The new cybersecurity threat actors are more creative than ever, their goals are changing, and their playground is expanding. Attackers leverage the converging IT/OT attack surface to launch multi-vector attacks and use ransomware not only to lock down workstations but to damage entire businesses.
The new attackers have scaled up their goals, aiming to cause massive damage, often politically motivated. The recent DHS Report of a Russian cyber campaign against US critical infrastructure is a nation-state initiative leveraging IT vulnerabilities to stage a colossal OT cyberattack on energy, water and manufacturing companies in the US. These attacks are evasive, lack any indicative signs (IOCs) and repeatedly outsmart traditional security systems. Combined with the 2016 Kiev Black Energy Attack, the Dyn attack, or the Bangladesh SWIFT heist, these attacks serve as a warning sign, indicating the exponential growth in the new levels of campaigns we should expect.
In order to adapt to this new reality, I suggest that we look at other domains, who went through a similar transformation. In early 2000, global terror campaigns became a reality and nations increased their investments in forming intelligence organizations, in an effort to block the spread of terror organizations, both locally and globally.
The way to do that was built upon two pillars:
- Reinforcing border protection and control
- Establishing unprecedented Intelligence systems that collect, store and analyze data from numerous sources, and implementing mathematical approaches to identify potential risks or anomalies in their early stages and enable response before these terror cells actively engage in malicious activities.
The approach of intelligence organizations was to collect data by tapping into multiple communications channels, messaging apps and social media activity and to use technology for analyzing this data and surfacing threats to intelligence analysts for investigation. Another key component was the global cooperation between intelligence organizations and nations, which shared information and conducted borderless counter-terror operations.
Connecting this to the cyber domain – our challenges are similar: borderless cyber threats, nation-state attackers, exponentially growing threat vectors which are covert and signature-less, and massive volumes of information to analyze, comprising a complex puzzle. Only when the pieces of this puzzle are connected, analysts have a chance of generating insights. In addition to that, in a very similar way to terror activities – cyber threats have become time sensitive. If we don’t respond effectively and within minutes – in many cases, we lost our chance to prevent the damage or even the spread of the malicious activity.
I suggest that we, as cybersecurity leaders, adapt these three best practices used by national security organizations:
1) Understand that some attackers will get through
Just like nation-states, we have maximized our ability to secure our perimeter. No matter the investment, homeland security organizations assume that terror cells have penetrated their defenses. Therefore, they invest in detecting signs of attacks before the attack is carried out. Successful intelligence organizations focus on collecting as much data as possible from numerous sensors and aggregate it in large-scale data repositories – analyzing it in real time to surface suspicious activity.
Similarly, we, as information security leaders, should always assume that an attack is underway and invest in establishing the infrastructure and processes for detecting it and responding efficiently, to eradicate it before the breach occurs. This is done by spreading numerous different sensors throughout our converged spectrum of networks as well as establishing high-performance SOCs, and by setting up incident response playbooks and testing them. We have to control not only our perimeters but make sure that we have full visibility to every corner in our networks and IT platforms, making sure no attacker can “hide” or leverage them to its benefit.
2) Leverage data and converge our systems
As I’ve mentioned, intelligence organizations base their success on collecting and analyzing data. Moreover – they need to generate insights from massive volumes of data. It often takes a broad view of similarly meaningless pieces of information, to “connect the dots” and surface a story that requires investigation. The challenge is to correlate data sources, identify signs of evasive actions, produce insights, prioritize them, and hand them over to the field in a digestible format that field officers can understand and act upon.
In the cyber domain, challenges are similar. We use numerous channels for alerts and data enrichment but lack the people to process the data and produce insights. We are dealing with a converged attack surface combining IT, OT and IoT devices, but these attack surfaces are monitored by point solutions which are not integrated. Similar to intelligence systems we should integrate our detection and response systems into a homogenous big-data platform, and use AI to analyze it. The current “Silos” approach that is dominating the market today – will never be effective enough in this new era.
3) Attacks are borderless – work together
Terror actions cross borders. Therefore, nations who can successfully share intelligence information are much more likely to stay safe. Same goes for cyberattacks, where vulnerabilities and attack tactics often span across an entire vertical, as we’ve seen in the 2013 SWIFT heist.
The cybersecurity industry is making good progress with regards to information sharing, with initiatives like the Financial Services Information Sharing and Analysis Center (FS-ISAC), promoting threat intelligence analysis and sharing for financial industry, and the National Health Information Sharing and Analysis Center (NH-ISAC) which is a similar security information sharing community for the health industry. As we learned in nation-state attacks, keeping information close to our chests is not the preferred approach and we must learn to join forces to confront attackers.
Intelligence operations have made substantial progress over the last few years. They have set up the best practices for responding to attacks whether inside or on their country borders, and they are leveraging data & algorithmic analysis, and collaboration, to successfully mitigate terror attacks. We, as cybersecurity leaders, can embrace many of these disciplines to confront our own adversaries and build a more resilient future.
Adi Dar is CEO of Cyberbit