The Notifiable Data Breach (NDB) amendment to the Australian Privacy Act 1988 will take effect as of the 22nd of February 2018. Organisations have had 10 months to prepare themselves for the introduction of this new law. The Office of the Australian Information Commissioner (OAIC) has provided thorough resources to help them understand the law and prepare controls for its introduction. While the efforts of the OAIC are a positive step forward, there is something missing in the published recommendations. The OAIC and other organisations, have focused on putting in controls to protect Personally Identifiable Information (PII) with strategies such as 'privacy by design,' which is the process of taking privacy into account throughout the whole development process. While this is valuable, there are gaps which can lead to vulnerabilities. It misses programmes and processes that have previously been developed without privacy in mind. Pre-validation, a review for existing or historical breaches, can help organisations identify and correct these security gaps to help you build a better, more effective security programme.
Each year, the mean time for detecting an active compromise (dwell time) changes, however the vast number of published breaches reveal that compromise events occurred months, if not years, prior to detection. Effectively the threat actor had been 'living off the land,' which is defined as a threat actor using an organisation's inbuilt systems and software to achieve their goal.
Validation as Part of the Cybersecurity Lifecycle
To describe pre-validation in terms of the NDB legislation, think of it like buying a second-hand car. If you are about to make a large investment in something that you depend upon heavily, then you are going to have it inspected for issues that could cause you significant pain and cost in the future. This is the same attitude organisations should adopt when preparing for the NDB legislation. Before you make large investments into how you will report breaches to the Australian Privacy Commissioner, it is of benefit to make sure there is no existing breach to report on. Validating that organisations have a clean threat-free environment ensures that the investments made towards future processes and policies for notifiable breach reporting are not going to be used to report on a pre-existing breach. This pre-validation work will ensure the effectiveness of an organisation's hard work around preparing for notifiable breach laws.
Below, Figure 1 highlights an example of what a cybersecurity strategy lifecycle could look like – you may note its similarity to the Incident Response lifecycle. This is an important comparison because the incident response lifecycle is the treatment of one particular threat, designed to eradicate it from an organisation's environment, while the cybersecurity strategy lifecycle gives you a strategy for your entire technology environment.
Figure 1: Example of a cybersecurity strategy lifecycle
It is to the benefit of the threat actor to keep their connection and access to an organisation operational for as long as possible, hence why the cybersecurity strategy lifecycle is similar to the incident response lifecycle.
There are many variations out there on the 'kill chain,' a process a threat actor follows to complete the objectives of their attack. Reviewing the kill chain highlights that most of the steps involved are focused on getting into an organisation's environment. Getting into the environment undetected presents one of the biggest challenges for online criminals so once they find a way in, they are not going to give up the access they have acquired. Rather, they will keep these back doors open, hiding malware in an organisation's environment, ready to be utilised when they decide to launch an attack. Sometimes this can be seen in an organisation's environment in the form unusual system issues, such as a user logging over VPN from two different countries just minutes apart. An irregularity like this is often inappropriately referred to as a "glitch." If your organisation is experiencing any suspicious network behaviour, it could be a sign to contact an incident response specialist.
Testing Before Investing
Threat actors living off the land is a lot more common than you might think. In fact, the vast majority of Secureworks' targeted threat hunts result in uncovering threats that existing security solutions have missed, allowing us to help eradicate the threat and eliminate back doors to prevent the threat from returning. Even within some of the most sophisticated security postures, we have seen threats lying dormant, often because the threat existed in the network prior to the security strategy's implementation. This is why validating that a threat doesn't exist in your environment should be the first step in preparing for the NBD legislation. This will help make certain your organisation has a clean bill of health before building out a robust strategy to help reduce overall risk exposure.
With NDB laws coming into effect and driving greater attention to cybersecurity, activities such as Targeted Threat Hunting should be seen as food for thought as organisations develop methods and processes related to how they will address these new requirements.