March 15, 2016 • RFSID
Addictive, isn’t it?
Hunting threats. Remediating vulnerabilities. Tirelessly staying abreast of the latest threat intelligence.
And as your knowledge grows, you realize how much more you could be doing to keep your organization safe. So now that you have the fundamentals covered, what’s next?
With these three threat intelligence tweaks, you can take your cyber security from the basics to the world-class level.
Think of your security mechanisms like an army in peacetime. Just because nothing much seems to be happening right now doesn’t mean you should sit back and wait.
Internal hunting is the process of aggressively tracking and eliminating threats. This includes things like device and network mapping, distinguishing between good and bad behavior, searching for anomalies, and setting up/monitoring honeypots.
This type of proactive security work has a whole host of benefits, including:
And on the face of it, these proactive activities seem like sensible security measures, which of course they are.
But there’s more to it than that.
During times of peace, armies don’t simply conduct exercises with the aim of maintaining skills in shooting, building clearance, and so on. They do it because it stops the troops from becoming soft and lazy.
When a war breaks out, you don’t just need soldiers with well-practiced skills, you need them to be mentally ready.
The same is true of your information security teams.
By engaging in internal hunting, your security teams will constantly hone and develop their skills. This is exactly what threat actors are doing, so why let your defenses fall behind?
They’ll also learn to work effectively as a team. People inevitably have strengths and weaknesses, which can be brought to the fore through enhanced teamwork and information sharing.
Last, and perhaps most difficult to quantify, is the tangible evidence of return on investment (ROI) to the organization. Executive teams are increasingly aware of how damaging a successful breach can be, but very few security or threat intelligence activities can be reliably measured in terms of ROI.
On the other hand, the success of an internal hunting operation is eminently measurable, and bound to be well received.
Action: Aggressively track and eliminate threats through internal hunting.
Result: Tried and tested security teams.
When you start to take threat intelligence seriously, there’s one fact that should always be kept firmly in mind.
Nobody sees everything. Not even the NSA.
And knowing this, you’ll be able to approach vendors with realistic expectations. Their solutions can provide strategic threat intelligence, but they probably aren’t going to provide information about specific events within your network.
And this is not to say that you should avoid open source intelligence (OSINT) platforms. They provide a great deal of value, and will enable you to make informed, contextual decisions about both proactive and reactive security activities.
But what it does mean is that, under the right circumstances, an internal effort to create a proprietary threat intelligence capability can be an excellent use of resources.
Do you have a need that isn’t serviced by the market? Then perhaps it’s time to solve your own problem.
Imagine, for instance, that you develop a crawler to analyze the (web) page code of the organization’s top 5,000 daily Internet destinations. Each day this crawler will provide tangible data points, which over time become an extremely effective mechanism for identifying drive-by attacks, or other anomalous activity.
This is the sort of valuable threat intelligence that you’ll never receive from an off-the-shelf solution, but which could potentially help you prevent (or minimize the impact of) future breaches.
Not only that, if you develop the solution in-house, you’ll be honing skillsets that could become extremely handy in the future.
Action: Develop in-house cyber security capabilities.
Result: Threat intelligence that’s tailored to your environment.
Running real-world, or proof of concept (POC) exercises is truly a sign of next-level security.
You may technically be prepared for certain threat actor tactics, techniques, and procedures (TTPs), but until you’ve done it in practice you never really know.
That’s where your red team comes in.
The idea is to employ real-world TTPs in a controlled environment to see what effect they would have in your environment. And when you start doing this, you might be surprised by the results.
That malware you thought you were safe from? Turns out that when deployed in your environment it has a completely unexpected side effect that you might not be prepared to resolve.
By engaging in rigorous red team testing procedures, you can identify these little surprises ahead of time, and greatly improve your organization’s defensive capability.
Now, of course, building these real-world scenarios and measuring the effectiveness of your defensive controls requires time and resources. If you want real results, this is not something that can be dumped on already-busy security professionals.
But if you really want to develop a world-class security facility, rigorously and routinely testing your defensive capabilities is an absolute must.
Action: Use POC exercises to rigorously test your defensive capabilities.
Result: Greater understanding of the potential impact a breach might have on your environment.
You’ve noticed, no doubt, that each of the approaches suggested above is highly proactive.
And there’s a good reason for that.
Threat actor TTPs continue to evolve, and simply building a wall around your assets is no longer enough to keep them out. If you want to defend against determined, skilled attackers, you’re going to need to start thinking the way they do.
If you can manage to do that reliably, you’re a long way towards fielding a truly world-class cyber security facility.
This information is also available to view as a SlideShare presentation.