Threat Intelligence

4/6/2018
10:30 AM
Martin Dion
Commentary

Stripping the Attacker Naked

How cyber threat intelligence can help you gain a better understanding of the enemy and why that gives security teams the upper hand.

When it comes to cyberattacks, nobody is immune. Some of the largest enterprises and most important government agencies have been victims of intrusions where sensitive corporate or client data and classified information was stolen and put in the public domain.

Since no organization can prevent every breach, every organization must be prepared to handle the threats it faces. Preparation means strengthening not only defenses but response processes, and doing that well requires a better understanding of the enemy.

A few key areas demand sustained focus to achieve these goals. First, security personnel must identify the "crown jewels," the vital data and systems needing protection. Second, they must understand the likely attackers' motivations and profiles. Third, they must establish who has legitimate access to those assets. Finally, they must work out the potential attack vectors against those legitimate users and against the infrastructure that hosts the crown jewels themselves.

It's imperative to have a clear vision and understanding of the cyber terrain, the assets being protected, and the capabilities of the enemy. This lets us reinforce defenses where we can and respond properly where we can't. Ultimately, it's about establishing a process that feeds cyber threat intelligence into both the defense and the response apparatus.

For example, if a company is engaged in selling goods online, one of the crucial assets to protect is the financial information of product buyers. Of all the attackers out there, we can likely deduce that nation-states, corporate spies, and most "script kiddies" up for a challenge are not prime suspects. This leaves cybercriminals. Usually, our thinking stops there — but that's a mistake. What's needed is to push the reflection further and think about the attack itself.

Yes, cybercriminals might want to steal credit card numbers, but that is obvious, so it's important to think a bit more like them and work out what else they might be after. Can they lock down part of a system with ransomware and halt sales? Can they extort the company under threat of a large distributed denial-of-service attack? If the organization sells products of a very personal nature, delivered in unmarked brown boxes, does the mere fact that customer names end up in the public sphere create a problem in itself?

More specific attack scenarios make it easier to align defensive measures, but they also raise additional questions. For instance, if a company only sells to US-based customers, could it block foreign connections using geolocation? That raises the cost for an attacker rather than closing the door, since attackers routinely route through in-country proxies and compromised hosts, so it should be treated as one layer rather than a control in itself. The scenarios also open questions about legal liability, due care, and diligence obligations, which in turn can drive more specific processes for responding to different types of incidents.

Regarding cyber threat intelligence more specifically, understanding the attackers lets us extract very specific indicators of attack or compromise from the commercial and open feeds available, scoped to the criminal adversaries and their modus operandi rather than ingesting everything and generating a ton of false positives. From there we can study their techniques and ask whether our infrastructure has what it needs to stop them from using those tools and techniques.
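To make the scoping step concrete, here is an added Python example (not from the article and not a real feed): a constructed indicator list tagged with actor type and target sector, a handful of constructed Apache combined-format access-log lines, and a matcher that runs once with the whole feed and once with only the indicators attributed to the cybercriminal/retail profile built in the online-store scenario above. The field names (actor_type, target_sector, technique) are assumptions, not a vendor schema; the addresses and domains are reserved documentation values.

```python
"""Scoping a threat-intel feed to the adversary profile before matching it.

Added example, not from the article. The feed, actor tags and log lines are
constructed for illustration; field names are assumptions, not a real schema.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    value: str          # IP address, domain, or user-agent fragment
    kind: str           # "ip", "domain" or "ua"
    actor_type: str     # e.g. "cybercriminal", "nation-state", "hacktivist"
    target_sector: str  # e.g. "retail", "government", "any"
    technique: str      # free-text label for the TTP the indicator belongs to


# Constructed feed using reserved documentation ranges; none of these are real IOCs.
FEED = [
    Indicator("198.51.100.23", "ip", "cybercriminal", "retail", "card-skimming C2"),
    Indicator("checkout-cdn-update.example", "domain", "cybercriminal", "retail", "web skimmer host"),
    Indicator("203.0.113.77", "ip", "nation-state", "government", "spear-phishing sender"),
    Indicator("192.0.2.15", "ip", "hacktivist", "any", "DDoS booter node"),
    Indicator("python-requests/2.2", "ua", "cybercriminal", "any", "credential-stuffing tool"),
]

# Constructed access-log lines in Apache combined format.
LOG_LINES = [
    '198.51.100.23 - - [06/Apr/2018:10:31:02 +0000] "POST /checkout HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.77 - - [06/Apr/2018:10:31:05 +0000] "GET /about HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '192.0.2.15 - - [06/Apr/2018:10:31:07 +0000] "GET / HTTP/1.1" 200 2048 "-" "curl/7.58"',
    '10.0.0.8 - - [06/Apr/2018:10:31:09 +0000] "POST /login HTTP/1.1" 401 0 "-" "python-requests/2.2"',
    '10.0.0.9 - - [06/Apr/2018:10:31:11 +0000] "GET /product/42 HTTP/1.1" 200 4096 '
    '"https://checkout-cdn-update.example/s.js" "Mozilla/5.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" \d+ \d+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def scope_feed(feed, actor_types, sectors):
    """Keep only indicators attributed to the adversary profile built for the asset."""
    return [i for i in feed if i.actor_type in actor_types and i.target_sector in sectors]


def match_logs(indicators, lines):
    """Return (line, indicator) pairs.

    IP indicators are compared with the client field, domain indicators are
    searched in the referer, and user-agent fragments in the agent string.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than guess
        for ind in indicators:
            if ind.kind == "ip" and m["ip"] == ind.value:
                hits.append((line, ind))
            elif ind.kind == "domain" and ind.value in m["ref"]:
                hits.append((line, ind))
            elif ind.kind == "ua" and ind.value in m["ua"]:
                hits.append((line, ind))
    return hits


def hits_by_scope():
    """Compare the unscoped feed with one scoped to cybercriminals targeting retail."""
    all_hits = match_logs(FEED, LOG_LINES)
    scoped = scope_feed(FEED, {"cybercriminal"}, {"retail", "any"})
    scoped_hits = match_logs(scoped, LOG_LINES)
    return len(all_hits), len(scoped_hits), [h[1].technique for h in scoped_hits]


if __name__ == "__main__":
    total, scoped, techniques = hits_by_scope()
    print(f"unscoped feed: {total} hits; scoped feed: {scoped} hits")
    for t in techniques:
        print(" -", t)
```

The scoped run drops the nation-state and hacktivist matches, which are genuine indicators but not relevant to the payment-data asset, and leaves the three hits that map to techniques the store actually needs controls for. The trade-off is visible too: if DDoS extortion is part of the threat model, the booter indicators have to be scoped back in deliberately rather than falling out of the actor filter.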

By using a more practical and specific approach, organizations can gain the ability to invest precious cybersecurity dollars on things that matter most to a business model and its protection. By knowing the enemy inside out, and by being one step ahead, control is regained. What adversaries consider their attack playground is effectively our arena, and as security professionals, we rule it. It is for us to step up and — when they trespass on our turf — leave them standing naked and defenseless.


Originally from Montreal, Martin has been navigating the tormented waters of cybersecurity for over 20 years. He was the founder and CTO at Above Security Canada, where he worked locally and in the Caribbean. Twelve years ago, he moved to Switzerland to launch SecureIT, ...
Comments
BrianN060
User Rank: Ninja
4/11/2018 | 12:48:40 PM
Re: Not Worth Reading
As an alternative to the "crown jewels" analogy, consider this: "Data is the life's blood of the modern enterprise".  If you accept that, just what part of your organization's life's blood isn't worth protecting?  How much of a leak is acceptable?  Which parts do you need to keep uncontaminated?  When is it Ok for any of it not to get to where it's needed? 

As to why Information System architects aren't ready, willing or best suited to take point in protecting data assets: the metrics for job performance are skewed toward finding new, better and faster ways to exploit an organization's data.  What stakeholders have failed to realize is that their people aren't the only ones good at doing that!  The scattered debris field left by all the (well rewarded) shortcuts, design-as-you-go, secure-it-later, data-ecology strip-mining and hope-it-holds patching is a godsend to those who realize what can be made from the bits and pieces.
MartinDionCH
User Rank: Author
4/10/2018 | 2:59:12 PM
Re: Not Worth Reading
Thanks Brian for your feedback! Two things: editorial guidelines limit the article length, and this article is not claiming to be about cyber security strategy at large. I generally agree with your comment, but cyber is not limited to data protection. From my viewpoint, it's about enterprise resilience, hence crown jewels are broader than data. I also think that although IT has an important role, security personnel must lead the charge and facilitate the transversal conversation. Finally, it's important to focus on what is both the most valuable and vulnerable right now, since most enterprises don't have the luxury of securing everything; it's just sound risk management practice. Best regards, Martin
BrianN060
User Rank: Ninja
4/10/2018 | 1:29:03 PM
Re: Not Worth Reading
@Martin: Nothing wrong with suggesting strategy or doctrine, rather than implementation tactics.  Too little thought goes into creating a sustainable, orchestrated, holistic and heuristic approach to cybersecurity, in many organizations.  Putting tactics first, you can win lots of battles, yet still lose the war. 

"First, security personnel must identify the "crown jewels" — the vital data needing protection."

I do have an issue with the "crown jewels" analogy, as it suggests that most (of the now vast amounts of) data that enterprises collect, share, store, transmit or process doesn't require protection. It's impossible to know to what use some entity, at some point in the future, might make of "ordinary" data, especially in combination with data collected from other sources.

Also, I would not task "security personnel" with identifying or evaluating data assets, or establishing the need-to-know access mechanisms - that's a job for the information system's architects. 
MartinDionCH
User Rank: Author
4/9/2018 | 2:21:28 PM
Re: Not Worth Reading
I am sorry you feel this way, if you are looking for implementation guidelines, may I suggest you read my other post? As well, you must understand that I do appreciate your feedback and to ensure I do better next time, it would be important for me to understand what you would expect or even to get specific questions so we could interact constructively. Best regards, Martin.
ANON1251724318124
User Rank: Apprentice
4/9/2018 | 1:14:09 PM
Not Worth Reading
There are no insights here just conjecture.