Understanding the threat key to good cyber defence
ONE indirect result of the SingHealth cyberbreach - in which digital records of 1.5 million patients were stolen - has been that there is now growing realisation within South-east Asia that data breaches and cyber attacks do not happen only in the West. Feedback from security researchers suggests that in S-E Asia, outside of Singapore, there has been, till now, less awareness about the nature of the global cyberthreat. The SingHealth breach has in fact helped to highlight the danger to the region. It is necessary to understand the nature of the threat so as to be able to take appropriate defensive measures. Good defence can mitigate a lot of the dangers that cyber criminals pose.
Hackers (or threat actors) are not one homogeneous group. Various motives drive different groups of hackers, and their targets and modus operandi vary. Cyber security company FireEye's Steve Ledzian, technical director for Asia, says there are three types of hacker groups. He is an Asia expert for FireEye, which provides protection against advanced cyber threats and also jointly runs an Advanced Security Operations Centre (SOC) with Singapore Telecommunications (SingTel).
"Hacktivists" are a group of threat actors who often attack websites and organisations for political or ethical reasons. Their motive may at times be to cause financial harm to their targets, but it does not involve personal financial gain.
The second and probably biggest group are cyber criminals whose principal motive is financial gain. They are out to steal information like credit card details, which can later be monetised. A combination of sophisticated infiltration techniques and sledgehammer-type attacks like the WannaCry ransomware, which struck in May 2017 and affected several hundred thousand computers around the world, is their tool of the trade.
The third group is probably the most dangerous. These are actors that use what is known as advanced persistent threats (APTs), in combination with other tools, to steal information, often for espionage. An APT is a prolonged and targeted cyber attack in which an intruder gains access to a network and remains undetected for an extended period of time. The intention is usually to monitor network activity and steal data rather than cause damage. It is significant that the Singapore government has stated that the attack on SingHealth was carried out by APT groups linked to foreign governments.
While it is useful to categorise different types of threat actors to get a better understanding of their motives, it should also be kept in mind that there is some overlap. Some sophisticated criminal gangs also use APTs to steal information for financial gain, sometimes on behalf of a third party. It is in this context that one needs to view the various measures that the Cyber Security Agency of Singapore (CSA) is proposing to safeguard Singapore's critical information infrastructure (CII). The Internet-separation proposal - whereby CII networks would be kept physically separate from the Internet, with access only through well-guarded "secured information gateways" - is a strong measure but hardly unique. Many organisations around the world employ such techniques to safeguard data. While this is a good strategy for critical CIIs, it is not always a practical solution for many other organisations. At the end of the day, there is a need to balance security with convenience, especially in the private sector.
There are two types of cyber defence technologies. One is geared more towards prevention, to block hackers from gaining access to the network. These would include solutions like firewalls and intrusion detection software. Detection and response technologies are less well-known; they focus on policing the network to find out if there has been an intrusion and, if so, work out a strategy to minimise the damage. Both approaches are complementary and are needed to provide a strong cyber defence.
However, herein lies a problem. As Mr Ledzian notes, historically organisations have invested very heavily in prevention technologies and not so much on detection and response. There is an urgent need for Singaporean companies to look at what gaps they have around detection and response and fill those in.
One of the great misconceptions in cyber security is that once a breach happens the impact, in terms of damage, both physical as well as financial, starts simultaneously. This is not always the case, save for relatively crude cyber attacks like ransomware.
A security breach happens well before the actual business impact is felt. There usually is enough time to take steps to kick out the attacker from the network with the proper tools.
Most security experts, like Mr Ledzian, note that it is virtually impossible to prevent a sophisticated and determined hacker from gaining access. The defence has to work all the time while a hacker needs to get lucky just once. So the determining factor is how soon the presence of the hacker can be detected in the system and how robust the response is in preventing damage.
For Singapore companies that cannot afford to put in place the requisite stringent steps to protect CIIs, the best option is to have a holistic strategy for cyber security. Being breached is not the end of the world. Not being able to detect the breach in time is, however, the danger.