Cybersecurity: A multilayered approach to cybersecurity

This article first appeared in Enterprise, The Edge Malaysia Weekly, on October 8, 2018 - October 14, 2018.
-A +A

Security and privacy are vital in a data-driven society. Even more so for businesses in the digital economy, which is a lifeline for many organisations.

With companies getting more connected and relying more heavily on cloud computing, the cloud and the digital assets it stores are becoming a treasure trove for hackers looking to gain access to sensitive information, damage reputations and make a quick buck. This calls for more innovative cybersecurity solutions.

A study by Accenture and the Ponemon Institute on the cost of cybercrime found that the average annual cost of cybersecurity per organisation jumped 22.7% from US$9.5 million in 2016 to US$11.7 million last year. The amount has increased an astounding 62% over the last five years.

The study, which examined the costs incurred by organisations when they respond to cybercrime, also found that a company suffers 130 breaches (core network or enterprise system infiltrations) on average annually. This was 27.4% higher than in 2016 and almost double what it was five years ago.

Traditional cybersecurity uses preventive strategies aimed at blocking attacks. This model meant that all of the solutions were working in silos as they defended businesses from attackers and malware using multiple firewalls, gateways and software from different vendors, says Trend Micro Malaysia Sdn Bhd technical director Law Chee Wan.

But as the threat landscape evolves, many of today’s advanced threats could bypass perimeter defences with customised attacks that can move laterally and often go undetected for a significant duration. “In the past, a typical organisation would have separate vendors for the firewall, intrusion prevention system, endpoints (such as desktops and laptops), email and website protection,” says Law.

“The problem is, whenever there is a breach — for example, through a mobile phone connected to the office WiFi — and it starts to spread, the different vendors only take care of things at their end and give information based on what they know from the network and endpoints. However, they would have no idea about the origin of the threat.

“Due to the different solutions from multiple vendors, there are a lot of consoles and complexities to deal with. Ultimately, you cannot find the root cause.”

Companies or businesses that depend on digital data in their daily operations are especially vulnerable, says Law. He points out that the reputation of these organisations may be impacted if their digital assets fall into the wrong hands.

“For example, hospital devices cannot have downtime. But once a ransomware locks down the devices, people’s lives are at stake. This is the reason there is a sense of urgency [to ensure that digital assets are always secure],” says Law.

“So, if ransomware is used to target them, the hospital administrators would have no choice but to pay the ransom. Hackers leverage the fact that the data or digital assets are highly valuable to the business owners.”

He adds that just as there are businesses of various sizes, there are different types of hackers. They range from the more sophisticated ones to those who target small organisations.

To address this issue, Trend Micro has come up with a connected threat defence (CTD) strategy — a layered approach to cybersecurity with quadrants for protection, detection and response, as well as a solution for visibility and control. The strategy provides a 360° view of an organisation’s networks, endpoints and hybrid cloud environments, that is, integrated cloud services that utilise both private and public clouds to perform distinct functions within the organisation.

Law points out that the core business of most organisations has nothing to do with cybersecurity. Rather, their focus is on generating revenue. This is where the CTD strategy comes in. He says it can help solve this problem as the entire process of defending the organisation’s assets is automated.

The protection quadrant uses solutions such as anti-malware, behaviour monitoring (evaluating and analysing suspicious activities), intrusion prevention, whitelisting a list of authorised applications, application control, encryption and data-loss prevention. Nevertheless, these solutions are not entirely foolproof as they will not block 100% of all malware or attacks.

To help identify complex threats and attacks that evade standard defences, the detection quadrant comes into play. It employs techniques that can detect zero-day attacks, which exploit previously unknown security vulnerabilities, command and control (C&C) communication and advanced persistent threats.

A timely response must follow every detection or prevention. With the response quadrant, signatures (algorithms that uniquely identify specific viruses such as a definition files) and security updates are delivered in real time to the other quadrants or layers to prevent future attacks, identify root causes and accelerate remediation (the process of cleaning up computers of file-based and network viruses as well as virus or worm remnants).

