Threat Intelligence

9/18/2017
10:30 AM
Liz Maida
Liz Maida
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

To Be Ready for the Security Future, Pay Attention to the Security Past

It's easy to just move on to the next problem, ignoring what's happened -- but that's a mistake.

"The past is never where you think you left it."Katherine Anne Porter

Cybersecurity is a fast-paced industry, one that combats an ever-changing threat landscape. It's a semi-organized chaos of point solutions, patches, and processes designed to keep companies protected from the cyber attack(s) of the day. In the limited time not spent on addressing current threats, most practitioners are focused on what might come next. But little emphasis is put on how past incidents affect current and future threats.

Some of you reading that last sentence might think, "I can barely keep up with current threats; why should I care about past incidents?" I understand how this might sound counterproductive on the surface. However, the past can provide much-needed context for understanding future threats. Here's why the past matters in cybersecurity:

  • Find commonality: Past events could be connected to current events — not in the sense that the same threat is re-emerging, but that a previous threat could have shared attributes with a current threat, or that threats could be connected after applying machine learning or prediction algorithms. For example, security information and event management alerts might uncover a phishing email that an analyst then investigates and resolves. As part of that investigation, the analyst has probably identified a malicious IP address. Even though this incident is resolved, the IP address may resurface as the initiator of a future attack. If this information is not widely accessible, the next analyst may overlook the fact that there is a connection between attacks.
  • Adapt to evolution: If a past threat evolves into a new one, it's important to understand the original intent and basis for the attack. Rather than responding with an entirely new tactic, you may only need to tweak a past response to adapt to the new threat. Ransomware is a perfect example of an evolving threat that remains similar at its core, with tweaks to its deployment. Information learned in the past is a valuable part of adapting future responses.
  • Apply unique insight: After an incident is resolved, security teams file away unique insights learned from that event. However, when a similar event arises again, those insights remain filed away, instead of being used to address a new threat. This can result in duplicate work on the next problem, because the analyst might not be privy to the past insights found by a colleague.
  • Identify patterns: Recognizing patterns not only addresses current events but also helps predict and eliminate future threats. For example, individual events can be deemed harmless, but in the context of a series of events, a benign event could be part of a larger, more serious incident. Once a pattern emerges, it's then easier to predict what might happen next, raise the priority level of a current threat, and influence how the threat is resolved. For example, the past helps to uncover targeted attacks as criminals and nation-states try to infiltrate a network, attempting over and over again to achieve success. They often will change their methodologies but frequently there will be some pattern that emerges only if the past can be compared with the present and future.

The past should be neither ignored nor forgotten, especially in cybersecurity. However, security teams can easily overlook the past if it is not prioritized because of the rapid nature of the job. To stay one step ahead of hackers, find ways to use the past to better inform the present and secure a better future.

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Liz Maida is instrumental in building and leading the company and its technology, which is founded on core elements of her graduate school research examining the application of graph theory to network interconnection. She was formerly a senior director at Akamai Technologies, ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
mjohnson681
50%
50%
mjohnson681,
User Rank: Apprentice
10/6/2017 | 6:45:24 PM
Redefine the Future
Why shouldn't we redefine the futrue of cybersecurity by making the data worthless for those who want to steal it?

https://www.linkedin.com/pulse/give-up-cybersecurity-programs-matthew-r-johnson-cpa-cisa/ 
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
9/22/2017 | 11:18:25 PM
Re: Learn from History
@jcavery: We've already been seeing this in the financial services space, which used to be very anti-sharing when it came to threat intelligence. Since cybersecurity has started to be seen as a "greater good" issue impacting the entire industry and national security, many are now clamoring to join the table with each other.
jcavery
50%
50%
jcavery,
User Rank: Moderator
9/18/2017 | 1:22:31 PM
Re: Learn from History
Agree Joe, and any new attack methods captured by honeypots or otherwise need to be shared as soon as possible so we can benefit from the information, instead of acting reactively as you mentioned.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
9/18/2017 | 1:19:36 PM
Re: Learn from History
This really comes down to acting proactively instead of always running around acting reactively. Given that history repeats itself -- and many hackers tend to be lazy and recycle the same old attacks and malicious code in what can sometimes be a predictable pattern -- frameworks need to be constructed and adhered to that allow for a layered, proactive, ever-vigilant approach.
jcavery
50%
50%
jcavery,
User Rank: Moderator
9/18/2017 | 11:34:23 AM
Learn from History
It will be true for computing as long as new technologies and concepts are invented. For example, quantum computing will force us to re-visit all the same problems we originally faced with the internet in its infancy. Even though it is "just" an increase in processing speed, we will still need to apply old lessons to this new capability in order to avoid all those original problems. Example: Password entropy standards will need to move. Perhaps two-factor auth will need to be looked at again as well. All of these original security solutions we have already solved in the past will need to be fresh in our minds for future changes if we are to avoid original failures. Yes, new concepts will need to be invented, however we do not want to reinvent the wheel on the road to the new concepts.
New Free Tool Scans for Chrome Extension Safety
Dark Reading Staff 2/21/2019
Making the Case for a Cybersecurity Moon Shot
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  2/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-6485
PUBLISHED: 2019-02-22
Citrix NetScaler Gateway 12.1 before build 50.31, 12.0 before build 60.9, 11.1 before build 60.14, 11.0 before build 72.17, and 10.5 before build 69.5 and Application Delivery Controller (ADC) 12.1 before build 50.31, 12.0 before build 60.9, 11.1 before build 60.14, 11.0 before build 72.17, and 10.5...
CVE-2019-9020
PUBLISHED: 2019-02-22
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. Invalid input to the function xmlrpc_decode() can lead to an invalid memory access (heap out of bounds read or read after free). This is related to xml_elem_parse_buf in ext/xmlrpc/libxmlrpc...
CVE-2019-9021
PUBLISHED: 2019-02-22
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A heap-based buffer over-read in PHAR reading functions in the PHAR extension may allow an attacker to read allocated or unallocated memory past the actual data when trying to parse the file...
CVE-2019-9022
PUBLISHED: 2019-02-22
An issue was discovered in PHP 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.2. dns_get_record misparses a DNS response, which can allow a hostile DNS server to cause PHP to misuse memcpy, leading to read operations going past the buffer allocated for DNS data. This affects php_parser...
CVE-2019-9023
PUBLISHED: 2019-02-22
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A number of heap-based buffer over-read instances are present in mbstring regular expression functions when supplied with invalid multibyte data. These occur in ext/mbstring/oniguruma/regcom...