
First Signs: How to Recognize a Cyber Attack in Time?


Cyber attacks are most often detected only once they are already underway. Cybersecurity experts repeat this year after year, and are persistently ignored by those who ask ‘who would attack us’. A cyber attack is no longer a ‘what if’ situation but a ‘when’: it is not a question of whether you will be attacked, but when.

The most notable attack in the recent period was undoubtedly the one on ZET. At the end of October, the company announced that an attack had occurred, affecting part of the network intended for administrative services. ZET then isolated its information system for several days, rendering sales points and the MojZET application non-functional. ZET is just one in a series of victims of cyber attacks following Hanfa, KBC Zagreb, Split Airport, and many others.

Could this attack have been avoided? Probably yes, but again, attacks come without warning. This was confirmed to us by Neven Zitek, Cyber Security Business Solutions Director at Span.

– What a typical Security Operations Center (SOC) does is detect early signs of compromise. For example, logins to user accounts at unusual times, anomalies in network traffic (large amounts of outgoing traffic), network traffic to known malicious websites, changes to known files, unusual access (e.g., a receptionist accessing finance systems), etc. A large number of received so-called phishing emails or emails targeting specific individuals in the organization may indicate that an attack is already underway. Such a signal should be treated as an ‘early warning’, raising awareness among employees and checking defensive measures – explains Zitek, adding that all signs we can observe technically indicate that an attack has already begun and it only depends on the phase and intensity of the attack.

Technical Failure or Attack?

Cybersecurity expert and board member at Infigo, Bojan Ždrnja, adds that unfortunately, the most common sign today that a system is under cyber attack is that it is unavailable; however, if this is excluded, the usual signs are unexpected changes in system operation such as system slowdowns, user logins at strange times and from unexpected locations, and outgoing network traffic to the attacker’s servers.

– Of course, sophisticated attackers try to minimize the chance of detection and will often try to ‘stay under the radar’, conducting activities that look just like legitimate ones. We do this in so-called Red Team exercises where we simulate advanced attackers – says Ždrnja.

Since these warning signs can be identical to those of a technical failure, the real question is how to tell an attack from a failure. According to Ždrnja, when something is not working, it is always an incident; what then has to be analyzed is whether it is a security incident or a technical one.

– To make this as precise and quick as possible, it is essential to have correct log records and telemetry from the system. Today, SOC serves precisely for the detection of incidents/anomalies; ideally, they should have monitoring 24 hours a day, seven days a week, as we do at Infigo – says Ždrnja.

This initial recognition of whether it is a failure or an attack is the biggest challenge for IT and security teams, and according to Zitek, the key difference lies in correlation and context.

– IT teams in the event of an outage have as their primary goal to restore the availability of the application (server, service) as soon as possible. Security teams are tasked with linking that event to other recorded signals and concluding whether it was done intentionally and for what purpose. This is where the main challenge lies because often the intent cannot be immediately detected, so a coordinated response from IT and security teams is crucial in cases of greater unavailability – explains Zitek.

Passwords are Most Often Stolen

The most common mistake companies make is, of course, ignoring suspicious behavior of users or systems, which is, according to Ždrnja, somewhat understandable as they do not want to create noise in the number of reports. However, user education and system protection are important to reduce the likelihood of an attack.

It is important to react as soon as there is a suspicion of an incident, whether it was reported by the SOC or if some user noticed something internally.

– Generally, we always recommend the phases of Preparation (preparation for the incident that will inevitably happen sooner or later), Identification (identification of the incident itself), after which comes Containment (isolating the incident), Eradication (removing the attacker from the system), Recovery, and Lessons Learned, which is a very important step where we prevent the recurrence of such incidents in the future – explains Ždrnja.

We have heard numerous examples from cybersecurity experts about how they stopped an attack at the last minute for a client, but Zitek notes that they have about a dozen such examples daily. Their SOC processes about 1.5 billion signals every hour, among which is information that a cyber attack has started or is underway on infrastructure, user identities, or applications.

Attacks most often target identities, in the form of attempts to steal passwords, so signals such as logins at unusual times or from unusual places may indicate that a compromise has occurred. Another common action is recognizing phishing emails that belong to a larger campaign, locating every copy across all inboxes, and deleting them before they reach other end users.
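As an added illustration, not code from the article or from the Span or Infigo SOCs, the login signals named above and in Zitek's earlier list (logins outside working hours, logins from a location not previously seen for that user, and a role reaching a system it has no business on, such as a receptionist on a finance system) are expressed as simple rules over constructed JSON log lines, followed by the correlation step that escalates a user who trips more than one rule. The event format, the per-user country baseline, the role-to-system table and the working hours are all assumptions.

```python
import json
from datetime import datetime

# Constructed sample events (not real log data), one JSON object per line as a SIEM might export them.
SAMPLE_EVENTS = """
{"ts": "2024-11-04T09:12:00", "user": "ana", "role": "finance", "src_country": "HR", "system": "erp-finance"}
{"ts": "2024-11-04T03:41:00", "user": "marko", "role": "reception", "src_country": "HR", "system": "erp-finance"}
{"ts": "2024-11-04T10:05:00", "user": "ana", "role": "finance", "src_country": "BR", "system": "erp-finance"}
{"ts": "2024-11-04T11:30:00", "user": "marko", "role": "reception", "src_country": "HR", "system": "visitor-desk"}
""".strip()

# Assumed baselines: countries each user normally logs in from, and which roles may use each system.
KNOWN_COUNTRIES = {"ana": {"HR"}, "marko": {"HR"}}
ALLOWED_ROLES = {"erp-finance": {"finance"}, "visitor-desk": {"reception", "finance"}}
WORK_HOURS = range(7, 19)  # assumed local working hours, 07:00 to 18:59


def parse_events(text):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_anomalies(events, known_countries=KNOWN_COUNTRIES, allowed_roles=ALLOWED_ROLES):
    """Return one (user, timestamp, reason) tuple for every rule an event matches."""
    findings = []
    for ev in events:
        hour = datetime.fromisoformat(ev["ts"]).hour
        if hour not in WORK_HOURS:
            findings.append((ev["user"], ev["ts"], "login outside working hours"))
        if ev["src_country"] not in known_countries.get(ev["user"], set()):
            findings.append((ev["user"], ev["ts"], f"login from unusual location {ev['src_country']}"))
        if ev["role"] not in allowed_roles.get(ev["system"], set()):
            findings.append((ev["user"], ev["ts"], f"role {ev['role']} not expected on {ev['system']}"))
    return findings


def correlate(findings):
    """Escalate users with two or more distinct signals: a single rule hit is noise, two is context."""
    by_user = {}
    for user, _, reason in findings:
        by_user.setdefault(user, set()).add(reason)
    return sorted(user for user, reasons in by_user.items() if len(reasons) >= 2)


if __name__ == "__main__":
    hits = detect_anomalies(parse_events(SAMPLE_EVENTS))
    for user, ts, reason in hits:
        print(f"{ts} {user}: {reason}")
    print("escalate:", correlate(hits))
```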

There is also, of course, the installation (intentional or unintentional) of malicious software downloaded from the internet, whose activity has been recognized, stopped, and removed from the system. In all these cases, Zitek states, the crucial factor is the use of the latest technology and mature processes within the organization of the Security Operations Center. Of course, for these purposes, artificial intelligence also comes to the rescue.

AI Finds a Needle in a Haystack

– The primary purpose of automation and AI is to increase productivity by speeding up routine actions, where each component has its role. Automation in incident response is key. If we know in advance what signals indicate a compromise of the system, and we also know what the expected steps are for such a case, then automating such a response is an ideal application because time is not wasted while a person confirms the signals nor is time wasted before applying containment and isolation techniques. AI, on the other hand, helps find the ‘needle in a haystack’ in the sense that by processing large amounts of data, it can find the anomalies we are looking for that may indicate a compromise of the system – says Zitek, adding that for the success of these tools, the human element remains crucial, which is the core of modern cyber defense.

In the end, one should not focus solely on one aspect of a cyber attack but should work evenly on overall resilience to cyber attacks, which also includes recovery in the event of a successful attack.

– At the forefront is definitely the management of information or cyber assets. Here I include conducting a Business Impact Analysis (BIA) on the assets to identify critical assets. Then 24x7x365 monitoring of assets by the Security Operations Center with the help of advanced antivirus tools. A good policy of strong passwords (or even better, a passwordless system without passwords) and multi-factor authentication, along with limiting user access rights only to what is necessary – asserts Zitek.

This Span expert notes that creating a plan for responding to a crisis caused by a cyber attack, and establishing the corresponding business processes in a timely manner, is essential. And finally, equally important but often overlooked, he adds, is continuous education and awareness-raising among all employees and management, so that they are aware of risks and of changes in threats, and so that their behavior does not transfer those risks into their organization.