Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

9/18/2017
10:30 AM
Liz Maida
Liz Maida
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

To Be Ready for the Security Future, Pay Attention to the Security Past

It's easy to just move on to the next problem, ignoring what's happened -- but that's a mistake.

"The past is never where you think you left it."Katherine Anne Porter

Cybersecurity is a fast-paced industry, one that combats an ever-changing threat landscape. It's a semi-organized chaos of point solutions, patches, and processes designed to keep companies protected from the cyber attack(s) of the day. In the limited time not spent on addressing current threats, most practitioners are focused on what might come next. But little emphasis is put on how past incidents affect current and future threats.

Some of you reading that last sentence might think, "I can barely keep up with current threats; why should I care about past incidents?" I understand how this might sound counterproductive on the surface. However, the past can provide much-needed context for understanding future threats. Here's why the past matters in cybersecurity:

  • Find commonality: Past events could be connected to current events — not in the sense that the same threat is re-emerging, but that a previous threat could have shared attributes with a current threat, or that threats could be connected after applying machine learning or prediction algorithms. For example, security information and event management alerts might uncover a phishing email that an analyst then investigates and resolves. As part of that investigation, the analyst has probably identified a malicious IP address. Even though this incident is resolved, the IP address may resurface as the initiator of a future attack. If this information is not widely accessible, the next analyst may overlook the fact that there is a connection between attacks.
  • Adapt to evolution: If a past threat evolves into a new one, it's important to understand the original intent and basis for the attack. Rather than responding with an entirely new tactic, you may only need to tweak a past response to adapt to the new threat. Ransomware is a perfect example of an evolving threat that remains similar at its core, with tweaks to its deployment. Information learned in the past is a valuable part of adapting future responses.
  • Apply unique insight: After an incident is resolved, security teams file away unique insights learned from that event. However, when a similar event arises again, those insights remain filed away, instead of being used to address a new threat. This can result in duplicate work on the next problem, because the analyst might not be privy to the past insights found by a colleague.
  • Identify patterns: Recognizing patterns not only addresses current events but also helps predict and eliminate future threats. For example, individual events can be deemed harmless, but in the context of a series of events, a benign event could be part of a larger, more serious incident. Once a pattern emerges, it's then easier to predict what might happen next, raise the priority level of a current threat, and influence how the threat is resolved. For example, the past helps to uncover targeted attacks as criminals and nation-states try to infiltrate a network, attempting over and over again to achieve success. They often will change their methodologies but frequently there will be some pattern that emerges only if the past can be compared with the present and future.

The past should be neither ignored nor forgotten, especially in cybersecurity. However, security teams can easily overlook the past if it is not prioritized because of the rapid nature of the job. To stay one step ahead of hackers, find ways to use the past to better inform the present and secure a better future.

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Liz Maida is instrumental in building and leading the company and its technology, which is founded on core elements of her graduate school research examining the application of graph theory to network interconnection. She was formerly a senior director at Akamai Technologies, ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
jcavery
50%
50%
jcavery,
User Rank: Moderator
9/18/2017 | 11:34:23 AM
Learn from History
It will be true for computing as long as new technologies and concepts are invented. For example, quantum computing will force us to re-visit all the same problems we originally faced with the internet in its infancy. Even though it is "just" an increase in processing speed, we will still need to apply old lessons to this new capability in order to avoid all those original problems. Example: Password entropy standards will need to move. Perhaps two-factor auth will need to be looked at again as well. All of these original security solutions we have already solved in the past will need to be fresh in our minds for future changes if we are to avoid original failures. Yes, new concepts will need to be invented, however we do not want to reinvent the wheel on the road to the new concepts.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
9/18/2017 | 1:19:36 PM
Re: Learn from History
This really comes down to acting proactively instead of always running around acting reactively. Given that history repeats itself -- and many hackers tend to be lazy and recycle the same old attacks and malicious code in what can sometimes be a predictable pattern -- frameworks need to be constructed and adhered to that allow for a layered, proactive, ever-vigilant approach.
jcavery
50%
50%
jcavery,
User Rank: Moderator
9/18/2017 | 1:22:31 PM
Re: Learn from History
Agree Joe, and any new attack methods captured by honeypots or otherwise need to be shared as soon as possible so we can benefit from the information, instead of acting reactively as you mentioned.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
9/22/2017 | 11:18:25 PM
Re: Learn from History
@jcavery: We've already been seeing this in the financial services space, which used to be very anti-sharing when it came to threat intelligence. Since cybersecurity has started to be seen as a "greater good" issue impacting the entire industry and national security, many are now clamoring to join the table with each other.
mjohnson681
50%
50%
mjohnson681,
User Rank: Apprentice
10/6/2017 | 6:45:24 PM
Redefine the Future
Why shouldn't we redefine the futrue of cybersecurity by making the data worthless for those who want to steal it?

https://www.linkedin.com/pulse/give-up-cybersecurity-programs-matthew-r-johnson-cpa-cisa/ 
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-8818
PUBLISHED: 2020-02-25
An issue was discovered in the CardGate Payments plugin through 2.0.30 for Magento 2. Lack of origin authentication in the IPN callback processing function in Controller/Payment/Callback.php allows an attacker to remotely replace critical plugin settings (merchant ID, secret key, etc.) and therefore...
CVE-2020-8819
PUBLISHED: 2020-02-25
An issue was discovered in the CardGate Payments plugin through 3.1.15 for WooCommerce. Lack of origin authentication in the IPN callback processing function in cardgate/cardgate.php allows an attacker to remotely replace critical plugin settings (merchant ID, secret key, etc.) and therefore bypass ...
CVE-2020-9385
PUBLISHED: 2020-02-25
A NULL Pointer Dereference exists in libzint in Zint 2.7.1 because multiple + characters are mishandled in add_on in upcean.c, when called from eanx in upcean.c during EAN barcode generation.
CVE-2020-9382
PUBLISHED: 2020-02-24
An issue was discovered in the Widgets extension through 1.4.0 for MediaWiki. Improper title sanitization allowed for the execution of any wiki page as a widget (as defined by this extension) via MediaWiki's } parser function.
CVE-2020-1938
PUBLISHED: 2020-02-24
When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that ...