As the world continues to expand its reliance on computing technology, data has become a commercial form of currency. As with all things of value, modern criminals are using every means necessary to access data and exploit it for various reasons.
Data breaches are increasingly common, and it almost seems as if we’re only a notification away from the next global industry leader reporting a compromise of its network that exposed the data of hundreds, thousands, or millions of customers.
While these breaches are generally the result of hacking or computer/network intrusions, several other categories of incident fall under the same heading: data read from an employee’s stolen laptop or computer, negligence or error by personnel that exposes vulnerabilities or sensitive data to the public, or accidental exposure through cloud-based storage and services.
These attacks are usually pictured as the work of hackers looking for end users’ personal information to sell for identity theft or access to bank accounts. In practice, a data breach can be instigated by anyone with enough knowledge and motive to obtain the information they want.
Industrial espionage in modern IT
The word espionage brings to mind secret agents around the globe struggling to keep their nation’s security intact or thwarting the plans of a criminal organization. Industrial espionage, though, is a real threat to any organization competing for an advantage over its rivals.
In October 2018, federal prosecutors revealed the details of charges accusing Chinese government intelligence officers and their co-conspirators of repeated computer intrusions to steal turbofan engine designs for commercial jetliners. The offenders were gathering the designs to develop their own comparable engine, to be manufactured in China by their government-owned aerospace company.
These designs were developed through a partnership between unnamed companies and a US-based aerospace organization.
The indictment details how those involved used various hacking methods between 2010 and 2015 to gain access to aerospace company networks. One method was to register a doppelganger domain name closely resembling that of one of the companies involved in the engine design.
While most of the companies are not named in the 21-page indictment, Capstone Turbines, a Los Angeles gas turbine manufacturer, is listed as a target, and one of the domain names created was capstonetrubine.com.
By creating a domain that resembled the real company’s, the attackers could run a watering hole attack: outside organizations that mistakenly accessed the false domain were infected with malware, leaving their own network infrastructures vulnerable.
The more often an outside company accesses the real domain, the higher the chance that someone reaches the look-alike by mistake and spreads the malware. Using a combination of spear phishing, watering hole tactics, malware, and domain hijacking, the attacks went undetected until US law enforcement uncovered the infections and notified the affected businesses to take action.
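A defender’s counterpart to the doppelganger domain described above is to watch outbound DNS queries for names that nearly match the domains of trusted partners. The following example is added here and is not part of the original article or the indictment; the watch list, the log format, and the query log lines are all constructed for illustration. It uses the optimal string alignment variant of Damerau-Levenshtein distance, so a single swapped pair of adjacent letters (capstonetrubine vs. capstoneturbine) counts as one edit and is flagged:

```python
"""Flag look-alike (doppelganger) domains in DNS query logs.

Added example for this article; the watch list, log format and log lines
are constructed, not taken from the indictment or any real telemetry.
"""

# Legitimate partner domains that staff are expected to reach (constructed).
WATCH_LIST = ["capstoneturbine.com", "example-aero.com"]

# Constructed DNS query log: "<timestamp> <client ip> <queried name>".
SAMPLE_DNS_LOG = """\
2015-03-01T09:12:03Z 10.1.4.22 capstoneturbine.com
2015-03-01T09:12:40Z 10.1.4.22 capstonetrubine.com
2015-03-01T09:13:10Z 10.1.7.9 mail.example-aero.com
2015-03-01T09:14:55Z 10.1.7.9 exarnple-aero.com
2015-03-01T09:15:02Z 10.1.2.2 wikipedia.org
"""


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein edits plus a single
    adjacent transposition (e.g. 'ur' -> 'ru') counted as one edit."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,        # deletion
                          d[i][j - 1] + 1,        # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[-1][-1]


def registrable_domain(name: str) -> str:
    """Simplification for this example: the last two labels are treated as
    the registrable domain (no public-suffix list handling)."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_lookalikes(log_text: str, watch_list=WATCH_LIST, max_distance: int = 2):
    """Return queries whose registrable domain is within max_distance edits
    of a watched domain without being that domain itself."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        ts, client, qname = parts
        domain = registrable_domain(qname)
        if domain in watch_list:
            continue  # exact match: legitimate traffic
        for legit in watch_list:
            dist = osa_distance(domain, legit)
            if 0 < dist <= max_distance:
                findings.append({"time": ts, "client": client, "queried": qname,
                                 "resembles": legit, "distance": dist})
    return findings


if __name__ == "__main__":
    for f in find_lookalikes(SAMPLE_DNS_LOG):
        print(f"{f['time']} {f['client']} queried {f['queried']} "
              f"(resembles {f['resembles']}, distance {f['distance']})")
```

The distance threshold is deliberately small: with a long watch list, a larger threshold produces noise from unrelated short domains, so in practice the check is scoped to partner domains that matter and to names of similar length. A hit is a signal to investigate, not proof of compromise; the client that resolved the look-alike is the first host to review.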
The importance of robust threat detection
This example shows why organizations must make threat detection a critical focus and prepare how they will respond to such attacks, using security methods such as micro-segmentation to minimize the damage incurred.
The goal is to discover a threat as soon as an attempted or successful intrusion has taken place. Dynamic deception, reputation analysis, and policy-based detection help surface live breaches and allow for immediate containment while the activity is investigated and judged malicious or not.
Early threat detection prevents prolonged access to sensitive data and gives organizations the ability to act quickly to limit the spread of malware and its effects.
In the stolen engine design case, early detection would have identified the attack in time to protect the files and prompted an immediate investigation of the attack’s source and the culprits involved.
During the investigation, data collected from the incident is reviewed to trace the footprint left behind by the attack, determine which user credentials and intrusion methods were used, and then identify the attack’s patterns and characteristics.
The information gathered allows administrators and security teams to determine whether the activity came from a new or unrecognized user with a legitimate business need or whether a genuine attack is under way and security response protocols should be enacted.
The response tactics an organization takes after a threat has been detected are equally important in limiting the landing site, or damage area, of a malicious intrusion.
With an advanced micro-segmentation foundation in place, the entire network architecture is monitored and incident response policies are ready to take immediate quarantine actions.
Options include exporting indicators of compromise (IOCs) to specific security gateways, single-click updates of segmentation policies that cut off traffic to the attacked points and block east-west movement toward systems reachable with the intruder’s credentials, and even suspending, stopping, or disconnecting VMs to limit the damage caused by the attack.
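To make the segmentation and quarantine idea concrete, here is an added example (not code from the article or from any vendor’s product) of a minimal micro-segmentation policy engine: workloads are labelled with a segment, an allow-list names the permitted segment-to-segment flows per port, every other east-west flow is a violation, and quarantining a host re-labels it so that only the forensics collector may still reach it. The segment names, IP addresses, rules and flow records are all constructed for this illustration.

```python
"""Minimal micro-segmentation policy check with a quarantine response.

Added example for this article; segments, addresses, rules and flow
records are constructed and do not model any specific product.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    """An allowed flow: source segment -> destination segment on a port."""
    src_segment: str
    dst_segment: str
    port: int


@dataclass
class Policy:
    segments: dict          # workload ip -> segment label
    rules: set              # set of Rule; anything not listed is denied
    quarantined: set = field(default_factory=set)

    def segment_of(self, ip: str) -> str:
        # A quarantined host loses its normal label, so none of the
        # east-west rules it previously matched apply to it any more.
        if ip in self.quarantined:
            return "quarantine"
        return self.segments.get(ip, "unknown")

    def is_allowed(self, src_ip: str, dst_ip: str, port: int) -> bool:
        return Rule(self.segment_of(src_ip), self.segment_of(dst_ip), port) in self.rules

    def quarantine(self, ip: str) -> None:
        self.quarantined.add(ip)


def build_policy() -> Policy:
    """Constructed inventory and allow-list for the example."""
    segments = {
        "10.0.1.10": "web",
        "10.0.2.10": "app",
        "10.0.3.10": "db",
        "10.0.4.10": "design-repo",
        "10.0.5.7": "engineering-ws",
        "10.0.9.1": "forensics",
    }
    rules = {
        Rule("web", "app", 8443),
        Rule("app", "db", 5432),
        Rule("engineering-ws", "design-repo", 443),
        # The only flow a quarantined host may receive: the collector's SSH.
        Rule("forensics", "quarantine", 22),
    }
    return Policy(segments, rules)


# Constructed east-west flow records: "<src ip> <dst ip> <dst port>".
SAMPLE_FLOWS = """\
10.0.1.10 10.0.2.10 8443
10.0.2.10 10.0.3.10 5432
10.0.5.7 10.0.4.10 443
10.0.5.7 10.0.3.10 5432
10.0.5.7 10.0.2.10 445
"""


def evaluate_flows(policy: Policy, flow_log: str):
    """Return the (src, dst, port) flows the policy does not permit."""
    violations = []
    for line in flow_log.splitlines():
        src, dst, port = line.split()
        if not policy.is_allowed(src, dst, int(port)):
            violations.append((src, dst, int(port)))
    return violations


def contain(policy: Policy, violations) -> set:
    """Quarantine every source host that produced a violation."""
    offenders = {src for src, _, _ in violations}
    for ip in offenders:
        policy.quarantine(ip)
    return offenders


if __name__ == "__main__":
    policy = build_policy()
    found = evaluate_flows(policy, SAMPLE_FLOWS)
    for src, dst, port in found:
        print(f"violation: {src} ({policy.segment_of(src)}) -> "
              f"{dst} ({policy.segment_of(dst)}) port {port}")
    print("quarantined:", contain(policy, found))
```

The point of the default-deny allow-list is that a workstation reaching for the database is a violation even when the credentials it presents are valid, which is exactly the east-west movement the paragraph above describes. Quarantine is implemented as a label change rather than a rule deletion, so the response is a single update and is trivially reversible once the investigation clears the host.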
Rapid detection of threats minimizes losses
Keeping a network infrastructure hidden from attackers has been a primary security practice for a long time. Given how constantly attackers probe networks worldwide, though, it is imperative to prepare for the likelihood of an intrusion.
Left unmitigated, a breach leads to immediate financial losses, and the damage to the brand can cost future opportunities. With the frequency and success rate of cyber-attacks today, an organization must have an action plan for what happens when an intrusion occurs.