Written by Hussam Sidani, the Regional Vice President for the Middle East and Turkey at Cybereason
How secure is your organization if you can only stop attacks that have already been detected in other environments based on Indicators of Compromise (IOCs)? Secure enough, if those were the only attacks you needed to be concerned with. But what about targeted attacks with bespoke tactics, techniques, and procedures (TTPs) that have never been documented because they were designed only to be used against your organization?
In today’s threat landscape that’s what’s happening: zero-day exploits, never-before-seen malware strains, and advanced techniques developed specifically for high-value targets are plaguing security teams. Most security solutions do a pretty good job of detecting and preventing known threats, but they continue to struggle with detecting and preventing novel threats. But the issue run even deeper than that — how can security teams detect malicious activity on the network earlier if the actions and activities of the attacker are not outwardly malicious because they are typical of activity we expect to see on a network?
The diminishing value of IOCs
Following a security incident, investigators scour for the evidence and artifacts left behind by the attackers. These can include IP addresses, domain names, file hashes, and more. Once these Indicators of Compromise (IOCs) have been documented, they can be shared so that security teams at other organizations can search their environments for similar threats, and security solutions can be tuned to better detect and prevent them from being used in subsequent attacks. That’s great for everyone, except the initial victims of the attacks, of course — for them, the damage has already been done.
Bur IOCs are constantly changing and more often are unique to a specific target, so leveraging IOCs for proactive defense in another environment is unlikely to result in earlier detections. Even the assumption that IOCs are somehow uniformly applicable in every instance, for a given attack campaign in the same environment, has proven to be demonstrably false.
Furthermore, the more advanced attackers engaged with a high-value target often change their TTPs within the same kill chain when moving from one device to the next in a target environment, making early detection based on already-known IOCs nearly impossible. IOCs are still quite valuable for detecting known TTPs, just as outmoded signature-based detections are still effective for detecting common malware strains, and they will continue to be an important aspect of our security toolkits for the foreseeable future.
But given the limitations of their application in surfacing highly targeted and novel attacks as described above, the question remains as to how we can detect more reliably and earlier in the kill chain. That’s where Indicators of Behavior (IOBs) come into play.
Defining Indicators of Behaviour
IOBs describe the subtle chains of malicious activity derived from correlating enriched telemetry from across all network assets. Unlike backward-looking IOCs, IOBs offer a proactive means to leverage real-time telemetry to identify attack activity earlier, and they offer more longevity value than IOCs have ever been able to deliver.
IOBs describe the approach that malicious actors take over the course of an attack. They are based on chains of behavior that can reveal an attack at its earliest stages, which is why they are so powerful in detecting novel and highly targeted operations. Sooner or later, an attacker’s path diverges from the paths of benign actors.
But IOBs is not about just looking for anomalies or a key indicator of malice at a particular moment in time, although that’s also part of it. IOBs are about highlighting the attacker’s trajectory and intentions through analysing chains of behaviors that, when examined together, are malicious and stand out from the background of benign behaviors on the network.
IOBs can also be leveraged to detect the earliest signs of an attack in progress that are comprised of “normal activity” one would expect to see occurring on a network, such as we see with techniques like living off the land (LotL/LOLBin) attacks where legitimate tools, processes, and binaries native to the network are abused by the attacker.
Operationalising IOBs for Operation-Centric security
Today’s alert-centric approach to security puts too much focus on the generation of uncorrelated alerts and remediating the individual elements of the larger attack campaign; a process that has proven to be inefficient given the typical resource constraints security operations are subject to.
Conversely, an Operation-Centric approach leveraging IOBs can reorient the detection and response cycle by consolidating otherwise disparate alerts into a single, content-rich correlated detection that serves to comprehensively disrupt the attack progression earlier than is possible with our current reliance on IOCs alone.
Leveraging IOBs to achieve an Operation-Centric approach also presents the opportunity to create a repository of detectable behavior chains that can surface even the most novel of attacks earlier, as well as support automated response playbooks that can better disrupt attacks at their onset.
