Top Security Intrusion Trends the Legal Community Should Watch

To help shed light onto the latest cybersecurity trends, CrowdStrike compiled and published the Cyber Intrusion Services Casebook, which is an analysis of key data from hundreds of incident responses and proactive service investigations. See, http://tinyurl.com/j7vqf2y (registration required).

The Casebook provides evidence of several emerging trends observed in attack behavior, as well as a number of actionable takeaways so organizations can utilize lessons learned and best practices to improve their own defenses. The data points can serve as guiding principles for organizations to help them focus on transforming and maturing their security practices and establishing proactive incident response strategies.

One particularly interesting finding that was uncovered was the marked increase in the number of organizations self-detecting breaches. All too often companies are alerted to the fact that they have been compromised from a third-party source. However, self-detection often means that an organization is far more likely to identify breaches in their early phases, and hence, tend to suffer less loss of data and recover rapidly. Although this is an encouraging trend, organizations need to maintain a greater degree of vigilance and look at organizational and legal risk holistically. Now, more than ever, risk assessments need to be informed by actual adversary tactics, techniques, and procedures (TTPs) that already have been used to target your organization or industry and that are likely to emerge against it.

Below are notable takeaways and trends that encapsulate many of the broader forces that shape security preparedness and proactive risk-mitigation.

Operating under Attack

Organizations experience almost immediate re-infection attempts after the discovery of a breach. On average, adversaries engage in aggressive infection re-attempt efforts within two days of remediation efforts. It is important to understand that a large number of cyberattacks are not discrete events but ongoing campaigns, often launched by well-resourced and sophisticated adversaries. As adversaries continue to adapt to evade conventional defenses, organizations need to build sophisticated detection, prevention, and investigation capabilities and expertise to limit their exposure and vulnerability to repeated attack attempts. Preparation is the most significant aspect to lowering business risk.

Defending Against Multiple Concurrent Attackers

Despite the common misperception that organizations are up against one adversary at a time looking to siphon IP or other valuable assets, it is not unusual to find that multiple hackers infiltrated a company's network. Organizations need to invest in technologies that will allow them to have full visibility into their environment, recognizing that hackers can remain lurking in the background even after a “successful” remediation of a discrete episode. In today's interconnected world, a company not only has to evaluate risk based on internal and external threats to its own network, but also remain cognizant of how vulnerable its data may be in the downstream of its supply chain, outside partners, and vendors. To that end, elevating the security discussion to be a part of all business deals, partnerships, and information exchanges can make or break a company's success.

Adversary Tradecraft

Adversaries are leveraging stealthier, often malware-free intrusion tactics and are becoming more cautious in their tradecraft to remain unnoticed for as long as possible. As a result, baseline security protection, like traditional anti-virus technologies, are becoming less effective. Commercial and public sector enterprises should deploy continuous, advanced monitoring capabilities and should incorporate threat intelligence relating to attacker tradecraft, motivations and tool sets.

The Human Element

The most common tactic of attackers upon initial entry into the network is to secure domain and enterprise credentials to maximize chances of staying unnoticed and moving laterally across the environment. To that end, it is critical to establish policy and access procedures that restrict unnecessary access to data and files. Having a widely disseminated, well-understood information security policy should be a top priority for cyber risk leaders. To be effective, the policy should be a living document, not just a “check the box” exercise. It must be shaped and periodically reviewed by senior leadership in consideration of the company's business objectives. Similarly, training employees and IT staff to discern uncommon activity, and to understand the underlying rationale behind corporate security efforts, can help mitigate the risk of insider threats and external attacks.

Conclusion

Often, legal counsel is tasked with spearheading the process of creating risk mitigation strategies for their customers that incorporate the organization's capacity to identify, protect, detect, respond to, and recover from a data privacy breach or other material loss. Although there is no one-size-fits-all approach for cyber preparedness, understanding attack trends and common techniques will help lawyers serve effectively as cyber risk leaders.

Steven Chabinsky is General Counsel and Chief Risk Officer for the cybersecurity technology firm CrowdStrike. He also is the cyber columnist for Security magazine, and previously served as Deputy Assistant Director of the FBI's Cyber Division. Follow him on Twitter @StevenChabinsky.