Many organisations get advance warning of impending attacks but fail to act, according to National Australia Bank (NAB) head of cybersecurity Nicholas Scott.
Speaking at the RSA Conference Asia-Pacific in Singapore on Thursday, Scott said that organisations need to look beyond the normal technical aspects of fighting online crime, and consider what techniques criminals are using to conduct their activities.
He said that when organisations see phishing emails that clone their official websites, or impersonate employees, they think that a campaign against their company is starting. However, the truth is more likely that the campaign started six months ago, and that the organisation missed all the signs leading up to it, he said.
According to Scott, the humble spam email is often thrown away because it's seen as a nuisance, but the information security head said that he actually goes out of his way to collect as much spam as he can, from varied sources around the world, in order to mine it for information.
"We mine it and go, 'Oh, look at that, CitiBank, Bank of America, and JP Morgan are starting to be phished, and there's a new payload'," he said. "I can tell you now, that payload is coming to me in the next month or two."
There were other similar sources of information that he said could be mined for information that organisations simply aren't making use of. For example, even how web forms are submitted could provide indications of a potential attack.
He said that there is enough information for organisations to determine whether a form that should take a user several seconds to fill out is actually being submitted in a fraction of a second. Similarly, since the information submitted in a request should match the form's elements, including their order, any variance from these could give organisations an early warning that someone is planning an attack or performing reconnaissance on their systems.
"If I was expecting five fields to come back and six fields get posted, I immediately want to go and freeze the account of that customer, because that customer is being owned," he said.
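The two form-submission signals Scott describes, completion time too fast for a human and a posted field set or order that does not match the form that was served, as an added example that is not code from the article or from NAB. The form layout, the three-second floor, the sample submissions and the timestamp plumbing are all assumed; the function only reports reasons, leaving the response (Scott's is to freeze the account) to the caller.

```python
"""Added example, not code from the article or NAB: checks a posted web form
against the form that was served, on the two signals Scott describes, namely
completion time that is too fast for a human and a field set or order that
does not match the form's elements. Thresholds and data layout are assumed."""
from dataclasses import dataclass


@dataclass
class FormSpec:
    name: str
    fields: list             # field names in the order the page renders them
    min_fill_seconds: float  # fastest plausible human completion time (assumed threshold)


@dataclass
class Submission:
    account_id: str
    form_name: str
    served_at: float   # epoch seconds when the server rendered the form
    posted_at: float   # epoch seconds when the POST arrived
    fields: list       # parameter names in the order they were received


def check_submission(spec: FormSpec, sub: Submission) -> list:
    """Return reasons the submission looks automated; an empty list means it looks normal."""
    reasons = []
    elapsed = sub.posted_at - sub.served_at
    if elapsed < spec.min_fill_seconds:
        reasons.append(f"completed in {elapsed:.2f}s, under the {spec.min_fill_seconds}s floor")
    expected, got = set(spec.fields), set(sub.fields)
    extra = sorted(got - expected)
    missing = sorted(expected - got)
    if extra:
        reasons.append(f"unexpected fields posted: {extra}")
    if missing:
        reasons.append(f"expected fields absent: {missing}")
    # Only compare order when the field set itself matches, so one defect yields one reason.
    if not extra and not missing and sub.fields != spec.fields:
        reasons.append("fields posted in a different order from the form layout")
    return reasons


def triage(spec: FormSpec, submissions: list) -> dict:
    """Map each flagged account to its reasons; clean submissions are omitted."""
    flagged = {}
    for sub in submissions:
        if sub.form_name != spec.name:
            continue
        reasons = check_submission(spec, sub)
        if reasons:
            flagged[sub.account_id] = reasons
    return flagged


# Constructed sample data: a five-field payment form and three submissions.
PAYMENT_FORM = FormSpec(
    name="pay_anyone",
    fields=["payee_name", "bsb", "account_number", "amount", "reference"],
    min_fill_seconds=3.0,
)
SAMPLE_SUBMISSIONS = [
    # a person: 40 seconds, the five fields in the rendered order
    Submission("cust-1001", "pay_anyone", 1000.0, 1040.0,
               ["payee_name", "bsb", "account_number", "amount", "reference"]),
    # a script: 0.2 seconds, six fields including one the form never had
    Submission("cust-1002", "pay_anyone", 2000.0, 2000.2,
               ["payee_name", "bsb", "account_number", "amount", "reference", "debug"]),
    # plausible timing, but the fields arrive in an order the page does not produce
    Submission("cust-1003", "pay_anyone", 3000.0, 3025.0,
               ["amount", "payee_name", "bsb", "account_number", "reference"]),
]

if __name__ == "__main__":
    for account, reasons in triage(PAYMENT_FORM, SAMPLE_SUBMISSIONS).items():
        print(account, "->", "; ".join(reasons))
```

The served-at timestamp is the part that needs care in a real deployment: it has to be recorded server-side (for example bound to the session when the page is rendered), since anything the client supplies can be set to whatever value makes the timing look plausible.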
Another good source for this sort of information is server errors that are often discarded, Scott said.
"Please don't throw the errors away. Collect them and have a look at them, because I think you're in for a bit of a surprise. You'll actually find that these errors are people trying to do things that your system doesn't recognise, and it's the first sign ... that they're trying to do something."
For criminals who are a little smarter, he said a telltale sign that an attack is impending is a host of transactions that are successful up until the very last point. Scott theorises that at this point, the criminals have figured out how to successfully penetrate the organisation's systems, but the surrounding infrastructure — money mules to avoid crimes being traced, recruitment drives, email spamming systems — are not yet in place, and the criminal does not want to unduly alert the organisation to its presence.
"If you see somebody going through ... all of these steps in the transaction within any of your environments, and suddenly it stops and it doesn't complete, I'd be looking very closely at that customer."
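The pattern Scott describes here, sessions that walk through every step of a transaction and stop just short of completing it, as an added detection example that is not code from the article or from NAB. The log format, the step names of the payment flow, the sample log lines and the threshold of two such sessions per account are all constructed assumptions.

```python
"""Added example, not code from the article or NAB: finds accounts whose
transactions repeatedly run through every step of a flow and stop just short
of completing it, the pattern Scott describes as a sign that someone has
worked out the path but is not yet ready to cash out. Log format, step names
and the repeat threshold are assumed."""
from collections import defaultdict

# Ordered steps of a hypothetical payment flow; the last step is completion.
PAYMENT_FLOW = ["login", "select_payee", "enter_amount", "review", "confirm"]

# Constructed log lines: timestamp, account, session and the step reached.
SAMPLE_LOG = """\
2013-07-25T09:00:01Z acct=A001 sess=s1 step=login
2013-07-25T09:00:20Z acct=A001 sess=s1 step=select_payee
2013-07-25T09:00:45Z acct=A001 sess=s1 step=enter_amount
2013-07-25T09:01:02Z acct=A001 sess=s1 step=review
2013-07-25T09:01:10Z acct=A001 sess=s1 step=confirm
2013-07-25T09:05:00Z acct=A002 sess=s2 step=login
2013-07-25T09:05:03Z acct=A002 sess=s2 step=select_payee
2013-07-25T09:05:05Z acct=A002 sess=s2 step=enter_amount
2013-07-25T09:05:06Z acct=A002 sess=s2 step=review
2013-07-25T11:30:00Z acct=A002 sess=s3 step=login
2013-07-25T11:30:02Z acct=A002 sess=s3 step=select_payee
2013-07-25T11:30:04Z acct=A002 sess=s3 step=enter_amount
2013-07-25T11:30:05Z acct=A002 sess=s3 step=review
2013-07-25T11:30:06Z acct=A002 sess=s3 step=review
2013-07-25T12:00:00Z acct=A003 sess=s4 step=login
2013-07-25T12:00:30Z acct=A003 sess=s4 step=select_payee
"""


def parse_log(text):
    """Return (timestamp, account, session, step) tuples from the constructed log format."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *kv = line.split()
        rec = dict(item.split("=", 1) for item in kv)
        events.append((ts, rec["acct"], rec["sess"], rec["step"]))
    return events


def steps_by_session(events, flow):
    """Group in-flow steps per (account, session) in time order, collapsing repeats."""
    sessions = defaultdict(list)
    for ts, acct, sess, step in sorted(events):
        path = sessions[(acct, sess)]
        if step in flow and (not path or path[-1] != step):
            path.append(step)
    return sessions


def stops_at_last_step(path, flow):
    """True when the session walked every step in order except the final one."""
    return path == flow[:-1]


def find_near_complete_abandons(log_text, flow=PAYMENT_FLOW, min_sessions=2):
    """Accounts with at least min_sessions sessions that stop one step short of completing."""
    counts = defaultdict(int)
    for (acct, _sess), path in steps_by_session(parse_log(log_text), flow).items():
        if stops_at_last_step(path, flow):
            counts[acct] += 1
    return {acct: n for acct, n in counts.items() if n >= min_sessions}


if __name__ == "__main__":
    print(find_near_complete_abandons(SAMPLE_LOG))   # {'A002': 2}
```

Early drop-offs such as A003, which leaves after choosing a payee, are deliberately ignored: ordinary customers abandon forms all the time, and it is the repeated run to the final step without confirmation that Scott singles out as worth a close look.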
But that's not the only source of information that Scott said he uses. He said that organisations need to keep tabs on human-interest elements, like large news events that criminals piggy-back off to fool users into clicking on links in emails. He advocated for organisations to keep themselves abreast of the latest major political developments in order to adapt how they might monitor for threats.
He also keeps an eye out for recruitment campaigns, which can indicate what stage an attacker has reached, so that he can alert any duped parties hosting the adverts that the job position is fake.
While the idea may seem to be outside the realm of the chief information security officer's (CISO) responsibilities, Scott said that any damage organisations could do to these criminals could be helpful, whether to prevent an attack on them or someone else.
"If you can disrupt any part of this chain, you will disrupt the ability for them to defraud you of either your products, [or] in my case, money. If you can break it at any point in this chain, you will actually disrupt their ability to be successful," he said.
"These signs are all there. They're probably sitting in half of your systems today, but you're ignoring either as anomalies or errors, or you're ignoring them because it's spam and it's annoying.
"It's there; you've just got to look for the information."
Michael Lee travelled to Singapore as a guest of RSA.