A few weeks ago, Shelbi Rombout from Mastercard, Nick Ritter from Fifth Third Bank, Shane Durham from World Pay and I all participated in an interesting panel discussion at the FS-ISAC Annual Summit in Lake Buena Vista, Florida. The panel was presented in an interactive format designed to test the audience’s knowledge of the misuse of certificates in advanced cybercrime. In our discussion, we spent a lot of time discussing the differences and similarities in the threats that are plaguing financial services organizations.
The bottom line was that the concept of a “real” cyber attack was different for everyone in the room. Yet there were many challenges that we all had in common. We were all underfunded and we all faced a faster, more asymmetric offensive. There were also a lot of things we could learn from each other.
Case in point: over Mother’s Day weekend, many attendees had been checking on their controls and patching their defenses against WannaCrypt. When a major exploit is spreading in the wild, every security team is busy trying to understand the impact factors: the details of the attack, how it’s changing and how quickly it’s spreading. The fact that WannaCrypt was just the latest in a long line of exploits made it tricky to find a balance between complacency and a Chicken Little attitude. You can’t blame security teams for having a doom-and-gloom, sky-is-falling attitude.
WannaCrypt is the exact opposite of a highly targeted, methodical attack. But what it lacks in sophistication, it makes up for in hustle. Because it is self-propagating, it’s a perfect example of attacks that move at machine speed. These kinds of attacks collapse the time between intrusion and exfiltration from weeks or days to just hours, rendering many detection tools and processes useless.
WannaCrypt is the poster child for the importance of basic security hygiene—patching and ingress filtering were effective in preventing the attack. But it also serves as a reminder of why it’s critical that you architect your business infrastructure to be as resilient as possible. You need to be prepared to take an attacker’s best punch and then another and another and still keep circling the ring.
That sounds great, but how do you create a resilient infrastructure? You need multiple layers of protection in the cloud and on endpoint clients. You need to be fanatical about monitoring what’s going on across your network and you need to be poised to quickly investigate and respond to anomalous behavior. This means you can’t rely entirely on humans to detect and respond.
You also have to find a way to integrate information from all the security tools you rely on, so that you have a single view of what is happening on your network. Your endpoint, antivirus, firewall and IDS/IPS systems all have information about what is happening but the data is siloed and in incompatible formats. The data has to be correlated and translated in order to get actionable intelligence. This is where artificial intelligence and machine learning come in; these technologies are poised to be the next big wave of innovation for security teams.
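As an added illustration (not code from the original post or from any product it mentions), here is the correlation step that paragraph describes, in Python: three constructed log lines in invented formats, one each from a firewall, a network IDS and an endpoint agent, are translated into one common event shape, and any host that two or more different tools report within a short window is flagged. All log formats, hosts and timestamps are assumptions made up for the example.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in three deliberately different formats (hypothetical, not any real product's output).
FIREWALL_LOG = [
    "2017-05-12T10:01:07Z fw01 DENY TCP 10.0.5.23:49712 -> 198.51.100.7:445",
    "2017-05-12T10:01:09Z fw01 ALLOW TCP 10.0.5.23:49713 -> 10.0.5.40:445",
]
IDS_LOG = ["05/12/2017-10:01:10 [**] SMB exploit attempt [**] 10.0.5.23 -> 10.0.5.40"]
ENDPOINT_LOG = ['{"time": "2017-05-12 10:03:44", "host": "10.0.5.40", "event": "mass file encryption"}']

def parse_firewall(line):
    m = re.match(r"(\S+) \S+ (DENY|ALLOW) \S+ ([\d.]+):\d+ -> ([\d.]+):(\d+)", line)
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "source": "firewall", "hosts": {m.group(3), m.group(4)},
            "detail": f"{m.group(2)} {m.group(3)} -> {m.group(4)}:{m.group(5)}"}

def parse_ids(line):
    m = re.match(r"(\S+) \[\*\*\] (.+?) \[\*\*\] ([\d.]+) -> ([\d.]+)", line)
    ts = datetime.strptime(m.group(1), "%m/%d/%Y-%H:%M:%S")
    return {"ts": ts, "source": "ids", "hosts": {m.group(3), m.group(4)}, "detail": m.group(2)}

def parse_endpoint(line):
    rec = json.loads(line)
    ts = datetime.strptime(rec["time"], "%Y-%m-%d %H:%M:%S")
    return {"ts": ts, "source": "endpoint", "hosts": {rec["host"]}, "detail": rec["event"]}

def normalize(fw_lines, ids_lines, ep_lines):
    """Translate every silo into one common event shape, ordered by time."""
    events = [parse_firewall(l) for l in fw_lines] + [parse_ids(l) for l in ids_lines] \
             + [parse_endpoint(l) for l in ep_lines]
    return sorted(events, key=lambda e: e["ts"])

def correlate(events, window=timedelta(minutes=5)):
    """Flag any host that at least two different tools reported within `window`."""
    by_host = defaultdict(list)
    for ev in events:                      # index the time-ordered events by every host they name
        for host in ev["hosts"]:
            by_host[host].append(ev)
    alerts = {}
    for host, evs in by_host.items():
        for i, first in enumerate(evs):    # slide a window forward from each event for this host
            cluster = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            sources = {e["source"] for e in cluster}
            if len(sources) >= 2:
                alerts[host] = sorted(sources)
                break
    return alerts
```

Running `correlate(normalize(FIREWALL_LOG, IDS_LOG, ENDPOINT_LOG))` flags 10.0.5.40 with all three sources and 10.0.5.23 with firewall and IDS, while the single firewall denial to the external address stays below the threshold.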
The worst-case scenario for every security team is a blended, coordinated attack that chains several exploits together. A WannaCrypt-style attack could be devastating if it is combined with a massive DDoS attack designed to distract your security team and disrupt your business. In order to defend against attacks that happen at machine speed, we all need to invest in defenses that operate at machine speed.