Advanced persistent threats and other forms of covert malware can be detected by better network monitoring.
In August last year it was discovered that a team of Russian hackers known as APT28 (or Fancy Bear) had used a leaked NSA tool (EternalBlue) to infiltrate the networks of major hotel chains in Europe and the Middle East.
According to the reports, the intruders gained an initial foothold through phishing, used the exploit to spread laterally through the hotels' local area network (LAN) infrastructure, and then sat unobserved on the WiFi intercepting guest traffic (including usernames and credentials). Those credentials were reused to reach back-end corporate systems and servers and to deploy further malware.
Though we doubt one was actually needed, the incident provided a painful reminder that existing cyber security tools do not always do a good job of preventing unauthorised system access, not least because they tend not to monitor internal (east-west) network traffic for suspicious behaviour. If an attacker makes it past the firewall and the identity and access management system using bona fide credentials, every login looks legitimate to those controls, and they can be left free to steal whatever information they like without being detected.
Hotel WiFi has long been judged vulnerable to cyberattacks and malware. But the same is true for other public access wireless networks that regularly recycle large numbers of unfamiliar users attaching their own devices – in the education, health care and local government sectors as well as hospitality, for example.
Better network monitoring and traffic analysis, including of internal traffic, to establish a baseline of what constitutes 'normal' usage is one way to make irregular activity more conspicuous before it leads to disruption, though this can create a significant management overhead for hard-pressed IT staff.
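As an added illustration of what such baselining looks like in practice (this is example code written for this article, not a tool from the incident reports or any vendor), the script below builds a per-host baseline of which internal hosts each machine talks to over SMB (TCP/445, the service EternalBlue abuses) from connection logs, then flags hosts in a later window that contact internal peers they never touched before or whose fan-out jumps far above their own history. The log lines, IP ranges, thresholds and the four-column record format are all constructed assumptions for the example; a real deployment would read Zeek or NetFlow records instead.

```python
"""Baseline internal SMB peers per host and flag departures from the baseline.

Added example: the log lines below are constructed for illustration and the
record format (epoch seconds, source IP, destination IP, destination port)
is an assumption, loosely modelled on a flow/conn log but not real data.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed internal address space for the example.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Constructed baseline window: ordinary activity, each host reaching one or two
# file servers in 10.0.5.0/24 over TCP/445.
BASELINE_LOG = """\
1500000000 10.0.1.10 10.0.5.20 445
1500000060 10.0.1.10 10.0.5.21 445
1500000120 10.0.1.11 10.0.5.20 445
1500000180 10.0.1.12 10.0.5.20 445
1500000240 10.0.1.10 10.0.5.20 445
1500000300 10.0.1.13 10.0.5.30 443
"""

# Constructed observation window: 10.0.1.12 suddenly sweeps peer workstations
# and another subnet over SMB, the fan-out pattern of an exploit-driven spread.
OBSERVED_LOG = """\
1500600000 10.0.1.10 10.0.5.20 445
1500600001 10.0.1.12 10.0.5.20 445
1500600002 10.0.1.12 10.0.1.10 445
1500600003 10.0.1.12 10.0.1.11 445
1500600004 10.0.1.12 10.0.1.13 445
1500600005 10.0.1.12 10.0.2.50 445
1500600006 10.0.1.12 10.0.2.51 445
1500600007 10.0.1.11 10.0.5.20 445
"""


@dataclass
class Alert:
    src: str
    new_targets: list[str] = field(default_factory=list)  # peers unseen in baseline
    fanout: int = 0            # distinct internal SMB peers in the observed window
    baseline_fanout: int = 0   # distinct internal SMB peers during the baseline


def parse(log: str):
    """Yield (ts, src, dst, dport) tuples from the constructed log format."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        yield float(ts), src, dst, int(dport)


def smb_peers(log: str) -> dict[str, set[str]]:
    """Map each source host to the set of internal hosts it reached on TCP/445."""
    peers: dict[str, set[str]] = defaultdict(set)
    for _, src, dst, dport in parse(log):
        if dport == 445 and ipaddress.ip_address(dst) in INTERNAL:
            peers[src].add(dst)
    return peers


def detect_lateral_movement(baseline_log: str, observed_log: str,
                            max_new_targets: int = 2,
                            growth_factor: int = 3) -> list[Alert]:
    """Flag hosts whose SMB behaviour departs from their own baseline.

    Two independent signals, either of which raises an alert:
      * contact with more than max_new_targets internal peers never seen before;
      * fan-out more than growth_factor times the host's historical fan-out.
    A host absent from the baseline (a device new to the network) is treated
    as having a baseline fan-out of one so a single new connection alone is
    not enough to trigger the second signal.
    """
    baseline = smb_peers(baseline_log)
    observed = smb_peers(observed_log)
    alerts: list[Alert] = []
    for src, targets in sorted(observed.items()):
        known = baseline.get(src, set())
        new = sorted(targets - known)
        if len(new) > max_new_targets or len(targets) > growth_factor * max(1, len(known)):
            alerts.append(Alert(src, new, len(targets), len(known)))
    return alerts


if __name__ == "__main__":
    for a in detect_lateral_movement(BASELINE_LOG, OBSERVED_LOG):
        print(f"{a.src}: {a.fanout} SMB peers (baseline {a.baseline_fanout}), "
              f"new: {', '.join(a.new_targets)}")
```

Run against the constructed logs this reports 10.0.1.12 reaching six internal SMB peers against a baseline of one, five of them never seen before, while the two hosts that kept to their usual file server stay quiet. The thresholds are deliberately simple; on a network that churns through unfamiliar devices the baseline is better keyed to the VLAN or device role than to individual addresses, otherwise every new guest device starts from an empty history.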
While it may be a leap of faith for some, many organisations can benefit from outsourcing the task to a third party managed service provider with the integration, automation and platform expertise to keep a closer watch than would otherwise be the case.