Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

4/29/2020
10:00 AM
Ran Shahor
Ran Shahor
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

4 Ways to Get to Defensive When Faced by an Advanced Attack

To hold your own against nation-state-grade attacks, you must think and act differently.

It used to be that when cyber professionals heard the term "nation-state," a clear picture came to mind of countries — China, Russia, Iran, North Korea, and even the US — hiding behind the computer using keyboard strokes to attack one another's critical infrastructure, banking systems, utilities, and more.

A slight but important shift on that term is changing what businesses deal with daily. Nation-state-grade attacks use the same tools and techniques that countries employ to attack each other, but might not be state-sponsored. This puts businesses of all shapes, sizes, and focuses square in the crosshairs of highly sophisticated attacks.

Upping the Game
When Shadow Brokers, a mysterious hacking group that first appeared in summer 2016, published cyber tools created by the National Security Agency (NSA), the nation-state game changed. No longer was it only that countries were directly attacking each other or sponsoring attackers to do so on their behalf.

Now these tools that are capable of creating chaos, cost tens of millions of dollars to develop, and were used only by the most sophisticated cyber pros in the world were available for a few hundred dollars on the Dark Web. Hackers with less skill are able to up their game by easily purchasing and using these highly advanced tools against business targets of all sizes. In short, nation-state hacking tools have created nation-state level attackers and increased the threat against any business in any market in the world.

Defending Like an Attacker
Organizations today use cyber best practices and are compliant where they need to be — important steps that are not providing enough security. Our cybersecurity budgets are no longer never-ending, which requires us to be efficient and smart. We must prioritize our programs in a way that allows us to take calculated risks. And the only way to do that is to think like an attacker.

To do so, we have to figure out how to be less vulnerable, period. By putting up the right defense, we can exhaust the attackers so they move on. While it's important to be as secure as possible, what's more valuable is to be more secure than other businesses. An attacker is going to take the path of least resistance; if you can block enough holes to frustrate him/her, the likelihood they will move on to another target increases.

We need to take the normal considerations into account — things like vulnerability, budget, business impact analyses, etc. — but also need to understand how our holes and weaknesses come together to help attackers achieve their objectives. It's only then that we can look at those weaknesses in contact and resolve them in a meaningful way.

Specific Set of Cyber Skills
It sounds simple to think like an attacker, but it's an extremely difficult task that requires a specific set of skills. I've broken it down into four elements a typical organization should put in place to not only prevail against nation-state-grade attacks but become the new wave of cyber sophistication themselves:

  1. Build your team. If possible, hire highly sophisticated people to your own cybersecurity team that were formerly attackers or part of a nation-state intelligence organization. This can be challenging given that only a small percentage of US government attackers leave before retirement, and those that do are extremely expensive.

  2. Create a "defender offensive" methodology. This approach must come from an attacker's point of view. It's not enough to just identify holes or weaknesses. You have to have a plan for how to prioritize those issues so you can focus on — and solve — the ones that make you the most vulnerable. If your team comes up with 100 vulnerabilities and prioritizes them equally, nothing is going to be resolved in a meaningful way.

  3. Think holistically. Treat your organization as the complex entity it is. The cybersecurity team must think holistically and partner with various departments such as HR and supply chain to understand as many risks as possible.

  4. Automate where you can. Relieving the mundane day-to-day work that your security analysts experience every day is the goal of automation. By automating what you can, you can focus your human defenders on squashing threats from your human attackers.

It's not enough to know where your cybersecurity programs are weak or that your attackers are using the Dark Web. If you're going to hold your own against nation-state-grade attacks, you have to think and act differently. Identifying and prioritizing vulnerabilities is a good way to start, but to be most successful, have attack-side experience on your side.

Related Content:

A listing of free products and services compiled for Dark Reading by Omdia analysts to help meet the challenges of COVID-19. 

Ran Shahor is the CEO and co-founder of HolistiCyber. He is a Brigadier General (Ret.) who founded the leading-edge cybersecurity program of the Israeli Defense Forces Intelligence branch. After 27 years of service, Ran had multiple leadership roles in the private sector. ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
Former CISA Director Chris Krebs Discusses Risk Management & Threat Intel
Kelly Sheridan, Staff Editor, Dark Reading,  2/23/2021
Edge-DRsplash-10-edge-articles
Security + Fraud Protection: Your One-Two Punch Against Cyberattacks
Joshua Goldfarb, Director of Product Management at F5,  2/23/2021
News
Cybercrime Groups More Prolific, Focus on Healthcare in 2020
Robert Lemos, Contributing Writer,  2/22/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Building the SOC of the Future
Building the SOC of the Future
Digital transformation, cloud-focused attacks, and a worldwide pandemic. The past year has changed the way business works and the way security teams operate. There is no going back.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-21620
PUBLISHED: 2021-02-24
A cross-site request forgery (CSRF) vulnerability in Jenkins Claim Plugin 2.18.1 and earlier allows attackers to change claims.
CVE-2021-21621
PUBLISHED: 2021-02-24
Jenkins Support Core Plugin 2.72 and earlier provides the serialized user authentication as part of the "About user (basic authentication details only)" information, which can include the session ID of the user creating the support bundle in some configurations.
CVE-2021-21622
PUBLISHED: 2021-02-24
Jenkins Artifact Repository Parameter Plugin 1.0.0 and earlier does not escape parameter names and descriptions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
CVE-2020-28599
PUBLISHED: 2021-02-24
A stack-based buffer overflow vulnerability exists in the import_stl.cc:import_stl() functionality of Openscad openscad-2020.12-RC2. A specially crafted STL file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability.
CVE-2020-7846
PUBLISHED: 2021-02-24
Helpcom before v10.0 contains a file download and execution vulnerability caused by storing hardcoded cryptographic key. It finally leads to a file download and execution via access to crafted web page.