10:30 AM
Adi Dar

What Can We Learn from Counterterrorism and National Security Efforts?

The best practices and technologies that originated in the intelligence realm can help businesses stay safer, too.

Cyber attacks have changed drastically over the last few years. Attackers now focus on disrupting our day-to-day operations or use attacks as a strategic weapon.

For example, in December 2016, Kiev experienced a blackout, likely as a result of a cyber attack on the Ukrainian capital's power system. In the 2016 Dyn attack, Internet of Things (IoT) devices were exploited to disrupt dozens of major Internet services. And recently, the US Department of Homeland Security and the FBI issued a rare public alert about a cyber campaign in progress that was preparing to attack US critical infrastructure companies in multiple sectors, including energy, water, aviation, and nuclear. 2017 was also the year that ransomware transformed from a nuisance to a massive operation with the potential to shut down global organizations and data centers. These are only a few examples of the exponential growth in attacks we have experienced recently.

It's clear we have entered the age of cyber warfare. The enemy is armed with new strategies, goals, and capabilities, and we must rethink our approaches as we prepare our organizations and nations to meet these evolving challenges. Below are four best practices utilized by national security and counterterrorism organizations that the cybersecurity industry should adopt.

1. We must acknowledge that we can't hermetically seal our borders. Homeland security organizations have worked hard to secure the borders and keep out criminals and terrorists. Even though it's not a simple task, in the physical world it's much easier to try to close a border than in the cyber realm. There is no such thing as a perfectly secured perimeter, no matter where you operate; with persistence, attackers eventually will find a way in. As we get more creative and increase investments to try to close all the potential gaps, attackers will only get more creative, too. Continuing to invest in locking down the borders will not lead to any significant improvement in national security.

In the cybersecurity industry, we must realize that we have maxed out on our ability to lock down networks. It has become critical that we look for ways not only to prevent attacks but to defend against them. To start, implement an incident response capability. If you don't have the expertise to do this internally, that's OK: there are a growing number of managed security service providers (MSSPs) offering these services. If you go this route, make sure you do your due diligence and work with an MSSP that has a solid reputation.

Additional firewalls and advanced intrusion-prevention systems may reduce the number of attacks, but some of the sophisticated attackers eventually will find a way in. The key is in how you respond. Instrumenting and monitoring your network so you have the information and evidence to respond is your best investment towards recovery.

2. We must assume attackers have already penetrated our defenses. National security agencies work under the assumption that terror cells have already penetrated their borders and are in the process of preparing for their next attack. The agencies focus resources on detecting potentially malicious activity and mitigating it as fast as possible, before the attack is carried out. They build and deploy numerous data collection sensors and invest in building large-scale data centers, which can analyze in real time the enormous amount of collected data and look for the smoking gun that will indicate planned terror activity.

In the same manner, cybersecurity leaders must assume that attackers have penetrated their perimeter security array. To combat this, they must set up the means to detect attacker activity, respond, and remediate it before a breach occurs or causes catastrophic damage. This means shifting resources from the traditional cybersecurity concepts and tools to the new generation of detection and response platforms, and also building security operations centers (SOCs) that will let teams respond effectively and quickly.

3. We must embrace a data-centric approach. Data is the lifeblood of intelligence. Lawfully intercepted information, security footage, online chatter, mobile texting and more are all monitored continuously, resulting in massive amounts of data. This data is processed to look for suspicious behavioral patterns that will help reveal an upcoming attack. The challenge is to quickly and accurately distill high-quality intelligence from all of this data. Each piece of data on its own may look benign, but together they may tell a story that should be investigated. The challenge is to correlate data sources to produce and prioritize these insights, and then give them to the commanders in real time, enabling swift action.

In the cybersecurity world, organizations are facing the same challenges. Currently, organizations are leveraging a number of different resources to help them detect upcoming attacks, including external threat feeds, firewall alerts, endpoint sensors, and email. However, there is too much data and too few analysts to process it for actionable insights. There is also the expanding attack surface that includes OT (operational technology) networks and IoT devices, each one monitored and analyzed by a separate security system. Just as in the intelligence world, we need to get our systems talking to each other, aggregating the data into a homogeneous big data platform, analyzing it with artificial intelligence, and helping limited SOC teams obtain insights faster.
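To make the "benign alone, telling together" idea in points 3 and above concrete, here is an added example (not code from the article or from Cyberbit) that correlates constructed events from the sources named here, threat feed, email, endpoint sensor and firewall, by host within a time window and scores each cluster so a SOC queue lists the most suspicious story first. The event fields, source weights, window size and sample addresses are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the article). Each event on its own is
# low severity; only the combination on host ws-17 reads like an intrusion story.
THREAT_FEED = {"203.0.113.7"}  # hypothetical indicator from an external feed
EVENTS = [
    {"ts": "2018-01-10T09:02:00", "src": "email", "host": "ws-17", "detail": "attachment opened", "ioc": None},
    {"ts": "2018-01-10T09:03:30", "src": "endpoint", "host": "ws-17", "detail": "new child process", "ioc": None},
    {"ts": "2018-01-10T09:04:10", "src": "firewall", "host": "ws-17", "detail": "outbound 443 allowed", "ioc": "203.0.113.7"},
    {"ts": "2018-01-10T13:40:00", "src": "firewall", "host": "ws-42", "detail": "outbound 443 allowed", "ioc": "198.51.100.9"},
]
SOURCE_WEIGHT = {"email": 1, "endpoint": 2, "firewall": 1}  # assumed weights
FEED_MATCH_BONUS = 3  # assumed extra weight when an indicator matches the feed
WINDOW = timedelta(minutes=15)  # assumed correlation window


def score(host, evs, feed):
    """Score one cluster: sum distinct-source weights, add a bonus for a
    threat-feed hit, then multiply by the number of agreeing sources so that
    breadth of corroboration (the article's 'story') dominates volume."""
    sources = {e["src"] for e in evs}
    s = sum(SOURCE_WEIGHT[src] for src in sources)
    if any(e["ioc"] in feed for e in evs):
        s += FEED_MATCH_BONUS
    s *= len(sources)
    return {"host": host, "score": s, "sources": sorted(sources), "events": evs}


def correlate(events, feed, window=WINDOW):
    """Group events per host into clusters whose span is at most `window`,
    score each cluster and return them highest score first."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host[e["host"]].append(e)
    clusters = []
    for host, evs in by_host.items():
        current = []
        for e in evs:
            t = datetime.fromisoformat(e["ts"])
            if current and t - datetime.fromisoformat(current[0]["ts"]) > window:
                clusters.append(score(host, current, feed))
                current = []
            current.append(e)
        if current:
            clusters.append(score(host, current, feed))
    return sorted(clusters, key=lambda c: c["score"], reverse=True)
```

Running `correlate(EVENTS, THREAT_FEED)` ranks ws-17 (three sources plus a feed match) far above ws-42, whose single firewall event scores 1.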

4. We must collaborate. Criminal activity is global. Failing to share information leaves geographical blind spots, which criminals will exploit. Therefore, nations are continuously increasing their efforts to share timely intelligence information and alerts.

In the cybersecurity world, a security vulnerability is likely to exist across multiple organizations of the same industry segment because companies use similar technologies. Attackers look for an easy win, and after a successful attack they will attempt to replicate it against similar institutions, exploiting the same vulnerability. For example, the SWIFT heist of 2013 is believed to have been replicated in several other banks.

To address this, collaboration initiatives have begun in the IT security world, such as the Financial Services Information Sharing and Analysis Center (FS-ISAC), the financial industry's platform for threat intelligence analysis and sharing. These initiatives help organizations within similar industries jointly resolve vulnerabilities and share threat intelligence. Just like in the counterterrorism realm, we must put aside the desire to keep "bad" information to ourselves. Today, we can only confront attackers as a community.

National security and counterterrorism operations have made substantial progress over the last few years. They have become data driven and collaborative, and they've set up the processes to track down and mitigate an attack whether across or within their borders. Our industry should adopt best practices and technologies that originated in the intelligence realm and integrate them as a fundamental element of our SOCs, so we can keep our digital assets safer.

Adi Dar, CEO and founder of Cyberbit, is an experienced cybersecurity leader and chief executive who has repeatedly led the development and launch of successful products and services in highly competitive markets. Previously, as CEO of ELOP (Israel's largest electro-optics ...
User Rank: Moderator
1/13/2018 | 7:13:41 PM
Cybersecurity and Counterterrorism
I just entered a large post which the system didn't like, bounced me to an error page and lost my posting data. Any idea where it might have gone and what the error might have been?