
Attacks/Breaches

10/11/2016 10:30 AM
Vincent Berk
Commentary

Cyber Hunters, Incident Response & The Changing Nature Of Network Defense

Or how I learned that network defense needs to evolve from a game of "stumbled upon" to "search and discover."

Security is a human problem. Computers don't hack computers. Computers don't steal each other’s data. Security breaches are the consequence of intent, which is something humans have, computers don't.

Although we probably all agree with those observations, we don't all act accordingly in defending our computer networks. From the earliest recorded days of warfare we know that the art of defending oneself from an intruder involves a multi-faceted strategy:

  1. Understand the territory you are defending.
  2. Build your walls where you are most vulnerable.
  3. Observe your enemy respond.

That last step is where we often go wrong. The computer security industry spends billions per year on understanding risks and building the walls. This spans the gamut from risk assessments, red-teaming, to deploying access control, firewalls, and encryption. But we still get hacked, and data is still stolen, and websites still go offline. So we blame our walls, and build better walls, higher walls, and stronger walls.

In fact, the state of network defensive products is at an all-time high. The walls we erect are so strong that many of us now believe it is becoming increasingly difficult for our own workforce to actually do their jobs. So what is going wrong?

Network security operations are typically completely centered around "incident response." Once we discover something is wrong, we act. Whether responding to an alert, a log, a complaint, or a threat, most of security is reactive, not proactive. We monitor the indicators of compromise, and deal with them in triage fashion: scariest one first, then the others. Although this is a necessary part of security operations, it is not sufficient for a true defense.

Once we truly accept that network defense is a game that is played by humans, we see the folly of our ways.

We must evolve the game of network defense from "stumbled upon" to "search and discover." We must realize that step three above actually changes the territory we are analyzing in step one. Each time we erect a wall, or respond to an incident, the attacker learns. And then the attacker adapts. If we simply erect defenses, but remain blind to the changing behaviors of our adversaries, then we will ultimately be just as vulnerable as we were before as the attacker learns new ways to maneuver in the changed territory.

Thankfully, making the necessary changes is actually very easy. Understanding that we are dealing with a human threat, we can enable folks in our organization to seek out the adversaries, track them, and learn who they are and how they operate. These "cyber hunters" are different from your existing incident response team, although the two should work closely together.

Cyber hunters are observers only, while incident responders are responsible for taking defensive actions. The hunters need only telemetry, so give them as much visibility into the infrastructure as possible. They are building "case files" on the adversary. Often the adversary has already penetrated the organization, and it is up to the hunter to learn where, how far, and how wide. Only when the hunting is done can effective incident response begin.

And, although uncomfortable, in some cases it may be important to avoid shutting down the adversary until the true scope of the compromise is understood. After all, you don't want to tip your hand prematurely. You need to ensure that your response will be sudden, forceful, and effective.
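As an added illustration of the hunting workflow the last three paragraphs describe (example code, not from the article or from FlowTraq), the script below pivots outward from one host assumed to be already compromised across constructed flow records and builds a case file answering where the adversary is, how far in, and how wide, before any containment action is taken. The flow records, the 10.0.0.0/8 internal range, and the set of lateral-movement ports are all assumptions.

```python
# Added example (not the article's own code): a hypothesis-driven hunt over
# constructed network flow telemetry, scoping an intrusion before response.
from collections import defaultdict

# Constructed flow records: (src, dst, dst_port, bytes_out). Hosts in
# 10.0.0.0/8 are treated as internal; everything else as external.
FLOWS = [
    ("10.0.1.5", "203.0.113.9", 443, 1200),    # patient zero beacons out
    ("10.0.1.5", "10.0.2.20", 445, 80000),     # SMB lateral movement
    ("10.0.2.20", "10.0.3.7", 3389, 50000),    # RDP hop further in
    ("10.0.3.7", "203.0.113.9", 443, 900000),  # staging host talks to same peer
    ("10.0.1.5", "10.0.9.1", 53, 300),         # DNS to internal resolver (benign)
    ("10.0.4.4", "10.0.5.5", 80, 2000),        # unrelated traffic
]
# Assumed set of ports whose internal-to-internal use is worth pivoting on.
LATERAL_PORTS = {22, 445, 3389, 5985}

def is_internal(ip):
    return ip.startswith("10.")

def hunt(flows, patient_zero, max_hops=5):
    """Pivot outward from a known-bad host over lateral-movement ports.
    Returns a case file: internal hosts reached (with hop count) and the
    external peers those hosts contacted, with bytes sent to each."""
    case = {"hosts": {patient_zero: 0}, "external": defaultdict(int)}
    frontier = [patient_zero]
    for hop in range(1, max_hops + 1):
        nxt = []
        for src, dst, port, nbytes in flows:
            if src not in frontier:
                continue
            if is_internal(dst):
                if port in LATERAL_PORTS and dst not in case["hosts"]:
                    case["hosts"][dst] = hop
                    nxt.append(dst)
            else:
                case["external"][dst] += nbytes
        if not nxt:          # nothing new reached; the scope is complete
            break
        frontier = nxt
    return case

def summarize(case):
    """How wide (hosts touched), how far (deepest hop), and where data went."""
    hosts = case["hosts"]
    return {"width": len(hosts), "depth": max(hosts.values()),
            "external_peers": dict(case["external"])}

if __name__ == "__main__":
    print(summarize(hunt(FLOWS, "10.0.1.5")))
```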

Dr. Vincent Berk is CEO of FlowTraq with 15 years of IT security and network management experience. He is a member of ACM and the IEEE.