7 comments

  • dragonsh 1695 days ago
    In current times given the proliferation of technology in every business and our daily life, it will be hard for any company to say they are not an IT company. But it will require a fundamental change in thinking for many companies to move the mindset from IT being a support to one of the core competency in the company.

    Indeed they need to treat it like their core business and if necessary hire the services of an ethical hacker to make sure they are prepared for the disaster and can survive.

    But it's easier said than done; most Fortune 500 companies will still prefer to pay 5 or 6 digit sums to consultants to design security instead of hiring ethical hacking services, to make sure in case of attack their processes and systems work.

    Indeed they hire the services of the same IT outsourcing service provider to design the security, who themselves are a target. Most of these IT outsourcing companies, including IBM and Accenture, are cost arbitrage firms providing manpower at a cost which is higher than the cost of that consultant. So except for security by obscurity, I doubt they will be able to build a robust system or process to survive an attack.

    Except for big tech companies like Google, Apple, Microsoft or Facebook, most do not have programs for bounty hunting or security audits. Hopefully other companies also have such programs in place with openness and transparency.

    • AtlasBarfed 1695 days ago
      All companies being IT companies was true about 30 years ago, although I agree it becomes more pronounced every year.

      An MBA program that only requires accounting/finance and doesn't require IT management at some basic level should get decredited.

    • close04 1695 days ago
      > consultants to design security instead of hiring ethical hacking services

      One does not exclude the other. And also consider that even the best security practices don't guarantee anything. Hackers can afford to fail 1000 times. The company only has to fail once.

      • dragonsh 1695 days ago
        An ethical hacker will bring down the systems. Indeed I believe that whatever security is in place there is a possibility of a hack. So by using an ethical hacker you let the whole system die and see if the company can recover or continue, either with disaster recovery, a paper-based process, or a combination of multiple strategies. This is what I meant by ethical hacking service. Based on practical experience with the top consulting firms, I can say confidently that besides security by obscurity and a security practice which is a copy-paste of some pre-defined strategy by their so-called experts, almost none employ or pay ethical hackers to bring down their own security or process to show that their strategy works.
        • close04 1694 days ago
          > you let the whole system die and see if the company can recover or continue, either with disaster recovery, a paper-based process, or a combination of multiple strategies.

          You're not describing a security breach scenario here but basically a disaster scenario. It's security vs. resiliency. I mean there are plenty of threat models to protect from, hackers trying to steal secrets, hackers trying to take down your systems, etc. But in the end security is about making sure you detect and/or stop the attacker, other processes take care of rebuilding after they took you down.

          So you wouldn't hire an ethical hacker to take down your systems but rather to identify weak points, exploit them, infiltrate the system and then possibly exfiltrate data. The aftermath of what the hacker did is something else entirely and will be dealt with by your disaster recovery, business continuity processes, PR, etc.

    • C1sc0cat 1695 days ago
      They need to do both!
  • ga-vu 1695 days ago
    Source: https://www.symantec.com/blogs/threat-intelligence/tortoises...

    The Symantec blog is actually more on point, while the Ars piece just picks and chooses what to cite.

    I also don't see why Ars calls these hackers "advanced." They use mundane Windows backdoors, like most hacker groups. Probably a FUD title on Ars' part.

    • phaus 1695 days ago
      Historically the term Advanced Persistent Threat has been used to refer to groups that appear to be a part of some kind of well-funded/organized entity. It doesn't have much to do with the actual sophistication of the attack. However, an unusual level of sophistication could potentially be a piece of evidence that indicates a significant amount of resources one would only expect to see in a large company or government operation.

      Also, in this particular claim Symantec said the attacker used proprietary malware. Doesn't guarantee that it's advanced, but that is something most small groups or individuals don't bother with.

      There are, of course, exceptions to everything. That's why it should ideally take a good amount of evidence gathered over a significant period of time to determine whether any given group is likely to be an APT.

      Another thing to consider is that even an advanced attacker gains nothing by using their most sophisticated techniques when drive-by downloads and malicious email links/attachments still work so well in 2019 that they account for the overwhelming majority of major data breaches.

    • ChrisSD 1695 days ago
      It's unknown how the hackers gained access to install the backdoors. The article suggests, at least in one case, a web server was compromised but they don't know how. All they know is a web shell was installed in that one case.
    • C1sc0cat 1695 days ago
      They are targeting sites in Saudi; it's not like they are going after "hard" targets.
  • ciucanu 1695 days ago
    That's another reason for putting another router after your ISP's box. As long as I'm not an admin on that one, they can do a lot of shady things. Also using a DNS server with external forwarders (PiHole is great for that).
    • programd 1695 days ago
      Not only that, but the quality of commercial router security is appalling. See for example

      https://www.securityevaluators.com/whitepaper/sohopelessly-b...

      That paper needs wider exposure, though sadly it didn’t get much traction here when I submitted it.

    • kd3 1695 days ago
      This should not be underestimated. The ISP cannot be trusted and DNS poisoning is easily done through their box.
    • 3pt14159 1695 days ago
      The problem is that the number of attack vectors is legion. If they don't get you by DNS they'll get you by one of the thousands of other attack vectors.
  • Neil44 1695 days ago
    Ransoming of IT MSPs is 100% a thing now. They know that if they can compromise an account that has access to the company's RMM then they can hit hundreds of businesses with a few clicks. As an IT provider who uses these tools, it certainly keeps me awake at night.
    • close04 1695 days ago
      Many MSPs have far laxer policies than the customers they are servicing. Sometimes they will even go out of their way to undermine the customer's policies in order to cut costs or make the work easier. It makes them a far softer target while almost guaranteeing the same payoff - if you breached the MSP, getting to the customer becomes a much more trivial affair.
  • thrower123 1695 days ago
    This is probably a great strategy. There are a lot of IT providers out there that are... less than totally competent. From the little places that handle the "my Outlook isn't working" questions for local small businesses, to the global services divisions of Fortune 100 tech companies, these places have enormous access. They also tend to not treat their people particularly well...
  • dvfjsdhgfv 1695 days ago
    Something smells fishy here. On the one hand they seem to be very advanced, on the other they do a very bad job covering their tracks and everything points to Iran, with the discovery just a few days after the drone attack. Call me paranoid but this just doesn't add up.
    • dboreham 1695 days ago
      False flag ops are not unknown in history.