Middle East organisations should devote more time and effort to gathering and using cyber-crime intelligence, as it will give a good return on investment and assist in the establishment and review of IT security strategies and the creation of eCrime investigative measures.
The most important and obvious question surrounding this point is, “How do you get that type of specialised intelligence?” The answer is companies and organisations should ensure that they have a full 360-degreee view of their data, which includes data in motion, static data and volatile data.
To fully achieve this, organisations should consider the implementation of a network capture and monitoring capability. This functionality, particularly during a network attack, would provide and identify essential information contained within the network data packets. This can assist the forensic analyst in determining whether the data traffic is routine or alternatively assist in identifying an attacker who is sending malformed packets to crash important systems or to gain unauthorised and privileged access. Permanent capturing of all network traffic is not normally necessary, however having the capability to quickly employ such a capability can help to speed the analysis during an attack.
Secondly, commissioning an endpoint investigative capability across the enterprise environment enables full visibility into the ‘data at rest’. This ensures swift and efficient investigations into suspect assets, provides remediation and the ability to gather additional intelligence.
Even with data packet capturing capabilities, difficulty remains in meeting an ever-increasing demand for resources to conduct assessments of the acquired intelligence. This is a genuine problem given the amount of data that a medium- to large-sized investigation may include. Therefore organisations should develop an intelligence analysis and remediation team, supported by robust policies, procedures, processes and best practices.
The recent history of hacking incidents and exploits shows there are recurring themes of failing to keep pace with the rate and variety of exploits. The worry is whether the lessons are being learned or is the gap getting wider?
To reduce any such gap, organisations will need to understand the complex and dynamic developments of technical exploits and cyber-security threats and how to make the most of available intelligence. They will need to invest in the skills necessary to enable them to gather intelligence in this ever-changing environment, otherwise, they will have to contend with playing ‘catch-up’ and being left with only a reactive posture.
There is a need for multi-disciplinary partnerships between the public and private sectors to work on emerging problems with the abuse of technology by organised crime. This combined effort could produce a number of significant results, from developing research into technologies and tools, creating a repository for technical papers and improved intelligence. Some organisations are already encouraging their members, stakeholders and business partners to share knowledge, expertise and experience. This sharing of information and intelligence is giving companies the tools to put in place better defences to tackle the abuse of computers and IT systems. It is only through better understanding of the scale and the scope of the problem that they will be able to build effective strategies.
Organisations must realise that they cannot produce cyber-crime intelligence in isolation. It will require them to establish internal and external partnerships that are supported by a framework of regulation and legislation.
When establishing such partnerships, there will be a need for organisations to transcend traditional boundaries in a cost-effective and efficient manner, while maintaining control of their intellectual property and other critical assets. Any methodology needs to be broad to be adopted en masse, flexible to meet the needs of all and flexible to stand the test of time.