Commentary
10/11/2016 10:30 AM
Vincent Berk

Cyber Hunters, Incident Response & The Changing Nature Of Network Defense

Or how I learned that network defense needs to evolve from a game of "stumbled upon" to "search and discover."

Security is a human problem. Computers don't hack computers. Computers don't steal each other’s data. Security breaches are the consequence of intent, which is something humans have, computers don't.

Although we probably all agree with those observations, we don't all act accordingly in defending our computer networks. From the earliest recorded days of warfare we know that the art of defending oneself from an intruder involves a multi-faceted strategy:

  1. Understand the territory you are defending.
  2. Build your walls where you are most vulnerable.
  3. Observe how your enemy responds.

That last step is where we often go wrong. The computer security industry spends billions per year on understanding risks and building the walls. This spans the gamut from risk assessments and red-teaming to deploying access control, firewalls, and encryption. But we still get hacked, data is still stolen, and websites still go offline. So we blame our walls, and build better walls, higher walls, and stronger walls.

In fact, the state of network defensive products is at an all-time high. The walls we erect are so strong that many of us now believe they are making it increasingly difficult for our own workforce to do its job. So what is going wrong?

Network security operations are typically centered on "incident response." Once we discover something is wrong, we act. Whether responding to an alert, a log, a complaint, or a threat, most of security is reactive, not proactive. We watch for known indicators of compromise and deal with them in triage fashion: scariest one first, then the others. Although this is a necessary part of security operations, it is not sufficient for a true defense, because it can only ever find what someone has already described.

Once we truly accept that network defense is a game that is played by humans, we see the folly of our ways.

We must evolve the game of network defense from "stumbled upon" to "search and discover." We must realize that step three above actually changes the territory we are analyzing in step one. Each time we erect a wall or respond to an incident, the attacker learns. And then the attacker adapts. If we simply erect defenses but remain blind to the changing behaviors of our adversaries, then we will ultimately be just as vulnerable as we were before, as the attacker learns new ways to maneuver in the changed territory.

Thankfully, making the necessary changes is easy. Understanding that we are dealing with a human threat, we can enable people in our organization to seek out the adversaries, track them, and learn who they are and how they operate. These "cyber hunters" are different from your existing incident response team, although the two should work closely together.

Cyber hunters are observers only, while incident responders are responsible for taking defensive actions. The hunters need only telemetry, so give them as much visibility into the infrastructure as possible: network flows, authentication logs, endpoint activity, DNS. They are building "case files" on the adversary. Often the adversary has already penetrated the organization, and it is up to the hunter to learn where, how far, and how wide. Only when the hunting is done can effective incident response begin.

And, although uncomfortable, in some cases it may be important to avoid shutting down the adversary until the true scope of the compromise is understood. A partial takedown removes only the footholds you know about and tells the attacker to move to the ones you don't. After all, you don't want to tip your hand prematurely. You need to ensure that your response will be sudden, forceful, and effective.
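To make the "stumbled upon" versus "search and discover" distinction concrete, here is an added example (not code from this article or from FlowTraq) that runs both approaches over a handful of constructed flow records. The reactive path matches destinations against a blocklist of known indicators; the hunting path tests a hypothesis the blocklist knows nothing about, namely that a compromised host checks in with its controller at near-constant intervals, and then scopes how many internal hosts talk to each suspect address. The host names, IP addresses (RFC 5737 documentation ranges), timings and the jitter threshold are all assumptions made for the example.

```python
"""Added example: IOC matching ("stumbled upon") next to a beaconing hunt
("search and discover") over constructed network flow telemetry.

Not code from the article or from FlowTraq; all data below is made up.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (timestamp_s, src_host, dst_ip, dst_port, bytes).
FLOWS = [
    # ws-17 checks in roughly every 60 s with an address on no blocklist.
    (0, "ws-17", "198.51.100.23", 443, 512),
    (61, "ws-17", "198.51.100.23", 443, 498),
    (119, "ws-17", "198.51.100.23", 443, 520),
    (181, "ws-17", "198.51.100.23", 443, 505),
    (240, "ws-17", "198.51.100.23", 443, 511),
    # ws-22 checks in with the same address: the compromise is wider than one host.
    (30, "ws-22", "198.51.100.23", 443, 530),
    (90, "ws-22", "198.51.100.23", 443, 526),
    (151, "ws-22", "198.51.100.23", 443, 519),
    (209, "ws-22", "198.51.100.23", 443, 533),
    # ws-05: ordinary, irregular browsing.
    (5, "ws-05", "192.0.2.10", 443, 40210),
    (12, "ws-05", "192.0.2.11", 443, 9800),
    (140, "ws-05", "192.0.2.10", 443, 3300),
    (150, "ws-05", "192.0.2.12", 80, 1200),
    (155, "ws-05", "192.0.2.10", 443, 70200),
    # ws-09 touches an address that is already on the blocklist.
    (77, "ws-09", "203.0.113.9", 80, 2048),
]

# Constructed blocklist: the only "indicator of compromise" the reactive path has.
KNOWN_BAD = {"203.0.113.9"}


def ioc_matches(flows, iocs):
    """Reactive path: alert on internal hosts that contacted a known-bad address.

    Finds exactly what someone has already described, and nothing else.
    """
    return sorted({src for _, src, dst, _, _ in flows if dst in iocs})


def beaconing_hunt(flows, min_flows=4, max_jitter=0.15):
    """Hunt hypothesis: a host that talks to one external address on one port at
    near-constant intervals is checking in with a controller.

    Returns {(src, dst, port): mean_interval_s} for every pair whose inter-flow
    gaps have a coefficient of variation (stdev / mean) at or below max_jitter.
    Thresholds are assumptions for this example, not tuned values.
    """
    times_by_pair = defaultdict(list)
    for ts, src, dst, port, _ in flows:
        times_by_pair[(src, dst, port)].append(ts)

    hits = {}
    for pair, times in times_by_pair.items():
        if len(times) < min_flows:
            continue  # too few observations to say anything about periodicity
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg_gap = mean(gaps)
        if avg_gap > 0 and pstdev(gaps) / avg_gap <= max_jitter:
            hits[pair] = round(avg_gap)
    return hits


def scope_compromise(hits):
    """Case file: for each suspect controller, which internal hosts talk to it.

    This is the "how wide" question the text says hunters must answer before
    incident response acts.
    """
    hosts_by_controller = defaultdict(set)
    for src, dst, _ in hits:
        hosts_by_controller[dst].add(src)
    return {dst: sorted(hosts) for dst, hosts in hosts_by_controller.items()}


if __name__ == "__main__":
    print("IOC matches (reactive):", ioc_matches(FLOWS, KNOWN_BAD))
    found = beaconing_hunt(FLOWS)
    print("Beaconing hunt (proactive):", found)
    print("Scope per controller:", scope_compromise(found))
```

On this constructed data the blocklist path alerts on ws-09 alone, while the hunt surfaces ws-17 and ws-22 checking in with 198.51.100.23 about every 60 seconds, an address no indicator feed had flagged, and the scoping step shows that responding to ws-17 alone would leave ws-22 in place and warn the attacker. On real telemetry the hypothesis needs refinement (software update checks and monitoring agents also beacon), which is exactly the case-file work the text assigns to hunters.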

Dr. Vincent Berk is CEO of FlowTraq with 15 years of IT security and network management experience. He is a member of ACM and the IEEE.