More work to be done
Understanding attacker intentions and likely pathways based on early-stage actions and activities enable defenders to proactively predict and disrupt subsequent stages of an attack, as well as provides an avenue to develop fully autonomous security operations. In order to achieve a truly Operation-Centric posture and move closer to autonomous security operations, a future-ready standard that universally defines and operationalizes IOBs is required.
To be truly useful, there needs to be a common definition, language, and expression of IOBs that is completely independent of any particular security tool or vendor. The wide array of solutions available can provide the raw telemetry as well as the color and context required to collectively interpret observable behaviours.
But, as it stands today, security tools themselves don’t provide a standardized language that can accurately describe and operationalise the chains of behavior that will enable us to detect and respond to attacks faster than the adversary can adapt. Operationalising IOBs will require standardization that will deliver the full potential value of the entire security stack to quickly and autonomously deliver the necessary context and correlations across diverse telemetry sources.
But achieving an Operation-Centric approach that leverages IOBs will ultimately empower security operations to predictively respond to changing TTPs more swiftly than attackers can modify and adjust them to circumvent defenses, which is key to finally reversing the adversary advantage and returning the high ground to the Defenders.
The Evolution of Cybersecurity in Banking
By Ricardo Ferreira, EMEA Field CISO at Fortinet
Changes in the banking sector associated with new digital initiatives have ushered in unprecedented cybersecurity risks. As highlighted in recent reports, key activities in the financial ecosystem can be disrupted by cyber incidents, so risk management and secure network protocols are paramount. With cybercriminals relentlessly pursuing financial gain, data breaches have become more frequent and sophisticated, underscoring vulnerabilities in the banking sector.
Regulatory approaches, such as EU DORA, G7, and reports from other central banks and regulators, emphasize the critical importance of cyber resilience in the banking sector. These regulations are reactive measures to past threats and proactive strategies designed to anticipate and mitigate future risks. Characterized by continuous digitization, increased third-party dependencies, and geopolitical tensions, the evolving cyber threat landscape demands a robust response from financial institutions.
Central Bank Digital Currencies (CBDCs) add another layer of complexity. As CBDCs gain traction, they present both opportunities for financial inclusion and challenges in terms of cybersecurity. In this competitive landscape, where traditional banks, financial technology disruptors, and digital-native challenger banks strive for market share, delivering a seamless digital experience is crucial. However, institutions must not lose sight of potential vulnerabilities as they race to innovate. Embracing digital technologies is essential, but so is ensuring that these technologies are safeguarded against ever-evolving threats.
As banks and financial services providers continue to grow and innovate, a holistic approach to cybersecurity informed by the latest regulatory insights and threat intelligence will be crucial to ensure sustainable and secure progress.
Cybersecurity in Banking
In the rapidly evolving digital landscape of banking, cybersecurity teams are at the forefront of a complex battle. The financial sector is particularly vulnerable to cyber threats, including significant data breaches. The financial sector is a favourite target for attacks seeking financial gain, trade secrets, or service disruptions that bring publicity to social or political causes. In fact, financial and cybercrimes are now top global policy concerns, according to a new INTERPOL report.
Depending on the severity of the attack and the specific bank in question, a single successful breach can lead to serious damage to the brand. According to the European Union Agency for Cybersecurity (ENISA), more than 10 terabytes of data are stolen monthly, and more than 60% of organizations may have paid ransom demands. Another report states that 2022 was the biggest year ever for crypto hacking.
As digitization becomes an even greater necessity across the banking industry and security risks increase, executive teams need to ensure the resiliency of their business operations, compliance with government and industry regulations, and the effectiveness of their cybersecurity infrastructure to protect the expanding attack surface.
Financial services providers must defend against an onslaught of data breaches, ransomware, malware, phishing, and social engineering attacks growing in sophistication, frequency, and intensity. The challenges of fending off threats increase as the attack surface expands in breadth and complexity. In its 2023 Global Cyber Risk Outlook, Moody’s states that regulators and insurers are taking actions to reduce financial exposure to cyberattacks, and at the same time, demand for cyber insurance will outweigh supply.
