The accelerated development in the field of intelligence-driven cybersecurity (cyber intelligence) shows great promise as it helps predict how cybercriminals might target an organization. There is a need to not look at it as just another tool for patching technical vulnerabilities in the system and its associated networks. Its real strength lies in helping organizations define their whole approach to cybersecurity, integrating business directions, imperatives, governance, risk, monitoring, defenses, and responses to attacks.
By Kumar Ritesh, Chairman and CEO, CYFIRMA
In the wake of the recent series of cyber-attacks that hit major companies and crippled governments across the globe, the C-suite is now wanting to know more. How does one limit the damage when a breach wreaks havoc on their systems? How does one bolster their defences against a similar attack happening in the future? How do you set up an incidence response team? What’s the next battlefront – and how do you defend the organization against it?
There are infinite questions. But the idea of a more proactive and predictive approach holds a key message: malicious software is becoming ever-more sophisticated in avoiding detection, and new methods of attack come to the fore. This year, for instance, saw ransomware make headlines with several high-profile attacks that hit organizations below the belt, including WannaCry, Petya, and Bad Rabbit outbreaks. When researchers got together and tried to analyse these attacks, they found patterns in their origination and the methodology for spreading them. Patterns in the business domains, the regions where they were carried out, the manner in which they were carried out and so on. But researchers were more surprised with the fact that these threats are still spreading.
Thus, we now dig into the heads of the C-suite and hackers alike, to know more about their approach towards cybersecurity and cybercrime.
Organization’s Approach vs Hackers’ Approach
The Traditional approach used is to install new security appliances, software and hardware; create firewalls and layered defences, thinking it will provide better protection. But this has clearly not worked. Organizations are always looking inwards without understanding what they’re up against–who are their adversaries, their motivation, their state of readiness, the tools, techniques and methods.
Whereas if you look at the hackers, they are sharing hacked information, vulnerability/exploits and attack methods, with each other more efficiently than ever before.
On one side we do not understand the external risk profiles properly and neither share threat information, whereas hackers are collaborating.
The ancient warfare principle of knowing your enemy relies on intelligence about the adversary’s motives, access to resources, strengths, and weaknesses to secure victory. But sadly, this has been adapted by the hackers and not the organizations. Intelligence agencies apply the concept of Tools, Tactics, Techniques, and Procedures, or TTTPs, to map out how individual hackers orchestrate and conduct attacks. But is this enough?
Current Issues with Cyber Threat Visibility and Intelligence Programs
- Cyber intelligence companies are primarily focused on operational intelligence, while equally important strategic and management intelligence is often overlooked. This translates to incomplete intelligence and hence, a lack of preparedness against upcoming attacks.
- Failure to get quicker insights into which cyber-attacks can be carried out, who are the suspects, what were they looking for. In short, it is a failure to understand the WHO, WHY, WHAT, WHEN and HOW of cyber-attacks.
- A majority of the organizations still have a ‘reactive’ approach to cybersecurity events. They fail to employ cyber threat intelligence and insights beforehand. Having proactive cyber posture management helps in identifying threats at the planning stage of cyber-attacks. But organizations miss this trick.
- Threat hunting often starts with fact-finding and using Indicators of Compromise (IOCs), whereas national intelligence agencies always start with an Indicator that could be as simple as a conversation or geopolitical issue driving the cyber threat. This hard-coded approach needs to change and evolve.
- Consumption of intelligence is limited to just the security controls. If you give a serious thought, intelligence can actually be applied to all other verticals of cyber posture management, including managing risk register, compliance management, governance, investment, and resource management.
- A distinct lack of deeper insights into situational awareness, news, cyber event, incidents, vulnerabilities, technology or regulatory shift.
- It is being limited only to technology i.e. security controls and not on people and processes.
- The main focus is only on operational/tactical intelligence; everybody is talking about Indicators of Attack (IOAs) and Indicators of Compromise (IOCs).
- We have multiple data feeds giving us the same information rather than focussing on the wider spectrum.
- Missing contextual information in threat feed.
- Frequency of intelligence is not aligned with the speed of hackers.
- No emphasis is been given on mapping of attack surface and scenarios with intelligence capability.
