Insights on the evolving cyber threat landscape
Business has changed markedly over the last few years thanks to the rise and sophistication of digital technologies. As asset managers have evolved to become more automated and utilise a plethora of solutions to manage data, they have unavoidably become more vulnerable to serious cyber attacks. The simple fact is, cyber criminals have an exponentially higher number of attack surfaces to utilise, from cloud computing systems to mobile devices and the Internet of Things.
"What was once a limited attack surface not extending beyond an organisation's firewall has become practically unmanageable," says Jay Kaplan (pictured), CEO and co-founder of Synack. "Companies need to take a proactive approach to securing anything that reaches inside the walls of their organisation as any digital device could cause a complete compromise of the integrity of that organisation's data."
Synack is the first hacker-powered intelligence platform and recently announced it had raised USD21.25 million in a Series C round of funding led by Microsoft Ventures. Leveraging a global crowdsourced network of ethical 'white hat' hackers, Synack's platform delivers an offensive approach to defence for organisations, and works with some of the largest Fortune 500 companies, hedge fund groups, as well as various branches and agencies of the US Government.
"We started the company four years ago having previously spent four years at the NSA supporting the US intelligence community. That gave us a unique perspective on the cyber landscape and opened our eyes to just how pervasive the problem is – something everyone is starting to realise now. With Synack, we wanted to change an organisation's ability to better understand what they look like in the eyes of an adversary trying to break into them.
"The idea is to mimic what the attackers are doing maliciously, by utilising our highly vetted ethical hackers, to probe and test a technology footprint proactively. This provides prioritised insights so that when someone does try to break into an organisation, it becomes so difficult that they decide it's not worth pursuing," explains Kaplan.
Synack currently has 500 researchers on the platform located in over 50 countries. They are referred to as the Synack Red Team or SRT for short.
"Many existing solutions that attempt to discover vulnerabilities have become highly commoditised. We recruit a global network of white hat hackers and when they successfully find a vulnerability with a client, we remunerate them. In addition, we have a process where we do verification of the client's attempted remediation. The client might believe they've patched a vulnerability but many times there is a way to circumvent that countermeasure, something we are able to discover immediately," says Kaplan.
Rather than being reactive to cyber attacks, organisations are able to work with Synack, and others, to employ ethical hacking strategies that expose vulnerabilities, and address them, before the bad guys come along.
Viktor Tadijanovic is Founding Member and CTO of Abacus Group. Firms like Abacus are responsible for managing all of their clients' technology, from an operational standpoint. Although they can't prevent breaches, per se, IT partners can share data-rich reports with clients to highlight if, for example, a disgruntled employee is stealing or deliberately leaking sensitive data.
"An example is file access privileges. Who's got access to which directories? What changes were made? When were those files accessed? We give clients these reports to review and to identify potential red flags. Then they can come back to us and say, 'We think we've seen something suspicious, can you go into this in a little more detail?' We have all the data logs to do this, and potentially identify a rogue employee who is accessing information and appropriating it before they leave," explains Tadijanovic.
The recent high-profile WannaCry and NotPetya ransomware attacks are symptomatic of just how serious cybercrime has become, affecting nations and critical infrastructure with massive consequences. As serious as these attacks are, hedge fund managers need to remain pragmatic and do their best to 'right size' the perceived risks to their organisation.
Craig Balding is the founder of Resilient Security, a London-based firm that provides a range of cyber advisory services to global corporations. Prior to this, Balding was Managing Director within Global Information Security at Barclays PLC.
He acknowledges that for hedge funds, the challenge is trying to put a number on cyber risk.
"They will have governance and risk management frameworks in place but many struggle to determine what their cyber risk exposure is, and also what their appetite is. You can't be perfect, or strive to be. I do think being able to price someone's cyber risk is the elephant in the room," says Balding.
"So much of it is about recognising where you are," states Eldon Sprickerhoff, founder and chief security strategist for the cybersecurity services company eSentire Inc. "It requires sitting down and making pragmatic decisions: what are you allowed to do (as the CTO) and what can you afford to do? What makes the most sense for your firm?
"What are the areas that can be acted upon right away to show the board you are making progress? And what do you need in terms of budget, six to 12 months from now? Demonstrate what you've done, and, if it's not enough, justify what budget you need to complete the task. It's all about doing what is most appropriate from a planning perspective."
Of course, the problem with ransomware, by way of example, is that it takes place in the background. The latest file-less malware strains will try to figure out what software is being used on a system and then attempt to disable updates, leaving computers vulnerable to future attacks.
Sprickerhoff notes that one ransomware group is locking databases and saying, 'We'll let you restore three workstations, which three are they going to be? And by the way, we've locked your database so it's going to cost you more to get that data back'.
"Depending on the database, the client might find themselves having to negotiate thousands of dollars. This is a very tailored approach to malware attacks," says Sprickerhoff.
