Analysis: FireEye Report on APAC Data Breach Challenges
Experts Recommend Ways to Improve Detection, Response
Many organizations in the Asia-Pacific region are woefully unprepared to detect and respond to data breaches, according to Mandiant's M-Trends Report 2016 for the region. In fact, the report finds that the median amount of time it takes to discover an attack in the region is 520 days, three times the global median.
Mandiant's report is based on an analysis of how its clients in the region discover and respond to breaches. "In 2015, we continued to see heightened levels of cyber threat activity across APAC," the report notes. "We surmise that this is likely fuelled by geopolitical tensions, relatively immature network defences and response capabilities and a rich source of financial data, intellectual property, and military and state secrets."
CISOs and other security practitioners must improve their security posture and defend networks better against sophisticated, well-funded and relentless advanced attackers who will capitalize on bugs and defects, the report notes (see Why Asia-Pacific Lags in Data Breach Detection).
"It's a critical challenge as most organizations can't detect unique, advanced cyber threats, via email or the web, due to inefficient network monitoring capabilities," says Singapore-based Bryce Boland, chief technology officer, Asia Pacific, for FireEye, parent company of Mandiant. "Besides, most [organizations] often ignore critical alerts and rely on legacy security technologies, unaware of risks by advanced attacks."
Satyanandan Atyam, CISO at Bharati Axa General and Life Insurance Co., summarizes the security challenges facing the APAC region: "Organizations can't defend against new attack forms, leave alone responding, due to lack of layered security. Deploying security control across each layer means additional investment - this doesn't come easily."
Report's Key Findings
In addition to identifying lengthy delays in detecting attacks, other key findings from the report are:
- Most breaches in APAC never became public.
- APAC organizations are often unprepared to identify and respond to breaches because they lack basic response processes and plans, threat intelligence, technology and expertise.
- Some attacker tools were used to almost exclusively target organizations within APAC.
- Many organizations had already been conducting forensic investigations, internally or through third parties, but failed to eradicate attackers from their environments.
The Malware Threat
Attackers are targeting APAC organizations using targeted and customized malware, says Bangalore-based C.N. Shashidhar, CEO of SecureIT. "Attackers deploy three teams - intrusion, maintenance and persistence and exfiltration - to conduct the exploits," he says.
In recent years, breaches in the region have shifted toward advanced persistent threats using malware injected into the enterprise network, which then traverses the network, using privilege escalation to locate and carry out its attack, says Singapore-based security expert Tom Wills, director at Ontrack Advisory Services. "What's changed is the creativity to get that malware into the network," he says. "Recently, attackers scattered infected USB thumb drives throughout a company's car park."
A recent report from Fortinet on security threat detection revealed that, on average, APAC-based organizations reported more than 81,000 attempted attacks between October 2015 and February 2016, says Rajesh Maurya, Fortinet's regional director, India and SAARC.
The Mandiant report indicates that threat actors often move laterally from the initial infected computer to neighbouring hosts to perform reconnaissance activities and infect additional devices. Lateral movement is frequently facilitated by legitimate but compromised user credentials.
"The lateral movement is mostly effective because many organizations don't isolate different segments of the network," Maurya says. "Moving from segment to segment is a breeze."
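The two observations above, lateral movement on legitimate but compromised credentials and the absence of segment isolation, are both visible in authentication telemetry if someone looks. The following is an added example, not code from the article or from Mandiant, FireEye or Fortinet: it runs two simple detections over a constructed set of successful network logon events. The first flags an account that reaches many distinct hosts inside a short window (credential reuse during lateral movement); the second flags logons that cross from one network segment to another, with an allowlist for accounts that are expected to do so. The log format, segment layout, account names and thresholds are all assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample of successful network logon events (assumed format:
# "<timestamp> user=<account> src=<ip> dst=<ip> type=network"; not real data).
SAMPLE_EVENTS = """\
2016-03-01T09:00:05 user=jdoe src=10.10.1.25 dst=10.10.1.40 type=network
2016-03-01T09:02:11 user=jdoe src=10.10.1.25 dst=10.10.2.17 type=network
2016-03-01T09:03:40 user=jdoe src=10.10.1.25 dst=10.10.2.18 type=network
2016-03-01T09:05:02 user=jdoe src=10.10.1.25 dst=10.10.3.9 type=network
2016-03-01T09:06:30 user=jdoe src=10.10.1.25 dst=10.10.3.10 type=network
2016-03-01T09:07:55 user=jdoe src=10.10.1.25 dst=10.10.4.3 type=network
2016-03-01T09:15:00 user=asmith src=10.10.2.50 dst=10.10.2.60 type=network
2016-03-01T10:30:00 user=asmith src=10.10.2.50 dst=10.10.2.61 type=network
2016-03-01T14:00:00 user=svc_backup src=10.10.5.5 dst=10.10.1.40 type=network
2016-03-01T14:00:10 user=svc_backup src=10.10.5.5 dst=10.10.2.17 type=network
"""

# Assumed network segmentation: one /24 per business segment.
SEGMENTS = [ipaddress.ip_network(f"10.10.{i}.0/24") for i in range(1, 6)]

# Accounts that legitimately cross segments (e.g. a backup service); assumption.
DEFAULT_CROSS_SEGMENT_ALLOWLIST = {"svc_backup"}


def parse_events(text):
    """Parse the constructed key=value log lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        event = dict(f.split("=", 1) for f in fields)
        event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
        events.append(event)
    return events


def segment_of(ip, segments=SEGMENTS):
    """Return the segment network containing ip, or None if it is outside all segments."""
    addr = ipaddress.ip_address(ip)
    for net in segments:
        if addr in net:
            return net
    return None


def detect_lateral_movement(events, window=timedelta(minutes=15), max_hosts=4):
    """Flag accounts that log on to at least max_hosts distinct hosts within one window.

    A sliding window per account keeps the check linear in the number of events.
    Returns one alert per offending account with every host reached in that window.
    """
    by_user = defaultdict(list)
    for event in events:
        by_user[event["user"]].append(event)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            hosts = {e["dst"] for e in evs[start:end + 1]}
            if len(hosts) >= max_hosts:
                # Report every host touched within `window` of the window start.
                tail = [e for e in evs[start:] if e["ts"] - evs[start]["ts"] <= window]
                alerts.append({
                    "user": user,
                    "first_seen": evs[start]["ts"],
                    "hosts": sorted({e["dst"] for e in tail}),
                })
                break
    return alerts


def detect_cross_segment(events, allowed_accounts=DEFAULT_CROSS_SEGMENT_ALLOWLIST):
    """Return logons whose source and destination lie in different segments.

    Accounts in allowed_accounts are skipped so known cross-segment services do
    not drown the signal; everything else crossing a segment boundary is returned.
    """
    crossings = []
    for event in events:
        if event["user"] in allowed_accounts:
            continue
        src_seg, dst_seg = segment_of(event["src"]), segment_of(event["dst"])
        if src_seg is not None and dst_seg is not None and src_seg != dst_seg:
            crossings.append(event)
    return crossings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for alert in detect_lateral_movement(evs):
        print(f"lateral movement: {alert['user']} reached {len(alert['hosts'])} hosts "
              f"from {alert['first_seen']}: {', '.join(alert['hosts'])}")
    for event in detect_cross_segment(evs):
        print(f"cross-segment logon: {event['user']} {event['src']} -> {event['dst']}")
```

On the constructed data the first detection fires only for `jdoe` (six hosts in under eight minutes), while `asmith`, who touches two hosts over an hour, stays quiet. The second detection returns five crossings, all by `jdoe`; the backup account's crossings are suppressed by the allowlist, which is the tuning step that separates a usable detection from one that is ignored, as Boland's quote above warns. In a real environment the segment list would come from the network inventory and the thresholds from a baseline of normal per-account behaviour.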
Detecting a Breach
The long delays in detecting APAC breaches are troublesome given the damage that hackers can quickly do.
Attackers can access domain administrator credentials within three days of gaining access, according to the Mandiant report. After stealing domain administrator credentials, attackers can quickly gain access to sensitive information and exfiltrate it.
"Most enterprises in the APAC region rely on archaic perimeter and signature based anti-virus and endpoint controls, which are incapable of detecting sophisticated and zero-day based advanced threats within their environments," Shashidhar says.
Responding to Breaches
To improve breach response efforts, APAC organizations need to assemble crisis management teams that include representatives of security, IT, communications, legal, risk, compliance and various business groups, FireEye's Boland says. "This synchronizes a coordinated response," he says.
Fortinet's Maurya recommends conducting frequent cyber threat assessments to make sure appropriate security technologies are in place to deal with today's dynamic cyberattacks.
"Conducting a practical proof of concept to understand vulnerabilities across each layer with the available technologies as a drill - to compromise data by enacting the role of a hacker - will definitely do good," says Bharati Axa's Atyam. "But you must convince your management about the positive outcome of the drill."
Boland adds: "Boards and CEOs must get involved to ensure an effective approach to security which mitigates risks. Asian policymakers must move towards stronger breach notification regulation."