How to fight cyber crime
The recent nomination of the British Bankers' Association as an intelligence node and source of benchmarks and practices in the UK's financial infrastructure, via CBEST, has pushed the role of the banking sector in detecting and remediating breaches into the spotlight, writes Nick Pollard.
Banks are formally plugged into the intelligence community, for example UK CERT and their peers, via CISP, as both sources and consumers of intelligence. CBEST will use the latest threat intelligence so that defences can be put through their paces with tests resembling real-world incidents.
As with any collective pool of intelligence, organisations will get out what they put in. For security teams, a starting point for intelligence gathering is gaining a bird's-eye view of anomalous or unusual activity where the data resides: at the endpoint. This can produce a clear picture of risk: from new threats to compromised accounts, back-channel communications and processes, suspicious patterns, commonalities and anomalies. Not only does this lay the foundation for improved intelligence on the origins and scope of an attack, it also provides for fast and efficient remediation and response to any breach.
The response plan
Banks' cyber response follows a generally accepted six-phase pattern. Each task should be invoked in a prepared IR plan within an agreed-upon structure. Ultimately, senior management accountability is required and is likely to be reinforced in the short term, including within the domain of Information Technology.
The first post-breach step is the technical identification of a compromise – identify and expose – and the invocation of the IR team. Gaining visibility into systems for indications of compromise is critical, and as with any incident, speed is of the essence. There are two ways to validate cyber threats proactively: endpoint security analytics and security automation.
- Endpoint Security Analytics: leveraging data from all servers and end-user devices, endpoint security analytics can give complete visibility of endpoint activities across the network, in order to detect anomalous behaviour, areas of potential risk, and security threats before damage can spread.
- Security Automation: integrating network-enabled endpoint cyber forensics tools with SIEM systems helps to quickly reveal and validate suspect or mutating software on any endpoint on the network. The cyber investigation tool should be able to work quickly across platforms, as speed is essential to finding and collecting actionable volatile data.
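The two bullets above describe fleet-wide endpoint visibility feeding a SIEM. The script below is an added example, not code from the article or from any product it alludes to: it runs two purely statistical checks over a constructed endpoint process inventory (host, process name, image hash) and emits findings as JSON lines, which is an assumed SIEM ingest format. The first check flags binaries seen on only one host (rare binaries); the second flags a common process name backed by more than one image hash, the "mutating software" pattern where a minority hash hides behind a trusted name. All hostnames and hashes are constructed placeholders.

```python
"""Fleet-wide endpoint prevalence analysis (added example, not from the article).

Each record is one executing process observed by an endpoint agent:
(host, process name, SHA-256 of the image on disk). All data is constructed.
"""
import json
from collections import defaultdict

# Constructed endpoint inventory. Hashes are shortened placeholders, not real digests.
INVENTORY = [
    ("ws-001", "svchost.exe", "aaa111"),
    ("ws-002", "svchost.exe", "aaa111"),
    ("ws-003", "svchost.exe", "aaa111"),
    ("ws-004", "svchost.exe", "aaa111"),
    ("ws-005", "svchost.exe", "aaa111"),
    ("ws-001", "outlook.exe", "bbb222"),
    ("ws-002", "outlook.exe", "bbb222"),
    ("ws-003", "outlook.exe", "bbb222"),
    ("ws-004", "outlook.exe", "bbb222"),
    ("ws-005", "outlook.exe", "bbb222"),
    # Same name as the fleet-wide binary, but a different image hash on one host.
    ("ws-003", "svchost.exe", "ccc333"),
    # A one-off binary that no other host runs.
    ("ws-004", "updater.exe", "ddd444"),
]


def prevalence(inventory):
    """Map (process_name, sha256) -> set of hosts on which it was observed."""
    seen = defaultdict(set)
    for host, name, digest in inventory:
        seen[(name, digest)].add(host)
    return seen


def hashes_by_name(inventory):
    """Map process_name -> {sha256 -> set of hosts}, to spot hash variance per name."""
    by_name = defaultdict(lambda: defaultdict(set))
    for host, name, digest in inventory:
        by_name[name][digest].add(host)
    return by_name


def find_anomalies(inventory, fleet_size, rare_threshold=1):
    """Return a list of findings; no signatures involved, only fleet statistics.

    rare_binary   - a (name, hash) pair seen on <= rare_threshold hosts
    hash_variance - one process name backed by several hashes; the minority
                    hash(es) are reported with the dominant hash for comparison
    """
    findings = []
    for (name, digest), hosts in sorted(prevalence(inventory).items()):
        if len(hosts) <= rare_threshold:
            findings.append({
                "signal": "rare_binary",
                "process": name,
                "sha256": digest,
                "hosts": sorted(hosts),
                "fleet_prevalence": f"{len(hosts)}/{fleet_size}",
            })
    for name, variants in sorted(hashes_by_name(inventory).items()):
        if len(variants) < 2:
            continue
        dominant = max(variants, key=lambda d: len(variants[d]))
        for digest, hosts in sorted(variants.items()):
            if digest == dominant:
                continue
            findings.append({
                "signal": "hash_variance",
                "process": name,
                "sha256": digest,
                "expected_sha256": dominant,
                "hosts": sorted(hosts),
                "fleet_prevalence": f"{len(hosts)}/{fleet_size}",
            })
    return findings


def to_siem_events(findings):
    """Serialise findings as JSON lines (an assumed, generic SIEM ingest format)."""
    return [json.dumps(f, sort_keys=True) for f in findings]


if __name__ == "__main__":
    fleet = {host for host, _, _ in INVENTORY}
    for line in to_siem_events(find_anomalies(INVENTORY, len(fleet))):
        print(line)
```

On the constructed data this yields three findings: the rogue `svchost.exe` image on ws-003 is reported both as a rare binary and as a hash-variance outlier against the fleet's dominant hash, and `updater.exe` on ws-004 as a rare binary. Raising `rare_threshold` above 1 trades fewer false positives on legitimately niche tools against slower detection of a spreading implant.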
Once a problem has been identified, the next step is triage. This requires identification of the potential harm, based on an appreciation of the extent of the compromise and of the ongoing capabilities and intent of the adversary.
Once a threat is triaged and recognised, an appropriate response can be formulated, both for containment and remediation (stages 4 and 5). The necessary experts can be identified and roles assigned from a personnel matrix, on the basis of a defined process within the IR plan. Sponsors will be drawn from a variety of domains, from IT remediation to legal and regulatory liaison and even marketing, who may be called upon to identify and notify potentially millions of customers. Forthcoming changes may require the apportionment of responsibilities to individuals deemed to be senior management to be revisited in the context of IR plans.
One existing requirement that the new CBEST may bring to the fore is the requirement to notify financial regulators of potential threats: that is, of potential threats and vulnerabilities notified under the framework that may then be recognised as applicable. This potentially adds to the 'Identify', 'Triage' (stage 3) and even 'Preparation' (stage 1) workloads. If CBEST affords advance warning of an eventuality that "may occur in the foreseeable future, a firm should consider both the probability of the event happening and the severity of the outcome should it happen," in order to decide on the need for notification. Early warning and intelligence may raise the requirement of notification at a very early stage indeed.
The fledgling intelligence sharing framework for banks is nonetheless valuable, given the corporate context. In fact, across the entire business world, a substantial proportion of the IT security community is concerned that they have neither internal intelligence of attacks nor the means to communicate them. Recent data on this makes for salutary reading: a survey conducted by EMA suggests that a common frustration with IT security technology, shared by 36% of respondents, is that tools are unable to detect emerging threats or attacks. Nearly a third (29%) reported poor reporting for communication.
Therefore, in view of the concerns of IT security professionals, the CBEST framework will help address some of the biggest challenges – the invisibility of potential threats, or, as Rumsfeld had it of a comparable intelligence problem, 'unknown unknowns'. It pulls together the foundations for building a mature incident response plan: people, process and technology, providing intelligence and benchmarks including input from commercial and government external sources. The insights that can be gained from institutions' own systems and devices can help to inform this collective pool of intelligence and provide a route to faster and more efficient breach detection and remediation. The challenge will be to ensure that the organisation and pre-prepared plans can keep pace with accelerated threat intelligence and reporting.