Threat Intelligence

4/6/2018
10:30 AM
Martin Dion
Martin Dion
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

Stripping the Attacker Naked

How cyber threat intelligence can help you gain a better understanding of the enemy and why that gives security teams the upper hand.

When it comes to cyberattacks, nobody is immune. Some of the largest enterprises and most important government agencies have been victims of intrusions where sensitive corporate or client data and classified information was stolen and put in the public domain.

Given the fact that no one can prevent breaches from happening, everyone must be as prepared as possible to handle threats. Preparation requires enhancement not only of defenses but of response processes too, and to accomplish this, it's essential to gain a better understanding of the enemy.

There are a few key areas that demand our sustained focus in order to achieve these goals. First, security personnel must identify the "crown jewels" — the vital data needing protection. It's then important to understand what the motivation and profile of an attacker is. After establishing this, the next steps involve identifying who has legitimate access to those assets, then, finally, working out what the potential attack vectors are against legitimate users and the infrastructure that hosts the crown jewels themselves.

It's imperative to have a clear vision and understanding of the cyber terrain, assets being protected, and capabilities of the enemy. This enables us to better re-enforce defenses where we can and have the know-how to respond properly where we can't. Ultimately, it's about establishing a process that will eventually lead to the infusion of cyber threat intelligence information into the defense and response apparatus.

For example, if a company is engaged in selling goods online, one of the crucial assets to protect is the financial information of product buyers. Of all the attackers out there, we can likely deduce that nation-states, corporate spies, and most "script kiddies" up for a challenge are not prime suspects. This leaves cybercriminals. Usually, our thinking stops there — but that's a mistake. What's needed is to push the reflection further and think about the attack itself.

Yes, cybercriminals might want to steal credit card numbers, but this is obvious, and so it's important to think a bit more like them to work out what else they might be after. Can they lock down a part of a system using ransomware that will prevent selling products? Is this a type of bribery to keep the company out of large distributed denial-of-service attacks? Is the organization selling products delivered in unidentified brown boxes of a very personal nature to buyers, and, therefore, is the mere fact that customer names end up in the public sphere going to create problems?

Based on more specific attack scenarios, it may be easier to align defensive measures — but this brings up additional questions. For instance, if a company only sells products to US-based customers, could you block foreign connections using geolocation? It might also open questions related to legal liabilities, due care, and diligence obligations, which could drive more specific processes on how to respond to different types of incidents.

Regarding cyber threat intelligence more specifically, understanding attackers can allow for the extraction of very specific indicators of attack or of compromise from the various databases commercially available. This might enable the focus to be a little more on criminal adversaries and their modus operandi instead of going very wide and generating a ton of false positives. Then, it could be possible to study their techniques and ask ourselves if we have what we need in our infrastructure to prevent them from using their tools and techniques.

By using a more practical and specific approach, organizations can gain the ability to invest precious cybersecurity dollars on things that matter most to a business model and its protection. By knowing the enemy inside out, and by being one step ahead, control is regained. What adversaries consider their attack playground is effectively our arena, and as security professionals, we rule it. It is for us to step up and — when they trespass on our turf — leave them standing naked and defenseless.

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for an intensive Security Pro Summit at Interop IT X and learn from the industry’s most knowledgeable IT security experts. Check out the agenda here. Register with Promo Code DR200 and save $200.

Originally from Montreal, Martin has been navigating the tormented water of cybersecurity for over 20 years. He was the founder and CTO at Above Security Canada where he worked locally and in the Caribbean's. Twelve years ago, he moved to Switzerland to launch SecureIT, ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
BrianN060
50%
50%
BrianN060,
User Rank: Ninja
4/11/2018 | 12:48:40 PM
Re: Not Worth Reading
As an alternative to the "crown jewels" analogy, consider this: "Data is the life's blood of the modern enterprise".  If you accept that, just what part of your organization's life's blood isn't worth protecting?  How much of a leak is acceptable?  Which parts do you need to keep uncontaminated?  When is it Ok for any of it not to get to where it's needed? 

