And bring your tools, people and partners together
Cyberthreats are like the common cold or some other infectious virus; eventually you’re going to get sick.
It’s a part of life.
They’re always there, lurking just around the corner, waiting to make your life that little bit harder.
At the same time, you can’t focus entirely on potential risks to your business at the expense of developing it. You must protect yourself without freezing everything and preventing future development.
That means adopting a grown-up approach to risk management, and allocating your budget judiciously to give yourself the maximum protection while still keeping your IT systems flexible enough to support new ways of doing things.
So how does that work?
Understand the chain of events that make up a modern attack
Before you can live with a risk, you have to understand what it looks like, and map its potential evolution as it turns into an attack.
Defense firm Lockheed looked to the military for the answer, borrowing from it the concept of the kill chain, originally used to describe the structure of a kinetic attack.
Eric Stevens, director of strategic security consulting services at Forcepoint, describes the kill chain slightly differently from Lockheed:
Reconnaissance: In the early stage of an attack, a malicious actor will gather as much intelligence about the target’s network and organization as possible.
Lure: Lockheed calls this step ‘weaponization’, but Stevens characterises it as the creation of lures, such as email, social media posts, or other content posing as legitimate links.
Redirect: Lockheed’s kill chain calls this ‘delivery’.
The lures redirect users to pages that contain exploit links, according to Stevens.
Exploitation: During the exploitation phase, an exploit kit scans for weak points in the target’s system to gain privilege.
A phishing attacker may succeed in accessing user credentials.
A malicious payload may hook a vulnerability in an unpatched software product.
Installation/Dropper file: The exploit kit finds a weakness, which it then uses to deliver a dropper file carrying malware that infects the system and begins locating data to extract.
Command-and-control: The payload then phones home to the attackers, and creates a control channel that they can use to manipulate it, giving them the opportunity to execute the final phase.
Actions on objectives: This is the money stage.
The malware can be used to create whatever effects the attackers want within the system, including stealing data and intellectual property, or sabotaging internal resources.
How to distinguish between different types of attack, and what kinds of tools can help?
Describing the second stage as a lure and accepting a fluid approach to the stages addresses one of the common criticisms of the Lockheed model, which is that it focuses on malware and excludes phishing attacks. “Not all threats need to use every stage, and stages may loop back to prior stages, extending the seven-stage process significantly,” Stevens said. “These steps provide cybercriminals with hundreds or even thousands of ways to create and execute APTs over extended periods of time.”
That presents a big haystack and a lot of needles for security pros trying to protect their organizations against these threats.
They must spot different types of attacks, distinguish between them where necessary, or draw correlations between small events that could be insignificant in isolation but may signal something more serious when viewed in context.
Tools are essential to help security pros understand what is going on, said Les Neely, a mentor at the SANS Institute who also works as a security professional at Lawrence Livermore National Laboratory. “You need good instrumentation. You definitely need an event correlation engine, but it has to be looking for the right events,” he said.
Advanced security teams can take things a stage further, using the instrumentation layer as a source of data that you can then use with other statistical analysis tools to model normal behaviour on a network, he explained.
This will then help security teams to detect anomalous behaviour more easily.
That isn’t a push-button solution, though. “It took maturity to get there,” he said, describing one project he worked on that took this approach.
Seeing and understanding everything can sometimes be a tall order. “There are also places where we don’t have visibility, where you couldn’t correlate two small events,” Neely pointed out.
How to set budgetary priorities for your security team
If it’s difficult to keep eyes on everything at once, then a little triage may go a long way.
The savvy organization will set priorities in its cybersecurity operation that span both its tools and its skills.
That means having a lens to help you focus on what’s important, Stevens said.
“Start by aligning all of your security activities to an actual security model, a framework that is really focused on IT security,” he advised. NIST’s own security framework is a first port of call for him.
There are government tools and private practices that can help organizations map other frameworks in sector-specific areas to NIST. Other frameworks that you may need to bridge include COSO, which starts from a risk management perspective, ISACA’s COBIT for IT governance, PCI-DSS for the storing of credit card data, HIPAA for US healthcare operations, and FedRAMP, which is the US federal government’s standard approach to security assessment and monitoring.
“Each of these requirements in PCI map to these requirements in the NIST framework,” he said. “It lets you map all the third party requirements and internal business requirements together, so that you can knowingly go in and select where you need to put your security controls in place.” The idea is to understand how and where to judiciously apply your security tools budget for maximum effect.
A good risk assessment, combined with an understanding of which security tools are best for which risks, can help a CISO to prioritise their spending.
But even that may not be sufficient in the long run.
There are many more attackers than there are defenders, and the attackers are much better funded.
That’s a cat-and-mouse game that gets harder to win every year. Relying on multiple best-of-breed point products can lead to an avalanche of alerts and network noise, adding more complexity, rather than clarity, to your security posture.
In a very real sense, the security industry’s focus on the trees rather than the forest has arguably failed to deliver reliable, actionable data in a timely manner that would allow IT pros to catch threats sooner rather than later.
A movement toward a more holistic approach to more quickly and accurately separate the threats from the noise is emerging among some cyber defense providers.
In some lower-risk areas, it may make sense to make do with employee training as a stopgap one year, and then roll out a technology solution the following year to reinforce it and provide more protection.
How to move beyond gut feel with automation and analytics
The human element is important here.
Tools can provide appropriate data, but it still needs a sharp eye to interpret them, said Neely.
A good analyst or two on your team will be worth their weight in gold.
As security practices evolve, he envisions analysts drawing more on automation and analytics to complement their gut feel.
To reach that level of sophistication, they’ll need external threat data in addition to their own internal instrumentation, he warned. We’ll see more of that as information sharing evolves.
ISACs in the US already make it easier to share information about security threats. We’re also seeing the beginnings of automated, structured sharing of information, using API-driven services like Facebook’s ThreatExchange, and using taxonomies and protocols designed to describe emerging security incidents, such as STIX, IODEF, and RID.
There’s also VERIS, which is a language for documenting incidents after the fact so that we can learn from them.
How to integrate your security operation with the overall business
To do any of this, you have to get business users on board.
That can be more difficult than you’d think, argued Forcepoint’s Stevens, adding that even understanding the data architecture can be difficult for IT teams in some situations.
“We have IT security teams in high-sensitivity businesses where IT people have zero visibility into what they’re trying to protect,” he said. “It’s nerve-wracking to do it in the blind.”
This can come down to a lack of understanding on the business side. He recalls one security project at a large corporate client, whose lawyers wouldn’t clearly communicate what they wanted the company to do for them.
Finally he asked the head of the team why the relationship was so contentious.
Surely they were on the same team? The chief attorney hung his head and privately said “We hate to not know things. We don’t want them to realize that we’re not the smartest guys in the room.”
“They were trying to communicate their needs and they had no idea what the language was that they needed to communicate them in,” said Stevens.
It was an education and cultural issue that made that particular team feel embarrassed, and put them at odds with the IT department.
“IT people need to do a better job of educating the business so that we look like the trusted partners,” he explained.
That can involve choosing projects that deliver some clearly-defined business wins, bringing visible value to the other team, said Professor Angela Sasse, director of the UK Research Institute in Science of Cyber Security (RISCS). “Maybe you say ‘that tool you’re suggesting there, we could use that for business process as well’,” she said. “Then you see business people getting enthusiastic in investing in a security measure.”
This can pan out in unexpected ways.
In one project that she worked on, a monitoring system was used to help with authentication.
It produced location data describing where customers were accessing from and compared it against a baseline of normal behaviour.
“The monitoring information was also helpful for customer relationship management,” she said.
Business managers could take that location data to identify changing patterns in systems access by customers.
That in turn could lead them to offer those customers other types of contract and service agreement.
“That’s joined-up thinking,” she suggested. “Never make a decision about how to manage the information without understanding how to manage the business context.”
How can partners help?
Working with a third-party security partner can help internal IT departments to overcome some of these issues, both because of their prior experience, and because they typically have far more threat intelligence information than a single company could hope to gather on its own, said Neely.
But there has to be some due diligence, because of the job’s sensitive nature.
“There are third parties out there that have thousands of customers and data points to create a high fidelity result, but there has to be a trust element,” he said.
That trust has two facets.
The customer must be able to trust that data entirely, using it as a platform to boost their own threat intelligence and take action on it. “The other part of it is sufficient obfuscation so that if Joe’s company is compromised, it doesn’t get out through that third party that Joe is in trouble,” Neely said.
An indicator of compromise will be useful to the whole business community, but should never be linked to a particular company, which means that it shouldn’t be traceable to a particular IP address.
To this end, some companies are working on tokenisation to eliminate the chance of a company being publicly linked to its threat data, Neely explained.
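As an added illustration of the obfuscation Neely describes, and not code from the article or from any vendor he mentions, the following Python sketch strips victim-side fields from a constructed incident record before it is shared and replaces the contributor with a keyed HMAC token; the field names, the sample record and the key are all assumptions.

```python
import hmac
import hashlib
import ipaddress
from typing import Dict

# Constructed sample: an internal incident record as a defender might log it.
# The attacker-side indicator (a C2 domain) is useful to the wider community;
# the victim-side fields would identify the reporting company and must not leave.
INTERNAL_RECORD = {
    "org": "Joes Widgets Inc",            # constructed, hypothetical contributor
    "victim_host_ip": "10.20.30.40",      # internal address of the infected host
    "egress_ip": "198.51.100.23",         # constructed, documentation-range address
    "indicator_type": "c2-domain",
    "indicator": "update-check.example",  # constructed C2 domain
    "first_seen": "2024-05-01T10:15:00Z",
}

VICTIM_FIELDS = ("org", "victim_host_ip", "egress_ip")

def tokenise(secret: bytes, value: str) -> str:
    """Keyed, one-way pseudonym. The same contributor yields the same token on
    every submission, so the sharing platform can weigh repeat reporters, but
    without the secret the token cannot be reversed or brute-forced back to
    the organisation name."""
    return hmac.new(secret, value.encode(), hashlib.sha256).hexdigest()[:16]

def to_shareable(record: Dict[str, str], secret: bytes) -> Dict[str, str]:
    """Build the record that may leave the company: attacker-side indicator
    kept verbatim, victim-side fields dropped, contributor replaced by a token.
    Refuses an IP indicator inside a private range, since that would point back
    at the victim's own network rather than at the attacker."""
    if record["indicator_type"].startswith("ip"):
        if ipaddress.ip_address(record["indicator"]).is_private:
            raise ValueError("indicator is a private address; refusing to share")
    shared = {k: v for k, v in record.items() if k not in VICTIM_FIELDS}
    shared["contributor_token"] = tokenise(secret, record["org"])
    return shared

def leaks_identity(shared: Dict[str, str], record: Dict[str, str]) -> bool:
    """Release check: no victim field value may appear anywhere in the outgoing record."""
    blob = " ".join(shared.values())
    return any(record[f] in blob for f in VICTIM_FIELDS)

if __name__ == "__main__":
    SECRET = b"constructed-demo-key-not-for-real-use"
    out = to_shareable(INTERNAL_RECORD, SECRET)
    print(out, "leaks identity:", leaks_identity(out, INTERNAL_RECORD))
```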
By taking an intelligent, measured approach to cyberthreats, companies can achieve a reasonable level of protection that matches their level of risk, while also keeping their systems agile and usable enough to serve their business needs. No one likes the reality that threats exist and data breaches will occur, but with the right approach and tools, it is possible to live with both successfully. ®