Security is a human problem. Computers don't hack computers. Computers don't steal each other’s data. Security breaches are the consequence of intent, which is something humans have, computers don't.
Although we probably all agree with those observations, we don't all act accordingly in defending our computer networks. From the earliest recorded days of warfare we know that the art of defending oneself from an intruder involves a multi-faceted strategy:
- Understand the territory you are defending.
- Build your walls where you are most vulnerable.
- Observe your enemy respond.
That last step is where we often go wrong. The computer security industry spends billions per year on understanding risks and building the walls. This spans the gamut from risk assessments, red-teaming, to deploying access control, firewalls, and encryption. But we still get hacked, and data is still stolen, and websites still go offline. So we blame our walls, and build better walls, higher walls, and stronger walls.
In fact, the state of network defensive products is at an all-time high. The walls we erect are so strong that now many of us believe that it is becoming increasingly more difficult for our own workforce to actually do their job. So what is going wrong?
Network security operations are typically completely centered around "incident response." Once we discover something is wrong, we act. Whether responding to an alert, a log, a complaint, or a threat, most of security is reactive, not proactive. We monitor the indicators of compromise, and deal with them in triage fashion: scariest one first, then the others. Although this is a necessary part of security operations, it is not sufficient for a true defense.
Once we truly accept that network defense is a game that is played by humans, we see the folly of our ways.
We must evolve the game of network defense from "stumbled upon" to "search and discover." We must realize that step three above actually changes the territory we are analyzing in step one. Each time we erect a wall, or respond to an incident, the attacker learns. And then the attacker adapts. If we simply erect defenses, but remain blind to the changing behaviors of our adversaries, then we will ultimately be just as vulnerable as we were before as the attacker learns new ways to maneuver in the changed territory.
Thankfully, making the necessary changes is actually very easy. Understanding that we are dealing with a human threat, we can enable folks in our organization to seek out the adversaries, track them, learn who they are, and how they operate. These "cyber hunters" are different than your existing incident response team although they should both work closely together.
Cyber hunters are observers only, while incident responders are responsible for taking defensive actions. The hunters needs only telemetry so give them as much visibility into the infrastructure as possible. They are building "case files" on the adversary. Often the adversary has already penetrated the organization and it is up to the hunter to learn where, how far, and how wide. Only when the hunting is done, can effective incident response begin.
And, although uncomfortable, in some cases it may be important to avoid shutting down the adversary until the true scope of the compromise is understood. After all, you don't want to tip your hand prematurely. You need to ensure that your response will be sudden, forceful, and effective.