Every organization – no matter who they are, how large they are, or where they are in the world – is at risk from cyber attackers. More than $125 billion each year is spent on information security worldwide and the spending is increasing. Cyber attackers are, however, evading the defense, breaking in, remaining undetected for months, and finding the Crown Jewels. First, the attack surface is getting larger for the attackers to exploit and there are too many doors, windows and entry points. It is not a question of IF but WHEN and here’s why –

The latest include –

• Australian organizations are being targeted by a “sophisticated state-based cyber actor” and the attack was targeting all levels of government as well as political, business, education and health organizations.
• Cyberattacks on health care, pharmaceutical and research organizations in order to steal valuable research on coronavirus vaccines and treatments.
• Amazon discloses large cyberattack attempted against a cloud customer. AWS Shield fended off the attack, which threw 2.3 trillion bits of data per second at the customer’s cloud service and much higher than the previous DDoS record of 1.7 trillion bits per second in 2018.
• H&R Block reports unauthorized access of customer accounts: The tax prepare discovered in early June that some customer accounts on their portal had been accessed in late April by an intruder.
• Cognizant employee data breached. Cognizant Technology Solutions Corp. notified an unspecified number of employees and customers were impacted.
• Akamai gives customers more time to pay bills; and fallout from attack on legal-tech firm Epiq hits several large customers. Hackers trigger far-reaching destruction by targeting low-profile firm.
• Austrian telecoms (A1 Telekom Austria) detected a hacker on its network in December (2019) but it took them about six months to eject the hacker given this was an advanced persistent threat (APT).

The Newton’s first law is the law of inertia, it is also, alas, the first law of cyber attacked companies. It’s not their fault since there are innate cognitive biases that bind us to the present while blinding us to long-term threats and opportunities.

Among them are availability and confirmation biases, which is our instinct to solve problems based solely on the information that we have immediately at hand and our tendency to interpret data in a way that supports our pre-existing expectations. A one size fits all approach doesn’t work since all cyber attacks are not made equal and most likely why companies are getting wrong today in terms how they approach cyber security. A malware is several standard deviations different than an advanced persistent threat (APT) campaign that isn’t in the realm of a normal hack. Where a less sophisticated cyber attack might be dealt with by removing malware from compromised computers, fending off an APT requires analyzing attacker’s behavior; a cat and mouse game that can take several months to analyze hacker movement and damage.

What’s different in an advanced persistent threat (APT)?

The hacker is going to quietly study how the network and servers are connected for some time before preparing to conduct espionage leveraging a VPN (Virtual Private Networks) or equivalent to mask their location and presence.

How you mitigate advanced persistent threat (APT)?

Here are some techniques for consideration among a long list of them-

1. It is just as important to predict the behavior of the intruders and shut down entry points to the network when the attackers aren’t active.
2. The operation of kicking a hacker out of a network must be executed quickly while the attacker is inactive so that any openings into the company’s infrastructure can be sealed up before the hacker has time to respond.
3. There needs to additional safeguards to separate the less critical parts of its network from the critical infrastructure.
4. There needs to be an additional layer of security credentials making it harder for anyone without the extra login details to access the network infrastructure.
5. One option is to disconnect servers from the internet and make existing passwords invalid at the same time before carefully letting users back in.
6. Back up corporate data so that nothing would be lost if the hacker outsmarted you.
7. Leverage multifactor authentication to access all corporate accounts.
8. Augment the tools that monitor threats so they will receive alerts more frequently about attempted intrusions.

It’s a big effort for any company that suffers an attack. It is far more effective to invest in detection and prevention than remediation.