“If an attack is detected, the intelligence covering malicious file activity, internet protocol (IP) addresses and C&C communication is shared with the prevention quadrant to deliver real-time protection. If the same threat is encountered, it will be blocked immediately,” says Law.

The layered approach and comprehensive techniques may cover the entire life cycle of a threat, but integration is key. The CTD strategy’s components work together as one, with central management and reporting through a visual dashboard that provides an overview of the organisation’s networks, endpoints and hybrid cloud environments, as well as key performance indicators for threat investigations and management tasks.

Law says the life cycle of a threat begins when it enters an organisation’s premises through entry points such as its email system. When a user opens an attachment, the virus spreads. In the case of ransomware, hackers encrypt their victims’ files or data, rendering them inaccessible, and demand a ransom for the decryption.

“Subsequently, it creates the intended damage and the virus spreads laterally to other peers and the entire server. The protection against this entire cycle can be automated with CTD as any threats can be picked up and blocked at any entry point, while the intelligence is shared with the rest of the security layers for future prevention and remediation,” says Law.

As for mobile devices, he says they can be isolated if they contain malicious content. “If we are able to see that there is a mobile user trying to spread a virus to other users or the server, the protection will be able to pick it up. Then, it isolates that particular mobile device from the network so that subsequent hacking activities are disrupted.”

Law points out that years ago, the threat landscape was black and white. Now, as the grey areas grow, security vendors employ machine learning to improve protection against known and unknown threats. “The black-and-white ones are clear cut and you just need signature files to get rid of them — a method that requires less computing power and resources,” he says.

“But for ‘greyballs’ or unknown threats, you need different techniques such as machine learning. Pre-execution machine learning predicts threat intelligence using a mathematical algorithm to understand the threats and remove them, focusing only on static files. However, this method only tackles files that are not encrypted or compressed and so, threats are able to bypass them.

“This is where the run-time behavioural analysis comes in. It is a technique that looks into runtime processes to find unknown threats. Subsequently, the information is shared with the CTD’s sandbox.”


Using AI to tackle BEC schemes

While businesses must be wary of ransomware, protecting themselves against business email compromise (BEC) schemes is equally important. The scam — which targets companies’ wire transfer activities — zeroes in on executives who undertake finance-related work and compromises their email accounts to carry out fraudulent transfers.

Trend Micro predicts that BEC attacks will increase this year and lead to global losses of more than US$9 billion, according to its Security Predictions 2018 report. It said the schemes saw a 106% jump in the second half of last year from the first half.

The two main categories of BEC attacks are “credential-grabbing” and “email-only”. The first can be done via keyloggers programmes that record all keyboard activities or phishing kits to steal credentials and access the webmail of targeted organisations. The latter involves sending an email designed to appear as if a company executive is instructing the target to transfer money to personnel in the finance department (usually the chief financial offer).

Trend Micro has identified purchase orders and payments as the two most common filename categories used for malicious attachments. Law says it is nearly impossible to tell BECs and normal email apart, unlike email that come attached with malicious files or URLs.

“BECs are socially engineered and that is why we came up with an artificial intelligence-powered ‘writing style DNA’ to understand how top executives, who are susceptible to these attacks, write their email. We look at their language usage, their common typos and what not, and we build the AI through this,” says Law.

“After their writing styles are established, if a particular email sent to a finance executive does not have a matching writing style, both the recipient and the sender receive an email instructing them to validate the authenticity of the email.”

Trend Micro Malaysia managing director Goh Chee Hoh was quoted as saying that due to the simplicity and effectiveness of BECs, they will continue to be one of the most prevalent forms of attack, especially for those who lack special tools or knowledge to carry out more sophisticated schemes. “With email being an essential workplace tool, advanced protection methods are required to protect against spam and spear-phishing attempts. Malaysian businesses, especially SMEs that are taking advantage of the digital economy, need to make cybersecurity decisions against these threats part of their business strategy rather than just an IT decision,” Goh says in a media statement.