Your personal photos have been stolen, sold, and published. The media have picked up the story, and your reputation is taking a beating. Once it’s released, you cannot get the digital data back under lock and key, so you try to minimize the damage, add this breach to your list of lessons learned, and implement the appropriate personal security patches or behavioral changes to prevent future incidents.
In the world of personal digital security, your data made public is an obvious “Indicator of Compromise” (IoC) – solid evidence that some part of your personal security has been breached. In enterprise security, there are more subtle IoCs, digital evidence across an organization’s infrastructure indicating that an environment has been penetrated. They could mean the theft, vandalism, or kidnapping of your organization’s digital information and computing resources.
The digital security industry has been talking about IoCs for a couple of years now. We use criminal investigative terms like incident response and forensic analysis. We design tools that share indicators between various security systems, to try to reduce or eliminate copycats and repeat-crimes using the same technique. Many people today are buying digital forensic tools, coming in after the crime to try to identify the perpetrators, victims, and even what, exactly, was affected. Unfortunately, this approach addresses problems after the system has been breached and data stolen. Worse, most of the major data thefts in the past year can be attributed to a small number of attack methods, indicating that the current usage of IoCs, while necessary, is not sufficient to address this growing threat. Although IoC data exists for the attack, organizations aren’t able to use it to prevent data exfiltration.
Cyber criminals are moving quickly and aggressively, relentlessly attempting to infiltrate digital devices of all kinds. They are uncovering and exploiting security weaknesses and software flaws, sharing with others on the darknet, and employing legions of computers to attempt by brute force what they cannot accomplish by other means. In order to be tough on cybercrime, we need to address the problem long before our (metaphorical) personal photos are compromised. We need to act, and share, earlier and more effectively, when we have an Indicator of Attack (IoA).
Indicators of Attack are changes in system behavior, signs that someone could be “casing the joint,” probing for vulnerabilities, or masquerading as a legitimate person or process. Some common IoAs today are multiple failed login attempts, authentic-looking emails with links to malicious addresses, changes in network traffic patterns or volumes, and programmed access to systems normally used only by humans. The capabilities exist today to detect these and other suspicious behaviors. Unfortunately, many of our security controls are “selfish”: They keep the information they need to do their own job, and discard the rest.
If we are going to win this battle, we need to reduce the selfish tendency in our products, and build an architecture that gives us a sustainable advantage against the criminals. In my next post, I will discuss the tools and technologies that are providing earlier warning and response, improving your digital immune system to neutralize attacks before you are compromised.