecture is also a good way to at least minimize the impact of a potential breach. When it comes to zero-day threats, the key is detection.
If the threat is likely to emanate from cybercriminals, concentrate on developing a good vulnerability and patch management program. Consistently patching known vulnerabilities will increase the chance of keeping criminals from compromising a network. When researching vulnerability and patch management technologies, ensure solutions can identify all assets, operating systems, applications, and vulnerabilities.
Phase 3 Delivery – As threats come from both inside and outside an organization, and can be either intentional or accidental, a comprehensive scheme of programs and processes needs to be put in place to identify threats and risks. Phishing emails are by far the most common method of malware delivery. Implement a training program on phishing that makes employees aware of the increasing levels of sophistication these attacks often use. Employ content security technology for email and web traffic designed to identify and remove malicious attachments. Solutions that include sandbox tools are especially important, as they can detect previously unseen or sophisticated malware.
Phase 4 Exploit – Since many exploits occur through a phishing attack, a strong vulnerability and patch management system is key. Standardize on one browser for the workforce, ensure it is patched and updated regularly, and limit the use of plug-ins such as Java or Flash. Most malware employs evasion techniques to circumvent traditional AV technology. Utilize sandbox technology to move suspicious content to a secure area where its behaviour can be safely triggered and analysed.
Phase 5 Command and control – To defend at this stage, application control at the perimeter is a must to inspect application streams and detect malware communicating back to its malicious infrastructure. Malicious communication tools often tunnel through other protocols. SSL inspection tools are the best defense, as they can intercept, open, inspect, and then forward encrypted traffic once it is deemed clean. A good approach is to use a combination of application control, reputational databases, and URL filtering to monitor, inspect, and secure traffic.
Phase 6 Internal reconnaissance – No defense strategy is guaranteed to stop every attack. Implement a good incident response plan. When an incident occurs, people tend to panic, so a proper plan detailing steps to take and people to contact could avoid a knee-jerk reaction.
Once an attacker is inside a network, they have bypassed any edge protection layer. However, there is still a chance to minimize the impact of the breach by segmenting the network into security zones. This will create various choke points to help isolate the breach and to monitor and secure traffic as it moves between security zones. It will also result in more granular visibility inside the network, where most organizations traditionally have little to no threat intelligence.
Given that a threat has managed to circumvent your defenses, there was most likely no signature available to detect it. At this stage, adopt anomaly-based and behavioural-based detection. This technology leverages big data analytics and machine learning tools to understand what normal traffic looks like so that unusual or unexpected traffic patterns and device behaviours can be quickly identified.
Phase 7 Maintaining – At this point in the attack chain, the malicious "visitors" will try to extend their visit for as long as possible to siphon data from your network. Document the company's servers that contain sensitive data and make sure they do not have access out to the Internet. This will make it more difficult for cyber criminals, because they will need to find a staging server to transfer data onto before exfiltrating it to their destination. Identify all attack paths into and out of servers with sensitive data, and monitor these paths more closely. Pay particular attention to the ones that have access to servers that in turn have access to the Internet.
To avoid an attacker going undetected for long periods of time, consider Operational Threat Intelligence (TI). Sophisticated malicious code is designed to remain undetected by traditional AV scanning. Do not just rely on clean scan results; instead, invoke more detailed forensic procedures to truly identify whether or not the machine is clean, especially if the device contains sensitive or compliance-related data.
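Two of the controls described above for Phases 5 to 7, behaviour-based detection of malware calling home and watching egress from servers that hold sensitive data, can be illustrated on firewall logs. The following is an added example written for this page; it is not Fortinet's code nor part of the interview. It assumes a hypothetical log format (one line per connection with a timestamp, source, destination, port and byte count), a hypothetical inventory of sensitive servers, and uses a constructed log sample. The beacon check flags a source/destination pair whose connection intervals are almost constant, which is what a periodic command-and-control check-in looks like before any signature exists; the egress check flags any connection from a sensitive server to a non-RFC1918 address.

```python
import ipaddress
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall log (not real data). Host 10.1.1.5 connects to
# 203.0.113.10 exactly every 60 seconds (a beacon), 10.1.1.7 browses at random
# intervals, and the sensitive database server 10.1.5.20 makes one outbound
# connection to an external address plus one internal connection.
SAMPLE_LOG = """\
2016-10-03T09:00:00 src=10.1.1.5 dst=203.0.113.10 dport=443 bytes=812
2016-10-03T09:00:30 src=10.1.1.7 dst=198.51.100.8 dport=443 bytes=5120
2016-10-03T09:01:00 src=10.1.1.5 dst=203.0.113.10 dport=443 bytes=801
2016-10-03T09:01:45 src=10.1.1.7 dst=198.51.100.23 dport=80 bytes=10240
2016-10-03T09:02:00 src=10.1.1.5 dst=203.0.113.10 dport=443 bytes=799
2016-10-03T09:02:05 src=10.1.1.7 dst=198.51.100.8 dport=443 bytes=2048
2016-10-03T09:03:00 src=10.1.1.5 dst=203.0.113.10 dport=443 bytes=820
2016-10-03T09:03:40 src=10.1.5.20 dst=192.0.2.77 dport=22 bytes=4096000
2016-10-03T09:04:00 src=10.1.1.5 dst=203.0.113.10 dport=443 bytes=805
2016-10-03T09:07:10 src=10.1.1.7 dst=198.51.100.40 dport=443 bytes=300
2016-10-03T09:10:00 src=10.1.5.20 dst=10.1.2.30 dport=1433 bytes=512
"""

# Hypothetical asset inventory: servers holding sensitive data that should
# never reach the Internet directly (the Phase 7 advice above).
SENSITIVE_SERVERS = {"10.1.5.20"}

# RFC 1918 ranges checked explicitly; the stdlib's is_private also treats the
# documentation ranges used in the sample (192.0.2.0/24 etc.) as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) bytes=(\d+)$")


def is_internal(ip):
    """True if the address falls inside an RFC 1918 range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, dport, nbytes = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                       "dport": int(dport), "bytes": int(nbytes)})
    return events


def find_beacons(events, min_connections=4, max_jitter=0.1):
    """Flag (src, dst) pairs whose inter-connection gaps are nearly constant.
    Jitter is the coefficient of variation (stdev / mean) of the gaps; real
    implants add random sleep, so the threshold is a tuning knob, not a rule."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e["ts"])
    beacons = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            beacons.append({"src": src, "dst": dst, "period_s": mean, "jitter": jitter})
    return beacons


def find_forbidden_egress(events, sensitive=SENSITIVE_SERVERS):
    """Flag connections from sensitive servers to any address outside RFC 1918 space."""
    return [e for e in events if e["src"] in sensitive and not is_internal(e["dst"])]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for b in find_beacons(evs):
        print(f"possible C2 beacon: {b['src']} -> {b['dst']} every {b['period_s']:.0f}s")
    for e in find_forbidden_egress(evs):
        print(f"sensitive server egress: {e['src']} -> {e['dst']}:{e['dport']} ({e['bytes']} bytes)")
```

On the sample, only the 10.1.1.5 to 203.0.113.10 pair is reported as a beacon (five connections, 60 s apart, zero jitter), and only the database server's SSH connection to 192.0.2.77 is reported as forbidden egress; the random browsing from 10.1.1.7 produces nothing. In practice the periodicity threshold needs tuning against real traffic, and a beacon alert is a lead for the forensic follow-up the interview recommends, not proof of compromise on its own.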
What are the questions a CIO or CISO should ask a security vendor?
I would first look at how solid the company is in terms of financial performance, how much money they put into R&D, what their road map is, how good their vision is on future solutions, and what new issues the company is going to address. Second, the capability to support my company in terms of support services, professional services and escalation services, and whether the vendor is able to provide resident engineers on site.
I would also want to know how the company is evolving into the future, because what is happening today is obviously important, but I would like to see the future evolution of how this company can support me and give me the right type of solutions in terms of security.