In May 2018, insurance company Aflac revealed that it had been the target of a successful cyberattack that led to a data breach and the possible exposure of customers’ sensitive personal information. The attack occurred via a hack of independent contractors’ email accounts
Similarly, in 2014, Anthem, a health insurer, experienced the largest theft of customer data from a U.S. healthcare institution in history to that date. This hack was executed using a phishing attack, through which the attackers gained access to valuable customer data
. As a result of this hack, close to 79 million customers
had their sensitive data, like Social Security numbers and addresses, jeopardized.
The Anthem cyberattack is just one of a number of attacks targeted toward health insurers in recent years. Insurance companies, like other financial services organizations, are, of course, a primary target for cyberattacks. Adversaries are looking to profit from their attacks, so hacking insurance companies can serve that end. Cyberattacks targeted toward this industry have stolen customer data and used that data to commit profitable fraud schemes. Beyond concerns about cost – which, of course, are significant – insurance companies have added worries when it comes to digital security. Given the extremely sensitive nature of data collected and used by insurance companies, cybersecurity measures are particularly important for these firms, especially those looking to gain and keep trust with consumers. In addition, regulations on the industry require a greater level of protection than many other industries to remain compliant.
As a result, cybersecurity has become an essential part of doing business in the insurance industry. Across the industry, firms are stepping up their game when it comes to cybersecurity. These companies are deploying more and more resources toward cutting-edge technologies like machine learning, artificial intelligence and orchestration.
See also: Quest for Reliable Cyber Security
An important question to consider, though, is to what strategic ends are these cutting-edge technologies being put. Are they simply bolstering traditional methods of cybersecurity, or are they being used for methods of cybersecurity that are innovative, instead of simply faster or more efficient versions of the same product?
The Incident Response Approach to Cybersecurity
Traditional cybersecurity approaches are focused on reporting about intrusions, in what is known as an “incident response.” What this means is that an adversary – commonly referred to as a “hacker” – finds some way to gain access to a target and compromises it. The target can be accessed through vulnerabilities in web frameworks, internet browsers or internet infrastructure such as routers and modems. Regardless of the method used, once an attacker is discovered, the forensics about the attack, including basic information known as Indicators of Compromise (IOCs) like IP addresses, domain names or malware hashes, are shared across the cybersecurity community. These IOCs are then used broadly to thwart future attacks.
The problems with this approach are twofold: Like a canary in a coal mine, someone has to be a victim first so that IOCs can be derived and shared with others; additionally, blocking IOCs has a very short half-life. Most adversaries subscribe to the very feeds that companies subscribe to to quickly learn if they have been exposed. All an adversary has to do is come from a new IP address or recompile its malware so that it has a new hash value (both of which are extremely trivial) and its attacks will sail through defenses that depend on IOCs. This after-the-fact methodology consumes a lot of resources and generates a lot of seemingly valuable metrics, but it is ultimately flawed.
Cybersecurity teams and adversaries are trapped in an endless loop where the adversary always has the advantage. As hackers repeatedly gain access to valuable systems and data using the same methods, cybersecurity teams continue to chase after them to secure compromised systems. While a great deal of effort is put toward understanding as much as possible about the adversary and his methods, only a small amount of that understanding is used, and only to perform the very basic actions described above. Adversaries continue to play chess, strategizing about how to slip past cybersecurity teams unnoticed, while those same teams act as though the game is more like tic-tac-toe. Very little cybersecurity effort is put toward addressing the methods used by adversaries; instead, security teams are locked in a pattern of waiting for inevitable attacks, trying to minimize the damage they cause, ensuring that remediation occurs as quickly as possible and blocking only exactly identical attacks.
Planning for the Future of Cybersecurity
As is readily apparent, these current, standard methods of cybersecurity are fundamentally flawed. Incident response only helps prevent attacks that exactly replicate past ones. To stem the flow of cyberattacks and to truly protect against them, the cybersecurity industry needs to embrace a paradigm shift. Rather than rely solely on the incident response and recovery methods that have been used for many years, a more sophisticated approach is needed. It will need to be designed to successfully recognize adversary methodology (and all the manners in which an adversary attempts to obfuscate its methodology) before attacks occur and at a meaningful scale. This kind of approach, when paired with incident response tactics, could provide true security to vulnerable, critical networks.
If the cybersecurity world wants to halt dangerous, costly attacks, there is a great need to shift attention toward prevention. Instead of seeking discrete, static IoCs based solely on what has already occurred, cybersecurity analysts can instead use the intelligence they have derived about adversaries’ methodologies – commonly referred to as tactics, techniques and procedures (TTP). From these TTPs, analysts can identify the general form and components of an adversary campaign. In addition, they can determine abstract indicators like how the adversary is attempting to hide his actions. A cybersecurity tool would be able to recognize possible adversary TTPs and indicators that describe a threat (or threatening behavior) in general terms. The system would then act on any traffic that met this pattern before
it reaches inside a network, as the attack occurs, and do so in a way invisible to adversaries. Using this basic model, a cybersecurity tool could truly prevent common exploits before they were executed and could even predict and protect against future, not-yet-seen exploits. In addition, this prevention plus response method of cybersecurity enables teams to truly take advantage of cutting-edge technologies in ways that change the game, instead of simply adding speed (and cost).
See also: Best Practices in Cyber Security
A TTP-based cybersecurity tool would work in concert with existing incident response, internally focused cybersecurity efforts, adding a layer of prevention over the top of this vital but flawed process.
With these two methods employed hand-in-hand, cybersecurity teams can make headway in reducing the number of attacks and can more quickly and productively respond to attacks that do prove effective.