Advanced persistent threats: What treasurers need to know
Elizabeth M. Petrie
Director Cyber Threat Risk Management, Citi
Global Product Manager, Digital Security, Treasury and Trade Solutions, Citi
Cyber threats are on the rise and no industry is immune. According to a January 2016 report by Forbes, the global cost of cybercrime will reach $2 trillion by 2019. While the direct losses from such attacks are costly, often larger are the costs of recovering from these incidents, as well as the long-term reputational damage. A Ponemon Institute study found that the total cost of cybercrime for a corporate in the U.S. averages $15.4 million per year.
The one piece of good news is that while cyber-attacks are rapidly increasing, businesses and banks are getting far better at detecting this nefarious activity and are working more closely together to share information and best practices. Awareness is increasing and companies are strengthening their defensive postures. However, as more companies digitize the way they conduct business, the number of targets for attack is also growing. Online criminals have become more sophisticated, targeting individuals to compromise and seeking to access or damage a target company’s computer network or system with the intent of acquiring data or money.
One of the more pernicious forms of attack today is the advanced persistent threat (APT), in which a sophisticated actor gains access to a network and stays there undetected for an extended period of time. In order to develop effective security strategies that combat such threats, treasurers need to spend time deconstructing the threat and understanding who is trying to attack them, what they want, and how a company can best position itself to protect against exploitation and exposure.
The evolution of cyber threats
As technology has evolved, so too have the tactics of cybercriminals. We’ve seen a shift from decentralized, individual attackers to highly networked and sophisticated groups. The attackers of yesterday developed their own tools and went after targets of opportunity, exploiting well-known vulnerabilities. As networks became more complex, these individuals began to band together in loosely knit groups. Attacks have become more refined as tools are shared, and also sold as new revenue streams. Today, we are facing a highly networked and well-equipped adversary.
A good defense starts with knowledge and insight
The best defense against such threats starts with knowledge and insight. Focusing on understanding the enemy and thinking about how attackers may want to target your organization is key to developing a strong defensive posture.
The most basic questions begin with who is targeting you, what is motivating them, and how are they doing it? Attackers generally fall into one of five broad categories – cybercriminals, hacktivists, cyberterrorists, insiders and nation-states. Each has its own specific motivations. For instance, cybercriminals are usually financially motivated and rely on social engineering. Hacktivists are looking to advance a social or political agenda through attacks that are often disruptive. Cyberterrorists are typically politically or ideologically motivated and seek to instill fear through attacks. Insiders are frequently driven by a range of possible motives, from fraud to revenge or a desire for destruction. Because they often already have authorized access to networks and systems, these attackers are difficult to detect. Lastly are nation-states, which tend to be among the most sophisticated attackers, targeting trade secrets and sensitive information in support of their national interests.
Spearphishing is the chief weapon of APT
Whether the goal is theft of intellectual property or outright pilfering of funds, the trademark qualities of an APT actor are patience and persistence. These attackers often wait for the best time to take the greatest amount of money or the most valuable intellectual property they can. They are usually very strategic and deliberate in order to prevent detection.
The primary weapon of APT attacks is typically spearphishing or whaling, which use targeted email to gain access to networks and systems by tricking recipients into clicking a link or opening an attachment containing malware. Personal information is used to make the malicious email indistinguishable from other legitimate communications, so as to not raise suspicions. Attackers really do their homework and work to understand the target, where they sit in the organization, and what message will be deemed trustworthy. Vigilance and education are the best weapons against spearphishing and whaling campaigns.
No one is immune from the threat
As organizations harden their perimeters, cybercriminals are increasingly targeting corporate data that can be monetized. In 2017, the National Bureau of Asian Research reported that the losses associated with theft of intellectual property could be as high as $600 billion in the U.S. Some say it is the greatest transfer of wealth in history.
And anyone within an organization can be targeted – even if they are not directly involved with intellectual property or finance. APT perpetrators will often target a broad range of employees and then move laterally, crawling through the org chart until they reach the right personnel.
Fighting back against sophisticated threats
The first step in fighting back against these sophisticated threats is to understand the enemy and understand yourself. What preparation do you have in place to respond to a large loss of intellectual property or a significant and rapid loss of funds? Are your vendors and third-party relationships a source of vulnerability for your organization? Consider conducting a holistic threat assessment to identify gaps in security measures and put controls in place to mitigate them.
Technology alone is not sufficient to defeat cyber-adversaries. At Citi, we believe the best approach blends technology with teamwork and good talent. When solid methodologies are combined with intelligent tradecraft, it becomes possible to build a strong defensive perimeter and posture. Working with a banking partner is imperative to gain critical information and insights into the latest threats and steps that treasury can deploy to counteract them.