Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics

11/10/2015
10:30 AM
Kristi Horton
Kristi Horton
Commentary
50%
50%

Why Threat Intelligence Feels Like A Game Of Connect Four

In real life, solving the cybersecurity puzzle has many challenges. But shared wisdom and community defense models are making it easier to connect the dots.

You know Connect Four -- that plastic game with the vertical grid where you drop checker pieces until you get four in a row? With two good players it's deceptively simple. You have to keep your eye on all possible permutations while plotting several moves ahead.

That game reminds me of the challenges that today's threat intelligence professionals face. Except it's a three-dimensional version of that game, connecting many disparate pieces while keeping an eye on adversaries making several moves ahead. And in real life, the stakes are much higher.

As a lifelong security practitioner, I have worked everywhere from highly classified environments to critical infrastructure entities. Even in the most sophisticated, well-defended environments such as financial services, there are still many information silos. It's hard to find the threat needles in the data haystack. It's not just disparate security technologies. I am also talking about organizational, process, and data silos.

In the financial sector, three key domains come to mind: 1) information security 2) physical security and personnel and 3) anti-fraud and money laundering. Typically these are managed and executed separately.

If we could truly connect the dots between even two of these domains, we would make significant strides in better understanding the threat landscape, reducing the risk of blended threats, improving incident response, and reducing theft and losses.

Everyone is impacted
All these functional areas impact one another. Physical security impacts confidentiality and data integrity. A data security lapse can impact physical security. And when there is an enterprise security incident, many teams are impacted: the fraud team, the desktop team, the network team, the website team, the cloud security team, the physical security team, the email team, and the list goes on.

Business email compromise (BEC) is a great example of a trending blended threat where nearly all functional areas are impacted. As analysts dig into the indicators of a BEC, they need to ask: "What social engineering techniques were used; Which personnel were targeted or impersonated; What email header and payload information is available; What payment or procurement processes were perverted; What business partners or accounts were compromised; How were funds stolen or data exfiltrated?" Each new question may cross organizational, political, and technical precincts.

There are many other examples of natural silos in big organizations. What happens when new infrastructure is rolled out or when a new office is commissioned? Is the information security team part of the plan? Are vulnerabilities addressed? Is the site monitored? Is system usage authenticated and verified?

Disconnects can also happen for network security. Disparate groups monitor network performance and uptime and DDoS attacks, but may not be monitoring for a user accessing an unusual volume of customer records or systems accessed at the wrong time. Maybe ports 80 and 443 are monitored, but the firewall rules for other ports are not up to date. Maybe a system has been offline for an unusual amount of time and no one notices.

We tend to think that the more people engaged in information security, the more tools, the more budget, the more process, the better. But complexity can be detrimental to security. For example, a user opens her email and gets an alert that an infected file was found and cleaned. If the desktop team is notified, it means that everything is ok, right? But what if only part of the infection was identified and malware is still persistent, waiting to access sensitive systems? The AV team sees one puzzle piece. The network team sees one puzzle piece. But the fraud team didn’t see any of this. Where's the correlation? Where's the connection?

Not just a data or policy issue
Different teams, competing priorities, varied approaches, various critical watch lists... Many organizations are making good strides in aligning and clarifying corporate priorities to recognize that physical and cyber teams need to work together. Some companies have set up internal fusion centers. Public and private sector relationships are in place. Information sharing organizations like ISACs and ISAOs are helping facilitate the flow of real-time threat information. Standards like STIX and TAXII are helping to normalize threat data and make it more actionable. Shared wisdom and community defense models are quickly becoming the new norm.

In that spirit, I want to share four tips to help organizations get and stay connected.

  1. Understand the business: What is the business context you work in as a security team and what are its priorities? What is the worst that can happen and how do you spot it before it happens?
  2. Know thyself: No one else can know what you do, how you do it, what systems you have, or what they are supposed to do. No one else can spot what isn't supposed to be there the way you can. Like bank tellers trained on real currency so they know a fake when they see it, organizations that "know themselves" have reduced the attack surface.
  3. Look for ways to connect: Seek out ways to share information internally and externally. Sponsor regular cybersecurity simulations that involve multiple functional areas. Advocate for updates to crisis playbooks. Communicate the security roadmap broadly and especially at the executive level.
  4. Stick to the plan: Too often, security is compromised to meet the competitive and agility demands of the business, or even simply to react to the present threat landscape. Money is spent without the full context of how security fits into a strategic business plan. And, when a new threat comes along, organizations are tempted to divert from the plan and buy an expensive new tool or appliance that may not be the best fit. Don't react and don't over-react. Have a solid plan and map actions and investments to that plan.

Kristi Horton is the lead intelligence officer of the Financial Services Information Sharing and Analysis Center (FS-ISAC). The FS-ISAC is a non-profit corporation formed in 1999 and is funded by its 6,500 member organizations. The FS-ISAC's mission is to help assure the ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
TedS486
100%
0%
TedS486,
User Rank: Apprentice
11/11/2015 | 12:57:46 AM
Simile on point
Well made article. Really clever use of the simile to the game of connect four.

https://www.youtube.com/c/Enigmaspyhunter
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
11/10/2015 | 2:47:50 PM
Endgame
Also, no matter how well you play, there's always going to be a big mess to clean up eventually.  ;)
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Active Directory Needs an Update: Here's Why
Raz Rafaeli, CEO and Co-Founder at Secret Double Octopus,  1/16/2020
New Attack Campaigns Suggest Emotet Threat Is Far From Over
Jai Vijayan, Contributing Writer,  1/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5216
PUBLISHED: 2020-01-23
In Secure Headers (RubyGem secure_headers), a directive injection vulnerability is present in versions before 3.9.0, 5.2.0, and 6.3.0. If user-supplied input was passed into append/override_content_security_policy_directives, a newline could be injected leading to limited header injection. Upon seei...
CVE-2020-5217
PUBLISHED: 2020-01-23
In Secure Headers (RubyGem secure_headers), a directive injection vulnerability is present in versions before 3.8.0, 5.1.0, and 6.2.0. If user-supplied input was passed into append/override_content_security_policy_directives, a semicolon could be injected leading to directive injection. This could b...
CVE-2020-5223
PUBLISHED: 2020-01-23
In PrivateBin versions 1.2.0 before 1.2.2, and 1.3.0 before 1.3.2, a persistent XSS attack is possible. Under certain conditions, a user provided attachment file name can inject HTML leading to a persistent Cross-site scripting (XSS) vulnerability. The vulnerability has been fixed in PrivateBin v1.3...
CVE-2019-20399
PUBLISHED: 2020-01-23
A timing vulnerability in the Scalar::check_overflow function in Parity libsecp256k1-rs before 0.3.1 potentially allows an attacker to leak information via a side-channel attack.
CVE-2020-7915
PUBLISHED: 2020-01-22
An issue was discovered on Eaton 5P 850 devices. The Ubicacion SAI field allows XSS attacks by an administrator.