What we can learn from the Lazarus Group attacks

by Alex Taverner, Asia-Pacific head of commercial cyber services at BAE Systems Applied Intelligence

The Bangladesh Bank SWIFT hack and Polish Bank network-heist perpetrated by the now famous Lazarus group, were without doubt a wake-up call for all Chief Information Security Officers (CISO) around the world.

The combination of custom malware and insider knowledge with a highly granular understanding of the banks’ networks and operational processes used to perpetrate heists are symptomatic of today’s cyber attacks. Cyber criminals are getting smarter because every time, they are taking stock of the situation, carefully analysing and learning from their previous mistakes and successes to fine tune their strategies.

In response, we see the CISO’s role shifting, becoming more accountable to the board as cyber protection strategies and tools are elevated to their necessary position as a strategic priority. There are a few lessons CISOs can learn from those recent SWIFT attacks, that will help them direct this increased security investment widely.

Lesson #1:  it’s not just about defending against potential threat, it’s about speed to detection and reaction

There is a fundamental shift from defending against potential intrusions, to having a base assumption that networks and systems have already been compromised. This means that today, the focus should be on increasing the speed to detection and response.

The objective of today's CISOs is not to exclusively focus on the prevention of incursions across the increasingly porous and ill-defined perimeter, but to work with the rest of the business to make sure risk  and it’s impact is understood by everyone. CISOs also should focus their efforts on reducing the duration and extent of threats. It’s about being proactive at all stages of the detection chain.

Lesson #2: SOC2 isn’t enough to fight sophisticated cyber threats

While SOC 2nd generation (aka SOC2) tools, such as SIEMs, fuelled many conversations a few years ago, they are not equipped to detect advanced threats.  Today, it is imperative to detect advanced, rapidly evolving threats such as the ones illustrated in the SWIFT incidents as early as possible, and organise timely and tailored responses.

CISOs should move beyond technology designed to identify the threats that they already know about, to those that can detect the ones they don’t. In this effort, they should open the doors to technologies that have proven their worth in other business areas, such as big data, analytics and machine learning.

Lesson #3: SOC3 and threat intelligence, the winning duo

Detection technologies need the right data to be effective, but running analytics over the top of a SIEM or SOC2 data set isn’t the solution. They are still fundamentally constrained by the data set and don’t materially increase the ability to detect advanced threats through these platforms. The solution lies in the third generation SOC (aka SOC3) capabilities, integrating data analytics and threat intelligence.

While the right intelligence used well can have outstanding results, the reverse also holds true. The threats that one organisation is exposed to will be different from those for the organisation next door. SOC3 requires a complete rethink, and CISOs need to figure out exactly what data sets provide the richest sources of such information. Attribution and context is key to the success of tomorrow’s cyber strategies.

Understanding the individual threat actor groups, their motivations, likely targets and modus operandi opens an entire new world of pro-active defence, threat hunting and intelligence-led response.

The ‘operationalisation’ of threat intelligence information is paramount to extracting real value and providing a meaningful defence against prospective attackers.

The ultimate lesson: cross collaboration

If we want to build a common threat intelligence data bank, collaboration across industry, third party bodies and Government is paramount.

When you think about the Polish Bank hack, it is suspected that the malicious code was hosted on the website of the Polish Financial Supervision Authority, the government watchdog for the banking sector that is supposed to set cybersecurity standards for Polish banks.

Collaboration can not only help gather more data and increase analytic power, it can also help design common responses to threats, become smarter for next attacks, and ultimately increase speed to detection and reaction.

 As SOC4 and SOC5 definitions develop, our journey is not just to see potential benefits, but also to fully recognise their requirements and constraints if we are to fully harness their value and build a compelling business case for their adoption.



Tags SIEMcyber threatsCISOsBAE SystemsSwiftBAE Systems Applied IntelligenceLazarusSOC4

Show Comments