In the 1999 movie classic The Matrix, Morpheus poses the question “What is real? How do you define real?” to the protagonist Neo. Similarly, as our physical and digital worlds continue to meld, it has become increasingly hard to determine what is real in cyberspace. Today, cyber attackers have evolved to use manipulation and trickery to distort our data, forcing us to question even the basic integrity of our digital reality.
Research from VMware’s 2021 Global Incident Response Threat Report found that attacks that cause destruction and threaten integrity now occur more than half of the time. Whether it be via business communication compromise, the manipulation of time, or dreaded deepfakes, attackers are finding new ways not just to infiltrate victims’ infrastructure, but also to colonise it to launch attacks on others in turn.
A single point of failure
What defenders have traditionally relied on to determine something digital as ‘real’ is data integrity – the assurance that digital information is uncorrupted and can only be accessed or modified by those authorised to do so.
Organisations go to great lengths to preserve data integrity as it is a key component of data security. The Singapore Government commissioned a Public Sector Data Security Review Committee in 2019 to ensure data integrity and prevent malicious modifications of data in transit. Security systems and protocols heavily rely on data integrity for a “single source of truth.” However, these systems also all rely on a single point of failure – time.
Time’s immutability makes it the foundation of security, and we have come to rely on timestamps, date records and chronological order as proof of authenticity. Yet cybercriminals are now taking advantage of this through the manipulation of timestamps, or Chronos attacks, which nearly 60 percent of respondents observed. Other research has also found that 41 percent of financial institutions have observed the manipulation of timestamps, as cybercriminals attempt to alter the value of capital or trades.
Environmental manipulations including time are particularly insidious. When attackers can make themselves invisible to any time-reliant queries, they evade detection and stymie response. By doing this, they poison data sets and undermine the confidence security teams have in them, making it harder to use time as a verifier of a single source of truth.
Battening the hatches
Given this escalation to attacking the very reality of our data, is fighting back the answer? Some in the trenches sure think so, with incident response professionals now willing to employ cyber offense as defence. VMware’s 2021 Global Incident Response Threat Report found that 81 percent of respondents are willing to leverage active defence techniques in the next 12 months. These tactics range from deception to disruption, such as deploying deception grids and micro sharing data, and creating a hostile environment for would-be attackers.
While these techniques are useful in the fight against attackers, hacking back is not recommended. Instead, cyber vigilance must be the de facto weapon and penetrate every aspect of the organisation. These are some recommended tactics that CISOs can adopt:
- Track identities on the move and embrace multi-factor authentication.
Attacks today often occur under the radar. With attackers often covertly entering the system, just-in-time administration and multi-factor authentication will be key to tracking identities on the move and heading them off at the pass. In the recently released “Information Security during the Covid-19 pandemic” handbook, the Vietnamese government emphasises the need for two-factor authentication for users to safely operate in cyberspace.
Worryingly, despite being a commonplace option, fewer than half of Singaporeans use two-factor authentication to secure online accounts according to the Cyber Security Agency of Singapore – making this an open loophole that organisations and individuals must close.
- Perform regular audits on all time-based dependencies
Knowledge is power – attackers are now setting their sights on data integrity, which means security teams must do the same. Audits should already be done on a regular basis, and now must include increased emphasis on the redundancy and resiliency of time. Endpoint detection and response should also be deployed with time manipulation in mind and focus on time-based dependencies to ensure the integrity of upstream data sets.
These audits should take into consideration possible attack vectors and scenarios that may be used to disrupt or manipulate timing infrastructure, as well as real world testing of time manipulation.
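One check such an audit can include, shown as an added example that is not from the original article or the VMware report: compare event timestamps against an ordering that does not depend on the clock. It assumes the log store assigns an append-only sequence number to each record; the field layout, function names and sample records are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample records: (sequence number, ISO timestamp, message).
# Assumption: the log store assigns "seq" itself, append-only, independent
# of the host clock that produced the timestamp.
SAMPLE = [
    (101, "2021-08-10T09:00:02", "login user=svc-backup"),
    (102, "2021-08-10T09:00:41", "read /finance/ledger.db"),
    (103, "2021-08-09T03:15:00", "write /finance/ledger.db"),   # backdated
    (104, "2021-08-10T09:01:30", "logout user=svc-backup"),
    (106, "2021-08-10T09:02:05", "login user=alice"),           # 105 missing
]

def parse(records):
    return [(seq, datetime.fromisoformat(ts), msg) for seq, ts, msg in records]

def window_query(events, start, end):
    """Time-reliant query: what an analyst sees when filtering by timestamp."""
    return [seq for seq, ts, _ in events if start <= ts <= end]

def audit_time_order(events, tolerance=timedelta(seconds=5)):
    """Walk events in sequence order and report timestamp regressions and
    sequence gaps, neither of which depends on trusting the timestamps."""
    findings = []
    high_water = None   # latest timestamp accepted so far
    prev_seq = None
    for seq, ts, _ in sorted(events, key=lambda e: e[0]):
        if prev_seq is not None and seq != prev_seq + 1:
            findings.append(("gap", prev_seq + 1, seq - 1))
        if high_water is not None and ts < high_water - tolerance:
            # Timestamp runs backwards relative to write order.
            findings.append(("regression", seq, high_water - ts))
        else:
            high_water = ts if high_water is None else max(high_water, ts)
        prev_seq = seq
    return findings

if __name__ == "__main__":
    events = parse(SAMPLE)
    start = datetime(2021, 8, 10, 9, 0)
    end = start + timedelta(minutes=5)
    print("window query sees:", window_query(events, start, end))
    for finding in audit_time_order(events):
        print("finding:", finding)
```

The five-minute window query returns every record except the backdated write, while the sequence-order audit flags both that record and the missing sequence number.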
- Conduct regular threat hunting
Prepare for the worst, hope for the best – so the saying goes. Security teams should assume attackers already have multiple avenues into the organisation and act accordingly. Threat hunting should be conducted on a weekly basis and on all devices and must be a key component of any organisation’s cybersecurity strategy.
Consequently, bug bounty programmes are gaining traction in APAC, with Lazada launching a bug bounty programme in Southeast Asia with up to US$10,000 per bounty. Singapore’s GovTech also offers pay-outs of up to S$5,000 to white-hat hackers who uncover public sector security vulnerabilities. Bug bounties help security teams detect behavioural anomalies, as attackers can maintain clandestine persistence in an organisation’s system while they conduct reconnaissance.
Furthermore, threat hunting shouldn’t be exclusive to just the organisation. High profile supply chain attacks on the US Colonial Pipeline and SolarWinds have unfortunately proved that organisations are only as strong as their weakest (supply chain) link. Defenders should hence expand threat hunting to the outside general counsel, managed service provider, and even marketing or public relations firms.
- Apply micro-segmentation
As with a high-security bank vault, adversaries should not have immediate access to sensitive data once they make it past the front door. A Zero Trust approach with micro-segmentation builds zones within the organisational perimeter defence, limiting attackers’ ability to move laterally. This forces attackers to pass multiple trust boundaries when attempting to cross security zones, with each traversal providing opportunities for detection and prevention.
It is simply a matter of time before attackers find more insidious ways to breach organisations. This makes it more critical than ever that organisations have a defensive mindset at the top. From there, teamwork is key. From the CISO down to the folks on the frontline, the full organisation must work together in the cyber trenches to stay one step ahead of attackers.