Threat or Treat

How organisations should best manage, detect and respond to a data breach is an ongoing question. An intelligence-driven strategy is an essential part of the answer.

Security vendors should be applauded in many ways for their ability to take technology and security best practice that has been around for a long time, give it a fancy new name, and sell it as the new magic bullet, says David Peters, CTO, ANSecurity.

“Cyber Threat Intelligence is one such instance that, although it offers some benefits, is not a new concept and can be accomplished in more than one fashion. Even the most basic security controls, such as desktop anti-virus, use threat intelligence in the form of signature updates, URL blacklists are the same, even the regular advisories to patch applications and operating systems are effectively threat intelligence messages.”

Many of the new breed of cyber threat intelligence (CTI) offerings are rather expensive, he adds, but there are alternatives that are effectively free. “For example, AlienVault Open Threat Exchange, when coupled with Palo Alto’s MineMeld, can create a potent threat intelligence platform that can take both open source alerts and paid-for services to be fed into an effective system. This combination can feed dynamic firewall rules that can block known IP addresses which host threat actors. Building your own is feasible for most IT professionals and does not need a deep infosec background.”
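The pipeline Peters describes, a feed of indicators turned into dynamic firewall rules, is easy to build and just as easy to get wrong: a feed that lists a private address, a partner’s range or a year-old indicator will cause an outage or a blind spot rather than a block. The example below is added here and is not code from the article, from AlienVault OTX or from MineMeld. The “pulse” structure, the allow-list, the “today” timestamp and the firewall log lines are all constructed, and the IANA documentation ranges stand in for attacker addresses.

```python
"""Turn a threat-intelligence feed into a firewall block list, with the checks a
home-grown pipeline needs before an indicator becomes a rule.

Added example, not code from the article, AlienVault OTX or MineMeld. The feed
is a constructed, simplified "pulse" structure, not the real OTX schema; the
log lines are constructed too, and the documentation ranges 192.0.2.0/24,
198.51.100.0/24 and 203.0.113.0/24 stand in for attacker addresses.
"""
import ipaddress
import json
import re
from datetime import datetime, timedelta, timezone

SAMPLE_FEED = json.dumps({"pulses": [
    {"name": "constructed pulse A", "modified": "2019-10-01T00:00:00Z",
     "indicators": [
         {"type": "IPv4", "indicator": "203.0.113.10"},
         {"type": "IPv4", "indicator": "203.0.113.10"},   # duplicate entry
         {"type": "IPv4", "indicator": "10.0.0.5"},        # RFC 1918: a feed mistake
         {"type": "IPv4", "indicator": "198.51.100.5"},    # inside our own allow-list
         {"type": "IPv4", "indicator": "198.51.100.77"},
         {"type": "domain", "indicator": "evil.example"},  # not an IP indicator
         {"type": "IPv4", "indicator": "not-an-ip"},       # malformed
     ]},
    {"name": "constructed pulse B", "modified": "2019-01-01T00:00:00Z",  # stale
     "indicators": [{"type": "IPv4", "indicator": "192.0.2.1"}]},
]})

# Assumed "today" for the worked run (constructed).
NOW = datetime(2019, 10, 15, tzinfo=timezone.utc)

# Space a block rule must never contain: unroutable ranges plus our own and
# partner networks. Blocking these is how a bad feed turns into an outage.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
)]
ALLOWLIST = [ipaddress.ip_network("198.51.100.0/28")]  # constructed own/partner range


def parse_feed(raw, now, max_age_days=90):
    """Return the sorted, de-duplicated IPv4 indicators that are fit to block."""
    cutoff = now - timedelta(days=max_age_days)
    keep = set()
    for pulse in json.loads(raw)["pulses"]:
        modified = datetime.fromisoformat(pulse["modified"].replace("Z", "+00:00"))
        if modified < cutoff:              # stale intelligence ages out of the rule set
            continue
        for ind in pulse["indicators"]:
            if ind["type"] != "IPv4":
                continue
            try:
                ip = ipaddress.IPv4Address(ind["indicator"])
            except ValueError:             # malformed entry: skip, never block a guess
                continue
            if any(ip in net for net in NEVER_BLOCK + ALLOWLIST):
                continue
            keep.add(ip)                   # a set removes duplicates for free
    return sorted(keep)


def to_blocklist(ips):
    """One address per line, the form an external dynamic list or address group consumes."""
    return "\n".join(str(ip) for ip in ips) + "\n"


LOG_RE = re.compile(r"dst=(\d+\.\d+\.\d+\.\d+)")


def match_logs(lines, ips):
    """Return the firewall lines whose destination is a listed indicator."""
    wanted = {str(ip) for ip in ips}
    return [line for line in lines
            if (m := LOG_RE.search(line)) and m.group(1) in wanted]


SAMPLE_LOGS = [  # constructed firewall lines
    "2019-10-15T10:01:02Z fw src=192.168.1.20 dst=203.0.113.10 dport=443 action=allow",
    "2019-10-15T10:01:03Z fw src=192.168.1.21 dst=198.51.100.5 dport=443 action=allow",
    "2019-10-15T10:01:04Z fw src=192.168.1.22 dst=192.0.2.1 dport=80 action=allow",
]

if __name__ == "__main__":
    ips = parse_feed(SAMPLE_FEED, NOW)
    print(to_blocklist(ips), end="")
    for hit in match_logs(SAMPLE_LOGS, ips):
        print("HIT", hit)
```

Run as a script it prints the two surviving indicators and the single log hit; the allow-listed and stale addresses never reach the rule set. The same parsed list can be written to a file served over HTTPS for the firewall to poll, or replayed against historical logs, as above, to find connections that predate the block.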


Where some of the CTI systems can shine is in the more specialist areas, such as Critical National Infrastructure, very large enterprises and organisations that use SCADA. “However, this is a realm where CTI should be used alongside a dedicated SOC and analyst as an aid, rather than a replacement for skilled infosec professionals,” Peters advises. “Even in this space, there are national resources, such as GCHQ, which do sterling work in providing threat intelligence that both these more critical groups and other enterprises would be wise to regularly consult.”


“With the increased availability of high-quality, open-source attack tools, cyber aggressors can constantly evolve and utilise automated attack tools,” points out Chris Doman, security researcher at AT&T Alien Labs. “For an organisation trying to defend itself from a barrage of these assaults, it can all become too much to handle, especially when you consider that security teams are already understaffed and overstretched. So, what can security professionals and organisations alike do to defend against these attacks?”

First, Doman advises, start by fighting fire with fire. “If cybercriminals are using automation to their advantage, then so should organisations. Some tasks remain the preserve of humans – but there are still many simple time-consuming tasks that can be automated. This can alleviate the strain for security personnel who can fixate their time on more concerning matters.” Secondly, share threat intelligence. “The last few years, we have seen an improvement in governments, vendors and companies being more open to sharing threat information. By sharing intelligence, we are seeing faster detection and better prevention of known threats.

“In addition, for those without the in-house expertise, seek a dedicated team or a SOC to continuously monitor the organisation’s environment. This will give the business insight into what is happening across the entire network. The threat intelligence developed with each investigation will assist the security team in making the correct decisions when it comes to preventing future attacks.”

By building a united front and utilising near real-time threat data, he says, “businesses can strengthen their own defences, while also helping others to make life more difficult for hackers, which is what sharing threat intelligence is all about”.


Cyber security has certainly become a high priority for senior management, according to 78% of businesses that responded to the UK government’s ‘Cyber Security Breaches Survey 2019’. While it is encouraging that this figure has risen year on year, generating awareness of cyber security is only one part of the issue. “The next step for organisations to take is not only understanding, but intelligently acting on the risks presented,” argues Andy Pearch, head of IA Services at CORVID. “Despite the heightened awareness, many organisations are still focusing on mitigating assumed risks, rather than real risks, without a robust security strategy in place.”

The 2019 breaches survey revealed that, in the last 12 months alone, almost one third of UK businesses identified cyber security breaches or attacks. “What’s more, the research also showed that just under half of these companies identified at least one breach or attack per month,” says Pearch. “While these figures should be enough to make a business refocus its strategic security thinking, it is the use of the word ‘identified’ that is significant: many more attacks could have occurred, but not yet been discovered.”

Indeed, global figures reveal that the median dwell time – the time a criminal can be on a company’s network undetected – is more than 100 days. “And, in many cases, the breach is not revealed by the security team itself; it is a call from a supplier, a customer or business partner that brings the problem to light, typically following the receipt of a diversion fraud email requesting – for example, that future payments should be sent to a different bank account.” Such breaches not only have the ability to undermine business relationships, but, in some cases, can also incur significant financial liability. “These frauds usually follow one of two forms: either impersonation, where a criminal masquerades as the business, using a very similar domain name and email address; or, following a successful compromise, the email comes from the company’s own system. It is the latter case that raises the issue of liability for any financial losses a business partner may have suffered.”
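The first of the two fraud forms Pearch describes, a criminal writing from a domain that merely resembles the partner’s, is something a mail gateway can check for. The example below is added here and is not code from the article or from CORVID. The trusted partner domains, the sender addresses and the homoglyph table are constructed, and the “last two labels” shortcut for the registrable domain is an assumption a real deployment would replace with the public suffix list.

```python
"""Spot lookalike sender domains of the kind used in payment-diversion fraud.

Added example, not code from the article or from CORVID. Partner domains,
sender addresses and the homoglyph table are constructed; registrable()
is a simplification that a real gateway would replace with the public
suffix list.
"""
# Visual substitutions commonly used in lookalike registrations (constructed list).
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d"),
              ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

TRUSTED = {"acme-partner.example", "northwind.example"}  # constructed partner domains


def normalise(label):
    """Collapse visual substitutions so 'acrne' compares equal to 'acme'."""
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label


def levenshtein(a, b):
    """Edit distance between two strings (classic dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain):
    """Drop sub-domains: 'billing.acme-partner.example' -> 'acme-partner.example'.
    Assumption: a two-label suffix, good enough for the constructed data."""
    return ".".join(domain.split(".")[-2:])


def classify_sender(address, trusted=TRUSTED):
    """Return 'trusted', 'unknown', or a lookalike verdict naming the domain imitated."""
    domain = address.rsplit("@", 1)[1].strip().lower()
    base = registrable(domain)
    if base in trusted:
        return "trusted"
    for t in trusted:
        if normalise(base) == normalise(t):      # acrne-partner, n0rthwind
            return "lookalike-homoglyph:" + t
        if levenshtein(base, t) <= 1:            # acme-partners, acme-partner.exmaple
            return "lookalike-edit:" + t
    return "unknown"


if __name__ == "__main__":
    for sender in ("ap@acme-partner.example", "ap@acrne-partner.example",
                   "ap@acme-partners.example", "ceo@n0rthwind.example",
                   "someone@contoso.example"):
        print(f"{sender:32} {classify_sender(sender)}")
```

A “lookalike” verdict on a message that asks to change bank details is a strong signal; an exact match proves only that the domain is right, which is why the check says nothing about the second form Pearch describes, where the mail really does come from a compromised partner’s system. For that case the control is procedural: confirm any change of payment details through a channel other than the email that requested it.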


In the battle against sophisticated cyberattacks, defenders must innovate, if they wish to remain one step ahead of the latest threats. To do so, cybersecurity professionals need real-time, actionable intelligence about the threat landscapes they face, says Nilesh Dherange, CTO of Gurucul. “Threat intelligence solutions provide data that lets security personnel make informed decisions about their defences. With threat intelligence technology, organisations can know who is attacking them, what their motivations are and what they are trying to accomplish. With this knowledge, they can remedy the threat.”

Moreover, to make informed decisions, context is key. “Without proper context, threat intelligence is an unruly cascade of alerts that no human can effectively monitor. Too many alerts lead to alert fatigue, not answers. Some conventional threat intelligence systems, like security incident and event management (SIEM), don’t generate the data required for delivering actionable intelligence. The result is too many ‘false positives’ – urgent security warnings that turn out to be empty threats. According to our survey at RSA Conference 2019, false positives are the biggest hurdle in maximising the value of a SIEM solution.”

Dherange references a study produced by Enterprise Management Associates that revealed 79% of security teams are overwhelmed by the volume of threat alerts. “Like the fable about the boy who cried wolf, too many false positives can result in warnings simply being ignored. A famous example of alert fatigue leading to a cyberattack is the infamous 2013 Target breach that affected more than 40 million customers. According to post-breach analysis, the security group kept seeing the same, false malware alert before the attack. Eventually, those warnings were ignored, even as the real intrusion occurred.” To remedy the situation, he adds, a solution is needed that can provide the proper context by quickly analysing new alerts, removing false positives and generating real-time data about current threats. “Modern threat intelligence solutions use behaviour analytics, powered by machine learning, to automate data collection and provide risk-prioritised intelligence. Advanced machine-learning algorithms provide a holistic view of all log data and expose suspicious activity.

“These machine-learning models can predict insider threats, account compromise and data exfiltration by identifying users and entities that are acting in risky ‘abnormal’ ways, compared to peer-group behaviour. Most organisations already use multiple security tools, which produce meaningful log data. Applying behaviour analytics and data science to those sources to examine user access and behaviour is the logical next step.”
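Dherange’s two points, that false positives drown security teams and that behaviour should be judged against a peer group, can be shown side by side with a few lines of arithmetic. The example below is added here and is not code from the article or from Gurucul. The day of per-user upload volumes, the two peer groups and the 3.5 cut-off on the modified z-score (median and median absolute deviation, rather than mean and standard deviation, so that the outlier does not inflate its own baseline) are all assumptions.

```python
"""Peer-group behaviour analytics: flag users whose activity is abnormal for
their peers, not for the company as a whole.

Added example, not code from the article or from Gurucul. SAMPLE_DAY is a
constructed day of outbound upload volumes; the peer groups, the 500 MB
fixed limit and the 3.5 modified-z-score cut-off are assumptions.
"""
import statistics
from collections import defaultdict

# Constructed sample: (user, peer group, megabytes uploaded to external sites today)
SAMPLE_DAY = [
    ("alice", "finance", 12), ("bob", "finance", 15), ("carol", "finance", 9),
    ("dave", "finance", 14), ("erin", "finance", 11),
    ("frank", "finance", 2400),            # the one genuinely abnormal user
    ("grace", "engineering", 900), ("heidi", "engineering", 1100),
    ("ivan", "engineering", 950), ("judy", "engineering", 1300),
    ("karl", "engineering", 1050),         # engineers push large builds all day
]


def flag_fixed_threshold(records, limit_mb=500):
    """The naive rule: alert on anyone above a company-wide limit."""
    return sorted(user for user, _, mb in records if mb > limit_mb)


def peer_group_scores(records):
    """Modified z-score of each user against their own peer group's median and MAD.

    0.6745 scales the MAD so the score is comparable to a standard-deviation
    z-score for normally distributed data (Iglewicz and Hoaglin)."""
    groups = defaultdict(list)
    for user, group, value in records:
        groups[group].append((user, value))
    scores = {}
    for group, members in groups.items():
        values = [v for _, v in members]
        med = statistics.median(values)
        mad = statistics.median(abs(v - med) for v in values)
        for user, v in members:
            if mad == 0:                   # peers identical: any deviation is unbounded
                z = 0.0 if v == med else float("inf")
            else:
                z = 0.6745 * (v - med) / mad
            scores[user] = (group, z)
    return scores


def flag_peer_outliers(records, threshold=3.5):
    """Users whose upload volume is abnormal for their peer group."""
    return sorted(user for user, (_, z) in peer_group_scores(records).items()
                  if z > threshold)


if __name__ == "__main__":
    print("fixed threshold :", flag_fixed_threshold(SAMPLE_DAY))
    print("peer-group model:", flag_peer_outliers(SAMPLE_DAY))
    for user, (group, z) in sorted(peer_group_scores(SAMPLE_DAY).items()):
        print(f"{user:6} {group:12} z={z:8.2f}")
```

The fixed limit raises six alerts, five of them engineers doing their job; the peer-group model raises one, for the finance user moving two hundred times the volume of any colleague. Real deployments score many features over a rolling baseline rather than one number for one day, but the principle that an alert should mean “unusual for people like this user” is what cuts the false positives the survey complains about.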


To become relevant and actionable, intelligence must be customised. It’s not just a case of switching on a few threat data feeds. “Intelligence needs to be developed over time, with human expertise playing a key role in this,” comments Azeem Aleem, VP Consulting, NTT Security. “It is an intelligence-driven holistic security process that may result in a few mistakes along the way, but that should not distract you from the ultimate goal.”

The five steps he suggests to attain the Holy Grail of actionable intelligence are:

• Business and risk alignment – understanding the mission, scope and authority needed to mitigate risk
• Visibility – define the visibility required to achieve mission readiness
• Content – build enablement for detection, including use cases, situational awareness and baseline
• Security operations – respond, contain and hunt to achieve the mission of rooting out known and unknown threats
• Applied intelligence and analytics – analyse, attribute and predict threats to refocus the mission.

“The key is to first understand what your organisation’s key assets – or ‘crown jewels’ – are via a risk analysis,” adds Aleem. “Then filter out the ‘noise’ to prioritise intelligence relevant to your business. You can then move forward to proactively hunt for threats, map attack patterns and outline the black hats’ tactics, techniques and procedures (TTPs). By pre-empting the bad guys, you can take the initiative back to manage cyber and business risk on your own terms.”


As more of our daily interactions move to mobile and other handheld devices, our cyber risk is growing exponentially. “Even Gartner has predicted that, by 2020, 80% of work tasks will take place on mobile devices,” points out Tom Davison, EMEA technical director at post-perimeter security company Lookout. “Today, the deployment of mobile devices, across the enterprise, has introduced a host of new cyber threats and led to the disappearance of the perimeter, as employees are able to access the corporate network from anywhere.”

Threat intelligence is a must for any organisation, of course. “However, to truly have confidence in the defence of the business, there needs to be visibility across the entire asset base, including mobile devices,” argues Davison. “A dedicated mobile endpoint security solution can contribute directly to the overall threat intelligence picture, while also protecting sensitive assets when accessed by devices outside the business perimeter. This is particularly crucial in our now post-perimeter security world.

“With humans often regarded as the weak link in security, fortifying technology with education is also paramount to give employees within the organisation a truer understanding of the mobile threat landscape,” he adds. “With a number of hackers and cybercriminal groups operating, it’s time businesses upped their resilience levels, and post-perimeter security is key to efficiently protect the corporate border, while still giving secure access to critical data.”

