
Threat Intelligence

4/6/2018
10:30 AM
Martin Dion
Commentary

Stripping the Attacker Naked

How cyber threat intelligence can help you gain a better understanding of the enemy and why that gives security teams the upper hand.

When it comes to cyberattacks, nobody is immune. Some of the largest enterprises and most important government agencies have been victims of intrusions where sensitive corporate or client data and classified information was stolen and put in the public domain.

Given the fact that no one can prevent breaches from happening, everyone must be as prepared as possible to handle threats. Preparation requires enhancement not only of defenses but of response processes too, and to accomplish this, it's essential to gain a better understanding of the enemy.

There are a few key areas that demand our sustained focus in order to achieve these goals. First, security personnel must identify the "crown jewels" — the vital data needing protection. It's then important to understand what the motivation and profile of an attacker is. After establishing this, the next steps involve identifying who has legitimate access to those assets, then, finally, working out what the potential attack vectors are against legitimate users and the infrastructure that hosts the crown jewels themselves.

It's imperative to have a clear vision and understanding of the cyber terrain, the assets being protected, and the capabilities of the enemy. This enables us to reinforce defenses where we can and to have the know-how to respond properly where we can't. Ultimately, it's about establishing a process that will eventually lead to the infusion of cyber threat intelligence into the defense and response apparatus.

For example, if a company is engaged in selling goods online, one of the crucial assets to protect is the financial information of product buyers. Of all the attackers out there, we can likely deduce that nation-states, corporate spies, and most "script kiddies" up for a challenge are not prime suspects. This leaves cybercriminals. Usually, our thinking stops there — but that's a mistake. What's needed is to push the reflection further and think about the attack itself.

Yes, cybercriminals might want to steal credit card numbers, but this is obvious, and so it's important to think a bit more like them to work out what else they might be after. Can they lock down a part of a system using ransomware that will prevent selling products? Is this a type of bribery to keep the company out of large distributed denial-of-service attacks? Is the organization selling products delivered in unidentified brown boxes of a very personal nature to buyers, and, therefore, is the mere fact that customer names end up in the public sphere going to create problems?

Based on more specific attack scenarios, it may be easier to align defensive measures — but this brings up additional questions. For instance, if a company only sells products to US-based customers, could you block foreign connections using geolocation? It might also open questions related to legal liabilities, due care, and diligence obligations, which could drive more specific processes on how to respond to different types of incidents.

Regarding cyber threat intelligence more specifically, understanding attackers makes it possible to extract very specific indicators of attack or of compromise from the various commercially available databases. This narrows the focus to criminal adversaries and their modus operandi, instead of casting a very wide net and generating a ton of false positives. It then becomes possible to study their techniques and ask ourselves whether our infrastructure has what it needs to prevent them from using their tools and techniques.

By using a more practical and specific approach, organizations can gain the ability to invest precious cybersecurity dollars on things that matter most to a business model and its protection. By knowing the enemy inside out, and by being one step ahead, control is regained. What adversaries consider their attack playground is effectively our arena, and as security professionals, we rule it. It is for us to step up and — when they trespass on our turf — leave them standing naked and defenseless.


Originally from Montreal, Martin has been navigating the tormented waters of cybersecurity for over 20 years. He was the founder and CTO at Above Security Canada, where he worked locally and in the Caribbean. Twelve years ago, he moved to Switzerland to launch SecureIT, ...

Comments
BrianN060
User Rank: Ninja
4/11/2018 | 12:48:40 PM
Re: Not Worth Reading
As an alternative to the "crown jewels" analogy, consider this: "Data is the life's blood of the modern enterprise." If you accept that, just what part of your organization's life's blood isn't worth protecting? How much of a leak is acceptable? Which parts do you need to keep uncontaminated? When is it OK for any of it not to get to where it's needed?

As to why information system architects aren't ready, willing or best suited to take point in protecting data assets: the metrics for job performance are skewed toward finding new, better and faster ways to exploit an organization's data. What stakeholders have failed to realize is that their people aren't the only ones good at doing that! The scattered debris field left by all the (well rewarded) shortcuts, design-as-you-go, secure-it-later, data-ecology strip-mining and hope-it-holds patching is a godsend to those who realize what can be made from the bits and pieces.
MartinDionCH
User Rank: Author
4/10/2018 | 2:59:12 PM
Re: Not Worth Reading
Thanks, Brian, for your feedback! Two things: editorial guidelines limit the article length, and this article is not claiming to be about cyber security strategy at large. I generally agree with your comment, but cyber is not limited to data protection. From my viewpoint, it's about enterprise resilience, hence crown jewels are broader than data. I also think that although IT has an important role, security personnel must lead the charge and facilitate the transversal conversation. Finally, it's important to focus on what is both the most valuable and vulnerable right now, since most enterprises don't have the luxury of securing everything; it's just sound risk management practice. Best regards, Martin
BrianN060
User Rank: Ninja
4/10/2018 | 1:29:03 PM
Re: Not Worth Reading
@Martin: Nothing wrong with suggesting strategy or doctrine, rather than implementation tactics. Too little thought goes into creating a sustainable, orchestrated, holistic and heuristic approach to cybersecurity in many organizations. Putting tactics first, you can win lots of battles, yet still lose the war.

"First, security personnel must identify the "crown jewels" — the vital data needing protection."

I do have an issue with the "crown jewels" analogy, as it suggests that most (of the now vast amounts of) data that enterprises collect, share, store, transmit or process doesn't require protection. It's impossible to know to what use some entity, at some point in the future, might make of "ordinary" data, especially in combination with data collected from other sources.

Also, I would not task "security personnel" with identifying or evaluating data assets, or establishing the need-to-know access mechanisms; that's a job for the information system's architects.
MartinDionCH
User Rank: Author
4/9/2018 | 2:21:28 PM
Re: Not Worth Reading
I am sorry you feel this way. If you are looking for implementation guidelines, may I suggest you read my other post? As well, you must understand that I do appreciate your feedback, and to ensure I do better next time, it would be important for me to understand what you would expect, or even to get specific questions, so we could interact constructively. Best regards, Martin.
ANON1251724318124
User Rank: Apprentice
4/9/2018 | 1:14:09 PM
Not Worth Reading
There are no insights here, just conjecture.