Cyberthreat: Learning to live with the risk
And bring your tools, people and partners together
Cyberthreats are like the common cold or some other infectious virus; eventually you’re going to get sick. It’s a part of life. They’re always there, lurking just around the corner, waiting to make your life that little bit harder.
At the same time, you can’t focus entirely on potential risks to your business at the expense of developing it. You must protect yourself without freezing everything and preventing future development. That means adopting a grown-up approach to risk management, and allocating your budget judiciously to give yourself the maximum protection while still keeping your IT systems flexible enough to support new ways of doing things. So how does that work?
Understand the chain of events that make up a modern attack
Before you can live with a risk, you have to understand what it looks like, and map its potential evolution as it turns into an attack. Defense firm Lockheed looked to the military for the answer, borrowing from it the concept of the kill chain, originally used to describe the structure of a kinetic attack.
Eric Stevens, director of strategic security consulting services at Forcepoint, describes the kill chain slightly differently to Lockheed:
- Reconnaissance: In the early stage of an attack, a malicious actor will gather as much intelligence about the target’s network and organization as possible.
- Lure: Lockheed calls this step ‘weaponization’, but Stevens characterises it as the creation of lures, such as email, social media posts, or other content posing as legitimate links.
- Redirect: Lockheed’s kill chain calls this ‘delivery’. The lures redirect users to pages that contain exploit links, according to Stevens.
- Exploitation: During the exploitation phase, an exploit kit scans for weak points in the target’s system to gain privilege. A phishing attacker may succeed in accessing user credentials. A malicious payload may hook a vulnerability in an unpatched software product.
- Installation/Dropper file: The exploit kit finds a weakness which is then used to deliver a dropper file with malware that infects the system and then begins finding extractable data.
- Command-and-control: The payload then phones home to the attackers, and creates a control channel that they can use to manipulate it, giving them the opportunity to execute the final phase.
- Actions on objectives: This is the money stage. The malware can be used to create whatever effects the attackers want within the system, including stealing data and intellectual property, or sabotaging internal resources.
How to distinguish between different types of attack, and what kinds of tools can help?
Describing the second stage as a lure and accepting a fluid approach to its stages addresses one of the common criticisms of the Lockheed model, which is that it focuses on malware and excludes phishing attacks. “Not all threats need to use every stage, and stages may loop back to prior stages, extending the seven-stage process significantly,” Stevens said. “These steps provide cybercriminals with hundreds or even thousands of ways to create and execute APTs over extended periods of time.”
That presents a big haystack and a lot of needles for security pros trying to protect their organizations against these threats. They must spot different types of attacks, distinguish between them where necessary, or draw correlations between small events that could be insignificant in isolation but may signal something more serious when viewed in context.
Tools are essential to help security pros understand what is going on, said Lee Neely, a mentor at the SANS Institute who also works as a security professional at Lawrence Livermore National Laboratory. “You need good instrumentation. You definitely need an event correlation engine, but it has to be looking for the right events,” he said.
Advanced security teams can take things a stage further, feeding the data from the instrumentation layer into statistical analysis tools to model normal behaviour on a network, he explained. That baseline then helps security teams detect anomalous behaviour more easily. It isn’t a push-button solution, though. “It took maturity to get there,” he said, describing one project he worked on that took this approach.
Seeing and understanding everything can sometimes be a tall order. “There are also places where we don't have visibility, where you couldn't correlate two small events,” Neely pointed out.
How to set budgetary priorities for your security team
If it’s difficult to keep eyes on everything at once, then a little triage may go a long way. The savvy organization will set priorities in its cybersecurity operation that span its tools, and its skills. That means having a lens to help you focus on what’s important, Stevens said.
“Start by aligning all of your security activities to an actual security model, a framework that is really focused on IT security,” he advised. NIST’s own security framework is a first port of call for him. There are government tools and private practices that can help organizations map other frameworks in sector-specific areas to NIST. Other frameworks that you may need to bridge include COSO, which starts from a risk management perspective, ISACA’s COBIT for IT governance, PCI DSS for the storage of credit card data, HIPAA for US healthcare operations, and FedRAMP, which is the US federal government’s standard approach to security assessment and monitoring.
“Each of these requirements in PCI map to these requirements in the NIST framework,” he said. “It lets you map all the third party requirements and internal business requirements together, so that you can knowingly go in and select where you need to put your security controls in place.” The idea is to understand how and where to judiciously apply your security tools budget for maximum effect. A good risk assessment, combined with an understanding of which security tools are best for which risks, can help a CISO to prioritise their spending.
But even that may not be sufficient in the long run. There are many more attackers than there are defenders, and the attackers are much better funded. That’s a cat-and-mouse game that gets harder to win every year. Relying on multiple best-of-breed point products can lead to an avalanche of alerts and network noise, adding more complexity, rather than clarity, to your security posture. In a very real sense, the security industry’s focus on the trees rather than the forest, as it were, has arguably failed to deliver reliable, actionable data in a timely manner that would allow IT pros to catch threats sooner rather than later. A movement toward a more holistic approach that separates the threats from the noise more quickly and accurately is emerging among some cyber defense providers.
In some lower-risk areas, it may make sense to make do with employee training as a stopgap one year, and then roll out a technology solution the following year to reinforce it and provide more protection.
How to move beyond gut feel with automation and analytics
The human element is important here. Tools can provide appropriate data, but it still needs a sharp eye to interpret them, said Neely. A good analyst or two on your team will be worth their weight in gold. As security practices evolve, he envisions analysts drawing more on automation and analytics to complement their gut feel.
To reach that level of sophistication, they’ll need external threat data in addition to their own internal instrumentation, he warned. We’ll see more of that as information sharing evolves. ISACs in the US already make it easier to share information about security threats. We’re also seeing the beginnings of automated, structured sharing of information, using API-driven services like Facebook’s ThreatExchange, and using taxonomies and protocols designed to describe emerging security incidents, such as STIX, IODEF, and RID. There’s also VERIS, which is a language for documenting incidents after the fact so that we can learn from them.