www.pwc.co.uk Cyber Threat Landscape April 2013
Cyber Threats: Influences of the global business ecosystem

Technology-led innovation has enabled business models to evolve, and the changing business drivers create both opportunity and risk.

(Slide diagram: the enterprise at the centre, surrounded by Economic, Industry / Competitors, Customer, Suppliers, Environmental, Consumer, Service Providers, JV / Partners and Technology influences.)

42% of organisations view themselves as a leader in information security strategy and execution; only 8% of organisations rank as real leaders.

PwC research launched this week shows that the cost of a breach for a large organisation can total 750,000+.
Cyber Threats: from attacks of opportunity to attacks of objective

PwC teams around the globe are regularly called upon to provide insight into, or help investigate, attacks across the following categories of threat. Increasingly, our research and investigations show a degree of overlap by some threat actors across these categories.

Nation states
  Motivators: global competition; national security; economic / industrial espionage.
  Threat focus: highly targeted, long-term cyber campaigns with a strategic focus on specific data assets.
  Impact: loss of R&D / sensitive intellectual capital; disruption to infrastructure.

Cyber criminals
  Motivators: illicit profit; fraud.
  Threat focus: data breaches with a focus on monetisable assets; identity theft.
  Impact: monetary loss; intellectual property loss; loss of trust and privacy.

Cyber terrorists
  Motivators: ideological; political / retaliatory; malicious havoc.
  Threat focus: financial and government systems; large or high-profile companies.
  Impact: destabilise, disrupt and destroy the cyber assets of corporations and enemy nations.

Hacktivists
  Motivators: political cause rather than personal gain; deniability for states.
  Threat focus: targeted organisations that stand in the way of their cause.
  Impact: disruption of operations; destabilisation; embarrassment.
Cyber Threats: Nation States

What information have we seen targeted by APT actors?

- Telco supply chain and hardware / software choices
- Legal and professional services firms, targeted for M&A data
- Drug manufacturing processes
- Chemical prototype blueprints
- Pricing / contractual documents
- Technology blueprints, R&D plans and progress, marketing strategy, supply chain and customer base data
- Geological maps, survey results and reservoir information
- Emails of executives and M&A / divestiture specialists
- Trading algorithms and system source code
- Customer data and investment strategies
- Land contracts and crop output data
Cyber Threats: Nation States

Targeted attack lifecycle overview

Advanced cyber intrusions typically follow a series of phases in order to achieve a specific objective. These phases are known as the cyber kill chain. (Slide figure: the degree of attacker success rises with each phase completed.)

1. Reconnaissance: understanding your supply chain, conference attendance etc. and developing a believable approach vector to be used later.
2. Weaponisation: turning the believable approach, such as a PDF overview of the IAPP Data Protection Intensive, into a malicious payload.
3. Delivery: deploying a strategy to get the malicious file into the hands of people likely to open it, via email, USB thumb drives and links.
4. Exploitation: as soon as the file is opened, bugs in software programs are exploited in order to execute the malicious payload.
5. Installation: the digital equivalent of copying keys. Now that the attacker is in, they firmly entrench themselves within the IT network.
6. Command & control: with computers now under their control, the attackers begin their hunt for the target data.
7. Data exfiltration: they gather the relevant information, compress and encrypt it, and extract it from the network by making it appear to be legitimate traffic.
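The last two phases leave a traffic signature that the deck describes only in words: a compromised host that talks to its controller on a timer and later pushes compressed, encrypted data out disguised as ordinary web traffic. The following is an added example, not code from the PwC deck, showing one way to surface that signature from a web-proxy log. The log format, the hostnames, the thresholds and the sample lines are all constructed for the illustration; a real deployment would parse the organisation's own proxy or NetFlow export into the same record shape.

```python
"""Added example, not from the PwC deck: flag outbound flows that look like
kill-chain phase 7 exfiltration disguised as legitimate web traffic (and the
timer-driven beaconing of phase 6).  Log format, hostnames, thresholds and
sample lines are constructed for the illustration."""
import math
from collections import defaultdict, namedtuple
from datetime import datetime

# Constructed proxy log: timestamp, internal host, method, destination,
# bytes sent by the client, bytes received.  One workstation pushes 1 MiB
# POSTs every 60 s to a host no other machine in the estate contacts.
SAMPLE_LOG = """\
2013-04-02T09:01:10 ws-finance-12 GET  www.bbc.co.uk          512 48211
2013-04-02T09:02:44 ws-finance-12 POST cdn-sync.example.net 1048576   213
2013-04-02T09:03:44 ws-finance-12 POST cdn-sync.example.net 1048576   213
2013-04-02T09:04:44 ws-finance-12 POST cdn-sync.example.net 1048576   213
2013-04-02T09:05:44 ws-finance-12 POST cdn-sync.example.net 1048576   213
2013-04-02T09:05:31 ws-legal-03   POST intranet.corp.local   204800  1200
2013-04-02T09:07:02 ws-hr-07      GET  intranet.corp.local      400  9000
2013-04-02T09:08:00 ws-legal-03   GET  www.google.com           740 15000
2013-04-02T09:09:15 ws-hr-07      GET  www.bbc.co.uk            512 48211
"""

Record = namedtuple("Record", "ts src method dst bytes_out bytes_in")
Finding = namedtuple("Finding", "src dst bytes_out reasons")


def parse_log(text):
    """Parse the constructed whitespace-separated format above."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, method, dst, out, inn = line.split()
        records.append(Record(datetime.fromisoformat(ts), src, method, dst,
                              int(out), int(inn)))
    return records


def beacon_jitter(timestamps):
    """Mean gap between consecutive requests and its population std-dev, in
    seconds.  Near-zero jitter means a timer-driven client, not a person."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = sum(gaps) / len(gaps)
    return mean, math.sqrt(sum((g - mean) ** 2 for g in gaps) / len(gaps))


def find_exfil_candidates(records, min_bytes_out=1_000_000, max_jitter=5.0,
                          internal_suffix=".corp.local"):
    """Score each (host, destination) pair on three weak signals and report
    pairs that trip at least two; any one signal alone is too noisy."""
    flows = defaultdict(list)
    hosts_per_dst = defaultdict(set)
    for r in records:
        flows[(r.src, r.dst)].append(r)
        hosts_per_dst[r.dst].add(r.src)

    findings = []
    for (src, dst), rs in flows.items():
        out = sum(r.bytes_out for r in rs)
        inn = sum(r.bytes_in for r in rs)
        reasons = []
        # Signal 1: large volume, and the direction is wrong for browsing.
        if out >= min_bytes_out and out > 10 * max(inn, 1):
            reasons.append(f"upload-heavy ({out} bytes out, {inn} in)")
        # Signal 2: an external destination that only this host ever contacts.
        if len(hosts_per_dst[dst]) == 1 and not dst.endswith(internal_suffix):
            reasons.append("external destination unique to this host")
        # Signal 3: machine-regular timing across three or more requests.
        if len(rs) >= 3:
            mean, jitter = beacon_jitter(r.ts for r in rs)
            if jitter <= max_jitter:
                reasons.append(f"regular {mean:.0f}s interval (jitter {jitter:.1f}s)")
        if len(reasons) >= 2:
            findings.append(Finding(src, dst, out, reasons))
    return findings


if __name__ == "__main__":
    for f in find_exfil_candidates(parse_log(SAMPLE_LOG)):
        print(f"{f.src} -> {f.dst}: {f.bytes_out} bytes out")
        for reason in f.reasons:
            print("   ", reason)
```

On the constructed sample only the ws-finance-12 to cdn-sync.example.net flow trips all three signals; the genuine intranet upload and the single-host visit to www.google.com each trip at most one and stay quiet, which is the point of requiring two. Encrypted payload content is deliberately not inspected: the deck's phase 7 attacker has already made the bytes look like legitimate traffic, so volume, direction, destination rarity and timing are what remain.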
Cyber Threats: Cyber criminals

(Slide map label: St. Petersburg.)

At the time of writing, PwC has worked on at least four large breach incidents, and has knowledge of several more, involving a prolific cybercrime group who focus on network intrusions at card processors, resulting in high-value cash-out frauds.

(Slide timeline, as recovered; years and amounts are paired in the order they appear on the slide: 2008 (?) $9.4m; 2011 $13m; 2012 $20m; 2012 $2m; 2013 $39m. 7m card details compromised.)
Cyber Threats: Hacktivism / Terrorism
Cyber Threats: The aftershocks

- What did they do on our systems?
- How did they get in and what did they exploit?
- Who's behind it and what do they want?
- Are they still on our systems?
- What data did they get?
- How do we get rid of them?
- How do we stop them next time?
Cyber Threats: Operating in an Assumed State of Compromise

Organisations are adjusting their security posture to anticipate that a security breach or compromise has already taken place or will occur. This drives a different perspective on where time and effort is invested.

Traditional Security Lifecycle (slide diagram): Prevent, Detect, Respond / Remediate, Correct / Enhance.

State of Compromise (slide diagram): Security Management, Discover, Triage / Contain, Cyber Incident & Crisis Management.

Cyber Evolution: a holistic approach. The increased volume, complexity and detection difficulty of attacks, and their associated impact, is driving enterprises to adopt a new approach to security.
Cyber Threats: directing investment to the things that matter

(Slide diagram repeated: Traditional Security Lifecycle of Prevent, Detect, Respond / Remediate, Correct / Enhance; State of Compromise of Security Management, Detect / Discover, Triage / Contain, Cyber Incident & Crisis Management.)

Incremental capabilities needed for resilient cyber security:

- Organisation & governance: an information-risk-led approach; effective governance and accountability that appropriately reflect the importance of cyber security to the business.
- Information-asset-centric security: a clear view of what data exists and what is important; an information governance policy and programme.
- Threat intelligence: the capability to understand and adapt the security posture to emerging threats.
- Detection / monitoring: predictive monitoring and analytics bringing together multiple data sources; full visibility enterprise-wide.
- Security behaviours and culture: people behave differently through a clear understanding of what matters.
- Security in the business ecosystem: third-party and supplier security management, including data in the cloud.
- Incident response & crisis management: an integrated capability to respond to incidents (crisis management together with technical response and forensic capability).
- Preventative controls and IT hygiene.
Kris McConkey, Director, Cyber Security
+44 (0)207 804 2471
kris.mcconkey@uk.pwc.com

The Global Network: our global network comprises more than 3,000 cyber investigative, security and risk services professionals.

This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers LLP, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.

2013 PricewaterhouseCoopers LLP. All rights reserved. In this document, "PwC" refers to PricewaterhouseCoopers LLP (a limited liability partnership in the United Kingdom), which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.