Businesses are facing an onslaught of cyberattacks, especially ransomware. If they want to respond they need to change not just their technology but their approach to cybersecurity risks, according to FireEye CEO Kevin Mandia.
Mandia, speaking at the CDW Managing Risk Summit in Washington, D.C., says that the cybersecurity firm will soon release its annual “M Trends” report on the investigations it conducted in 2016. The firm conducted more than 500 investigations in 17 countries last year. Mandia says that if the original victim of an attack is in the United States, they most likely fell for a spear phishing attack.
Spear phishing involves hackers sending an email that appears to be (but isn’t) from an individual or business that users know; the hackers gain access to a user’s files when the user clicks on the email.
There are a few high-level conclusions Mandia shared from the report about the state of cyberattacks FireEye is investigating. One is that there are few risks or repercussions for the attackers.
By the time FireEye is called by a business, Mandia says, the breach has usually reached a scope and scale that requires outside help. Additionally, most of the breaches FireEye investigates are conducted by state-sponsored actors. For the first time since 1998, FireEye is responding to intrusions coming out of Russia more than China, Mandia notes.
Mandia notes that attackers will continue to reflect geopolitical conditions. If hackers launch their attacks on U.S. businesses from inside the U.S., they will eventually be caught because their anonymity will be pierced due to courts, warrants and the due process of the justice system, Mandia contends. However, attackers operating in “safe harbors” in foreign countries are not being caught, publicly named or deterred from attacking again. Unless attribution of an attack is made by a nation-state, the attackers will not be deterred, Mandia says.
Attackers also continue to exploit human trust. In the 1990s, Mandia notes, if hackers wanted to attack a large business they would scan the packets going into or out of a firm’s server, tap into their IT services and try to hack machines. Now, he says, hackers will try to conduct research on a 25-year-old employee who is putting their life online, and then conduct social engineering to spoof them and get their credentials through a spear phishing attack.
Of the more than 500 investigations FireEye undertook last year, more than 90 percent of the original victims, “victim 0,” were hit with spear phishing, Mandia says. Such attacks are usually highly targeted, only focusing on about two to five employees, and are difficult to detect.
Meanwhile, cybercrime tradecraft has improved drastically, according to Mandia, and those who conduct hacking for governments will often also do criminal hacking on the side to make more money. Extortion in cyberspace is also rising as hackers use the digital currency bitcoin to get payments from companies whose data they have encrypted or stolen.
Additionally, once a company gets hacked, someone else knows about it, Mandia says. Often, the media will find out about a breach at roughly the same time a company does, and then the firm must make a disclosure in a rushed manner.
According to Mandia, data loss prevention tools are not that helpful for detecting large breaches. “We have never responded to a breach because someone detected the data leakage,” he says. “Every time someone breaks in, and we all have DLP, DLP has never been the trigger mechanism for over a thousand breaches we have responded to. Again, we have a skewed vantage point, but that means the hackers we respond to know how to evade DLP every time, and they do.”
In short, Mandia says, businesses are failing to detect spear phishing attacks, don’t manage credentials well, don’t segment their networks enough, and only enable single-factor authentication for their virtual private networks. Those accounts with lots of privileges are not secured enough, and critical data for responses to attacks is not being collected.
Given all of that, what can businesses do about it?
First, Mandia says that businesses need to understand what they are up against and the threats they face. They also need to identify the risks they do not want to become a reality. He says that business line owners need to know the risks and identify what they can’t afford to lose or not be able to do in the event of a cyberattack. Such determinations cannot just be the responsibility of the company’s CISO or CIO.
Companies also need to determine how good they want or need to be at security. At a base level, companies can deploy tool-based security efforts and then integrate those tools to make sure they are compliant. However, they can also invest in adaptive cybersecurity defenses and try to become more resilient against attacks, Mandia notes. That might be where power utilities need to move, he says, as attacks against critical infrastructure increase.
Companies should also “assign one throat to choke” and lead cybersecurity efforts. Firms need to assign clear leadership, Mandia says. If a company’s board doesn’t have an answer for who is responsible for cybersecurity, then everyone is responsible and security concerns wind up falling through the cracks.
They also need to determine a framework for reporting attacks. Firms need to be able to withstand third-party inspection of their cybersecurity plans and defenses.
Finally, companies need to ensure that their risk profile aligns with what their board of directors wants to do.
Mandia notes that at small and medium-sized businesses, which usually do not have the resources to constantly assess their security posture, and sometimes might not have real boards, all of this becomes even more difficult.
According to Mandia, large firms in defense-industrial base and financial services have been able to enforce these best practices on third-party cybersecurity firms. Contracts can be used to impose the firm’s “risk profile” on partners, he says.