I don’t think a day goes by without hearing about another company that was a victim of a data breach. These companies are not small either. Organizations like the Office of Personnel Management (OPM), the Internal Revenue Service (IRS), United Airlines and many others have all lost very sensitive data. Despite significant investments in the latest next-generation technologies, software-defined networks, virtualized data centers, and new detection and alerting capabilities for anomalous traffic, we still seem to be losing the cyber battle.
How do we tip the scales in our favor? A step in the right direction would have companies develop a better understanding of the attacker and defender lifecycle. A proper defensive posture requires a company to understand its adversaries (or threats), the changing cyber battlefield, and its own capabilities and weaknesses. Once these are understood, a company will have a clearer picture of how they affect its business, and can create a systematic plan to address the places where its defenses are ineffective, prioritizing the biggest risks to the business.
There are a variety of threat actors all companies need to worry about, but the most important question is, “which ones are focused on compromising the data that resides in your network?” Once you understand that, you can focus on those specific threats and attack methodologies. Understanding relevant external threats is generally referred to as Threat Intelligence (TI). These days there is a lot of marketing buzz about TI, but many people are confused as to what it really means. While there are a number of definitions floating around the Internet, in general terms it’s any external information about a threat that an organization can consume and integrate into its defensive decision-making process, resulting in something actionable. This includes decisions from a strategic, tactical, and operational perspective.
To further understand a threat actor’s methods you can start by mapping the anatomy of an attack, sometimes known as the “Kill Chain,” which was coined by Lockheed Martin a few years back. There are many variations describing the phases or steps of any attack, but these are the ones generally used: Reconnaissance, Weaponize, Delivery, Exploit, Command and Control, Internal Reconnaissance, and Maintain. During each of these phases of an attack, the cybercriminal has specific goals, and defined tactics they use to achieve those goals.
In a competitive environment, knowing the battlefield and understanding the landscape is extremely important when evaluating your defensive strategy. For example, in a football game your strategy will change depending on things like the weather and ground conditions. If it’s really windy out, there may not be as many long passes, or if the ground is muddy special cleats may need to be worn for better traction. The same is true when considering your defensive position in cyberspace. Here is just one example of something you need to take into consideration when examining the threat landscape:
Because of the sophistication of the Cyber Crime Ecosystem, many tools available to criminals have become very advanced. One of these advanced tools is the “quality assurance enabler,” or “evasion services.” Evasion techniques have been developed against many security technologies. Tools and techniques have been developed to evade IPS systems as exploits enter the network, and to evade detection by anti-malware tools as malware is downloaded and run. Ironically, evasion has also been developed against sandbox technology which was specifically built to combat evasion techniques against anti-malware solutions. The statement “Build it and they will Evade” has never been more true. So, an important question to ask is, how do you know if your security solutions and strategies are keeping up with the latest evasion techniques?
In addition, zero day attacks have changed. 5 to 10 years ago, exploits for zero day vulnerabilities were very hard to come by, and were usually found only on the Dark Web or custom built by nation-state actors. Today, there are many organizations that offer zero day exploits for a fee, either as a custom service or as an annual threat feed guaranteeing you a certain number of exploits per year. There are also bug portals, zero day brokers, black-market forums and others on the Dark Web, and of course bug bounty programs. With all this focus on zero day services, even with the latest security solutions in place, you’re actually more likely to experience a zero day exploit today than you were a few years ago. So another question you need to ask yourself is, how do you protect your organization against the exploit of a vulnerability that you don’t even know exists?
As Sun Tzu stated, “If you know the enemy and know yourself, you need not fear the result of a hundred battles.” This statement is just as true on the cyber battlefield. But too many companies focus almost exclusively on external threats or external threat intelligence, yet neglect to understand their own internal threat environment.
To get started, you need to work systematically to understand your network better, including:
And this is just the tip of the iceberg. Luckily, there are many frameworks available to help IT professionals understand their internal environment, including ISO, the CIS Critical Security Controls (SANS Top 20), the OWASP Top 10, and the new NIST Cyber Security Framework. These frameworks should be used to assess your current security posture, and of course can be tailored to fit your organization’s needs.
Now that you understand the need to identify the various threat actors focused on stealing your data and your unique cyber battlefield, and the importance of visibility into your own environment, it’s time to put the pieces together. Doing this allows for a more intelligent defensive posture, and helps you focus on what’s most important to your business. None of us have unlimited budgets, so we need to use our money wisely.
When you assess your environment using one of the frameworks listed above, or one you create for your unique environment, one outcome will be a much clearer identification of your data: what it is, where it’s located, who can see and access it, how it is stored, how much value it represents to your organization, and who might benefit from having access to it. This is critical information, as it allows you to identify the threat actors motivated to steal that data. Once the threat actors have been identified, you can overlay their threat methodologies, or kill chain phases, when determining which security controls or technology you need to develop or improve in order to address the vulnerabilities you have identified. This arms you with better information when selecting a security vendor or partner, as you will know beforehand the features and functions you need to reduce your risk to an acceptable level.
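The overlay just described (data assets, the actors motivated to steal them, the kill chain phases those actors rely on, and the controls that cover each phase) can be written down as a small gap-analysis model. The block below is an added example and not part of the original article or any vendor framework: the assets, actors, reliance weights, coverage figures and candidate controls are constructed placeholders, and the scoring (asset value times actor reliance times uncovered fraction of a phase) is an assumed, deliberately simple risk formula used only to rank gaps. It also ranks candidate controls by how much residual risk each would remove, which is the "features and functions you need" question from the paragraph above.

```python
"""Kill-chain gap analysis (added example; all data below is constructed)."""
from dataclasses import dataclass

# Phases as listed in the article.
KILL_CHAIN = ["Reconnaissance", "Weaponize", "Delivery", "Exploit",
              "Command and Control", "Internal Reconnaissance", "Maintain"]


@dataclass
class DataAsset:
    name: str
    value: int                 # business value, 1-10 (assumed scale)
    threat_actors: list[str]   # actors motivated to steal this data


@dataclass
class ThreatActor:
    name: str
    phases: dict[str, int]     # phase -> reliance weight, 1-3 (assumed scale)


@dataclass
class Control:
    name: str
    phases: dict[str, float]   # phase -> fraction of that phase it covers, 0..1


def phase_coverage(controls: list[Control]) -> dict[str, float]:
    """Combine controls per phase as independent layers: 1 - prod(1 - c)."""
    cov = {p: 0.0 for p in KILL_CHAIN}
    for c in controls:
        for phase, v in c.phases.items():
            cov[phase] = 1 - (1 - cov[phase]) * (1 - v)
    return cov


def residual_risk(assets, actors, controls) -> dict[str, float]:
    """Residual risk per phase: sum of value * reliance * (1 - coverage)."""
    cov = phase_coverage(controls)
    by_name = {a.name: a for a in actors}
    risk = {p: 0.0 for p in KILL_CHAIN}
    for asset in assets:
        for actor_name in asset.threat_actors:
            for phase, reliance in by_name[actor_name].phases.items():
                risk[phase] += asset.value * reliance * (1 - cov[phase])
    return risk


def prioritize(risk: dict[str, float]) -> list[tuple[str, float]]:
    """Phases ordered from largest residual risk to smallest."""
    return sorted(risk.items(), key=lambda kv: kv[1], reverse=True)


def rank_candidates(assets, actors, existing, candidates):
    """Rank candidate controls by total residual risk they would remove."""
    baseline = sum(residual_risk(assets, actors, existing).values())
    ranked = []
    for cand in candidates:
        after = sum(residual_risk(assets, actors, existing + [cand]).values())
        ranked.append((cand.name, baseline - after))
    return sorted(ranked, key=lambda kv: kv[1], reverse=True)


# Constructed sample environment (hypothetical names and weights).
ASSETS = [
    DataAsset("customer PII", 9, ["financial crime group"]),
    DataAsset("engineering documents", 6, ["nation state"]),
]
ACTORS = [
    ThreatActor("financial crime group",
                {"Delivery": 3, "Exploit": 2, "Command and Control": 2, "Maintain": 1}),
    ThreatActor("nation state",
                {"Reconnaissance": 2, "Exploit": 3, "Internal Reconnaissance": 3, "Maintain": 3}),
]
EXISTING_CONTROLS = [
    Control("email gateway", {"Delivery": 0.7}),
    Control("patch management", {"Exploit": 0.5}),
    Control("sandbox", {"Delivery": 0.4, "Exploit": 0.3}),
]
CANDIDATE_CONTROLS = [
    Control("endpoint detection and response", {"Internal Reconnaissance": 0.6, "Maintain": 0.6}),
    Control("egress filtering", {"Command and Control": 0.7}),
]


def example_gap_analysis():
    """Run the model on the constructed data; returns (risk per phase, ranked gaps, ranked candidates)."""
    risk = residual_risk(ASSETS, ACTORS, EXISTING_CONTROLS)
    return risk, prioritize(risk), rank_candidates(ASSETS, ACTORS, EXISTING_CONTROLS, CANDIDATE_CONTROLS)


if __name__ == "__main__":
    risk, gaps, candidates = example_gap_analysis()
    for phase, score in gaps:
        print(f"{phase:<25} residual risk {score:6.2f}")
    for name, reduction in candidates:
        print(f"candidate {name:<35} would remove {reduction:6.2f}")
```

In the constructed data, the phases with no control at all (Maintain, Internal Reconnaissance, Command and Control) dominate the residual risk even though the Delivery and Exploit phases are where most of the existing spend sits, and the candidate that covers the two largest uncovered phases ranks first. The point of the model is not the numbers but the discipline: every control you consider is scored against the actors and data you actually have, rather than against a vendor's feature list.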
This entire process is part of what is called Cyber Situational Awareness. When you understand these things, you get a better picture of your current security posture, and that will help you anticipate what may happen to your networks and systems, enabling your security team to plan, design, implement, and optimize corrective measures designed to avoid costly breaches or mishaps.
Stay tuned for a deeper review into the various components of this Secure Foundation.