Cyber attacks changed drastically over the last few years. Cyber attackers now focus on disrupting our day-to-day operations or use attacks as a strategic weapon.
For example, in December 2016, Kiev experienced a blackout, likely as a result of a cyber attack on the Ukrainian capital's power system. In the 2016 Dyn attack, Internet of Things (IoT) devices were exploited to disrupt dozens of major Internet services. And recently, the US Department of Homeland Security and the FBI issued a rare public alert about a cyber campaign in progress that was preparing to attack US critical infrastructure companies in multiple sectors, including energy, water, aviation, and nuclear. 2017 was also the year that ransomware transformed from a nuisance to a massive operation with the potential to shut down global organizations and data centers. These are only a few examples of the exponential growth in attacks we have experienced recently.
It's clear we have entered the age of cyber warfare. The enemy is armed with new strategies, goals, and capabilities, and we must rethink our approaches as we prepare our organizations and nations to meet these evolving challenges. Below are four best practices utilized by national security and counterterrorism organizations that the cybersecurity industry should adopt.
1. We must acknowledge that we can't hermetically seal our borders. Homeland security organizations have worked hard to secure the borders and keep out criminals and terrorists. Even though it's not a simple task, in the physical world it's much easier to try to close a border than in the cyber realm. There is no such thing as a perfectly secured perimeter, no matter where you operate; with persistence, attackers will eventually find a way in. As we get more creative and increase investments to try to close all the potential gaps, attackers will only get more creative, too. Continuing to invest in locking down the borders will not lead to any significant improvement in national security.
In the cybersecurity industry, we must realize that we have maxed out on our ability to lock down networks. It has become critical that we look for ways not only to prevent but also to defend. To start, implement an incident response capability. If you don't have the expertise to do this internally, that's OK – there are a growing number of managed security service providers (MSSPs) offering these services. If you go this route, make sure you do your due diligence and work with an MSSP that has a solid reputation.
Additional firewalls and advanced intrusion-prevention systems may reduce the number of attacks, but some sophisticated attackers will eventually find a way in. The key is in how you respond. Instrumenting and monitoring your network so that you have the information and evidence needed to respond is your best investment towards recovery.
2. We must assume attackers have already penetrated our defenses. National security agencies work under the assumption that terror cells have already penetrated their borders and are in the process of preparing for their next attack. The agencies focus resources on detecting potentially malicious activity and mitigating it as fast as possible, before the attack is carried out. They build and deploy numerous data collection sensors and invest in building large-scale data centers, which can analyze in real time the enormous amount of collected data and look for the smoking gun that will indicate planned terror activity.
In the same manner, cybersecurity leaders must assume that attackers have penetrated their perimeter security array. To combat this, they must set up the means to detect the attackers' activity, respond, and remediate it before a breach occurs or causes catastrophic damage. This means shifting resources from traditional cybersecurity concepts and tools to the new generation of detection and response platforms, and building security operations centers (SOCs) that let teams respond effectively and quickly.
3. We must embrace a data-centric approach. Data is the lifeblood of intelligence. Lawfully intercepted information, security footage, online chatter, mobile texting and more are all monitored continuously, resulting in massive amounts of data. This data is processed to look for suspicious behavioral patterns that will help reveal an upcoming attack. The challenge is to quickly and accurately distill high-quality intelligence from all of this data. Each piece of data on its own may look benign, but together they may tell a story that should be investigated. The challenge is to correlate data sources to produce and prioritize these insights, and then give them to the commanders in real time, enabling swift action.
In the cybersecurity world, organizations are facing the same challenges. Currently, organizations are leveraging a number of different resources to help them detect upcoming attacks, including external threat feeds, firewall alerts, endpoint sensors, and email. However, there is too much data and too few analysts to process it for actionable insights. There is also the expanding attack surface that includes OT (operational technology) networks and IoT devices, each one monitored and analyzed by a separate security system. Just as in the intelligence world, we need to get our systems talking to each other, aggregating the data into a homogeneous big data platform, analyzing it with artificial intelligence, and helping limited SOC teams obtain insights faster.
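As an added illustration of the correlation idea above (example code, not from the original article), the following Python normalizes constructed alerts from a firewall, an endpoint sensor and an email gateway into one shape, then groups them by host and time window so that a chain of individually benign alerts is prioritized ahead of isolated ones. All host addresses, alert records and scoring weights are hypothetical.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts from three separate systems (hypothetical data).
# Each system has its own record format, and each record alone looks benign.
FIREWALL_ALERTS = [
    {"ts": "2018-03-15T09:02:00", "src": "10.0.5.17", "msg": "outbound to rare port"},
    {"ts": "2018-03-15T11:40:00", "src": "10.0.7.3", "msg": "blocked inbound scan"},
]
ENDPOINT_ALERTS = [
    {"time": "2018-03-15T09:00:30", "host_ip": "10.0.5.17", "event": "office app spawned shell"},
    {"time": "2018-03-15T15:10:00", "host_ip": "10.0.7.3", "event": "new scheduled task"},
]
EMAIL_ALERTS = [
    {"received": "2018-03-15T08:58:00", "recipient_ip": "10.0.5.17", "verdict": "macro attachment"},
]

def normalize():
    """Map each source's own schema onto one common event shape keyed by host."""
    events = []
    for a in FIREWALL_ALERTS:
        events.append({"t": datetime.fromisoformat(a["ts"]), "host": a["src"],
                       "source": "firewall", "detail": a["msg"]})
    for a in ENDPOINT_ALERTS:
        events.append({"t": datetime.fromisoformat(a["time"]), "host": a["host_ip"],
                       "source": "endpoint", "detail": a["event"]})
    for a in EMAIL_ALERTS:
        events.append({"t": datetime.fromisoformat(a["received"]), "host": a["recipient_ip"],
                       "source": "email", "detail": a["verdict"]})
    return events

def correlate(events, window=timedelta(minutes=30)):
    """Per host, find the largest cluster of events inside one window. A cluster
    spanning several independent sources outranks any single alert (hypothetical weights)."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    incidents = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["t"])
        best = []
        for i, start in enumerate(evs):
            run = [e for e in evs[i:] if e["t"] - start["t"] <= window]
            if len(run) > len(best):
                best = run
        sources = {e["source"] for e in best}
        incidents.append({"host": host, "score": 10 * len(sources) + len(best),
                          "sources": sorted(sources), "timeline": [e["detail"] for e in best]})
    return sorted(incidents, key=lambda i: i["score"], reverse=True)
```

Running `correlate(normalize())` ranks the host with email, endpoint and firewall alerts within thirty minutes first, while the host with two unrelated alerts hours apart scores as two separate low-priority events.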
4. We must collaborate. Criminal activity is global. Failing to share information leaves geographical blind spots, which criminals will exploit. Therefore, nations are continuously increasing their efforts to share timely intelligence information and alerts.
In the cybersecurity world, a security vulnerability is likely to exist across multiple organizations of the same industry segment because companies use similar technologies. Attackers look for an easy win, and after a successful attack they will attempt to replicate it against similar institutions, exploiting the same vulnerability. For example, the SWIFT heist of 2013 is believed to have been replicated in several other banks.
To address this, collaboration initiatives have begun in the IT security world, such as the Financial Services Information Sharing and Analysis Center (FS-ISAC), the financial industry's platform for threat intelligence analysis and sharing. These initiatives help organizations within similar industries jointly resolve vulnerabilities and share threat intelligence. Just like in the counterterrorism realm, we must put aside the desire to keep "bad" information to ourselves. Today, we can only confront attackers as a community.
National security and counterterrorism operations have made substantial progress over the last few years. They have become data driven and collaborative, and they've set up the processes to track down and mitigate an attack whether across or within their borders. Our industry should adopt best practices and technologies that originated in the intelligence realm and integrate them as a fundamental element of our SOCs, so we can keep our digital assets safer.