Threats from within

Written by Joseph Poppy on 12/07/2018

Cyber security is a big deal these days. A very big deal. A deal worth £3.5 billion, to be precise. The threats are varied and numerous, with attackers constantly shifting their methods and approach to circumvent security. No matter how good cyber security gets and how thorough your processes are, the threat will always remain. What’s interesting here is that a large portion of this threat comes from within your own walls.

IBM’s Cyber Security Intelligence Index showed that 60% of all attacks were the result of insiders. Whilst this might sound like your staff are out to get you, remember that this is a mix of human error as well as malicious activity. With people falling victim to phishing campaigns, opening malicious emails or following links and accidentally downloading malware, there are many ways users can unwittingly compromise a network. This makes preventing a breach an incredibly difficult task.

Couple this with malicious insiders, who deliberately abuse their position as a trusted user of a network, then we have a serious problem. How do businesses keep themselves secure against all possible threats, internal and external?


A breach is inevitable

In answer to that question, a number of industry experts have opined that avoiding a breach forever is virtually impossible. It’s a matter of when, not if. This may seem a tad fatalistic but considering the way technology is evolving and the number of attack vectors available, it is certainly a plausible idea. However, don’t be too alarmed, as what can be considered a breach can vary considerably. A breach can range from the superficial, to the catastrophic. If you’re doing everything right, it’s unlikely that your inevitable breach will sit in the latter.

Some companies have tried to adopt a zero-trust approach to avoid internal attacks, malicious or otherwise. However, in terms of practicality this approach is hard to make work. Putting a large number of obstacles in your users’ way in the name of security only reduces productivity and builds frustration. A fully secure cyber policy, complete with top of the range systems might indeed keep attackers at bay, but it would also prevent your business from being able to operate.


No such thing as 100% secure

Think of it in terms of your own personal banking. Imagine you not only have to put in a password and memorable information with every transaction, but also have to submit a picture of your ID, provide voice recognition, commit to ocular scanning, solve the Sphinx’s riddle, get permission from the Queen, and complete a number of other steps of increasing ridiculousness. Whilst you’d be able to sleep soundly with the knowledge that no one will be able to steal your money, you won’t have a bed to sleep on because you wouldn’t be able to pay for it.

Of course, the above is taking the idea to the extreme, but the point stands. 100% security would come at the cost of utility and productivity. So, taking the view that a breach is inevitable despite your preventative measures, logic dictates that it’s worth ensuring you have adequate reactive measures.


Awareness is key

The first step to containing and resolving a breach or the spread of malware/ransomware, is knowing there is a problem in the first place. It’s unlikely that a hacker will announce their presence. A burglar doesn’t start their night of burgling by turning on the radio. If a malicious party had compromised your servers for cryptojacking, or had passed your defences and was now syphoning off precious data, how would you know? If they had managed to successfully compromise an email account or get through your firewalls without raising any alerts, how would you know anything was amiss before it was too late?

It sounds like a silly question, but in actual fact it’s a good one. You’d be surprised how long it takes most companies to become aware of a breach. In most cases, businesses do not become aware they’ve been breached until a staggering 101 days after the event.


Take action

First of all, every business should have a good plan of action in the event of a breach of any description. But in terms of identifying one, well, you need a good SIEM. Whether in-house or outsourced, a quality SIEM managed by skilled analysts is invaluable in this modern age. One of the best ways to identify potentially malicious behaviour is to monitor your logs for anything suspicious. This is not only a great way of preventing attacks, but also a good way of identifying, isolating and rapidly resolving attacks that may have snuck through. Doing this in real time is in itself a significant commitment that requires a purpose-built SOC, which many companies do not have the time or resources to set up.

Any changes made to the environment, any logons, any installations or traffic suddenly flowing to unknown destinations leaves behind a trail. Practically anything that happens on a network leaves behind a log. If monitored effectively, suspicious behaviour can be spotted, and the relevant teams contacted. A skilled analyst will even be able to see connections between seemingly unrelated issues, investigate and discover attacks that may not appear obvious from a surface level glance.
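The kind of log monitoring the two paragraphs above describe, as an added example that is not Bulletproof’s code or part of the original post: a small correlation routine that parses auth, software-install and network-flow log lines, flags a run of failed logons followed by a success, and then links any install or outbound connection to an unapproved destination on the same host within the following ten minutes into one finding. Every log line, hostname, username, IP address, package name and the allowlist of approved destinations is constructed for the example; the thresholds and time windows are assumptions you would tune to your own environment.

```python
"""Correlate 'seemingly unrelated' events across three log sources.

Added example (not Bulletproof's code). All log lines, hosts, users,
addresses and the allowlist below are constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs: 'timestamp kind key=value ...', one event per line.
SAMPLE_LOGS = """\
2018-07-12T08:01:10 auth host=ws-17 user=alice result=FAIL src=10.0.5.22
2018-07-12T08:01:14 auth host=ws-17 user=alice result=FAIL src=10.0.5.22
2018-07-12T08:01:19 auth host=ws-17 user=alice result=FAIL src=10.0.5.22
2018-07-12T08:01:27 auth host=ws-17 user=alice result=OK src=10.0.5.22
2018-07-12T08:03:05 net host=ws-17 dst=198.51.100.7 dport=443 bytes=4100
2018-07-12T08:04:02 install host=ws-17 user=alice package=unknown-pkg
2018-07-12T08:05:40 net host=ws-17 dst=203.0.113.45 dport=3333 bytes=90210
2018-07-12T09:14:50 auth host=ws-03 user=bob result=FAIL src=10.0.5.40
2018-07-12T09:14:55 auth host=ws-03 user=bob result=FAIL src=10.0.5.40
2018-07-12T09:15:00 auth host=ws-03 user=bob result=OK src=10.0.5.40
2018-07-12T09:20:11 net host=ws-03 dst=10.0.1.10 dport=443 bytes=1200
"""

# Constructed allowlist: internal address space plus one approved external service.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
APPROVED_DESTS = {"198.51.100.7"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>\w+) (?P<rest>.*)$")


def parse_log(text):
    """Parse log lines into event dicts, sorted oldest first; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # a bad line should not stop the rest of the feed being read
        ev = {"ts": datetime.fromisoformat(m["ts"]), "kind": m["kind"]}
        ev.update(kv.split("=", 1) for kv in m["rest"].split())
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def is_unknown_destination(ip_text):
    """True for traffic leaving to an address that is neither internal nor approved."""
    ip = ipaddress.ip_address(ip_text)
    if any(ip in net for net in INTERNAL_NETS):
        return False
    return ip_text not in APPROVED_DESTS


def find_suspicious_logons(events, fails=3, window=timedelta(minutes=5)):
    """Yield (host, user, ts) when >= `fails` failures precede a success within `window`."""
    recent = defaultdict(list)  # (host, user) -> timestamps of recent failures
    for ev in events:
        if ev["kind"] != "auth":
            continue
        key = (ev["host"], ev["user"])
        if ev["result"] == "FAIL":
            recent[key].append(ev["ts"])
            continue
        hits = [t for t in recent[key] if ev["ts"] - t <= window]
        if len(hits) >= fails:
            yield key[0], key[1], ev["ts"]
        recent[key].clear()  # a success resets the counter either way


def correlate(events, window=timedelta(minutes=10)):
    """Link each suspicious logon to later installs and unknown outbound flows on that host."""
    findings = []
    for host, user, ts in find_suspicious_logons(events):
        signals = ["brute_force_then_success"]
        for ev in events:
            if ev["host"] != host or not (ts < ev["ts"] <= ts + window):
                continue
            if ev["kind"] == "install":
                signals.append("install:" + ev["package"])
            elif ev["kind"] == "net" and is_unknown_destination(ev["dst"]):
                signals.append("unknown_destination:" + ev["dst"])
        findings.append({
            "host": host, "user": user, "start": ts, "signals": signals,
            # one signal alone is worth a look; three linked signals are worth a call
            "severity": "high" if len(signals) >= 3 else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in correlate(parse_log(SAMPLE_LOGS)):
        print(f["severity"].upper(), f["host"], f["user"], f["start"], " -> ".join(f["signals"]))
```

On the constructed data, ws-17 produces one high-severity finding chaining the three signals, while bob’s two failed logons on ws-03 stay under the threshold and his traffic to an internal address is never flagged. None of the three events on ws-17 looks alarming on its own, which is the point the paragraph makes about analysts linking things together.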


Install a SIEM and hire good analysts

Even better than that would be a whole team of skilled analysts, working to a set of runbooks set by you, monitoring your environment 24/7. This is what you get with an outsourced SIEM solution with threat monitoring. At Bulletproof, we have seen many attempts to compromise systems that would generally go unnoticed were it not for the vigilance of our analysts and their willingness to investigate and link seemingly unrelated issues. We know that vigilance is key, but we also know that most businesses are too busy focussing on providing a product or service to their customers to worry about taking on the mammoth task of installing a SOC and learning its subtleties.


  • Bulletproof are CREST approved
  • Bulletproof are ISO 27001 and 9001 certified
  • Bulletproof are Tigerscheme qualified testers
  • Bulletproof are a PCI DSS v3.2 Level 1 service provider
  • Bulletproof have a 24/7 on-site Security Operations Centre