To remain competitive and resilient in this environment, financial institutions must continue to innovate and ensure that those innovations are secure. This dual mandate becomes even more challenging given the expanding attack surface, driven by the rise of digital banking, fintech disruptors, and the introduction of CBDCs and the modernization of their core systems. Key cybersecurity imperatives for banking include:
- Visibility. Maintaining comprehensive network visibility is paramount with the proliferation of mobile banking, IoT integrations, and cloud deployments. As the cyber threat landscape becomes more intricate, having clear oversight of all network activities is crucial to prevent data breaches and manage cybersecurity risks.
- Automation and operational efficiency. The era of siloed security solutions is fading. Modern cybersecurity demands integrated solutions that can automate tasks, reducing the need for manual configurations and constant monitoring. Implementing “policy as code” can further streamline this process, ensuring that security policies are consistently and automatically enforced across a secure network.
- Flexibility. The diverse IT architectures, spanning multi-cloud and on-premises deployments, necessitate agile security controls and policies. As financial institutions navigate the complexities of digital transformation, their security solutions, including policy as code practices, must be adaptable, ensuring that security policies align seamlessly with infrastructure changes.
- Compliance reporting. Regulatory compliance is not just a checkbox exercise. With central banks and other supervising authorities emphasizing cyber-resilience regulations, security teams must strike a balance between adhering to these regulations and proactively defending against cyber threats. Utilizing policy as code can also aid in ensuring compliance by codifying and automating policy checks.
Lastly, the human element cannot be overlooked. Beyond state-of-the-art technology, financial institutions need skilled professionals who can harness the potential of new platforms and systems. The limited availability of specialists in niche areas and a potential knowledge gap in understanding intricate products, processes, and systems pose additional challenges.
As the banking sector continues its digital journey, a holistic, informed, and agile approach to cybersecurity, adopting and succeeding at digital initiatives to converge network and security, reskilling the workforce, and driving automation will be the linchpins of success. Ensuring a secure network and effective risk management in the face of potential data breaches and evolving threats is paramount.
Cybersecurity Regulatory Impacts
Although the banking sector is a beacon of financial stability, it is increasingly grappling with dual challenges: ensuring robust cybersecurity and adhering to evolving regulations. As financial institutions strive to meet customer demands and counteract cybersecurity risks, they are simultaneously navigating a labyrinth of stringent data privacy and security regulations. These regulatory measures, coupled with the expanding digital landscape, have inevitably escalated operating costs, particularly in the realms of compliance for both retail and corporate banks.
The imperative for heightened security and compliance in banking is underscored by the need to protect sensitive personal data, maintain transactional integrity, and safeguard the health of national and global economies. Yet, a recent International Monetary Fund (IMF) survey paints a concerning picture of the regulatory landscape. Covering 51 countries, the survey revealed:
- 56% of central banks or supervisory authorities lack a dedicated national cyber strategy for the financial sector.
- 42% lack specific cybersecurity or technology risk-management regulation, and a staggering 68% do not have a specialized risk unit within their supervisory department.
- 64% have not mandated testing or provided guidance on cybersecurity measures.
- 54% do not possess a dedicated regime for reporting cyber incidents.
- 48% are without specific regulations addressing cybercrime.
While these statistics might paint a bleak picture, it’s essential to view regulatory and security requirements not as hindrances but as catalysts for innovation and risk management. For example, McKinsey highlights the potential of data analytics in banking, suggesting that it can lead to risk-reduction savings valued at up to $1 billion annually for some large banks. These savings encompass reduced fines, enhanced compliance reporting accuracy, improved management of sensitive data, and the mitigation of various other risks.
As the banking sector continues its digital evolution, striking a balance between innovation, cybersecurity risks, and regulatory compliance will be pivotal. Embracing this triad can unlock unprecedented opportunities, ensuring a secure, compliant, and forward-looking financial landscape.
Cybersecurity Risk Management for Banks
Cyber-risk management in today’s banking landscape extends beyond technical measures to encompass a holistic, organization-wide approach. However, many institutions grapple with limited tools to gauge cybersecurity risks, especially when integrating new digital partners and technologies.
