How to Distinguish Between Advanced and Garden-Variety Attacks
April 28, 2016 • Christopher Pierson
The following interview is with Christopher Pierson and is from our Threat Intelligence Thought Leadership Series. Christopher is currently executive vice president, chief security officer and general counsel for Viewpost.
1. What current emerging threats concern you?
There are three threats that really cause concern for me above and beyond the normal security risks we are exposed to:
- The increase in human behavioral threats (BEC fraud/HR fraud, and other phishing).
- Threats to the underlying security services that are de facto elements of a robust network and security architecture and control framework.
- Emerging threats caused by the introduction of Internet of Things (IoT) devices that are and will continue to make their way into the corporate environment.
First, anytime an attack is based on the ability to defeat common sense or, in many instances, intelligent and well-trained employees, companies will fail.
It is simply impossible to train all employees, contractors, or third parties to not do something or to question what they are being told. As such, no security control or educational program can combat the access provided by an employee who clicks or replies as it would be in Business Email Compromise (BEC) or HR fraud targeting finance and human resources employees.
We, from the perspective of security inventors, have the real opportunity to disrupt this space as a result of the lack of mitigating controls that actually work without causing impenetrable friction to the employee base.
Second, when SSL has weaknesses that are a part of all security and networking devices, it undermines the entire fabric of security with a snap of a finger. We must ensure that the technology (SSL and other web certificates and certificate authorities) is able to be rapidly changed to ensure the underlying infrastructure is not impacted. In recent years we have seen attackers take advantage of falsely issued certificates or weak and unpatched security mechanisms that are built into the backend of the environment.
Finally, IoT devices and wearables are slowly gaining traction in every corporate environment. The ability to connect to computers or the network is becoming more real every day. The massive cost savings or adaptability of the environment by having connected thermostats, fire alarms, lights, access controls, and cameras is a great way to reduce friction involved in facilities management.
As these devices gain maturity, the security “bolted on” will be further enhanced; but right now security remains a challenge in this emerging market.
2. How useful is it to distinguish between advanced attacks and garden-variety attacks? What would that mean for security defenders?
There is no 100% security in any realm, least of all the cyber realm.
As such it is crucial to separate the garden variety attacks and baseline attackers from those who are either more sophisticated or more capable of using non-automated attack sets to find a weakness or way in. Ensuring that the lower level of attacks are handled consistently and in many cases in a simplified manner is a benefit of not only technology controls, but also of human capital.
Allowing the incident responders and forensic teams to focus on the sophisticated attackers, more difficult vectors, and constant persistence is critical to identifying an attack and potentially preventing exfiltration. Ensuring the defenders are able to engage the more sophisticated adversary is the best use of time and talent and that takes actionable intelligence.
3. What does actionable threat intelligence look like to you?
Recently actionable intelligence has become more of a buzzword in the venture capital markets, in congress, and in device manufacturing. Right now there is a lot of noise out there masquerading as “intelligence.” Actionable intelligence for me means:
- Intelligence that is lower level is able to be implemented into defensive measures at machine speed across the wire in real time.
- Intelligence that is deeper and more sophisticated is made applicable to the environment based on its unique specifications of the company and its infrastructure.
- Intelligence that takes into consideration “how” the environment is architected, thus preventing everything being a high or critical action item.
It is inescapable that, for intelligence to be actionable, it must be integrated into SIEMs or other tools for a one-pane-of-glass view. Actionable intelligence must be real and go above and beyond the commoditized nature of many “intelligence feeds” that are available today.
4. What is the best way to blend both strategic and operational intelligence into an effective security program?
Blending the two in a truly effective manner right now is problematic for most organizations.
With strategic intelligence the risks tend to be amorphous, overstated, or the likelihood too remote. Abandoning the discovery of new tactics or architecture in this realm can lessen the ability to respond to new threats or changes in tactics. Spending time reacting to current threat intelligence is easier to operationalize and the impact is more immediate for securing the environment.
The reality and import of the difference between the two is more attainable in larger companies unless they have a true partnership with a third party. I have seen the struggle of these two between large and small organizations over the past decade in earnest. Having the right strategic leader (often not the CSO or CISO, but instead a Director of SecOps or Intel) can really allow the organization to balance these two and reach a greater degree of success.
5. How’s threat intelligence helping with reducing risk?
Every organization that is serious about protecting its employee and customer data must incorporate a threat intelligence program into the foundational aspect of their security programs. The most significant value-adds with threat intelligence that reduce risk are:
- Ensuring speed of intel to operation teams.
- Introducing actionable intelligence for your specific environment.
- Enriching current feeds or other information from your environment’s sensors.
- Providing insight to the real risks that are likely to hit your company.
By making sure the intelligence is in real time, you can enhance your network defenses. Your company’s security operations team will be able to make sense of the noise and alerts they see and dismiss and pay attention to only those items or indicators that are likely to result in further compromise.
6. What do CISOs and the Board need to understand about threat intelligence?
The message for both CISOs and the Board is different.
CISOs need to understand that without a threat intelligence program, actionable intelligence, and the ability to operationalize the information into real action, their security program is not complete and is missing valuable protections.
Boards are a different type of discussion altogether — Boards must understand that the security professionals inside their company are looking beyond the perimeter and partnering with other professionals to bring in actionable information that will ultimately make the company stronger.
The ability to ascertain additional information about the attack surface of the company, the most likely attack vectors others are facing, and the unique threats (whether from device intel, open source, or the dark web) facing the company or industry are critical to the success of the team.
The Board needs to know and understand that this is also a community-based defensive measure that, when combined with other information-sharing initiatives, makes the company stronger from a common defense methodology.
7. How are ISACs (e.g., FS-ISAC) evolving to provide threat intelligence value? How effective is the sharing?
Intelligence is both an individual event and a team sport.
Security operations and intelligence professionals must make sure their company is as protected as possible and drink as much intelligence as possible to give them a picture of the threat landscape. However, a combined and mutual defense through organizations like the FS-ISAC and other information-sharing partnerships is only going to be more important as the speed and automation of these attacks increases.
Ensuring that you know what others in your sectors are facing is crucial, as the specific nature of threats levied against one member often shows up in an attack against another member. Since companies in the same sector use similar technology or are architected in a similar manner, knowing the attack vectors others see is important.
For many companies, the most intricate attacks are shared person to person through known relationships and this is one place the ISACs excel at enhancing.
The real answer to information-sharing organizations or automated threat indicators and other threat intelligence is this — make sure your organization defines what type of intelligence it thinks it needs, how it will operationalize this information, and how it will mix threat intelligence from personal relationships with what is electronic in nature to provide a holistic defense of the organization.
The intelligence must be actionable and add immediate and continuous value as the threat landscape increases in size and complexity.