The evolving nature of cyber threats creates a need to continually improve a business’ cyber security environment. By researching to constantly stay informed of evolving threats, a business can proactively evolve cyber security to be ‘hardened’ against threats before they occur.
By the end of this topic, you will understand:
- how to research evolving trends in cyber security
- how to translate research into cyber security enhancements in a business
- the requirements necessary to action these enhancements by engaging with relevant business personnel.
There are several reputable sources of government information on current cyber threats in Australia. Those of note are:
- Australian Cyber Security Centre (ACSC): The ACSC is the central cybersecurity agency in Australia, providing information, guidance, and assistance to enhance the cybersecurity resilience of the nation. It offers a wide range of resources, including threat intelligence, advisories, and alerts to keep organisations and individuals informed about the latest cyber threats.
Website: Home | Cyber.gov.au - Stay Smart Online: Stay Smart Online is an Australian government initiative that provides a variety of resources and advice to help individuals and businesses protect themselves from cyber threats. It includes alerts, tips, and educational materials to promote cybersecurity awareness.
Website: Stay Smart Online | Directory - Cyber Security Incident Management Arrangements (CIMA): CIMA is a framework established by the ACSC to guide the response to and management of cybersecurity incidents. It provides information on incident response planning, coordination, and communication during cyber incidents.
Resource: Cyber Incident Management Arrangements for Australian Governments | Cyber.gov.au - Essential Eight Maturity Model: The Essential Eight Maturity Model is a cybersecurity framework developed by the ACSC. It outlines strategies to mitigate the most common cyber threats. The model helps organisations assess their cybersecurity maturity and provides guidance on improving their security posture.
Resource: Essential Eight Maturity Model | Cyber.gov.au - Australian Signals Directorate (ASD) Signals Directorate (ASD): The ASD is an intelligence agency responsible for signals intelligence and information security. It collaborates with the ACSC to provide cybersecurity guidance and resources. The ASD publishes the Australian Government Information Security Manual (ISM), which offers guidance on securing information and systems.
Resource: Australian Signals Directorate | Australian Signals Directorate (asd.gov.au) - Cyber Security Awareness Week: The Australian government organises Cyber Security Awareness Week annually to promote awareness of cybersecurity issues and best practices. It includes events, resources, and campaigns aimed at educating individuals and organisations about staying secure online.
Resource: Stay Smart Online Week | Australian Signals Directorate (asd.gov.au)
All of the above provide updates on emerging cybersecurity trends. Additionally, reputable IT organisations such as Oracle, SAP, IBM, Google and Microsoft provide information on malware and cyber threats that target their applications. Of note, there is a number of real-time threat identification engines that provide current reporting on real-time cyber security threats as they evolve.
Reading
The anti-malware software company Kaspersky provides a graphical display that allows reporting on the latest cyber security trends: cybermap.kaspersky.com/buzz
and real time threat reporting: MAP | Kaspersky Cyberthreat real-time map
The benefit of researching trends is that it allows a predictive and early response to emerging threats. There is more time to access and implement effective cyber security improvements as a result. There are many online sources of research information. When researching, look to reputable agencies that have expertise in digital spaces. Always consider suggested remedies and practices carefully in the context of a business’s operational environment to ensure a positive outcome.
Example agencies include: Apple, IBM, Oracle, SAP, reputable anti-malware software providers and Microsoft.
At any one point in time, there are literally millions of attempts being made around the world to illegally gain access to networks. These are not being undertaken by people, but by networks of computers called ‘Botnets’. These are computers programmed and automated to make penetration attacks. Once an attack is successful, hackers receive a report. This report indicates to hackers the location of the penetrated device and allows them to then take control of the infected computer.
Botnets can target any type of digital device and quickly attempt tens of attacks on a device per second. When evaluating research, it is worth noting that the scale and speed of Botnet global hacking attempts mean that businesses will likely experience a Botnet attack at some point. As a result, it must be a priority to evaluate current hacking trends to:
- identify emerging cybercrime risks to the business
- develop responses to current cyber-attacks being reported.
Researching recent trends in cyber-attacks informs a business and can help keep it ahead of ‘waves’ of new attacks. By researching current cyber security hacking trends, staff can be briefed to be:
- more aware of current known vectors being exploited (such as infection from emails).
- informed about new forms that malware is taking. For example, recently, malware that ‘ransoms’ computer systems by locking out staff has become more common. If research points to increased ransomware attacks, staff can be advised to be hyper-vigilant against phishing scams. Phishing scams are a common exploit for injecting ransomware into a business system.
Note that research into current cyber security trends will also identify best practice policy and processes that business’ around the world are deploying. Such best practices may not be a response to an emerging cyber threat. They may be responses to improved cyber security practices in managing:
- new software applications – such how a business can safely use Web 2.0 and 3.0 platforms
As a proactive measure, once trends in cybercrime are established, a detailed review of hacker exploits is required. This review will identify:
- the vectors used (such as email).
- if the malware trend identified has the potential to damage the business. It may be that the malware or exploit does not infect the type of hardware or software a business deploys. Further, the exploit may, in the case of technical attacks, already be patched such that the exploit cannot impact the business.