If someone suffers a cyber breach, having good detection tools in place will help to identify an attack early on and give the manager time to respond. Then it boils down to: Have you got the right playbooks to know how to respond? Have you practiced them?
"Any organisation that is systemically important needs good cyber hygiene that covers entry level defence, targeted protection around your most valuable assets, detection systems that pick up anything that doesn't look normal for your network, and a clear response policy, which means knowing what steps to take to contain the threat.
"People like to spend budgets on fancy systems with flashing lights while completely missing some of the basics of cybersecurity," asserts Balding.
Sprickerhoff says that eSentire recommends that every quarter clients run tabletop exercises to test their incident response plans, "because things are constantly changing. Maybe not the entire IRP but certainly a sub-set of it. You want it to be a live document, not something gathering dust on the shelf."
As fast as the cyber threats evolve, there is one constant feature one can be sure of: the human.
No matter what the size of a breach, or the technology being used to guard against it, people will always be the weakest link.
The most common form of social engineering is the phishing campaign. Dean Hill is Executive Director, Eze Castle Integration. He says that, in relation to cyber hygiene, the biggest issue for firms to deal with is continuity. Often, they will embark on a process to improve their cyber security framework, including staff training, and will hold sessions once, twice, before it becomes a bore and they forget why they are doing the training in the first place.
"Everything we tend to see in relation to phishing involves a lack of human training. Typically, it is the senior people in organisations that are targeted. These are well constructed attacks using social engineering, a lot of research goes into them, and the rewards are often substantial.
"The older generation are perhaps a little blasé and less educated on the sophistication levels of cyber attacks. In addition, I think this has a direct impact on the policies that a firm will employ. If you've got C-suite executives that are not fully up to speed and don't fully appreciate the risks, they are less likely to correctly enforce any policies or procedures, and in that instance, we, as a technology firm, are fighting a losing battle.
"Put a plan in place and stick to the process. Ultimately, you don't do something for nothing. You have to reinforce why it is important," states Hill.
Having a one-size-fits-all approach to cyber awareness training is akin to throwing money down the drain. According to Balding, firms should segment their employees into different groups based on risk profile.
"Anyone at the top table – the CEO, CFO, COO – will need different training to the rest of the organisation. Then you've got high visibility users – the ones that can be easily found on LinkedIn, who are more likely to get targeted by a cyber attack, and therefore need their own cyber awareness training."
Ultimately, every incident response plan should have clear instructions on how to report a phishing email. What does it look like? When did it happen? What were the contents of the email? Then, there needs to be a proper notification process within the firm – who do you go to when you've identified one of these emails?
"A lot of firms that we work with don't have a process for this, so that an employee knows who to forward the email to, to check a link or an attachment," confirms Hill.
There has to be a clear path of verification to determine what a potential attack looks like.
Each individual within a firm should know how to respond properly to a potential threat and escalate it accordingly, rather than clicking on something and putting the business at risk, especially from an outsourced perspective.
"If the manager outsources their IT and does not have internal staff who can deal with this, the employee needs to know what steps to take to share with their outsourced IT partner.
"Ultimately, as the first line of defence we would have done everything possible to identify and quarantine emails to check their contents before they reach the client. We have intrusion detection and prevention systems in place for this. We hope we will catch anything in the net that might contain a malicious attachment or link.
"If something malicious slips through the net, they just need to call us, email us; whatever is easiest. The last thing someone should do is forward the email internally to ask other people to check," advises Hill.
Balding provides a stark insight into the evolution of cyber attacks, using the banking industry by way of example.
Early on, organised crime chased after retail channels. They would focus on consumer accounts, and it was a high numbers game.
Then they started to climb up the value tree and target corporate banking channels, applying a lot of the same kind of attacks but cashing out much larger sums of money. It became a lower volume, higher stakes game.
"They were using malware to get onto an endpoint workstation of a bank employee and installing software that would allow them to watch what that person did on the screen. The end result being that they could work out how to initiate a money transfer from one of the corporate employees. They took time to sit in the background and learn what the employee was doing. It worked well because it was scalable; you only needed to learn the bank platform application once before replicating it multiple times with different banks.
"The third level of sophistication is the SWIFT attack. Now we are talking about the ability to move significant sums of money from one bank to another. In the space of a few years, malware has evolved from attacking retail accounts to corporate accounts to attacking the banks as a whole," says Balding.
The Bangladesh central bank heist last year saw USD81 million appropriated in what remains, to date, the largest cyber heist.
Going forward, Tadijanovic thinks that artificial intelligence will play an increasingly important role in terms of helping firms spot patterns in metadata: possibly a signature of a cryptovirus or a data exfiltration by a disgruntled employee.
"We are focused on this area right now to help us to harness data and make sense of it. It's beyond the capacity of the human brain to consume and make sense of huge volumes of data and come up with the right cybersecurity policy decisions," concludes Tadijanovic.