Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

4/29/2020
10:00 AM
Ran Shahor
Ran Shahor
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

4 Ways to Get to Defensive When Faced by an Advanced Attack

To hold your own against nation-state-grade attacks, you must think and act differently.

It used to be that when cyber professionals heard the term "nation-state," a clear picture came to mind of countries — China, Russia, Iran, North Korea, and even the US — hiding behind the computer using keyboard strokes to attack one another's critical infrastructure, banking systems, utilities, and more.

A slight but important shift on that term is changing what businesses deal with daily. Nation-state-grade attacks use the same tools and techniques that countries employ to attack each other, but might not be state-sponsored. This puts businesses of all shapes, sizes, and focuses square in the crosshairs of highly sophisticated attacks.

Upping the Game
When Shadow Brokers, a mysterious hacking group that first appeared in summer 2016, published cyber tools created by the National Security Agency (NSA), the nation-state game changed. No longer was it only that countries were directly attacking each other or sponsoring attackers to do so on their behalf.

Now these tools that are capable of creating chaos, cost tens of millions of dollars to develop, and were used only by the most sophisticated cyber pros in the world were available for a few hundred dollars on the Dark Web. Hackers with less skill are able to up their game by easily purchasing and using these highly advanced tools against business targets of all sizes. In short, nation-state hacking tools have created nation-state level attackers and increased the threat against any business in any market in the world.

Defending Like an Attacker
Organizations today use cyber best practices and are compliant where they need to be — important steps that are not providing enough security. Our cybersecurity budgets are no longer never-ending, which requires us to be efficient and smart. We must prioritize our programs in a way that allows us to take calculated risks. And the only way to do that is to think like an attacker.

To do so, we have to figure out how to be less vulnerable, period. By putting up the right defense, we can exhaust the attackers so they move on. While it's important to be as secure as possible, what's more valuable is to be more secure than other businesses. An attacker is going to take the path of least resistance; if you can block enough holes to frustrate him/her, the likelihood they will move on to another target increases.

We need to take the normal considerations into account — things like vulnerability, budget, business impact analyses, etc. — but also need to understand how our holes and weaknesses come together to help attackers achieve their objectives. It's only then that we can look at those weaknesses in contact and resolve them in a meaningful way.

Specific Set of Cyber Skills
It sounds simple to think like an attacker, but it's an extremely difficult task that requires a specific set of skills. I've broken it down into four elements a typical organization should put in place to not only prevail against nation-state-grade attacks but become the new wave of cyber sophistication themselves:

  1. Build your team. If possible, hire highly sophisticated people to your own cybersecurity team that were formerly attackers or part of a nation-state intelligence organization. This can be challenging given that only a small percentage of US government attackers leave before retirement, and those that do are extremely expensive.

  2. Create a "defender offensive" methodology. This approach must come from an attacker's point of view. It's not enough to just identify holes or weaknesses. You have to have a plan for how to prioritize those issues so you can focus on — and solve — the ones that make you the most vulnerable. If your team comes up with 100 vulnerabilities and prioritizes them equally, nothing is going to be resolved in a meaningful way.

  3. Think holistically. Treat your organization as the complex entity it is. The cybersecurity team must think holistically and partner with various departments such as HR and supply chain to understand as many risks as possible.

  4. Automate where you can. Relieving the mundane day-to-day work that your security analysts experience every day is the goal of automation. By automating what you can, you can focus your human defenders on squashing threats from your human attackers.

It's not enough to know where your cybersecurity programs are weak or that your attackers are using the Dark Web. If you're going to hold your own against nation-state-grade attacks, you have to think and act differently. Identifying and prioritizing vulnerabilities is a good way to start, but to be most successful, have attack-side experience on your side.

Related Content:

A listing of free products and services compiled for Dark Reading by Omdia analysts to help meet the challenges of COVID-19. 

Ran Shahor is the CEO and co-founder of HolistiCyber. He is a Brigadier General (Ret.) who founded the leading-edge cybersecurity program of the Israeli Defense Forces Intelligence branch. After 27 years of service, Ran had multiple leadership roles in the private sector. ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/4/2020
Abandoned Apps May Pose Security Risk to Mobile Devices
Robert Lemos, Contributing Writer,  5/29/2020
How AI and Automation Can Help Bridge the Cybersecurity Talent Gap
Peter Barker, Chief Product Officer at ForgeRock,  6/1/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: What? IT said I needed virus protection!
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13768
PUBLISHED: 2020-06-04
In MiniShare before 1.4.2, there is a stack-based buffer overflow via an HTTP PUT request, which allows an attacker to achieve arbitrary code execution, a similar issue to CVE-2018-19861, CVE-2018-19862, and CVE-2019-17601. NOTE: this product is discontinued.
CVE-2020-13849
PUBLISHED: 2020-06-04
The MQTT protocol 3.1.1 requires a server to set a timeout value of 1.5 times the Keep-Alive value specified by a client, which allows remote attackers to cause a denial of service (loss of the ability to establish new connections), as demonstrated by SlowITe.
CVE-2020-13848
PUBLISHED: 2020-06-04
Portable UPnP SDK (aka libupnp) 1.12.1 and earlier allows remote attackers to cause a denial of service (crash) via a crafted SSDP message due to a NULL pointer dereference in the functions FindServiceControlURLPath and FindServiceEventURLPath in genlib/service_table/service_table.c.
CVE-2020-11682
PUBLISHED: 2020-06-04
Castel NextGen DVR v1.0.0 is vulnerable to CSRF in all state-changing request. A __RequestVerificationToken is set by the web interface, and included in requests sent by web interface. However, this token is not verified by the application: the token can be removed from all requests and the request ...
CVE-2020-12847
PUBLISHED: 2020-06-04
Pydio Cells 2.0.4 web application offers an administrative console named “Cells Console� that is available to users with an administrator role. This console provides an administrator user with the possibility of changing several settings, including the applicat...