On 29 December 2016, the US government entered a new round in its fight against malicious cyber attackers. It released a 13-page report, accompanied by a much more detailed listing of almost 1,000 technical indicators. The goal of the report was to help companies detect, block and eradicate cyber attacks on their networks.
The move followed a rough year where not only the Democratic National Committee suffered a consequential and highly mediatized breach, but also think tanks, universities, critical infrastructure and many more. Fears that further attacks are coming appear well-grounded.
The US government’s report is important and relevant for many businesses, also here in Switzerland, for at least three reasons:
Aligned with private companies
Firstly, it confirms what private companies – including PwC – have been saying for a couple of years. The released information is a mixture of yet-unseen declassified technical indicators with a few also coming from the private sector. Private cyber security companies have therefore been doing quite a good job at gaining visibility and tracking what attackers have been up to. The investigative methods of private companies appear to match the ones the US government is using.
Overview on known attacking methods
Secondly, the report strongly highlights current state-of-the-art ways of attacking networks. Attackers send e-mails with malicious content enticing users to click on them. Once in a network they try to gain access to even more protected valuable resources (so-called “lateral movement” aimed at “escalating privileges”). The e-mails need not be precisely targeted: despite the hype over “spear phishing” e-mails, many rather resemble spam being sent to thousands of recipients at a time.
How to tackle threats
And this leads to the third point. The bulk of the US government’s report focuses on how to tackle such threats. And it notes: “These strategies are common sense to many, but DHS continues to see intrusions because organisations fail to use these basic measures”. This aligns very well with PwC’s experience and conclusions. In other words, many organisations, also in Switzerland, have yet to implement strong cyber security measures to ensure that they cannot easily fall victim to such attacks.
The way forward: sharing more data
Technical reports of this kind are very welcome. They lead the way by stressing that the sharing of information is crucial to defending against cyber attacks, and they contribute to normalising such a practice. Until now, indicators of cyber attacks have been very often looked at as sensitive information, thus there has been a notorious reluctance to share them between oft-ashamed victims. PwC supports the idea of sharing: when companies exchange information about experiences they’ve had with cyber attacks, negative experiences included, companies not only bring benefits to other companies, but also to themselves in the long run. They can get feedback on other companies’ experiences and this way improve their own security mechanisms. Reports like the one from the US government may contribute to changing the current mindset.
We’d also suggest adding even more precision and more details to such reports and not merely mention the many different malware names involved. For example: attackers launch their offensives in stages and use different tools and techniques at each of these stages. To protect different areas of their network, it is useful for companies to know exactly which technique is being used and at which stage. And lastly, many of the indicators provided, such as IP addresses (the address of a machine on a network), may have at times been used for legitimate purposes. To be able to differentiate between what is actually a part of the attack and what is not, it is necessary to know the exact time at which the infrastructure was used, this by means of what are commonly referred to as timestamps.
All in all, companies are well-advised to take a close look at the indicators of compromise that the US Government has provided and to use them as much to detect potential current breaches as to prevent future ones. Investigative work means that one must be ready for false-positives and shouldn’t necessarily take the initial result at face value. But, again, sharing with the rest of the community the difficulties and outcomes of these investigations can only help to strengthen the overall state of cyber security.
The aforementioned report and indicators are available here.