Building organizational confidence in a company’s Internet threat defense effort means we can never let our guard down.  A potential security threat can come from anywhere at any time, and it doesn’t have to arrive over the Internet.  Many threats are introduced internally by infected handheld and laptop devices which walk right past the firewall.

Although most companies take a layered approach to network security and threat detection, recent malware can use polymorphic techniques: it re-encodes or re-encrypts its own body so that every copy has a different structure and content on the wire, while its behavior once it runs stays the same.  Solutions which perform deep packet inspection and pattern match against constantly updated signatures are keyed to those bytes, so a variant the signature authors have never seen passes through unmatched.

Traditional security methods such as antivirus, access control lists, RADIUS authentication, password rotation, VPNs, firewalls and intrusion detection systems continue to guard our intellectual property and corporate wealth, but we know that advanced evasion techniques still sneak past our best countermeasures.   How then should security officers continue to press on with their defense efforts against the most insidious types of electronic crime, such as Advanced Persistent Threats (APTs)?

There is also the issue of follow-up.  Once we have isolated a suspicious behavior pattern, how can we confirm that the connection was nefarious?  What signs are indicative of cyber crime?  What are the first steps, and who do you contact?
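As an added illustration of the two points above (example code written for this edit, not part of the original post or of any Plixer product): the toy polymorphic engine below re-encodes the same payload with a different key each time, so a fixed byte signature fires on the original and on none of the variants, while a payload-independent check on constructed flow records (the kind of metadata a NetFlow/IPFIX collector sees) still isolates the host that contacts the same destination at a fixed interval. The stub format, payload, signature, addresses and timestamps are all constructed for the example and are not real indicators.

```python
"""Added example: byte signatures versus polymorphic variants, and a
payload-independent behavioural check on flow metadata. Every payload,
key, address and timestamp below is constructed for illustration."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: a malicious command fragment and the static byte
# signature a DPI engine would carry for it.
PAYLOAD = b"cmd.exe /c whoami & net user backdoor P@ss /add"
SIGNATURE = b"cmd.exe /c"


def signature_match(data, signature=SIGNATURE):
    """Signature/DPI style detection: exact byte pattern anywhere in data."""
    return signature in data


def polymorphic_variant(payload, key):
    """Toy polymorphic engine (hypothetical wire format): XOR-encode the
    payload with a per-sample key and prepend a small decoder stub.
    Every key yields different bytes but identical behaviour when run."""
    if not 1 <= key <= 255:
        raise ValueError("key must be 1..255 (0 would leave bytes unchanged)")
    body = bytes(b ^ key for b in payload)
    return b"STUB" + bytes([key]) + body


def run_stub(blob):
    """What the victim host does with the blob: recover the original payload."""
    key = blob[4]
    return bytes(b ^ key for b in blob[5:])


# Constructed flow records as (timestamp_seconds, src, dst, dst_port).
# 10.0.0.15 beacons to 203.0.113.7:443 roughly every 60 s; 10.0.0.22 browses
# 198.51.100.4 at irregular times and makes a few DNS queries.
CONSTRUCTED_FLOWS = [
    (0, "10.0.0.15", "203.0.113.7", 443),
    (61, "10.0.0.15", "203.0.113.7", 443),
    (119, "10.0.0.15", "203.0.113.7", 443),
    (181, "10.0.0.15", "203.0.113.7", 443),
    (240, "10.0.0.15", "203.0.113.7", 443),
    (299, "10.0.0.15", "203.0.113.7", 443),
    (5, "10.0.0.22", "198.51.100.4", 80),
    (9, "10.0.0.22", "198.51.100.4", 80),
    (200, "10.0.0.22", "198.51.100.4", 80),
    (203, "10.0.0.22", "198.51.100.4", 80),
    (260, "10.0.0.22", "198.51.100.4", 80),
    (900, "10.0.0.22", "198.51.100.4", 80),
    (4, "10.0.0.22", "192.0.2.9", 53),
    (199, "10.0.0.22", "192.0.2.9", 53),
    (259, "10.0.0.22", "192.0.2.9", 53),
]


def beacon_candidates(flows, min_count=5, max_jitter=0.15):
    """Group flows by (src, dst, port) and flag groups whose inter-arrival
    times are nearly constant: coefficient of variation <= max_jitter.
    Returns {(src, dst, port): mean_interval_seconds}. Needs no payload."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst, port)].append(ts)
    hits = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_count:
            continue                      # too few samples to call it periodic
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits[pair] = round(avg, 1)
    return hits


def demo(keys=(0x21, 0x7F, 0xA5)):
    """Return (signature hits on wire bytes, hits after decoding, beacon hits)."""
    variants = [polymorphic_variant(PAYLOAD, k) for k in keys]
    on_wire = [signature_match(v) for v in variants]                 # all False
    after_decode = [signature_match(run_stub(v)) for v in variants]  # all True
    return on_wire, after_decode, beacon_candidates(CONSTRUCTED_FLOWS)


if __name__ == "__main__":
    wire, decoded, beacons = demo()
    print("signature fires on wire bytes:", wire)
    print("signature fires after decoding:", decoded)
    print("periodic (src, dst, port) pairs:", beacons)
```

The signature engine is not wrong, it simply never sees the bytes it was written for; the flow check works because the controller contact interval is a property of the implant's behaviour, not of its encoding. In practice the jitter threshold and minimum sample count need tuning per network, and a periodic hit is a lead for the follow-up questions above, not proof of compromise on its own.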

What are Cyber Criminals looking for?

Looking back over the past 25 years of threat detection and mitigation, threats have evolved from malware written simply to ruin files and backups to organized, targeted attacks.  More specifically, some are run by politically motivated groups who launch denial of service attacks with the intention of shutting down web sites.  An example of such an attack was performed on the Nasdaq web site on February 14th, 2012 (i.e. Valentine’s Day). The intention in shutting down these sites is often to prevent a company from doing business.  Other attacks are designed to steal either intellectual property or actual money from online bank accounts.  You may want to ask yourself: who is being targeted the most?

“I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly), with the great majority of the victims rarely discovering the intrusion or its impact. In fact, I divide the entire set of Fortune Global 2,000 firms into two categories: those that know they’ve been compromised and those that don’t yet know.”
Dmitri Alperovitch, former VP of Threat Research, McAfee®

Companies less concerned about their bank accounts being tapped should consider the much larger implications of their intellectual property being stolen.  Dmitri went on to say:

“What is happening to all this data … is still largely an open question. However, if even a fraction of it is used to build better competing products or beat a competitor at a key negotiation (due to having stolen the other team’s playbook), the loss represents a massive economic threat.”

In the worst case, the cyber criminals are after your company’s assets. If they can’t compete in your industry the old-fashioned way, they’ll take what you spent so much money to build:  your intellectual property.  They want your customer lists, your engineering designs, your future marketing plans and the names of your best employees, and then they want to use all of it against your company.  How much would you pay to learn all this about your closest competitor?

Read Part 2.

Michael

Michael is the Co-Founder and the product manager for Scrutinizer Incident Response System. He can be reached most hours of the day between work and home. He enjoys many outdoor winter sports and often takes videos when he is snowmobiling, ice fishing or sledding with his kids. Cold weather and lots of snow make the best winters as far as he is concerned. Prior to starting Somix and Plixer, Mike worked in technical support at Cabletron Systems, acquired his Novell CNE and then moved to the training department for a few years. While in training he finished his Masters in Computer Information Systems from Southern New Hampshire University and then left technical training to pursue a new skill set in Professional Services. In 1998 he left the 'Tron' to start Somix which later became Plixer. Feel free to email him.