Recent regulations emphasize operational resilience, advocating for a globally aligned risk management framework. This international convergence seeks to standardize practices, reducing fragmentation. A notable aspect of these regulations is the scrutiny of third-party providers, given their growing significance in the financial ecosystem.
While banks are traditionally cautious in IT vendor selection, the rise of innovative startups offers a number of promising solutions. Yet, this openness must be balanced with due diligence, especially when third-party relationships can introduce cybersecurity vulnerabilities. As banks evolve digitally, a harmonized approach to risk management that considers global regulations and third-party integrations is essential for a secure and progressive banking sector.
Banking Cybersecurity Challenges
Historically, banks have operated as siloed entities. Distinct departments, each with unique objectives, often rely on separate systems. This fragmented approach has inhibited growth, restricted scalability, and diminished customer satisfaction. Traditional banks, particularly, have garnered a reputation for cumbersome processes, especially when customers seek new services or support.
Implementing a unified platform that centralizes data and bridges the gap among various systems can effectively counteract the challenges posed by these silos. However, information silos also amplify cybersecurity risks, data breaches, and compliance concerns beyond operational inefficiencies, which are all pressing issues in today’s banking landscape.
The integrity of the IT infrastructure and the vast amount of data it houses remain a paramount concern in banks’ digital transformation journey. Addressing technical debt is crucial. This debt is often a byproduct of historical underspending and the juxtaposition of modern technologies atop outdated infrastructure. To navigate these challenges, banks should establish dedicated units or expert teams focused on innovating and ensuring that their offerings remain competitive. Assigning clear responsibilities for these innovation projects is pivotal.
Gone are the days when IT security in banking was a linear affair. Today’s banking ecosystem comprises tens or even hundreds of thousands of interconnected devices ranging from computers to Internet-of-Things (IoT) integrations. And when the proliferation of social, cloud, and mobile channels is factored in, the potential attack surface for data breaches and cybersecurity risks magnifies exponentially. The pressing question remains. How can banks ensure a secure network amid such vast complexity?
Although the need for financial organizations to embark on digital initiatives is essential, it accentuates the need for scalable security and compliance solutions. As banks evolve, the scalability offered by Software-as-a-Service (SaaS) solutions becomes indispensable, especially in the retail banking sector. Organizations must ensure that risk management remains agile and responsive to the ever-expanding digital landscape.
Secure Networking Solutions for Financial Organizations
Whether an organization has cutting-edge or legacy technology, infrastructure vulnerabilities can become prime targets for cybercriminals. As these adversaries relentlessly exploit weaknesses, financial institutions face the potential for significant financial losses, operational downtime, brand damage, and regulatory fines. Financial leaders must prioritize the resilience and overall health of their institutions.
Financial institutions should consider converging networking and security into a single secure networking solution to address these challenges. They can apply consistent threat intelligence and security services by consolidating disparate point products into an integrated cybersecurity platform.
Key features of an ideal security solution include:
- Visibility: Comprehensive oversight across the entire digital attack surface
- Advanced protection: Defense mechanisms against threats that are growing in volume and sophistication
- Intelligent integration: Seamless integration within a smart IT architecture
- Automation: Leveraging technology to address the shortage of skilled human talent
- Simplified compliance: Streamlined processes to ensure adherence to data privacy regulations
How to Enjoy Threads and Keep High Levels of Privacy and Security
Recently Threads released a new Web version allowing users to finally search for content and use other features from any of their desktop devices. For those who still use Threads, Kaspersky experts have compiled a list of tips on how to do it securely, protect personal data, and avoid scammers.
Kaspersky experts have previously discovered phishing pages imitating the web version of the social network and collecting users’ logins and passwords, as well as offers of a so-called “Threads Coin” promising to “connect users to the Metaverse,” which was fake and sold for cryptocurrency on the Web. It is important for users to always be on alert when exploring new social media platforms.
