Dark Reading | Attacks/Breaches
10/11/2016 10:30 AM
Vincent Berk, Commentary
Cyber Hunters, Incident Response & The Changing Nature Of Network Defense

Or how I learned that network defense needs to evolve from a game of "stumbled upon" to "search and discover."

Security is a human problem. Computers don't hack computers. Computers don't steal each other's data. Security breaches are the consequence of intent, which is something humans have and computers don't.

Although we probably all agree with those observations, we don't all act accordingly in defending our computer networks. From the earliest recorded days of warfare we know that the art of defending oneself from an intruder involves a multi-faceted strategy:

  1. Understand the territory you are defending.
  2. Build your walls where you are most vulnerable.
  3. Observe your enemy respond.

That last step is where we often go wrong. The computer security industry spends billions per year on understanding risks and building the walls. This spans the gamut from risk assessments and red-teaming to deploying access control, firewalls, and encryption. But we still get hacked, data is still stolen, and websites still go offline. So we blame our walls, and build better walls, higher walls, and stronger walls.

In fact, the state of network defensive products is at an all-time high. The walls we erect are so strong that many of us now believe it is becoming increasingly difficult for our own workforce to actually do their job. So what is going wrong?

Network security operations are typically centered entirely on "incident response." Once we discover something is wrong, we act. Whether responding to an alert, a log, a complaint, or a threat, most of security is reactive, not proactive. We monitor the indicators of compromise and deal with them in triage fashion: scariest one first, then the others. Although this is a necessary part of security operations, it is not sufficient for a true defense.

Once we truly accept that network defense is a game that is played by humans, we see the folly of our ways.

We must evolve the game of network defense from "stumbled upon" to "search and discover." We must realize that step three above actually changes the territory we are analyzing in step one. Each time we erect a wall, or respond to an incident, the attacker learns. And then the attacker adapts. If we simply erect defenses, but remain blind to the changing behaviors of our adversaries, then we will ultimately be just as vulnerable as we were before as the attacker learns new ways to maneuver in the changed territory.

Thankfully, making the necessary changes is actually very easy. Understanding that we are dealing with a human threat, we can enable folks in our organization to seek out the adversaries, track them, and learn who they are and how they operate. These "cyber hunters" are different from your existing incident response team, although the two should work closely together.

Cyber hunters are observers only, while incident responders are responsible for taking defensive actions. The hunters need only telemetry, so give them as much visibility into the infrastructure as possible. They are building "case files" on the adversary. Often the adversary has already penetrated the organization, and it is up to the hunter to learn where, how far, and how wide. Only when the hunting is done can effective incident response begin.

And, although uncomfortable, in some cases it may be important to avoid shutting down the adversary until the true scope of the compromise is understood. After all, you don't want to tip your hand prematurely. You need to ensure that your response will be sudden, forceful, and effective.

Dr. Vincent Berk is CEO of FlowTraq with 15 years of IT security and network management experience. He is a member of ACM and the IEEE.