Using cyber intelligence to catch cybercriminals. (Image Source: ).
The story of a local bank being taken for R300 million by cyber criminals who had 100 people withdrawing money from ATMs in Japan made the headlines. But South African companies, unlike their US counterparts, are not required by law to report cases of cyber theft so how many more have gone by unmentioned? The bank reportedly never got its cash back so it’s still wise to secure your systems from attack; the more proactive the better.
The likelihood of cyber attackers plundering your vaults is already vast and growing daily. The threat landscape today is highly sophisticated but our defences are typically out-dated and reactive systems. That’s because today’s hackers are often young professionals who work for organised crime syndicates and in many cases they target specific, high-value organisations.
A colleague from IBM, which supplies the i2 Enterprise Insight Analysis solution, worked with the Mexican secret service to combat drug cartels funding organised cybercrime, for example. The cartels have a well of finances the envy of many enterprises so they get the best skills, the best tools, and they have time on their side.
The i2 solution is a sophisticated, next-generation threat analysis solution used by the Mexican secret service, 32 out of 36 policing organisations in the UK, including MI5 and MI6, the FBI, Israel’s Mossad, various military units, and the police in South Africa. It has evolved to be relevant by helping catch bad guys for 26 years and is now commercialised and available for enterprises.
The reason you need it yourself instead of going to the police for help, when they already have this tool, is that they are under-resourced, just as their counterparts are elsewhere in the world. And they have much bigger physical world crime issues on their hands. They are good at kicking down doors. They’re less experienced at hunting cybercriminals who lurk in basements behind packet sniffers, tapped cables, and who make man in the middle attacks on obscure data centres in Brussels back rooms.
But to get the cops to kick in a specific door you must be able to reliably tell them which one. That’s what we’re doing with i2. And we’re helping businesses understand their vulnerabilities at any given moment – as well as giving them the tools to investigate, rapidly find the perpetrators, and give law enforcement actionable insights.
Another fact of cyber attacks is that they almost never materialise out of the blue and they’re almost never successful on the first attempt. They typically occur in stages. The crooks test your defences, fail, and return with new approaches to defeat your static counters. They’re fluid and you’re not, the warning signs are usually there, and we would have seen them had we looked.
We need to keep tabs on insider fraud via structured transactional data, chatter in the deep web in services such as Pastebin, unstructured data in our internal reports, and social media feeds where more human chatter occurs. We wrap that up in a dashboard that’s easy and quick for executives to keep an eye on but into which they can drill as deep as they like to ascertain the precise facts.
Behind the dashboard tiered security with intelligent analyses form sophisticated barriers that help you pivot faster than the bad guys. Tier one firewalls have policies that zap IPs that originate from countries in which you don’t operate. They trap known malware and vaporise it. They trap large attachments for human inspection. At tier two you correlate events. They take care of what’s known as the 5km, one-minute card rule where a single bank card cannot be used to withdraw money from two different ATMs, 5km apart, within one minute of each other.
Once you’ve matured tier two you begin to create the intelligence I’ve spoken about. It’s tier three, human-driven intelligence with automated help that visualises the associations to feed intelligent questioning. And the entire time it’s updating the dashboard vulnerability scenario so the executives can see that cutting security personnel or other resources increases work in progress and cycle times, indicating problems, and demonstrating their exposure in light of legislation such as Protection of Personal Information (POPI) Act.
It’s an approach that helps you find the crooks when they’re still trying to access your systems and helps you feed law enforcement actionable intelligence they can use to kick down doors.
By Tallen Harmsen, head of IndigoCube Cyber Security
Powered by WPeMatico