
Analytics | Commentary
11/10/2015 10:30 AM
Kristi Horton

Why Threat Intelligence Feels Like A Game Of Connect Four

In real life, solving the cybersecurity puzzle has many challenges. But shared wisdom and community defense models are making it easier to connect the dots.

You know Connect Four -- that plastic game with the vertical grid where you drop checker pieces until you get four in a row? With two good players it's deceptively simple. You have to keep your eye on all possible permutations while plotting several moves ahead.

That game reminds me of the challenges that today's threat intelligence professionals face. Except it's a three-dimensional version of that game, connecting many disparate pieces while keeping an eye on adversaries making several moves ahead. And in real life, the stakes are much higher.

As a lifelong security practitioner, I have worked everywhere from highly classified environments to critical infrastructure entities. Even in the most sophisticated, well-defended environments such as financial services, there are still many information silos. It's hard to find the threat needles in the data haystack. It's not just disparate security technologies. I am also talking about organizational, process, and data silos.

In the financial sector, three key domains come to mind: 1) information security, 2) physical security and personnel, and 3) anti-fraud and anti-money laundering. Typically these are managed and executed separately.

If we could truly connect the dots between even two of these domains, we would make significant strides in better understanding the threat landscape, reducing the risk of blended threats, improving incident response, and reducing theft and losses.

Everyone is impacted
All these functional areas impact one another. Physical security impacts confidentiality and data integrity. A data security lapse can impact physical security. And when there is an enterprise security incident, many teams are impacted: the fraud team, the desktop team, the network team, the website team, the cloud security team, the physical security team, the email team, and the list goes on.

Business email compromise (BEC) is a great example of a trending blended threat where nearly all functional areas are impacted. As analysts dig into the indicators of a BEC, they need to ask: What social engineering techniques were used? Which personnel were targeted or impersonated? What email header and payload information is available? What payment or procurement processes were perverted? What business partners or accounts were compromised? How were funds stolen or data exfiltrated? Each new question may cross organizational, political, and technical precincts.

There are many other examples of natural silos in big organizations. What happens when new infrastructure is rolled out or when a new office is commissioned? Is the information security team part of the plan? Are vulnerabilities addressed? Is the site monitored? Is system usage authenticated and verified?

Disconnects can also happen in network security. Disparate groups monitor network performance, uptime, and DDoS attacks, but may not be monitoring for a user accessing an unusual volume of customer records or for systems accessed at the wrong time. Maybe ports 80 and 443 are monitored, but the firewall rules for other ports are not up to date. Maybe a system has been offline for an unusual amount of time and no one notices.

We tend to think that the more people engaged in information security, the more tools, the more budget, the more process, the better. But complexity can be detrimental to security. For example, a user opens her email and gets an alert that an infected file was found and cleaned. If the desktop team is notified, it means that everything is OK, right? But what if only part of the infection was identified and malware is still persistent, waiting to access sensitive systems? The AV team sees one puzzle piece. The network team sees one puzzle piece. But the fraud team didn't see any of this. Where's the correlation? Where's the connection?
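As an added example that is not from the article, the following Python sketch shows the gap described above: what each silo's own rule would flag on its own, versus what a simple per-user join across the AV, network and fraud feeds surfaces. The team names, thresholds, business hours and sample events are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the article), one per team silo, already
# normalised to a common shape so they can be joined on the "user" field.
EVENTS = [
    {"team": "av", "ts": "2015-11-10T09:02:00", "user": "alice",
     "detail": "infected attachment found and cleaned"},
    {"team": "network", "ts": "2015-11-10T23:40:00", "user": "alice",
     "detail": "customer_db query", "records": 4200},
    {"team": "fraud", "ts": "2015-11-11T01:15:00", "user": "alice",
     "detail": "wire to never-seen beneficiary"},
    {"team": "network", "ts": "2015-11-10T14:05:00", "user": "bob",
     "detail": "customer_db query", "records": 35},
]
BUSINESS_HOURS = range(8, 19)  # assumed 08:00-18:59 local time
RECORD_THRESHOLD = 1000        # assumed per-query volume that counts as unusual

def is_notable(ev):
    """Each team's own rule, applied to its own events in isolation."""
    if ev["team"] == "av":
        # A cleaned infection is closed by the desktop team: no alert on its own.
        return "cleaned" not in ev["detail"]
    if ev["team"] == "network":
        hour = datetime.fromisoformat(ev["ts"]).hour
        return ev.get("records", 0) > RECORD_THRESHOLD or hour not in BUSINESS_HOURS
    return ev["team"] == "fraud"  # fraud analysts review every flagged payment

def silo_alerts(events):
    """What each team sees alone: team -> users it would flag."""
    out = defaultdict(list)
    for ev in events:
        if is_notable(ev):
            out[ev["team"]].append(ev["user"])
    return dict(out)

def correlated_alerts(events, window=timedelta(hours=48)):
    """Join every team's events per user (the 'cleaned' AV event included) and
    flag users whose activity spans two or more teams inside the window."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)
    flagged = {}
    for user, evs in by_user.items():
        stamps = sorted(datetime.fromisoformat(e["ts"]) for e in evs)
        teams = {e["team"] for e in evs}
        if len(teams) >= 2 and stamps[-1] - stamps[0] <= window:
            flagged[user] = sorted(teams)
    return flagged
```

Run alone, the AV silo raises nothing for the cleaned infection, the network and fraud silos each raise one unrelated-looking alert, and only the join ties all three to the same user inside one working day.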

Not just a data or policy issue
Different teams, competing priorities, varied approaches, various critical watch lists... Many organizations are making good strides in aligning and clarifying corporate priorities to recognize that physical and cyber teams need to work together. Some companies have set up internal fusion centers. Public and private sector relationships are in place. Information sharing organizations like ISACs and ISAOs are helping facilitate the flow of real-time threat information. Standards like STIX and TAXII are helping to normalize threat data and make it more actionable. Shared wisdom and community defense models are quickly becoming the new norm.

In that spirit, I want to share four tips to help organizations get and stay connected.

  1. Understand the business: What is the business context you work in as a security team and what are its priorities? What is the worst that can happen and how do you spot it before it happens?
  2. Know thyself: No one else can know what you do, how you do it, what systems you have, or what they are supposed to do. No one else can spot what isn't supposed to be there the way you can. Like bank tellers trained on real currency so they know a fake when they see it, organizations that "know themselves" have reduced the attack surface.
  3. Look for ways to connect: Seek out ways to share information internally and externally. Sponsor regular cybersecurity simulations that involve multiple functional areas. Advocate for updates to crisis playbooks. Communicate the security roadmap broadly and especially at the executive level.
  4. Stick to the plan: Too often, security is compromised to meet the competitive and agility demands of the business, or even simply to react to the present threat landscape. Money is spent without the full context of how security fits into a strategic business plan. And, when a new threat comes along, organizations are tempted to divert from the plan and buy an expensive new tool or appliance that may not be the best fit. Don't react and don't over-react. Have a solid plan and map actions and investments to that plan.

Kristi Horton is the lead intelligence officer of the Financial Services Information Sharing and Analysis Center (FS-ISAC). The FS-ISAC is a non-profit corporation formed in 1999 and is funded by its 6,500 member organizations. The FS-ISAC's mission is to help assure the ...
Comments
TedS486, User Rank: Apprentice, 11/11/2015 | 12:57:46 AM
Simile on point
Well-made article. Really clever use of the simile to the game of Connect Four.
Joe Stanganelli, User Rank: Ninja, 11/10/2015 | 2:47:50 PM
Endgame
Also, no matter how well you play, there's always going to be a big mess to clean up eventually. ;)