- What is important to know regarding security settings in Threads:
- Threads offers a Security Checkup. This feature shows key security-related data about Threads, Instagram or Facebook accounts. It reflects currently connected email addresses, mobile phone numbers, the last time the password was changed and whether two-factor authentication (2FA) is on or not.
- Users should not forget to set up 2FA. Threads is connected to the Instagram profile and uses the same logging details, so users should remember: one password gives access to two accounts! It’s always more secure to use 2FA as a security layer that protects accounts from unauthorized access. Modern reliable password managers can also generate and store unique one-time passwords for 2FA, that’s why one doesn’t need to install and use a separate solution for authentication.
- It’s impossible to delete the Threads account alone – the connected Instagram profile will be deleted as well, which means that all data will be concealed from other users of the social network.
- To do this, users need to go to Settings -> Account -> Deactivate profile and press Deactivate Threads profile.
- As for privacy, a user can limit who can contact them by muting, restricting or blocking someone. In all these cases, none of the contacts will be notified of these actions.
- If you don’t want to see someone’s post, you can mute the user. In case you don’t want to receive notifications of someone’s actions such as likes, replies, and so on, you can restrict the user. If you block a user, they won’t be able to find your profile or account – the list of blocked users is shared between Threads and Instagram.
- To mute, restrict or block someone, go to their profile, click on the three dots in the upper right corner and select the action.
- To strengthen the privacy level in your Threads account, the following tips can be useful:
- You can monitor and set up, who can mention you in posts with ‘@’ symbol.
- Threads is trying to fight against offensive language, so users can filter offensive language in responses to their posts. The platform offers several tools, like automatic filtering with built-in lists or manually adding specific phrases and words.
Achieving a Successful Continuous Threat Exposure Management Program
Written by Lydia Zhang, the President and Co-founder of Ridge Security
If your organization is concerned about increasing and expanding cyber threats, you are not alone. While many enterprises recognize the need to create a multi-layered security posture, this article explores the importance of Continuous Threat Exposure Management (CTEM) and how it can help proactively manage risks and bolster defences against growing cyber threats.
CTEM is a cybersecurity program that goes beyond simply responding to threats. It leverages proactive attack testing and simulation to identify and mitigate vulnerabilities before real attackers exploit them. Organizations can prioritize and allocate resources more effectively by continuously monitoring and evaluating security risks. This systematic approach allows for a more robust defence in the face of a rapidly expanding attack surface.
Primary Benefits of Implementing a CTEM Program
Let’s take a closer look at some of the key advantages of implementing CTEM. By continuously scanning and monitoring your digital infrastructure, you can proactively stay one step ahead of cyber threats. CTEM prioritizes threats based on their potential impact and likelihood of occurrence. This way, resources can be efficiently allocated to tackle the most significant risks first. By following an iterative approach, CTEM allows you to learn from each assessment and adapt defences accordingly. You can implement effective remediation measures and continuously improve your security posture by generating actionable insights from real-time threat data.
This data-driven approach ensures decisions are made based on the latest threat intelligence. This empowers security teams to make more targeted and effective remediation efforts by leveraging real-time data. To maximize the effectiveness of a CTEM program it must be aligned with the organization’s business objectives. This also helps achieve adaptability and continuous protection against the ever-evolving threat landscape. By incorporating your strategic business goals into the CTEM program, you can ensure that it works hand-in-hand with your overall cybersecurity strategy.
The Lifecycle Process of an Effective CTEM Program
A successful CTEM program follows a comprehensive lifecycle process. Let’s break it down into key steps. In the initial phase, the security team identifies and analyzes the infrastructure assets to be included in the program. This analysis encompasses both internal and external attack surfaces, including on-premises and multi-cloud infrastructures.
Each asset’s risk profile is evaluated, covering explicit vulnerabilities and weaknesses like misconfigurations. Understanding the potential impact of vulnerabilities on business operations is essential. Gaps in the security infrastructure are identified, such as logging and detection gaps, and missing, fragmented, meaningless detection rules.
