New to IBM Z
Is your threat a 'usual suspect' or a 'Keyser Söze'?

    Posted Tue October 29, 2024 09:47 AM

    Foreword

    Security is all of our concern, whether you are a receptionist or an engineer, and whether you work in an office or from home.

    We all have a part to play in ensuring that our organisations and systems stay secure.

    As we continue through Cyber Security Awareness Month (CSAM), I wanted to ensure that people are aware of some of the 'core' security concepts.

    Over the course of CSAM, I will be writing posts about aspects of cybersecurity / mainframe-security.

    In today's post, following the recent IBM Z Day, I shall briefly explain (some of) the different types of threats that we must be wary of.

    P.S.  If you don't get the reference in the title, please spend your evening watching The Usual Suspects.


    A Quick Overview

    Computer hacking is the act of identifying and exploiting system and network vulnerabilities in order to obtain unauthorised access to those systems.

    After all, where valuable data can be found, hackers will try to investigate, infiltrate, extract, and extort data.

    Different hackers break into systems with different motives, and not always for malicious reasons, but in this article we will focus on those with unethical intentions.

    Some threats fit the stereotypical / cliché hacker, while others are much less predictable, including insider threats and Advanced Persistent Threats (APTs).

    NOTE: In this article, the phrases "Hackers" and "Threat Agents" may be used interchangeably.


    The two 'forms' of Cyber Crime

    Threat agents may commit burglary, piracy, fraud and so on, but each of these falls into one of two categories of cyber crime:

    • Cyber-enabled crime: traditional crime whose scope and scale have been increased by technology (examples include identity theft, financial fraud and data theft).

    • Cyber-dependent crime: crime that can only be committed through electronic means (examples include malware, hacking and denial of service).


    Where do most threats originate from?

    Some countries are the apparent origin of far more cyber attacks than others.

    CyberProof's Cyber Threat Intelligence (CTI) team analysed the most cyber-dangerous countries in 2021.

    They set out to identify the most common origins of cyber attacks, basing their research on verified indicators seen during attacks (such as IP addresses).

    From this, CyberProof identified the ten countries that served as the place of origin for the highest number of cyber attacks in 2021.

    As the chart in their report shows, the countries from which most threats originated were China and the United States of America.

    Threat activity can be seen in real time on 'Live Cyber Attack Maps' such as those hosted by SonicWall and Bitdefender.

    (Note: This research was based on "verified indicators" seen during attacks. However, CyberProof noted that some of the 'origin IP addresses' belong to legitimate services (such as cloud infrastructure) that were abused by hackers to launch their attacks, so the country of an origin IP address is not necessarily the country of the attacker.)


    Advanced Persistent Threats

    Not only do we have to be wary of hackers abroad; we also need to be aware of organised hacking groups and collectives.

    Advanced Persistent Threats (APTs) are long-term attacks carried out by highly organised groups of specialists. These are calculated campaigns that may run for months or even years, with the attackers working hard to remain undetected so that they can spend as much time as possible inside a network, mining sensitive data and monitoring key users.

    The groups behind APTs are generally well-funded entities (with major investment in skills and tooling) that have the time, muscle and laser-focused attention needed to locate and exploit information and data, although in some cases their objective is ransomware, espionage or the disruption of systems.

    APTs require the attackers to stay incognito, and in some cases they have gone undetected by organisations for months or years.

    The attackers will spend as much time as possible inside a network monitoring key users and their actions; by the time they exfiltrate, they may understand your system better than you do.

    A report by ENISA, the EU Agency for Cybersecurity, showed that attacks conducted by APTs on EU institutions have been increasing over the years.


    Insider Threats

    These originate from authorised users, such as employees, contractors and business partners.

    Insiders may accidentally or intentionally misuse their legitimate access, or have their accounts hijacked by cybercriminals.

    There are five forms of insider threat:

    • Oblivious insiders unknowingly cause harm by taking risky actions, generally out of ignorance or a lack of training.
      Usually this means they are unaware that they are breaking a rule or taking a risk, which can be addressed through proper training and by keeping people on their toes with phishing tests.
      An example is someone working in a café who goes to the toilet and leaves their laptop unlocked.

    • Negligent insiders create risk by ignoring (or turning a blind eye to) security protocols.
      This generally means they are aware of the rules they are breaking and need to face mandatory training or disciplinary processes.
      This can be addressed by reaffirming responsibilities and expectations with staff, via all-hands meetings, one-to-one meetings, company-wide emails, etc.
      An example is someone downloading and installing inappropriate files or applications on their work device, despite knowing that this goes against policy.

    • Pressured (forced malicious) insiders do not want to commit any crime or misdeed, but may be under extortion that pressures them into using their existing access nefariously.
      This is why security vetting staff ask questions like "Do you have any debts?" and "Have you ever taken lewd photos and given them to people?", as these can be used against you.
      On the mainframe, risky or non-compliant RACF commands can be policed at the point they are issued with software such as zSecure Command Verifier, and the events they generate can be alerted on in real time with zSecure Alert.
      An example is someone being blackmailed into helping a hacker because the hacker has 'dirt' on the employee.

    • Malicious insiders include disgruntled staff with a vendetta who intentionally steal or compromise data within the organisation's systems. The damage they can do is limited by properly following Zero Trust and least-privilege principles, so that no single account holds more authority than its job requires.
      Risky or non-compliant commands can again be caught at issue time by Command Verifier and alerted on by zSecure Alert.
      By ensuring that the resulting logs and alerts cannot be signed off by the person who issued the command, but must be reviewed by a different person, there is always a second layer of validation (separation of duties).
      Least privilege does not make malicious action impossible, but it shrinks what one insider can reach and makes the actions that remain stand out in the logs.
      An example is a disgruntled employee who was bullied by a manager and then let down by HR, and who wants to get back at the company.

    • Professional insiders make a living by exploiting businesses and selling whatever they can collect, often taking jobs with the main goal of stealing assets or corrupting data.
      They may apply for work with the specific intention of stealing assets, selling data to rival businesses, corrupting data, or committing insider trading.
      The same controls apply as for malicious insiders: command policing and real-time alerting, independent review of the resulting logs, and least-privilege access.


    Additional Statistics

    A recent report from Verizon revealed that while external attackers were behind around 80% of breaches in 2022, this accounted for "only" 200 million lost records.

    In contrast, the 20% of breaches initiated by internal actors were responsible for losing over 1 billion records, meaning that each internal breach exposed roughly 20 times as many records as each external one.

    According to IBM's Cost of a Data Breach 2023 report, the average cost of a data breach was $4.45 million USD; in the 2024 edition of the report this had increased by 10%, the highest total ever recorded.

    Data breaches initiated by malicious insiders were the most costly, averaging $4.99 million USD, and accounted for 7% of all breach pathways.

    Additionally, credentials stolen by malicious insiders may be used in subsequent attacks, and attacks involving stolen credentials took over 280 days on average to identify and contain.

    Expanding upon Professional Insiders

    Professional insiders may apply for work with the specific intention of stealing assets, selling data to rival businesses, corrupting data, or committing insider trading.

    Ensure that you carry out comprehensive background checks before hiring people, including checking their professional references.

    Consider searching for where they have previously worked, to see whether data breaches coincide with their tenure at each company.

    For example, a prospective employee may have worked for five companies in a row that have all admitted to data breaches coinciding with their tenure.



    ------------------------------
    Niall Ashley (he/him)
    Consultant in Mainframe Security (RACF)
    Vertali Ltd
    ------------------------------
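As an added illustration of the controls described in the Insider Threats section above (catching risky or non-compliant commands, and requiring that a different person signs them off), and not code from the original post nor the logic of zSecure Command Verifier or zSecure Alert: a small Python detector that runs a constructed, simplified RACF command log through four policy rules and refuses a sign-off by the command's own issuer. The pipe-separated log format, the sensitive dataset prefixes and the choice of rules are assumptions made for the example; the RACF command names, attributes and SETROPTS keywords are real.

```python
"""Toy detector for risky RACF commands, plus a separation-of-duties check.

Added illustration only: this is not the logic of zSecure Command Verifier
or zSecure Alert, and the pipe-separated log below is constructed for the
example rather than being the real SMF type 80 record layout.
"""
import re
from dataclasses import dataclass

# Constructed sample log: timestamp | issuing userid | RACF command as issued
SAMPLE_LOG = """\
2024-10-29T09:01:12|RACFADM|ALTUSER IBMUSER PASSWORD(TEMP1234) RESUME
2024-10-29T09:03:44|PAYOPS1|PERMIT 'PAYROLL.MASTER.DATA' CLASS(DATASET) ID(PAYOPS1) ACCESS(ALTER)
2024-10-29T09:05:02|RACFADM|ALTUSER PAYOPS1 SPECIAL
2024-10-29T09:07:30|SYSPROG2|SETROPTS NOCMDVIOL
2024-10-29T09:08:15|SYSPROG2|LISTUSER SYSPROG2
2024-10-29T09:10:01|HRUSER3|CONNECT HRUSER3 GROUP(SYS1) AUTHORITY(CREATE)
"""

# Policy assumed for the example: sensitive dataset prefixes, user attributes
# that grant system-wide authority, SETROPTS keywords that weaken auditing,
# and access levels that allow modification.
SENSITIVE_PREFIXES = ("PAYROLL.", "SYS1.")
ELEVATED_ATTRS = {"SPECIAL", "OPERATIONS", "AUDITOR"}
AUDIT_WEAKENING = ("NOAUDIT", "NOSAUDIT", "NOCMDVIOL", "NOOPERAUDIT")
WRITE_ACCESS = {"UPDATE", "CONTROL", "ALTER"}

USER_CMDS = {"ALTUSER", "ALU", "ADDUSER", "AU"}
CONNECT_CMDS = {"CONNECT", "CO"}
PERMIT_CMDS = {"PERMIT", "PE"}
SETROPTS_CMDS = {"SETROPTS", "SETR"}


@dataclass(frozen=True)
class Finding:
    when: str
    issuer: str
    command: str
    rules: tuple  # names of the rules this command tripped


def _operand(cmd, keyword):
    """Contents of KEYWORD(...) in an upper-cased command, or '' if absent."""
    m = re.search(r"\b%s\(([^)]*)\)" % keyword, cmd)
    return m.group(1).strip() if m else ""


def classify(issuer, command):
    """Return the tuple of rule names that one RACF command trips."""
    cmd = command.upper()
    tokens = cmd.split()
    verb = tokens[0] if tokens else ""
    target = tokens[1].strip("'") if len(tokens) > 1 else ""
    rules = []
    # 1. Granting SPECIAL/OPERATIONS/AUDITOR: system-wide authority.
    if verb in USER_CMDS and ELEVATED_ATTRS & set(tokens[2:]):
        rules.append("elevated_attribute")
    # 2. Write-level access on a profile that protects sensitive data.
    if (verb in PERMIT_CMDS and target.startswith(SENSITIVE_PREFIXES)
            and _operand(cmd, "ACCESS") in WRITE_ACCESS):
        rules.append("sensitive_permit")
    # 3. SETROPTS options that reduce what gets audited.
    if verb in SETROPTS_CMDS and any(t.startswith(AUDIT_WEAKENING) for t in tokens[1:]):
        rules.append("audit_weakened")
    # 4. Issuer altering their own userid, or permitting themselves access.
    self_targets = set()
    if verb in USER_CMDS | CONNECT_CMDS:
        self_targets.add(target)
    if verb in PERMIT_CMDS:
        self_targets.update(_operand(cmd, "ID").split())
    if issuer.upper() in self_targets:
        rules.append("self_service")
    return tuple(rules)


def detect(log_text):
    """Run every logged command through classify() and keep the hits."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, issuer, command = line.split("|", 2)
        rules = classify(issuer, command)
        if rules:
            findings.append(Finding(when, issuer.upper(), command, rules))
    return findings


def sign_off(finding, reviewer, ledger):
    """Record a review; refuse (and record nothing) if the reviewer is the issuer."""
    if reviewer.upper() == finding.issuer:
        return False
    ledger.append((finding, reviewer.upper()))
    return True


if __name__ == "__main__":
    hits = detect(SAMPLE_LOG)
    for f in hits:
        print(f"{f.when} {f.issuer:<8} {','.join(f.rules):<32} {f.command}")
    ledger = []
    print("self sign-off accepted?", sign_off(hits[0], hits[0].issuer, ledger))
    print("peer sign-off accepted?", sign_off(hits[0], "SECAUDIT", ledger))
```

Run directly, it flags four of the six sample commands (the self-granted ALTER on a payroll dataset trips two rules at once) and shows that PAYOPS1 cannot sign off their own PERMIT while a second person can. The point of the design is that detection and review are separate steps with separate identities: the issuer is recorded with the finding, and the sign-off check compares against that record rather than trusting whoever happens to be reviewing. In a real environment the input would be SMF records rather than a text file, and the policy would be far larger than four rules.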