It is often the case that emerging types of cyber-attacks rely on users to allow an infection to occur – such as by clicking on a link in social media that loads the malware. There is no technical solution for this per se, and what is required is the enforcement of an effective cyber security policy.
Over the course of a week, there will be numerous new variants of malware that are released onto the internet. The cyber security deployed in businesses that treat cyber security seriously will already have policies and procedures in place to manage malware that uses typical vectors.
Occasionally, there will be a Zero-Day or totally new threat that uses a new way to infect digital platforms. A Zero-Day exploit is the most dangerous form of malware and when research identifies the discovery of a Zero-Day exploit, quick action needs to be taken to stop any potential infection.
Remember that digital platforms include PC’s mobile phones, servers and network devices. This means that there is a wide range of points that Zero-Day exploits can target.
Example – Using Fonts
In March 2020, an exploit was discovered by Microsoft that allowed hackers to remotely control computers when users opened documents that contained PostScript Type 1 fonts. The malware was executed when the document was opened and was an entirely new way to infect computers
The patch to remove the vulnerability took weeks to develop and until it was developed, hackers were free to exploit computers using this technique.
Learn more here: Windows Zero-Day Attack Lets Hackers Hide Malicious Code in Fonts | Extremetech
When research uncovers a Zero-Day exploit:
- research the potential damage that could occur and if there are stop-gap fixes. Potentially a business may not require a cyber security response as the business does not have the environment the Zero-Day exploit requires. This should be a quick process as soft vendors who have identified the new Zero-Day exploit will publish a data page describing the exploit, how the exploit can affect the business and, possibly, a suggested stop-gap measure. If a business is exposed to the risk of a new Zero-Day exploit:
- identify when a fix for the Zero-Day exploit is expected.
- communicate with management on how the Zero-Day exploit could impact the business and provide a plan to manage any exposure while a fix is developed. Seek support to act rapidly as millions of attacks per second will be made around the world, and Australian businesses are high-value targets.
- once support is secured from management, communicate to staff about how the exploit spreads and what they are expected to do. Ensure they know they will be kept informed.
Typically, research will not uncover zero-day exploits, but typical variant exploits. It is to be expected in cyber security that hackers will repackage old exploits to try them again. In these cases, the appropriate action is to:
- identify the characteristics of the malware
- look for emerging trends to establish how often the exploit is being used
- prioritise education and information on research findings based on risks to the business.
Activity 1 - Managing Researched Zero-Day Exploits
Once threats have been identified and researched, the threat needs to be documented and action taken to remedy the exposure the business has to the emerging threat. To do so:
- document the threat including the recommended remedy.
- circulate the documented threat to the relevant personnel (such as team leaders in areas that are affected) and the changes required to remedy the threat. By doing so, you allow business personnel to anticipate the change and gather additional input. There may be reasons why your suggested remedy is impractical. You may discover an alternative suggestion that is a remedy that can be more easily implemented.
Tip
Depending on the scale of the business, the flexibility to change varies. A small team of 10 IT developers with one IT system can quickly adapt to cyber security changes. A large transportation company with 50 locations, multiple IT systems and thousands of employees in various roles requires a more measured approach to implementing change. The bigger the business, the more complex the business workflow. In this case, careful consideration of how required changes in cyber security will affect a business needs to be understood. This ensures that the business is not adversely affected as a consequence.
A change to remedy a cyber security gap needs clear, concise, and practical steps to adapt a business to potentially new ways of working. In cases where a cyber security remedy requires workplace behavioural change, without effective communication, the expected changes in staff behaviour will not occur. An emerging threat may be understood, but the gap will not be closed.
A business will likely have policies and procedures in place to ensure company communications adhere to approved protocols. Before sending an advisory communication within a business, seek the advice of stakeholders such as media managers and other senior managers to ensure a communication complies with internal protocols.
Note: Working broadly across the business is a typical requirement when implementing cyber security change. When policy is updated and systems modified, teams across the business must adapt. Training may be required needing the input of training managers. Changes in workplace operation may need industrial relations expertise to implement. Cyber security relies on managing organisational change and touches on more than providing a remedy to a cyber security gap.
Serious threats to a business need to be followed up with additional communications and may require personal visits by cyber security staff to brief staff and managers. When managing cyber threat communications, consider the potential threat and respond accordingly. For extremely serious threats, an email with a multi-layered approach to stress the serious nature of the threat is inadequate.
Case Study
In 2015, a group of hackers called the Carbanak gang used a technique called ‘Spearphishing’ to steal one billion dollars from multiple banks. Spearphising is a form of phishing that uses an email that appears to come from a contact that the recipient knows. The hackers ‘spoof’ the email address to trick the email system.
The infected email when opened required the staff to click on a link to visit a website or to open a document. Sophisticated malware than key trapped User IDs and passwords of bank staff. This access information then allowed the criminals to logon and transfer money.
At that time in 2015, banks had cyber security policies that prohibited opening web links and suspicious documents. In fact, Spearphishing had been a known technique since 2011.
While staff would have been aware of the risks, there was a communication failure. Phishing cannot be eliminated as a hacking technique and bank staff need regular, practical training in how to avoid being trapped.
Activity 2 - Quiz
