Threat Intelligence
9/18/2017
10:30 AM
Liz Maida
Liz Maida
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

To Be Ready for the Security Future, Pay Attention to the Security Past

It's easy to just move on to the next problem, ignoring what's happened -- but that's a mistake.

"The past is never where you think you left it."Katherine Anne Porter

Cybersecurity is a fast-paced industry, one that combats an ever-changing threat landscape. It's a semi-organized chaos of point solutions, patches, and processes designed to keep companies protected from the cyber attack(s) of the day. In the limited time not spent on addressing current threats, most practitioners are focused on what might come next. But little emphasis is put on how past incidents affect current and future threats.

Some of you reading that last sentence might think, "I can barely keep up with current threats; why should I care about past incidents?" I understand how this might sound counterproductive on the surface. However, the past can provide much-needed context for understanding future threats. Here's why the past matters in cybersecurity:

  • Find commonality: Past events could be connected to current events — not in the sense that the same threat is re-emerging, but that a previous threat could have shared attributes with a current threat, or that threats could be connected after applying machine learning or prediction algorithms. For example, security information and event management alerts might uncover a phishing email that an analyst then investigates and resolves. As part of that investigation, the analyst has probably identified a malicious IP address. Even though this incident is resolved, the IP address may resurface as the initiator of a future attack. If this information is not widely accessible, the next analyst may overlook the fact that there is a connection between attacks.
  • Adapt to evolution: If a past threat evolves into a new one, it's important to understand the original intent and basis for the attack. Rather than responding with an entirely new tactic, you may only need to tweak a past response to adapt to the new threat. Ransomware is a perfect example of an evolving threat that remains similar at its core, with tweaks to its deployment. Information learned in the past is a valuable part of adapting future responses.
  • Apply unique insight: After an incident is resolved, security teams file away unique insights learned from that event. However, when a similar event arises again, those insights remain filed away, instead of being used to address a new threat. This can result in duplicate work on the next problem, because the analyst might not be privy to the past insights found by a colleague.
  • Identify patterns: Recognizing patterns not only addresses current events but also helps predict and eliminate future threats. For example, individual events can be deemed harmless, but in the context of a series of events, a benign event could be part of a larger, more serious incident. Once a pattern emerges, it's then easier to predict what might happen next, raise the priority level of a current threat, and influence how the threat is resolved. For example, the past helps to uncover targeted attacks as criminals and nation-states try to infiltrate a network, attempting over and over again to achieve success. They often will change their methodologies but frequently there will be some pattern that emerges only if the past can be compared with the present and future.

The past should be neither ignored nor forgotten, especially in cybersecurity. However, security teams can easily overlook the past if it is not prioritized because of the rapid nature of the job. To stay one step ahead of hackers, find ways to use the past to better inform the present and secure a better future.

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Liz Maida is instrumental in building and leading the company and its technology, which is founded on core elements of her graduate school research examining the application of graph theory to network interconnection. She was formerly a senior director at Akamai Technologies, ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
mjohnson681
50%
50%
mjohnson681,
User Rank: Apprentice
10/6/2017 | 6:45:24 PM
Redefine the Future
Why shouldn't we redefine the futrue of cybersecurity by making the data worthless for those who want to steal it?

https://www.linkedin.com/pulse/give-up-cybersecurity-programs-matthew-r-johnson-cpa-cisa/ 
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
9/22/2017 | 11:18:25 PM
Re: Learn from History
@jcavery: We've already been seeing this in the financial services space, which used to be very anti-sharing when it came to threat intelligence. Since cybersecurity has started to be seen as a "greater good" issue impacting the entire industry and national security, many are now clamoring to join the table with each other.
jcavery
50%
50%
jcavery,
User Rank: Moderator
9/18/2017 | 1:22:31 PM
Re: Learn from History
Agree Joe, and any new attack methods captured by honeypots or otherwise need to be shared as soon as possible so we can benefit from the information, instead of acting reactively as you mentioned.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
9/18/2017 | 1:19:36 PM
Re: Learn from History
This really comes down to acting proactively instead of always running around acting reactively. Given that history repeats itself -- and many hackers tend to be lazy and recycle the same old attacks and malicious code in what can sometimes be a predictable pattern -- frameworks need to be constructed and adhered to that allow for a layered, proactive, ever-vigilant approach.
jcavery
50%
50%
jcavery,
User Rank: Moderator
9/18/2017 | 11:34:23 AM
Learn from History
It will be true for computing as long as new technologies and concepts are invented. For example, quantum computing will force us to re-visit all the same problems we originally faced with the internet in its infancy. Even though it is "just" an increase in processing speed, we will still need to apply old lessons to this new capability in order to avoid all those original problems. Example: Password entropy standards will need to move. Perhaps two-factor auth will need to be looked at again as well. All of these original security solutions we have already solved in the past will need to be fresh in our minds for future changes if we are to avoid original failures. Yes, new concepts will need to be invented, however we do not want to reinvent the wheel on the road to the new concepts.
Ransomware Grabs Headlines but BEC May Be a Bigger Threat
Marc Wilczek, Digital Strategist & CIO Advisor,  10/12/2017
20 Questions to Ask Yourself before Giving a Security Conference Talk
Joshua Goldfarb, Co-founder & Chief Product Officer, IDDRA,  10/16/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Be a unicorn, not a donkey...
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.