As to why Information System architects aren't ready, willing or best suited to take point in protecting data assets: the metrics for job performance are skewed toward finding new, better and faster ways to exploit an organization's data.  What stakeholders have failed to realize is that their people aren't the only ones good at doing that!  The scattered debris field left by all the (well rewarded), shortcuts, design-as-you-go, secure-it-later, data-ecology strip-mining and hope-it-holds patching is a godsend to those who realize what can be made from the bits and pieces. 
MartinDionCH
50%
50%
MartinDionCH,
User Rank: Author
4/10/2018 | 2:59:12 PM
Re: Not Worth Reading
Thanks Brian for your feedback! Two things, editorial guidelines limits the article lenght and this article is not claiming to be about cyber security strategy at large. I generally agree with your comment but cyber is not limited to data protection. From my viewpoint, its about enterprise resilience, hence crown jewels are broader than data. I also think that although IT have an important role, that security personnel must lead the charge and facilitate the transversal conversation. Finally, its important to focus on what is both the most valuable and vulnerable right now since most enterprise dont have the luxury of securing everything, its just sound risk management practices. Best regards Martin
BrianN060
50%
50%
BrianN060,
User Rank: Ninja
4/10/2018 | 1:29:03 PM
Re: Not Worth Reading
@Martin: Nothing wrong with suggesting strategy or doctrine, rather than implementation tactics.  Too little thought goes into creating a sustainable, orchestrated, holistic and heuristic approach to cybersecurity, in many organizations.  Putting tactics first, you can win lots of battles, yet still lose the war. 

"First, security personnel must identify the "crown jewels" — the vital data needing protection."

I do have an issue with the "crown jewels" analogy - as it suggests that most (of the now vast amounts of), data that enterprises collect, share, store, transmit or process doesn't require protection. It's impossible to know to what use some entity, at some point in the future, might make of "ordinary" data, especially in combination with data collected from other sources. 

Also, I would not task "security personnel" with identifying or evaluating data assets, or establishing the need-to-know access mechanisms - that's a job for the information system's architects. 
MartinDionCH
50%
50%
MartinDionCH,
User Rank: Author
4/9/2018 | 2:21:28 PM
Re: Not Worth Reading
I am sorry you feel this way, if you are looking for implementation guidelines, may I suggest you read my other post? As well, you must understand that I do appreciate your feedback and to ensure I do better next time, it would be important for me to understand what you would expect or even to get specific questions so we could interact constructively. Best regards, Martin.
ANON1251724318124
50%
50%
ANON1251724318124,
User Rank: Apprentice
4/9/2018 | 1:14:09 PM
Not Worth Reading
There are no insights here just conjecture.
White House Cybersecurity Strategy at a Crossroads
Kelly Jackson Higgins, Executive Editor at Dark Reading,  7/17/2018
Mueller Probe Yields Hacking Indictments for 12 Russian Military Officers
Kelly Jackson Higgins, Executive Editor at Dark Reading,  7/13/2018
10 Ways to Protect Protocols That Aren't DNS
Curtis Franklin Jr., Senior Editor at Dark Reading,  7/16/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2016-10727
PUBLISHED: 2018-07-20
camel/providers/imapx/camel-imapx-server.c in the IMAPx component in GNOME evolution-data-server before 3.21.2 proceeds with cleartext data containing a password if the client wishes to use STARTTLS but the server will not use STARTTLS, which makes it easier for remote attackers to obtain sensitive ...
CVE-2018-8018
PUBLISHED: 2018-07-20
Apache Ignite 2.5 and earlier serialization mechanism does not have a list of classes allowed for serialization/deserialization, which makes it possible to run arbitrary code when 3-rd party vulnerable classes are present in Ignite classpath. The vulnerability can be exploited if the one sends a spe...
CVE-2018-14415
PUBLISHED: 2018-07-20
An issue was discovered in idreamsoft iCMS before 7.0.10. XSS exists via the fourth and fifth input elements on the admincp.php?app=prop&do=add screen.
CVE-2018-14418
PUBLISHED: 2018-07-20
In Msvod Cms v10, SQL Injection exists via an images/lists?cid= URI.
CVE-2018-14419
PUBLISHED: 2018-07-20
MetInfo 6.0.0 allows XSS via a modified name of the navigation bar on the home page.