Cybersecurity capabilities, such as automated pen-testing, controlled attack simulation, and adversary emulation, are carried out within DevOps and production environments. These activities verify cybersecurity weak points and assess the effectiveness of your remediation efforts. Automation plays a crucial role in the CTEM process. It enables organizations to continuously identify, prioritize, validate, and address vulnerabilities and threats. By leveraging automation, you can stay ahead of the evolving threat landscape and constantly improve your security posture.
How to Tell If Your CTEM Program Is Working
Once you have a CTEM program, how do you know if it’s making a difference? There are some key indicators that can help measure the success of your CTEM program.
The first and most obvious sign of a successful CTEM program is decreased security risks. You want to see fewer vulnerabilities popping up, and when they do, you want faster resolutions. You also want to see a drop in successful attacks or breaches. In this cyber game of cat and mouse — your CTEM program should be the cat!
An effective CTEM program will see an improvement in your ability to detect bad actors trying to disrupt systems. It’s not just about quantity; you also want to see the increased complexity of threats detected. After all, cybercriminals are constantly evolving, so your CTEM program needs to keep up!
Time is of the essence when it comes to cybersecurity. A successful CTEM program should help you reduce the time between discovering and fixing a threat. The quicker you respond, the less damage, so keep an eye on how fast you’re remedying those vulnerabilities.
Automated pen-testing, workflow segmentation and Breach and Attack Simulation are ways of measuring how well your security controls are performing. You want to see those controls becoming more effective over time. It’s training your defences to be stronger and smarter.
Compliance is essential if you’re in an industry with regulatory requirements. A successful CTEM program should help you meet and maintain those compliance standards. So, pay attention to any decrease in compliance violations or issues. It’s a good sign that your program is on the right track.
Now that you know how to assess the success of your CTEM program, keep an eye on these indicators, and remember, it’s all about reducing risks, improving threat detection, responding faster, enhancing security controls, staying compliant, and protecting what matters most to your business.
Cybersecurity Collaboration Holds Immense Significance in Today’s Threat Landscape
Sophos to Focus on Cybersecurity as a Service (CSaaS) at GITEX 2023
42 Abu Dhabi Hosts Coding Hackathon in Collaboration with Al Hathboor Bikal.ai
Chinese Malware Appears in Earnest Across Cybercrime Threat Landscape
The Average Time to Investigate a Cybersecurity Incident is Around 26.1 Days, says Binalyze
Check Point Software Announces the Launch of the Check Point Infinity Portal in the UAE
CyberKnight Signs up as Official Distribution Partner for MENA ISC 2023
Chinese Malware Appears in Earnest Across Cybercrime Threat Landscape
Ongoing Large-Scale Effort to Illegally Obtain Zimbra Email User Credentials Detected
IDC Predicts ICT Expenditure in Saudi Arabia to Exceed $34.5 Billion This Year
Video: Edgio Says Automation Will Bridge the Talent Gap in the Security Industry at GISEC 2023
Video: Tenable Throws the Spotlight on its Exposure Management Platform at GISEC 2023
Video: SANS Institute Focuses on Cyber Security Training to Bridge the Skills Gap at GISEC 2023
Video: Nozomi Networks Focusses on OT and IoT Security, and Network Visibility at GISEC 2023
Video: Inogates and Harfanglab Focus on EDR Solutions at GISEC 2023
Cyber Security5 days ago
Chinese Malware Appears in Earnest Across Cybercrime Threat Landscape
Channel Talk7 days ago
CyberKnight Partners with NightDragon to Bring New Cybersecurity Innovations to the META Region
Artificial Intelligence5 days ago
The 43rd Edition of GITEX GLOBAL to Take Place From 16th to 20th October 2023
Artificial Intelligence1 week ago
F5 to Show Off Multi-Cloud Networking and AI Solutions at GITEX 2023
Channel Talk1 week ago
CrowdStrike Intros Accelerate Partner Program
News1 week ago
Check Point Software Completes Acquisition of Perimeter 81
Cyber Security7 days ago
Cybercriminals Used Malware in 7 Out of 10 Attacks on Individuals in the Middle East
Cyber Security5 days ago
The Average Time to Investigate a Cybersecurity Incident is Around 26.1 Days, says Binalyze