4/29/2020
10:00 AM
Ran Shahor
Commentary

4 Ways to Get to Defensive When Faced by an Advanced Attack

To hold your own against nation-state-grade attacks, you must think and act differently.

It used to be that when cyber professionals heard the term "nation-state," a clear picture came to mind of countries — China, Russia, Iran, North Korea, and even the US — hiding behind the computer using keyboard strokes to attack one another's critical infrastructure, banking systems, utilities, and more.

A slight but important shift on that term is changing what businesses deal with daily. Nation-state-grade attacks use the same tools and techniques that countries employ to attack each other, but might not be state-sponsored. This puts businesses of all shapes, sizes, and focuses square in the crosshairs of highly sophisticated attacks.

Upping the Game
When Shadow Brokers, a mysterious hacking group that first appeared in summer 2016, published cyber tools created by the National Security Agency (NSA), the nation-state game changed. No longer was it only that countries were directly attacking each other or sponsoring attackers to do so on their behalf.

Now these tools, which are capable of creating chaos, cost tens of millions of dollars to develop, and were used only by the most sophisticated cyber pros in the world, were available for a few hundred dollars on the Dark Web. Hackers with less skill are able to up their game by easily purchasing and using these highly advanced tools against business targets of all sizes. In short, nation-state hacking tools have created nation-state level attackers and increased the threat against any business in any market in the world.

Defending Like an Attacker
Organizations today use cyber best practices and are compliant where they need to be — important steps that are not providing enough security. Our cybersecurity budgets are no longer never-ending, which requires us to be efficient and smart. We must prioritize our programs in a way that allows us to take calculated risks. And the only way to do that is to think like an attacker.

To do so, we have to figure out how to be less vulnerable, period. By putting up the right defense, we can exhaust the attackers so they move on. While it's important to be as secure as possible, what's more valuable is to be more secure than other businesses. An attacker is going to take the path of least resistance; if you can block enough holes to frustrate them, the likelihood they will move on to another target increases.

We need to take the normal considerations into account — things like vulnerability, budget, business impact analyses, etc. — but also need to understand how our holes and weaknesses come together to help attackers achieve their objectives. It's only then that we can look at those weaknesses in context and resolve them in a meaningful way.

Specific Set of Cyber Skills
It sounds simple to think like an attacker, but it's an extremely difficult task that requires a specific set of skills. I've broken it down into four elements a typical organization should put in place to not only prevail against nation-state-grade attacks but become the new wave of cyber sophistication themselves:

  1. Build your team. If possible, hire highly sophisticated people to your own cybersecurity team who were formerly attackers or part of a nation-state intelligence organization. This can be challenging given that only a small percentage of US government attackers leave before retirement, and those that do are extremely expensive.

  2. Create a "defender offensive" methodology. This approach must come from an attacker's point of view. It's not enough to just identify holes or weaknesses. You have to have a plan for how to prioritize those issues so you can focus on — and solve — the ones that make you the most vulnerable. If your team comes up with 100 vulnerabilities and prioritizes them equally, nothing is going to be resolved in a meaningful way.

  3. Think holistically. Treat your organization as the complex entity it is. The cybersecurity team must think holistically and partner with various departments such as HR and supply chain to understand as many risks as possible.

  4. Automate where you can. Relieving the mundane day-to-day work that your security analysts experience every day is the goal of automation. By automating what you can, you can focus your human defenders on squashing threats from your human attackers.
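One way to make item 2 concrete, and to show what "how our holes and weaknesses come together" means in practice, is the following added illustration. It is not code from the article or from HolistiCyber; the hosts, the weakness ids (W-101 and so on), and the crown-jewel asset are all constructed. Instead of weighting every finding equally, it models each weakness as an edge an attacker could use to move from one foothold to the next, ranks weaknesses by how many complete attack paths (from an internet-facing entry point to a critical asset) they sit on, and builds a fix plan that removes the paths rather than working through the findings one by one.

```python
"""Added illustration: prioritize weaknesses by the attack paths they enable.

All inventory data below is constructed; the hostnames and W-xxx ids are
hypothetical and do not come from the article.
"""
from collections import defaultdict

# Constructed inventory. Each edge reads: a foothold on SRC can reach DST by
# abusing WEAKNESS. The same weakness may appear on several edges.
EDGES = [
    ("internet", "web-01", "W-101 unauthenticated file upload"),
    ("internet", "vpn-gw", "W-102 weak VPN password policy"),
    ("web-01", "app-01", "W-103 shared service account"),
    ("vpn-gw", "app-01", "W-104 flat network, no segmentation"),
    ("app-01", "db-01", "W-105 database credentials in config file"),
    ("vpn-gw", "hr-share", "W-106 world-readable HR file share"),
    ("hr-share", "db-01", "W-107 admin password in spreadsheet"),
    ("build-01", "app-01", "W-108 unpatched build agent"),  # not reachable from outside
]
ENTRY = "internet"            # where an external attacker starts
CROWN_JEWELS = {"db-01"}      # the asset whose compromise is the business impact


def build_graph(edges):
    """Adjacency list: src -> [(dst, weakness), ...]."""
    graph = defaultdict(list)
    for src, dst, weakness in edges:
        graph[src].append((dst, weakness))
    return graph


def attack_paths(edges, entry, targets):
    """Enumerate simple paths from entry to any target, as lists of weaknesses."""
    graph = build_graph(edges)
    paths = []

    def walk(node, visited, used):
        if node in targets:
            paths.append(list(used))
            return
        for dst, weakness in graph[node]:
            if dst not in visited:
                walk(dst, visited | {dst}, used + [weakness])

    walk(entry, {entry}, [])
    return paths


def prioritize(edges, entry, targets):
    """Rank weaknesses by the number of complete attack paths each one sits on.

    A weakness on zero paths is still a finding, but today it does not let an
    attacker reach a crown jewel, so it ranks last instead of equal to the rest.
    Returns (ranked list of (weakness, score), the paths found).
    """
    paths = attack_paths(edges, entry, targets)
    score = {weakness: 0 for _, _, weakness in edges}
    for path in paths:
        for weakness in path:
            score[weakness] += 1
    ranked = sorted(score.items(), key=lambda item: (-item[1], item[0]))
    return ranked, paths


def fix_plan(edges, entry, targets):
    """Greedy plan: fix the weakness on the most remaining paths, recompute,
    repeat until no path reaches a crown jewel. Returns the ordered fix list."""
    remaining = list(edges)
    plan = []
    while True:
        ranked, paths = prioritize(remaining, entry, targets)
        if not paths:
            return plan
        top, _ = ranked[0]
        plan.append(top)
        remaining = [edge for edge in remaining if edge[2] != top]


if __name__ == "__main__":
    ranked, paths = prioritize(EDGES, ENTRY, CROWN_JEWELS)
    print(f"{len(paths)} attack paths reach {sorted(CROWN_JEWELS)} from {ENTRY}")
    for weakness, count in ranked:
        print(f"  on {count} path(s): {weakness}")
    print("fix in this order to cut every path:")
    for step, weakness in enumerate(fix_plan(EDGES, ENTRY, CROWN_JEWELS), 1):
        print(f"  {step}. {weakness}")
```

With the constructed data, three paths reach the database, two weaknesses (the VPN password policy and the credentials in the config file) each sit on two of them, the build agent sits on none, and the greedy plan cuts every path with just two fixes. Treating all eight findings as equal would spread the same effort across items that change nothing about whether the crown jewel is reachable.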

It's not enough to know where your cybersecurity programs are weak or that your attackers are using the Dark Web. If you're going to hold your own against nation-state-grade attacks, you have to think and act differently. Identifying and prioritizing vulnerabilities is a good way to start, but to be most successful, have attack-side experience on your side.

Ran Shahor is the CEO and co-founder of HolistiCyber. He is a Brigadier General (Ret.) who founded the leading-edge cybersecurity program of the Israeli Defense Forces Intelligence branch. After 27 years of service, Ran had multiple leadership roles in the private sector. ...