Adi Dar
What Can We Learn from Counterterrorism and National Security Efforts?

The best practices and technologies that originated in the intelligence realm can help businesses stay safer, too.

Cyber attacks have changed drastically over the last few years. Cyber attackers now focus on disrupting our day-to-day operations or use attacks as a strategic weapon.

For example, in December 2016, Kiev experienced a blackout, likely as a result of a cyber attack on the Ukrainian capital's power system. In the 2016 Dyn attack, Internet of Things (IoT) devices were exploited to disrupt dozens of major Internet services. And recently, the US Department of Homeland Security and the FBI issued a rare public alert about a cyber campaign in progress that was preparing to attack US critical infrastructure companies in multiple sectors, including energy, water, aviation, and nuclear. 2017 was also the year that ransomware transformed from a nuisance to a massive operation with the potential to shut down global organizations and data centers. These are only a few examples of the exponential growth in attacks we have experienced recently.

It's clear we have entered the age of cyber warfare. The enemy is armed with new strategies, goals, and capabilities, and we must rethink our approaches as we prepare our organizations and nations to meet these evolving challenges. Below are four best practices utilized by national security and counterterrorism organizations that the cybersecurity industry should adopt.

1. We must acknowledge that we can't hermetically seal our borders. Homeland security organizations have worked hard to secure the borders and keep out criminals and terrorists. Even though it's not a simple task, in the physical world it's much easier to try to close a border than in the cyber realm. There is no such thing as a perfectly secured perimeter, no matter where you operate; with persistence, attackers eventually will find a way in. As we get more creative and increase investments to try to close all the potential gaps, attackers will only get more creative, too. Continuing to invest in locking down the borders will not lead to any significant improvement in national security.

In the cybersecurity industry, we must realize that we have maxed out on our ability to lock down networks. It has become critical that we look for ways not only to prevent but to defend. To start, implement an incident response capability. If you don't have the expertise to do this internally, that's OK: there are a growing number of managed security service providers (MSSPs) offering these services. If you go this route, make sure you do your due diligence and work with an MSSP that has a solid reputation.

Additional firewalls and advanced intrusion-prevention systems may reduce the number of attacks, but some of the sophisticated attackers eventually will find a way in. The key is in how you respond. Instrumenting and monitoring your network so you have the information and evidence to respond is your best investment towards recovery.

2. We must assume attackers have already penetrated our defenses. National security agencies work under the assumption that terror cells have already penetrated their borders and are in the process of preparing for their next attack. The agencies focus resources on detecting potentially malicious activity and mitigating it as fast as possible, before the attack is carried out. They build and deploy numerous data collection sensors and invest in building large-scale data centers, which can analyze in real time the enormous amount of collected data and look for the smoking gun that will indicate planned terror activity.

In the same manner, cybersecurity leaders must assume that attackers have penetrated their perimeter security array. To combat this, they must set up the means to detect attacker activity, respond, and remediate it before a breach occurs or causes catastrophic damage. This means shifting resources from traditional cybersecurity concepts and tools to the new generation of detection and response platforms, and building security operations centers (SOCs) that will let teams respond effectively and quickly.

3. We must embrace a data-centric approach. Data is the lifeblood of intelligence. Lawfully intercepted information, security footage, online chatter, mobile texting and more are all monitored continuously, resulting in massive amounts of data. This data is processed to look for suspicious behavioral patterns that will help reveal an upcoming attack. The challenge is to quickly and accurately distill high-quality intelligence from all of this data. Each piece of data on its own may look benign, but together they may tell a story that should be investigated. The challenge is to correlate data sources to produce and prioritize these insights, and then give them to the commanders in real time, enabling swift action.

In the cybersecurity world, organizations are facing the same challenges. Currently, organizations are leveraging a number of different resources to help them detect upcoming attacks, including external threat feeds, firewall alerts, endpoint sensors, and email. However, there is too much data and too few analysts to process it for actionable insights. There is also the expanding attack surface that includes OT (operational technology) networks and IoT devices, each one monitored and analyzed by a separate security system. Just as in the intelligence world, we need to get our systems talking to each other, aggregating the data into a homogeneous big data platform, analyzing it with artificial intelligence, and helping limited SOC teams obtain insights faster.
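The correlation the paragraph above describes, as an added example that is not code from the article or from Cyberbit: events from an email gateway, an endpoint sensor and a firewall are normalized to a common shape, scored per host, and combined with a shared external indicator list of the kind an industry sharing initiative distributes. Each event on its own scores low; a host that shows up across several sources gets a corroboration bonus, which is what pushes it to the top of the analyst's queue. The event records, the indicator addresses (RFC 5737 documentation ranges), the field names and the weights are all constructed for the example, not taken from any real product.

```python
"""Correlate alerts from several security data sources into prioritized per-host findings.

Added example for illustration only. Events, indicator addresses, field names and
scoring weights are constructed; none come from a real SIEM, sensor or threat feed.
"""
from collections import defaultdict

# Constructed "shared intelligence": addresses a peer organization or ISAC reported as malicious.
THREAT_FEED = {"203.0.113.7", "198.51.100.23"}

# Constructed events in a normalized shape: every record carries a timestamp, its source and a host.
EVENTS = [
    {"ts": "2018-01-12T09:01:10Z", "source": "email", "host": "ws-014",
     "subject": "Invoice", "attachment": "invoice.docm"},
    {"ts": "2018-01-12T09:03:42Z", "source": "endpoint", "host": "ws-014",
     "process": "winword.exe", "child": "powershell.exe"},
    {"ts": "2018-01-12T09:04:05Z", "source": "firewall", "host": "ws-014",
     "dst_ip": "203.0.113.7", "action": "allow"},
    {"ts": "2018-01-12T09:10:00Z", "source": "firewall", "host": "srv-db01",
     "dst_ip": "192.0.2.44", "action": "deny"},
    {"ts": "2018-01-12T09:12:00Z", "source": "endpoint", "host": "ws-022",
     "process": "explorer.exe", "child": "chrome.exe"},
    {"ts": "2018-01-12T09:15:30Z", "source": "firewall", "host": "ws-022",
     "dst_ip": "198.51.100.23", "action": "allow"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}

# Each per-source rule returns (weight, reason) for a suspicious event, or None for a benign one.
def check_email(event, feed):
    """Email gateway: macro-enabled Office attachments are common but worth a low-weight note."""
    if event.get("attachment", "").lower().endswith((".docm", ".xlsm", ".pptm")):
        return 2, "macro-enabled attachment %s" % event["attachment"]
    return None

def check_endpoint(event, feed):
    """Endpoint sensor: an Office application launching a script host is a classic macro foothold."""
    if event.get("process") in OFFICE_APPS and event.get("child") in SCRIPT_HOSTS:
        return 4, "%s spawned %s" % (event["process"], event["child"])
    return None

def check_firewall(event, feed):
    """Firewall: traffic to a shared indicator; an allowed connection outweighs a blocked attempt."""
    dst = event.get("dst_ip")
    if dst in feed:
        if event.get("action") == "allow":
            return 5, "allowed connection to shared indicator %s" % dst
        return 2, "blocked connection to shared indicator %s" % dst
    return None

RULES = {"email": check_email, "endpoint": check_endpoint, "firewall": check_firewall}
CORROBORATION_BONUS = 3  # extra points per additional source that independently flags the same host

def correlate(events, feed):
    """Run every event through its source rule and aggregate hits per host."""
    per_host = defaultdict(lambda: {"score": 0, "sources": set(), "reasons": []})
    for event in sorted(events, key=lambda e: e["ts"]):
        rule = RULES.get(event["source"])
        hit = rule(event, feed) if rule else None
        if hit is None:
            continue
        weight, reason = hit
        finding = per_host[event["host"]]
        finding["score"] += weight
        finding["sources"].add(event["source"])
        finding["reasons"].append("%s %s: %s" % (event["ts"], event["source"], reason))
    # The story told by several sources together is worth more than the sum of its parts.
    for finding in per_host.values():
        finding["score"] += CORROBORATION_BONUS * (len(finding["sources"]) - 1)
    return dict(per_host)

def prioritize(per_host):
    """Order findings for the analyst queue: highest score first, host name as a stable tie-break."""
    ranked = sorted(per_host.items(), key=lambda kv: (-kv[1]["score"], kv[0]))
    return [{"host": host, "score": f["score"], "sources": sorted(f["sources"]),
             "reasons": f["reasons"]} for host, f in ranked]

if __name__ == "__main__":
    for finding in prioritize(correlate(EVENTS, THREAT_FEED)):
        print("%-9s score=%2d sources=%s" % (finding["host"], finding["score"], ",".join(finding["sources"])))
        for reason in finding["reasons"]:
            print("    " + reason)
```

With the constructed events, ws-014 (phishing attachment, Office-to-PowerShell, then an allowed connection to a shared indicator) ranks first; ws-022 is flagged only by the firewall and lands second; srv-db01's denied connection to an address nobody has reported never becomes a finding at all. Swapping the rule functions for real detection content and the feed set for an indicator list pulled from a sharing platform leaves the correlation and ranking logic unchanged.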

4. We must collaborate. Criminal activity is global. Failing to share information leaves geographical blind spots, which criminals will exploit. Therefore, nations are continuously increasing their efforts to share timely intelligence information and alerts.

In the cybersecurity world, a security vulnerability is likely to exist across multiple organizations of the same industry segment because companies use similar technologies. Attackers look for an easy win, and after a successful attack they will attempt to replicate it against similar institutions, exploiting the same vulnerability. For example, the SWIFT heist of 2013 is believed to have been replicated in several other banks.

To address this, collaboration initiatives have begun in the IT security world, such as the Financial Services Information Sharing and Analysis Center (FS-ISAC), the financial industry's platform for threat intelligence analysis and sharing. These initiatives help organizations within similar industries jointly resolve vulnerabilities and share threat intelligence. Just like in the counterterrorism realm, we must put aside the desire to keep "bad" information to ourselves. Today, we can only confront attackers as a community.

National security and counterterrorism operations have made substantial progress over the last few years. They have become data driven and collaborative, and they've set up the processes to track down and mitigate an attack whether across or within their borders. Our industry should adopt best practices and technologies that originated in the intelligence realm and integrate them as a fundamental element of our SOCs, so we can keep our digital assets safer.

Adi Dar, CEO and founder of Cyberbit, is an experienced cybersecurity leader and chief executive who has repeatedly led the development and launch of successful products and services in highly competitive markets. Previously, as CEO of ELOP (Israel's largest electro-optics ... View Full Bio

User Rank: Moderator
1/13/2018 | 7:13:41 PM
Cybersecurity and Counterterrorism
I just entered a large post which the system didn't like, bounced me to an error page and lost my posting data. Any idea where it might have gone and what the error might have been?