The cyberthreat landscape is evolving, the barrier to entry to carry out effective hacks is consistently being lowered, and hackers continue to innovate and increase in skill. Semi-automated commodity toolkits have improved to a level where even a novice hacker can compromise corporate and government systems. Highly organized global cybercrime groups have developed very efficient data-theft rings, marketing identity information or sensitive corporate data in online black markets. Nation-states have devoted entire departments of their intelligence and security apparatus to conduct offensive cyber operations, implementing highly sophisticated pieces of software customized to their targets. These are all signs that point toward a continued evolution of the cyberthreat landscape, and an increased need for very focused, relevant and calculated security practices to combat the growing threat.
Remember that behind every cyberthreat you will find a human being who has his or her own particular motives for action, and a finite means with which to act.
Current State of Information Security
To effectively combat cyberthreats, we must deeply understand our adversaries and how they operate. But just as importantly, we must know ourselves and how our vulnerabilities, paired with the right threat, create unique and specific risk.
As stated earlier, cyberthreat can be understood by framing the threat in the traditional terms of motive, means and opportunity. Motive, of course, is a hacker’s intent to act on a particular target. The means is the hacker’s capability to act on his or her motives. If a hacker has both the motive and the means to attack a particular target, there must still be a vulnerability to exploit — this is the opportunity.
This threat model can be understood by thinking of a tripod where motive, means and opportunity are the legs. Atop this tripod rests a cyberthreat tailored to its target. You need all three legs in order to support the threat. If one leg is missing, the threat topples. As such, even if a hacker possesses the intent and capability to breach your networks, without a vulnerability present to exploit, that missing leg of the tripod topples the threat. Likewise, a vulnerability may exist on your systems and a sophisticated nation-state hacker may certainly possess the means to exploit it; however, if the actor has no motive to target you, that actor does not present a threat.
How to Effectively Combat the Threat:
A Proactive Defensive Strategy and Intelligence-Based Risk Reduction
The most effective organizations are taking a proactive approach to information security. Traditional information security programs based solely on preventative tools are now much less effective in defending against cyberthreats. Effective organizations employ strong preventative controls, but realize that despite best efforts motivated attackers will eventually breach their security. Four main considerations are the key to combating cyberthreat.
Despite the onslaught of frightening headlines, there is a clear path to winning in the cyber arena.
1. Stick to the Basics: Security basics are key to enabling the prevention of, detection of and response to cyberthreat actors. Patching workstations, servers and infrastructure is essential to the prevention of attacks. Most breaches involve the exploitation of a known, patchable vulnerability in the victim’s systems. Controlling privileged accounts and authentication is another core principle. Many breaches — such as the Target breach in 2014 — involved the compromise of a privileged credential that enabled an attacker to accomplish his objectives. Utilizing properly configured antivirus, intrusion detection, file integrity monitoring, application whitelisting, and a SIEM (Security Information and Event Management) solution enables an effective security team to face off against all tiers of cyberthreats.
2. Team Selection and Enablement: Hiring, coaching and training intelligent security analysts is fundamental to a successful program. Think of analysts as surgeons or medical practitioners — they need coaching, practice, and continuous training to be effective. Developing a technical track within your organization that is a parallel and equally incentivized career path alongside the management track will enable continued technical advancement. As cyberthreat intelligence professional Bob Stasio recently told PraescientAnalytics.com, “High-end cybersecurity analysts are grown through intense professional development, much like a physician. Both fields require a significant amount of formalized education — but when your education is finished, you must still work under a master operator (e.g. an “attending doctor”) for on-the-job training. True cyberskill development means actually doing the job and acquiring experience.” Through education, practical implementation of skills, and mentorship, information security operators will become highly skilled cyber “surgeons” who will defeat cyberthreats with the precision of a scalpel.
3. Intelligence: Many cutting-edge organizations are taking a proactive approach to information security. Traditional information security programs based almost solely on antivirus and firewalls are becoming less effective in defending against current cyberthreats. Perimeter security and antivirus based on atomic indicators, such as known bad IP addresses or known malware signatures, are no doubt still an essential layer of a good defense-in-depth security model. However, defeating a cyberthreat before it is able to do damage requires a comprehensive strategy incorporating cyberthreat intelligence. Intelligence has been used for centuries to give an advantage on the battlefield, and these same processes can be applied to cybersecurity very effectively.
It is important to understand what intelligence is. Intelligence is not merely raw information, but it is the product resulting from the intelligence process — the key steps of which are data collection, processing, analysis, production and dissemination. As described in a paper titled “The Operational Levels of Cyber Intelligence” by the Intelligence and National Security Alliance, “When analyzed and placed in context, information becomes intelligence; and it is intelligence that reduces uncertainty and enables more timely, relevant and cost-effective policy, as well as high-quality operational and investment decisions.”
Of course, having a cyberthreat intelligence program alone is far from a silver bullet; however, when teamed with functions such as perimeter defense, incident response, access control and security awareness, an information security organization can be highly effective at combating the cyberthreats we face. Cooperation across all of these functions and development of repeatable processes create a force multiplier that greatly enhances effectiveness.
4. A Measurable and Repeatable Program: When implementing and managing an information security program that will win the fight against evolving cyberthreats, effectiveness is essential. Processes and procedures must be measurable and repeatable; you must know your data inside and out. Your information security strategy should be based on industry best practices, tailored threat and vulnerability analysis, and very specific risk assessments relevant to your organization. An information security strategy must also evolve to be effective against changing cyberrisk. Actions must be repeatable in order to audit and measure effectiveness. Measurements should be translated into metrics that are reviewed on a regular basis in order to focus time and resources on the components of the strategy that have proved to work.
Organizations that implement strong security basics, foster strong security analysts, guide their programs based upon threat intelligence practices, and measure effectiveness through repeatable processes will reduce their risk and “win” in the cyber arena when compared with their peers. From consumers to global enterprises, we now realize the extent of the cyberthreats we face, and we have the tools and skills to combat them.
Cyberthreats are no longer science fiction, no longer a risk that may or may not be relevant to each and every person and organization. Cyberthreats are undoubtedly a very real and active risk to individuals, corporations and nations. Technology, information on demand and global interconnectedness are great things that have enabled education, innovation and community beyond our dreams. Use these gifts, but know your risks, and always weigh convenience and privacy against the potential risks.
Andrew Munger, CISSP, CISM, CISA, is a Business Support Lead for Cyber Threat Intelligence.
Andrew Swartwood, information security professional, contributed substantively to this story.