Real-time threat detection and why timing is the key to threat intelligence
You wouldn’t sit idle under siege. However, when it comes to confronting real-time cyberthreats, it is what some businesses are doing – oftentimes without even realizing it. Organizations are increasingly finding themselves targets of cybercrime, carried out by hacktivists, nation states, or financially motivated criminals. In fact, on average organizations experience 130 successful breaches annually, according to a 2017 Accenture report – that’s an increase of more than 27 percent in just two years.
Many companies, however, don’t even recognize they’ve been attacked until months down the line, leaving them more susceptible to brand damage and greater financial loss. And today’s CISOs are well aware of the cost – their jobs depend on it. According to IBM, the average cost of a data breach in 2018 was $3.86 million if 2,500-100,000 records were stolen. The price reaches a whopping $350 million if 50 million records are lost.
Timing is key when it comes to cybersecurity
Timing is key when it comes to cybersecurity, which is why fighting cybercrime proactively, rather than reactively, is so important. With real-time threat intelligence, fresh, targeted and actionable information is obtained from internal and external, as well as automated and human-generated sources. Think dark web forums, social media, analyst reports, and hacktivism resources. This can be used to help IT professionals like CISOs, fraud managers, or SOC managers, among others, to counter attacks quicker, repel them better, and reinforce their systems against more threats in the future. In fact, real-time threat intelligence with the right vendor can reduce the success rate of an attack by more than 97 percent.
It takes organizations an average of 10 weeks to detect a data breach
Adversaries wreak havoc, steal credentials, abuse brands and exploit other sensitive information right under organizations’ noses. And often, organizations never find out it’s happened; 70 percent of cyberattacks go undetected altogether – which is dangerous for consumers and organizations alike.
Consider what happens when organizations are too slow to react against credential theft, for example. Consumer credit rating firm Equifax suffered a breach in 2017, in which the personal information of 143 million people was stolen after attackers entered through a software vulnerability. The organization’s stock immediately plunged 35 percent and its market capitalization fell $6 billion USD. A brand’s reputation undoubtedly deteriorates after a data breach, too. One 2014 poll found almost 87 percent of customers were not likely to do business with an organization that had experienced a breach involving credit or debit cards.
On the other hand, real-time threat intelligence can enable organizations to detect threats before any real damage is done. It can identify compromised point-of-sale (PoS) devices, which helps to retrieve compromised and stolen cards and credentials before they’re sold on the black market.
Credit card fraud is just one example of what organizations need to combat in the ever-changing cybersecurity landscape. However, organizations can defend themselves by achieving full visibility over their security infrastructures, including malicious activity already inside. This is done by ingesting data from as many sources as possible and extracting knowledge from that data using real-time threat intelligence.
Having this full visibility and leveraging real-time threat intelligence monitoring also means organizations can be adaptive. A sudden change in the location a connection comes from, for example, could mean an organization is being targeted, and isolating the affected accounts would help to avoid further damage.
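One concrete form of the location-change signal above is an impossible-travel check: two logins by the same account from places too far apart for the time between them. The example below is added here and is not Blueliv’s code; the log format, coordinates and the 900 km/h ceiling are assumptions.

```python
"""Impossible-travel detection over constructed login events (added example)."""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900.0  # assumed ceiling: roughly airliner speed; tune per environment


@dataclass
class Login:
    user: str
    ts: datetime
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two (lat, lon) points."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def parse_line(line):
    """Constructed log format: '2019-01-10T08:00:00Z user=alice lat=40.4 lon=-3.7'."""
    ts_s, user_s, lat_s, lon_s = line.split()
    return Login(user_s.split("=", 1)[1], datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ"),
                 float(lat_s.split("=", 1)[1]), float(lon_s.split("=", 1)[1]))


def find_impossible_travel(lines, max_kmh=MAX_KMH):
    """Return (user, required_kmh) for each consecutive login pair exceeding max_kmh."""
    last, alerts = {}, []
    for login in sorted((parse_line(l) for l in lines), key=lambda x: (x.user, x.ts)):
        prev = last.get(login.user)
        if prev is not None:
            hours = (login.ts - prev.ts).total_seconds() / 3600
            km = haversine_km(prev.lat, prev.lon, login.lat, login.lon)
            # zero elapsed time with a real distance is treated as infinitely fast
            speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if speed > max_kmh:
                alerts.append((login.user, speed))  # candidate for account isolation
        last[login.user] = login
    return alerts


# Constructed sample: alice Madrid -> Moscow in one hour; bob Madrid -> Barcelona in four
SAMPLE_LOG = [
    "2019-01-10T08:00:00Z user=alice lat=40.4168 lon=-3.7038",
    "2019-01-10T09:00:00Z user=alice lat=55.7558 lon=37.6173",
    "2019-01-10T08:00:00Z user=bob lat=40.4168 lon=-3.7038",
    "2019-01-10T12:00:00Z user=bob lat=41.3851 lon=2.1734",
]
```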
Take how one major bank leveraged Blueliv threat intelligence to operate more coherently in real-time. Previously the bank had worked with various vendors, which caused generic threat sources to be managed inefficiently. As a result, the bank repeatedly suffered from data breaches targeting the corporate network.
However, once the bank engaged Threat Compass, it was able to operate with one central team – working both locally and globally – to garner a bird’s eye view of the international organizational structure.
Threat Compass delivered purely actionable threat intelligence relevant to the bank, giving it the ability to identify compromised customer accounts, but also rogue mobile apps, targeted malware, and stolen credit cards. The bank was able to decrease the time spent engaging in security tasks manually, and thus identify and respond to threats far more quickly.
Early detection can help retrieve credentials sooner
Cybercriminals use a wide range of techniques and tools to steal credentials, including malware, phishing, man-in-the-middle attacks, DNS hijacking and brute force. These credentials can be used in a huge number of ways: for blackmail or ransom, to impersonate leaders on social media, to steal identities, to execute fraud or to carry out data breaches. In fact, according to Centrify, 81 percent of hacking-related breaches use stolen or weak passwords. After all, all it takes is one credential to open the door.
For example, consider the recent data breach involving German politicians and other public figures. Almost 1,000 people were affected by the breach, in which sensitive information such as telephone numbers, credit card details and private chats was published via Twitter in December. A 20-year-old German man confessed to the crime in early January, with authorities stating he used “hacking methods” to crack passwords.
And think back to what happened to Uber in 2016. Hackers gained access to Uber engineers’ private GitHub site and got their hands on login credentials, which gave them access to data stored on Amazon Web Services. This included the email addresses and phone numbers of 57 million Uber users, and 7 million drivers’ personal information. The company paid 100,000 in ransom to the attackers, but Uber executives hid the breach from the public until 2017, which led to a US-wide investigation. Uber settled for $148 million last September.
It’s true that cybercriminals want fresh credentials, but they don’t often use them right away; hackers need time to filter them, extract them, validate them, and then sell the data on underground marketplaces if they decide not to exploit the credentials themselves. This is good news for organizations leveraging threat intelligence. Say a CISO at a gaming website discovers a malware infection that’s given hackers access to thousands of customer credentials. Threat intelligence allows them to use sinkholes, honeypots, crawlers and sensors to search for the compromised credentials in real time. This allows them to retrieve these credentials before a large impact is made and before the legitimate owners have their accounts hacked.
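What the gaming-site CISO does with a retrieved batch of credentials is triage: for each leaked record, check whether the leaked secret still opens an account, and force a reset only where it does. The example below is added here and is not Threat Compass or any Blueliv code; it assumes the feed delivers (email, plaintext password) pairs and that the site stores PBKDF2-HMAC-SHA256 hashes.

```python
"""Triage a compromised-credential feed against a user store (added example)."""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor; tune to your hardware


def hash_password(password, salt=None):
    """Return (salt, digest) for a new or re-hashed password."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def password_matches(password, salt, digest):
    """Constant-time comparison of a candidate password against a stored hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def triage_feed(feed, user_store):
    """Classify each feed record.

    'reset'   - leaked password still valid: force reset and revoke sessions
    'stale'   - account exists but the leaked password no longer works
    'unknown' - e-mail is not a customer; nothing to act on
    """
    verdicts = {}
    for email, leaked_pw in feed:
        rec = user_store.get(email.strip().lower())  # normalise before lookup
        if rec is None:
            verdicts[email] = "unknown"
        elif password_matches(leaked_pw, rec["salt"], rec["hash"]):
            verdicts[email] = "reset"
        else:
            verdicts[email] = "stale"
    return verdicts


def build_store():
    """Constructed user store keyed by lower-cased e-mail."""
    store = {}
    for email, pw in [("alice@example.com", "hunter2"), ("bob@example.com", "correct-horse")]:
        salt, digest = hash_password(pw)
        store[email] = {"salt": salt, "hash": digest}
    return store


# Constructed feed: one live hit, one already-rotated password, one non-customer
SAMPLE_FEED = [("Alice@Example.com", "hunter2"),
               ("bob@example.com", "old-password"),
               ("eve@other.org", "x")]
```

The feed records themselves should be handled as sensitive data and purged once the verdicts are recorded.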
Businesses only have 72 hours to report a breach under GDPR
For CISOs with European clients, the post-GDPR era presents a new regulatory challenge. While data breaches already cause financial and other losses, organizations can now also be fined up to 4 percent of their annual global turnover if a European citizen’s personal data is compromised (or €20 million, if greater).
Data Protection Authorities consider a number of factors when deciding on a fair penalty – including any previous infringements, the gravity of the breach, the number of data subjects, the level of damage suffered and the duration of exposure. But organizations are also required to report a breach within 72 hours of discovering it – and the fine gets steeper the longer they wait. This means that when it comes to a cyber attack, reporting it on time is absolutely critical to reducing a stiff GDPR penalty.
However, while GDPR has garnered attention in ecosystems around the world, it’s not the only cybersecurity legislation organizations should focus on. For example, the EU’s NIS Directive – the first piece of EU-wide legislation on cybersecurity – requires organizations to implement appropriate security measures and make national authorities aware of serious incidents. In 2017, New York State put into effect its own security standards for banks, financial services institutions and insurance companies. And California passed some tough privacy laws in 2018 that will go into effect in 2020.
A CISO’s work is never done
In short: organizations are increasingly being held to higher security standards, meaning they can’t afford to waste a second when it comes to data protection.
A CISO’s work is never finished because the cyber threat landscape is ever changing. Attacks are becoming more sophisticated, high-impact attack vectors are increasing, and new threat actors are emerging. Still, it’s up to organizations to stay ahead of the curve and tackle cybersecurity threats proactively and swiftly to mitigate risk for themselves and their clients. After all, their brand depends on it.
For more information on credential theft, check our report The Credential Theft Ecosystem.
Also, download our GDPR whitepaper here.