Standard intrusion detection systems and firewalls only take us so far. For effective protection and detection we need to look at new ways to achieve better detection, leveraging sophisticated technology. An example is how artificial intelligence can probe potential vulnerabilities and reveal hidden clues at a very early stage of an attack taking place.
The most prevalent and serious cyber threats originate from well-funded, professionally operated and organised cybercriminal groups. Sometimes these efforts can be state-sponsored. These operations have the resources to plan attacks, often directly targeted at individual organisations or whole industries. They do this by probing specific human and technical weaknesses. Businesses’ IT infrastructure should be equipped with robust firewalls, but employees can still be fooled. A common tactic is sending emails designed to look like they come from a trusted business partner or a manager. This attack vector is frequently used for ever-present ransomware threats.
Being better prepared
Cybercriminals love reconnaissance, and you may want to know what they already know about you. The first step to being better prepared is to know what criminals can find online about your organisation and key staff. Are your people, partners or clients posting sensitive information about the firm or clients on social media? Has your data been hacked and is it for sale on the dark web? Scanning this open source intelligence is increasingly important as it will warn you about potential attack vectors.
Yet even with the best preparation there is no guarantee that a cyberattack won’t be successful. Moreover, modern hackers are not necessarily interested in acts of cyber vandalism. They often want your systems to run as smoothly as normal, enabling their IT tools to scan your systems for sensitive data that can then be exfiltrated. If this process can continue for weeks or months, then this is all the better for the criminal.
Your organisation might send petabytes of data across the world to thousands of IP addresses, but AI tools can alert you if some of this is being tapped by an unusual internet resource.
Thomas Koch, Associate partner (EY)
AI to check for anomalies
This is where AI tools come in. They scan the mass of network traffic and compare it will historical norms. Your organisation might send petabytes of data across the world to thousands of IP addresses, but AI tools can alert you if some of this is being tapped by an unusual internet resource, maybe in an unusual location.
This can trigger intervention by a member of staff in a Security Operations Center who will check the validity of this data flow. If there is an innocent explanation, the AI system will “learn” not to trigger this false-positive warning in the future. However, it might also point to the illegal exfiltration of sensitive data to an unknown location at a very early stage.
The data gathered by the AI engine can also be used as part of a forensic investigation, tracing data flows through your organisation to locate which workstations or servers may have been compromised, what malware was involved and if it self-replicated, whether administration rights have been hijacked, or which data have been stolen. Because the AI tool works continuously, this breach detection system can generate response mechanisms within seconds.
Solid crisis response plan
Then an organisation-wide crisis response plan has to swing into action. Cyber crisis management is not just an IT challenge, but should be a priority issue for the whole organisation, which needs to be primed to respond.
The AI tool will help the IT department block the communication of more data and will help quarantine infected machines and networks. But this is just a minimum requirement. You need to have a broader plan if personal data has been compromised, particularly passwords, private communications and personal data protected by the respective legal framework.
Clients and product vendors will need to be contacted as soon as possible. You will need to inform partners of the potential for them having been infected. Financial services businesses will need to notify their respective regulators, as well as the National Commission for Data Protection (CNPD), the state-run Computer Incident Response Center Luxembourg, and even the police.
Incident response plans need to be thorough, well understood and tested, so that everyone will be able to respond appropriately given different attack scenarios.
You wouldn’t want the information about the breach to leak out in an uncontrolled way, so you will need to be up-front and communicate clearly to the media. You will also need key executives ready to take decisions quickly. If your data has been locked by ransomware, do you take the risk and pay the ransom, or can you rely on backups? You may also need to spend cash urgently, and you will need to be able to access this 24/7. In other words, as well as the CIO and CSO, the CEO, the CFO, internal legal, the head of communications, and more will need to be able to respond in an orchestrated way at any time and on any day.
Incident response plans need to be thorough, well understood and tested, so that everyone will be able to respond appropriately given different attack scenarios. These plans will need to take account of the potential for absences of key people in the case of illness or holiday. These contingencies need to be simulated as-live in real time so that if the worst happens you can have a methodical, reflex response.
Cybercriminals are so resourceful that it is unrealistic to believe you can protect yourself from an attack. But clients and shareholders have the right to expect you to have deployed the most effective technology and have tested crisis-response plans in place. Ultimately it’s all about being better prepared.