IBM Interactive Security Incidents

IBM has published its latest X-Force Threat Intelligence Quarterly (registration required). The tagline to the report is: "Malicious or inadvertent, an insider threat to your enterprise 'crown jewels' can cause significant damage. Explore ways to fight insider threats."

What is interesting is that IBM is not just focusing on the malicious employee but has now included ex-workers, friends of ex-workers, employees who click on malware and trusted third parties. This is about as wide a net as IBM could possibly cast so it’s not surprising that this cast of actors rivals the threat from outside the company.

There is, of course, a serious point to what IBM is saying. Companies are often quick to give access to workers when it is required to do their job but very slow to revoke access when that need has passed. At the same time, few companies have adequate processes to track what their users are doing to determine if their actions are valid.

All of this, of course, plays into IBM’s new security intelligence approach which uses profiling along with other tools to decide if a user is playing nice or behaving badly. Determining what is normal for a user or even an application and then detecting abnormal behaviour is not a trivial task. It requires gathering data from a wide set of sources around the enterprise and then doing real-time analysis to spot when things look wrong.

Exfiltration of data is an example of how hard that is for many companies. With so many users now having access to cloud services, either personal, departmentally sanctioned or part of a wider enterprise IT plan, data flows out of companies faster than capital out of a crumbling economy. Despite this, few companies track how much data is being moved out, where it is going and who is sending it. The net result is that stealing data has never been easier and it is being done openly.

Trust nothing and nobody

The report also comes with some old warnings, but ones that are continually overlooked. For example, IBM warns consumers (though it is not clear how many of them are likely to download the report) about the danger of giving their details to companies. It points out that once the data is handed over, the consumer is subject to the data protection policies of the company, which can be difficult to evaluate or understand.

It’s a fair warning, and trying to get the details of different companies’ policies can be like pulling teeth. However, it does open a different conversation: why have companies chosen to make their policies so complicated in the first place? In most cases it is due to a lack of understanding of the relevant laws and the fact that a large number of companies don’t understand their own responsibilities.

Another issue raised in the report deals with the problem of old threats getting new life. An example given is that of remotely turning on microphones and webcams when they are attached to the Internet. These are low-tech attacks that, as companies start to connect everything to the web, are likely to find a new lease of life if network and device security is not improved.

Spam still on the rise and an underestimated source of malware distribution

As with previous reports, IBM has focused on the risk from spam. Volumes are around where they were two years ago, but it is the payload that has changed, making spam a more important threat than previously.

In Q1 2015, the US was the top distributor of spam with 8% of the total spam sent. Just behind it was Vietnam, followed by last year’s spam champion, Spain. One of the problems with spam is that much of the focus is often on the country where it originated. This means that a lot of security teams tend to block email coming from countries where they believe the majority of threats originate.

Email from countries such as the US, Spain, Italy and Germany, which all figure in the top five countries for sending spam last quarter, is more likely to be trusted than email from Russia, China or Vietnam. This makes it more likely that spam from those countries will get through basic geographic blocking, and so increases the risk. The same is true of botnets, where those with a high proportion of machines in the US and Europe are more sought after than those made up mainly of Asian-based computers.

While the number of spam messages with malicious attachments is low, it is climbing. As the sending machines increasingly sit in countries that are more likely to be trusted, the risk of infection is naturally higher. This means that IT teams and users need to pay more attention to dealing with spam rather than just dismissing it as a nuisance. IBM makes three recommendations for security teams and four for users:

  • Keep your spam and virus filters up to date.
  • Block executable attachments. In regular business environments it is unusual to send executable attachments. Most spam filters can be configured to block executable files even when they are within zip attachments.
  • Use mail client software that allows disabling automatic rendering of attachments and graphics, and preloading of links—and then disable them.
  • Do I know the sender?
  • Did I expect this email and this attachment?
  • Does it make sense that the attachment is zipped, and is the format appropriate for this type of message and attachment type?
  • Which file type is in the zip file? If it is an executable, a screensaver or a file type unknown to me, I should not open it!
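To make the "block executables even inside zip attachments" recommendation concrete, here is an added Python example (not from IBM's report) that walks a message's MIME attachments, flags executable files including those hidden inside zip archives, and applies the user checklist's "unknown file type" rule to zip contents. The extension lists, the sample message and its contents are constructed assumptions for the example.

```python
import io, os, zipfile
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Constructed lists for this example (not IBM's): file types a business mailbox should
# never receive as attachments, and types the filter recognises and allows inside archives.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".ps1", ".msi"}
KNOWN_SAFE_EXTENSIONS = {".pdf", ".docx", ".xlsx", ".txt", ".csv", ".png", ".jpg"}

def classify_attachment(filename: str, data: bytes) -> list:
    """Return the reasons to block one attachment; an empty list means it is allowed."""
    ext = os.path.splitext(filename.lower())[1]
    if ext in EXECUTABLE_EXTENSIONS:
        return [f"{filename}: executable attachment"]
    if ext != ".zip":
        return []
    reasons = []
    try:  # look inside the archive, the case the recommendation above calls out
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                mext = os.path.splitext(member.lower())[1]
                if mext in EXECUTABLE_EXTENSIONS:
                    reasons.append(f"{filename}: executable {member} inside zip")
                elif mext not in KNOWN_SAFE_EXTENSIONS:  # unknown type: same rule as the user checklist
                    reasons.append(f"{filename}: unknown file type {member} inside zip")
    except zipfile.BadZipFile:
        reasons.append(f"{filename}: corrupt or non-zip archive")
    return reasons

def block_reasons(raw_message: bytes) -> list:
    """Walk every MIME attachment of a raw message and collect all reasons to block it."""
    msg = message_from_bytes(raw_message, policy=default)
    reasons = []
    for part in msg.iter_attachments():
        reasons.extend(classify_attachment(part.get_filename() or "unnamed", part.get_payload(decode=True) or b""))
    return reasons

def build_sample_message() -> bytes:
    """Constructed sample message: a PDF invoice plus a zip hiding a screensaver executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", b"%PDF-1.4 constructed sample")
        zf.writestr("photo.jpg.scr", b"constructed placeholder, not a real binary")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "sender@example.test", "user@example.test", "Your invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"%PDF-1.4 constructed sample", maintype="application", subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    return bytes(msg)
```

Running `block_reasons(build_sample_message())` allows the plain PDF and flags the zip because of the double-extension screensaver inside it; a corrupt archive is also reported rather than silently passed.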

Breaches need incident plans and forensic techniques

As regulators begin to demand that companies report every breach and law enforcement looks to investigate, there is an increasing need not only for incident planning but also for forensic analytics to gather data. Realistically, this is going to challenge many large companies, which is why IBM, HP and other security vendors have been stepping up their services offerings lately.

One of the keys for IBM has been its focus on Security Analytics where it captures data from multiple points around the IT infrastructure, including the network, and carries out real-time analysis of the data. This does require a significant amount of storage and processing but the majority of the work can be automated. The majority of the techniques for reducing the data set and automating the analysis are well understood by the Business Intelligence teams inside organisations.

This is where IT security needs to start thinking outside of its own world and engaging with other parts of the business to gain access to the available skills. The examples IBM gives in its report make use of both BI and visualisation technologies. Where it needs input is in the reconstruction of traffic patterns to understand the wider impact of an attack or incident. This is where IBM is selling its professional services to customers.

One of the risk factors ignored by many companies is the supply chain and customer ecosystem. These are increasingly embedded within the IT function of the enterprise but often consist of large numbers of small to mid-sized firms, which frequently have weaker security than larger enterprises. This is where there is a need to start auditing the entire ecosystem. IBM doesn’t supply any figures around how often it is asked to do this, but HP recently said that less than 15% of enterprise customers ask it to audit their ecosystem.

This brings with it a significant risk: the forensic data may point to a customer or supplier, but without the ability to extend the investigation into their systems, the data critical to understanding the attack will quickly be lost. This makes it hard to defend against a repeat attack and to reconstruct an attack in order to map its methods.


It is interesting that IBM has returned to focusing on the human factor as the main risk to the business and the insider as the biggest risk of all. Companies have always been aware that people are the weakest link in security but without better training and an overhaul of processes, it is unlikely that this threat will diminish any time soon.