- Lack of domain expertise.
Cyber intelligence insights form the basis of any cybersecurity strategy. A cybersecurity strategy and goal can be defined only when an organization has the correct and precise information of the looming cyber threats. Knowing the issues helps in applying intelligence more effectively and efficiently on the people, process, and technology, and your organization possesses, and helps you prepare for possible cyber-attacks. Defining a strategy requires you to ask the right questions.
The 4 Ws and H of a Cyber Intelligence Program
It is important to understand that an effective cyber threat intelligence program should provide answers to your questions of WHO, WHY, WHAT, WHEN, and HOW. If your cyber threat visibility and intelligence program are not answering the above questionnaire, then you need to re-look and review your overall program.
WHO – Who are the individuals, hackers, groups interested in you? Their background, past acts.
WHY – Why are they interested in you? What is their motivation (financial gains, reputation damage, productivity loss) behind attacking you?
WHAT – What do they want from you? Personally identifiable information (PII), financial information, sensitive data including patents / Intellectual property/credentials.
WHEN – When can they potentially target you? Based on a hacker’s readiness or an organization’s readiness?
HOW – How can they target you? What are the potential tools, techniques, and the method they can use to target you?
Once these questions are answered, you gain insights into your organization as well as the hacker’s mindset. For better understanding and knowledge of different teams of your organization, cyber intelligence is further divided into three sections.
The 3 Layers of Cyber Intelligence
A successful cyber threat visibility and intelligence program, has three layers of intelligence: Strategic, Management and Tactical intelligence.
Strategic and Management intelligence should at least answer WHO, WHY, WHAT and WHEN, whereas, Tactical intelligence should tell us HOW.
Strategic Intelligence: It should answer the questions: “WHO is interested?” and “WHY?”. Strategic Intelligence should provide insights to cyber risks by attributing threat actors, their background, motives, tools and techniques. It should allow you to apply cyber intelligence to strategy, governance and policies.
Management Intelligence: The questions: “WHAT is exciting the hackers?” and “WHEN an organization can be targeted?” should be answered here. It should allow integration of insights on threat actor campaigns, attack mechanisms and tools into internal processes like incident management process, change, configuration, and release management process.
Operational/Tactical Intelligence: It answers the question: “HOW will your organization respond to a cyber-attack?” It should enable SOCs to proactively respond to cyber threats, support day-to-day detection and response to improve the enterprise’s cyber posture by using malicious IP, malware signatures and mutex, phishing domains, command, and control centers.
Key Elements
The three key elements to look for in an effective Cyber Threat Visibility and Intelligence Program are:
Predictability: Early warning about potential cyber risk.
Applicability: Can it be applied at all three levels; Strategic, Management and Tactical.
Accuracy: How relevant and actionable intelligence program is to the current target.
Conclusion
Cyber threat visibility and intelligence are about to grab center stage in cyber posture management. With massive incline towards e-commerce and online trade management, this is the ideal time for organizations to incorporate proper cyber threat visibility and intelligence program. Having a secure plan helps in early threat detection and containment, and if there is a tool or a platform in the cybersecurity space that provides it, then that can be deemed equivalent to, “Finding a Pearl in an Oyster”. For this, your search need not go too far — CYFIRMA is your Oyster and the proprietary award-winning cloud-based Cyber Intelligence Analytics Platform (CAP) v2.0 is the pearl you are searching for. CYFIRMA is committed to educating organizations to employ the ‘Outside-In’ approach to cybersecurity.
On an ongoing basis, and to better prepare and protect against imminent cyber-attacks, organizations need to look at the application of threat visibility and intelligence to their strategies, governance, process, procedure, controls, and people. Additionally, organizations must realize that the onus to protect their data, infrastructure, and reputation ultimately rests with them. Information security hinges massively on secured systems, constantly revisited data management practices, and an inclusive approach involving employees, third-parties, and other entities in the organization’s extended supply chains. While threats will inevitably evolve, their intended targets can always stay a step ahead with predictive threat visibility and intelligence.
Disclaimer: The article has been edited in accordance with the guidelines of CISO MAG. CISO MAG does not endorse any of the claims made by the writer. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same. Views expressed in this article are personal.