
The Sunday Business Post, November 17, 2019, page 32. Focus On: Cyber Security Consulting

COMMERCIAL CONTENT

In Sophos’s most recent threat report, there is a section which shows how much ransomware has evolved since 1989. Originally spread by 20,000 floppy disks sent in the post, it has changed significantly between then and the last three years.

WannaCry and NotPetya became the first global ransomware attack and nation-state targeted ransomware respectively in 2017, while 2018 saw targeted large-scale attacks becoming commonplace, and this year brought about the first ransomware targeting IT service providers.

That last part is a bit worrying, as managed service providers are probably the last place you’d expect an attack to come from. Yet it highlights just how important it is for security organisations to become proactive and pre-empt attacks.

As a result, Sophos has moved towards managed threat response (MTR), a necessary decision since the majority of companies don’t have the means to carry out threat hunting.

“Threat hunting is really what we should be doing as best practice,” said Brian Murray, enterprise account executive for Sophos. “We may not see it as completely malicious, but they have some malicious signature to them. It’s behavioural signatures to them, where it’s slightly anomalous behaviour, how can we attack this? How can we quarantine it? How can we look to see if it’s suspicious or not.”

One of Sophos’s main product lines is Intercept X, which allows for endpoint detection and response, and Murray says it’s almost like having an additional person in the security team. With automated responses, it’s able to see if a bad actor is within your organisation and, with synchronised security, can lock down and isolate endpoints so damage is limited.

“With the managed threat response, it means there’s a large global group of people permanently monitoring your environment,” he said.

“[They’re] looking for behaviours that are happening there, mitigating those, remediating them before you do anything, you’ll simply receive an email saying something has happened and it’s been dealt with, which is hugely valuable for any organisation.”

Murray said that while attacks are becoming more sophisticated in their approach, there is a laziness to them as well. None of them are going to spend ages trying to breach a company; instead they’ll go for the low-hanging fruit whenever possible.

On top of that, there are some other shortcuts they take. They may be malicious, but they’ll also look for ways to cut down the workload through automation or by making minor adjustments.

“The attackers are becoming more sophisticated in their approach, but we have to remember that attackers are inherently lazy,” he said.

“There are only around 30 variations of cyberattacks happening in the world, they are just being repeated and slightly augmented to continue breaching perimeters of an organisation.

“Attackers don’t want to be spending too much time in development, they just want to look at what’s easy, what can they do and how they can infiltrate an organisation.”

“Still it works so as long as it works, it will continue [to be done] if organisations keep leaving themselves open.”

The threat report mentions that modern ransomware relies on obfuscation to succeed, as it’s much easier to change a malware’s appearance than to change its purpose or behaviour. Despite that, some of its traits are hard for attackers to change, like encryption of documents, but others can be changed or added.

For one, remote monitoring and management solutions can be used against companies to access IT infrastructure or end-user systems, as they usually allow high-end privileges. Such a thing can be a disaster if it falls into the wrong hands.

Another strategy ransomware can take is to try and minimise detection by digitally code-signing it with an Authenticode certificate which anti-malware or anti-ransomware might not pick up on.

Similarly, taking advantage of the security industry’s best tools by using dual-use utilities such as PsExec from Microsoft Sysinternals, which would allow ransomware to get onto peer machines, is another strategy.
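The dual-use point above is what a defender can act on: PsExec is legitimate administration software, so the signal is not its presence but the pattern of use. The Python below is an added example, not code from Sophos or the article. It runs two checks over constructed Windows System-log records in the shape of event 7045 (“a service was installed in the system”, which PsExec triggers on each target host by installing its PSEXESVC service): a direct match on the default service name or binary, and a fan-out rule that flags any account installing services on several hosts within a short window, which still fires if the service has been renamed. The hostnames, account names, window and host threshold are assumptions.

```python
"""Detection over constructed System-log 7045 records for the service that
PsExec installs on a target host.  Added example: every record, host and
account below is constructed, and the window/threshold values are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

PSEXEC_SERVICE = "PSEXESVC"  # default service name PsExec installs on the target

# Constructed records: (time, host, service name, image path, installing account).
EVENTS = [
    ("2019-11-17T09:02:11", "ws-014", "PSEXESVC", r"%SystemRoot%\PSEXESVC.exe", "CORP\\svc-deploy"),
    ("2019-11-17T09:02:40", "ws-022", "PSEXESVC", r"%SystemRoot%\PSEXESVC.exe", "CORP\\svc-deploy"),
    ("2019-11-17T09:03:05", "ws-031", "PSEXESVC", r"%SystemRoot%\PSEXESVC.exe", "CORP\\svc-deploy"),
    ("2019-11-17T09:03:30", "fs-01", "PSEXESVC", r"%SystemRoot%\PSEXESVC.exe", "CORP\\svc-deploy"),
    ("2019-11-17T11:45:00", "ws-007", "PSEXESVC", r"%SystemRoot%\PSEXESVC.exe", "CORP\\helpdesk-amy"),
    ("2019-11-17T12:10:00", "ws-040", "vpnagent", r"C:\Program Files\vendor\vpnagent.exe", "NT AUTHORITY\\SYSTEM"),
]


def parse(record):
    """Turn one constructed tuple into a dict with a real datetime."""
    time, host, service, image, account = record
    return {"time": datetime.fromisoformat(time), "host": host,
            "service": service, "image": image, "account": account}


def is_psexec(event):
    """Direct indicator: default service name or binary name, case-insensitive.
    A renamed service (PsExec supports that) evades this check, which is why
    fan_out() below does not depend on it."""
    name = event["service"].upper()
    image = event["image"].upper()
    return name == PSEXEC_SERVICE or image.endswith(PSEXEC_SERVICE + ".EXE")


def fan_out(events, window=timedelta(minutes=10), min_hosts=3):
    """Behavioural indicator: one account installing a service on at least
    min_hosts distinct hosts inside `window`.  An admin running a tool touches
    one host; something spreading to peers touches many in quick succession."""
    by_account = defaultdict(list)
    for event in events:
        by_account[event["account"]].append(event)

    alerts = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):
            hosts = {e["host"] for e in evs[i:] if e["time"] - start["time"] <= window}
            if len(hosts) >= min_hosts:
                alerts[account] = sorted(hosts)
                break
    return alerts


def analyse(records=EVENTS):
    """Return both signals so a reviewer sees direct hits and spread pattern together."""
    events = [parse(r) for r in records]
    direct = [(e["host"], e["account"]) for e in events if is_psexec(e)]
    return {"psexec_installs": direct, "fan_out": fan_out(events)}


if __name__ == "__main__":
    for key, value in analyse().items():
        print(key, value)
```

In the constructed data the helpdesk account installs PsExec on one machine and is reported only as a direct hit, while the deployment account touches four hosts in under two minutes and trips the fan-out rule; tuning the window and host count to what the estate's own administration tooling does is the part of this work that has to be done per organisation.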

When all of this is considered, it’s no surprise why being proactive and aware is so important now for security companies like Sophos.

As with all things, people tend to be the potential weak point of any organisation. It’s easy to set up technology and procedures, but if your average worker isn’t aware of the threats and their responsibilities, that can be manipulated.

“We can train our technology to be the best it can be, but it will always be the user who [is the] biggest attack vector,” said Murray. “It’s why email has always been that way in [for attackers].”

“It comes down to the same thing, which is an understanding of security protocols within the organisation. It’s understanding that everyone is indeed at risk and a lot of organisations believing it simply won’t be us is quite an old-fashioned way of thinking.”

The scale and sophistication of the threat landscape mean that having security teams, usually third parties, to keep up with it is crucial now. In Sophos’s case, it has both the global team and the software to keep toe to toe with attacks and other malicious behaviours.

All of which is done without a business realising it in the first place, taking a heavy workload off them. Awareness doesn’t just mean knowing that threats exist, it also means knowing that your protection measures are working too.

Threat hunting is the name of the game when it comes to best practice for stopping cyberattacks, according to Sophos’s Brian Murray, writes Quinton O’Reilly

It has been a busy year for VM Group and for its founder Dr Vivienne Mee. The growing need for expertise has seen an uptick in businesses using its instant response partner programme.

With GDPR now being a part of the security fabric, reporting breaches to the Data Protection Commissioner is mandatory and most businesses don’t have the resources in-house to do that.

“When it comes to things like a cyber breach, an internal or external hack, they may not have the expertise to stop it happening, contain it and even get to the next stage of the investigation,” she said.

While it’s a good problem to have, VM Group has had to assess the number of clients coming in and how many it could properly support.

Dr Mee said there was no point taking on extra clients if the company could not provide the necessary bandwidth to help them in their times of need. The solution was to implement an upfront retainer fee which would guarantee the client its time, and allow the company to calculate just how many would be coming to it in a year.

“If they’re all on the programme and there are not enough resources, there’s not much point, so they have to pay an upfront retainer that guarantees them our time,” Mee explained.

“We guarantee them that we’ll be on-site in two hours, that we’re going to be available on the phone 24/7, so if a breach did occur, they do have someone to call instead of waiting.”

As part of the programme, the organisation offers a number of additional perks to the service, including cybersecurity training and vulnerability assessments to see if they’re prepared for a forensics examination, should the need emerge.

Speaking of which, forensics continues to be a core part of VM Group’s offering. Insider threat is still very real, usually not malicious, but situations like granting higher-profile people temporary access privileges to something and forgetting to revoke them when they’re no longer needed.

“Some smaller and larger organisations allow higher-profile people to have more access and be more loose with their controls because they might do a lot of presentations and they need to take a USB stick with them,” she said.

One danger of loosening controls temporarily is phishing attacks, a staple of bad actors everywhere, which can sometimes result in finger-pointing or denial.

Mee said there were a few cases where an Office 365 password was phished with people denying it. It’s often not until VM Group finds the email and shows the phishing email that they realise it’s them. The reason it happens is usually because features like two-factor authentication were switched off temporarily to allow for testing and then later forgotten.

Situations like that highlight the importance of tracking changes and having systems in place that can be reversed over a period of time.

“It’s down to simple things, even back to software days when you’re coding, you have your change control, what have you changed, what have you done, you document it so it can be reviewed at a project level or later on if another bug comes into play,” she said.

“That should still be done with your Office 365 or similar environments. If you have an organisation with 300 people and you switched off security features for testing, six months later, you’re not going to remember to switch it back on.”
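The change-control point Mee makes above can be enforced rather than remembered: a security feature switched off for testing gets a record with an owner and a date by which it must be switched back on, and that register is checked against what the platform actually reports. The Python below is an added example, not code from VM Group or the article. It keeps such a register of time-boxed exceptions and reconciles it against a constructed snapshot of per-account MFA state, sorting every relaxed control into overdue, expiring, approved, closeable or undocumented. The account names, dates, record format and warning window are all assumptions.

```python
"""Time-boxed register of relaxed security controls, reconciled against
observed state.  Added example: the register entries, the observed MFA
snapshot and the account names are constructed, not taken from any tenant."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class ControlException:
    """One deliberate weakening of a control, with a date it must be undone by."""
    subject: str      # account or system the control was relaxed for
    control: str      # which control, e.g. "mfa"
    reason: str       # why it was relaxed (the change-control record)
    owner: str        # who is accountable for reverting it
    disabled_at: datetime
    revert_by: datetime


def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed register: what the team documented when it turned things off.
REGISTER = [
    ControlException("alice@example.test", "mfa", "app migration test",
                     "it-ops", utc(2019, 5, 2), utc(2019, 5, 9)),
    ControlException("bob@example.test", "mfa", "conference demo laptop",
                     "it-ops", utc(2019, 11, 10), utc(2019, 11, 20)),
    ControlException("carol@example.test", "mfa", "device enrolment",
                     "helpdesk", utc(2019, 10, 1), utc(2019, 10, 3)),
    ControlException("erin@example.test", "mfa", "legacy mail client",
                     "it-ops", utc(2019, 11, 15), utc(2019, 12, 15)),
]

# Constructed snapshot of what the identity platform reports right now:
# (subject, control) -> True if the control is enforced, False if not.
OBSERVED = {
    ("alice@example.test", "mfa"): False,  # still off, six months after a one-week test
    ("bob@example.test", "mfa"): False,    # off, inside its approved window
    ("carol@example.test", "mfa"): True,   # reverted; the register entry can be closed
    ("dave@example.test", "mfa"): False,   # off with no register entry at all
    ("erin@example.test", "mfa"): False,   # off, approved until mid-December
}

AS_OF = utc(2019, 11, 17)  # the article's date, used as "now" in the demo


def reconcile(register, observed, now, warn_within=timedelta(days=7)):
    """Sort every relaxed control into one of five buckets so a reviewer sees
    the drift between paperwork and reality, not a raw list of accounts."""
    report = {"overdue": [], "expiring": [], "approved": [],
              "closeable": [], "undocumented": []}
    registered = {(e.subject, e.control): e for e in register}

    for key, entry in registered.items():
        # An absent key (account removed) counts as no longer relaxed.
        if observed.get(key) is not False:
            report["closeable"].append(entry.subject)
        elif now > entry.revert_by:
            overdue_days = (now - entry.revert_by).days
            report["overdue"].append((entry.subject, overdue_days))
        elif now + warn_within >= entry.revert_by:
            report["expiring"].append(entry.subject)
        else:
            report["approved"].append(entry.subject)

    # Relaxed in reality but never recorded: the case change control exists to catch.
    for key, enforced in observed.items():
        if enforced is False and key not in registered:
            report["undocumented"].append(key[0])
    return report


def run_report(now=AS_OF):
    return reconcile(REGISTER, OBSERVED, now)


if __name__ == "__main__":
    for bucket, items in run_report().items():
        print(f"{bucket:12s} {items}")
```

Run daily, the overdue and undocumented buckets are the ones that should page someone; the expiring bucket is the reminder that the six-months-later scenario in the quote is designed to prevent.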

When carrying out these forensic investigations, there has to be an understanding of the team, but there also has to be impartiality. Blending in is key for a security consultant who has to understand the dynamics of a team and earn trust – it’s easier to convince someone if you already have a rapport with them.

“If you have a rapport, especially with security consulting, they can be more open and honest,” Mee said. “But the tables can turn if it is an investigation and fingers are being pointed. If we’re going in with a forensics hat on us, you have to stay impartial and there’s a fine line between the clients and the expert. You don’t want to be compromised by having such a close relationship.”

Keeping the walls high

There are a number of measures that VM Group takes to ensure that its investigations aren’t compromised, even within its own organisation. For one, not everyone within VM Group knows what other people are working on, a way of keeping investigations private and unknown, as word getting out can compromise the entire operation.

“Even internally we would have client areas in our storage system where reports are kept and they’re segregated,” Mee said.

“If you’re a consultant and you haven’t actually worked on that client, you don’t get access to anything.

“We get high-end, serious types of investigations where even my own clients don’t know where I am. The security world [in Ireland] is small, so if someone has heard you’ve done something untoward, it’ll get around quick.”

Prevention is always better than cure

Brian Murray, enterprise account executive for Sophos

Dr Vivienne Mee, founder, VM Group

Your Trusted Investigations Team. Leaders in Digital Investigations

T: (IRL) + 353 (0) 1 524 1630. T: (UK) + 44 (0) 2830 480 015. E: [email protected]

DIGITAL FORENSICS • ISO 27001 CONSULTING • ELECTRONIC DISCOVERY • CCTV ANALYSIS • INCIDENT RESPONSE • INVESTIGATIONS • MOBILE FORENSICS • EXPERT WITNESS • INTERNAL AUDIT • CLOUD FORENSICS • SECURITY AWARENESS TRAINING • GDPR ADVISORY • IT SECURITY REVIEWS • RISK ADVISORY SERVICES • PENETRATION TESTING • VULNERABILITY ASSESSMENTS

Visit our website: www.vmgroup.ie

CYBER SECURITY TECHNOLOGIES | TECHNICAL CONSULTANCY | CYBER SECURITY TESTING | CYBER RISK & ASSURANCE | MANAGED SECURITY SERVICES

INTEGRITY360.COM

Empowering your business by putting Security First.