1/12/2018
10:30 AM
Adi Dar
Commentary

What Can We Learn from Counterterrorism and National Security Efforts?

The best practices and technologies that originated in the intelligence realm can help businesses stay safer, too.

Cyber attacks have changed drastically over the last few years. Attackers now focus on disrupting our day-to-day operations, or use attacks as a strategic weapon.

For example, in December 2016, Kiev experienced a blackout, likely as a result of a cyber attack on the Ukrainian capital's power system. In the 2016 Dyn attack, compromised Internet of Things (IoT) devices were used to disrupt dozens of major Internet services. Recently, the US Department of Homeland Security and the FBI issued a rare public alert about a cyber campaign in progress that was preparing to attack US critical infrastructure companies in multiple sectors, including energy, water, aviation, and nuclear. 2017 was also the year that ransomware transformed from a nuisance into a large-scale operation with the potential to shut down global organizations and data centers. These are only a few examples of the rapid growth in attacks we have experienced recently.

It's clear we have entered the age of cyber warfare. The enemy is armed with new strategies, goals, and capabilities, and we must rethink our approaches as we prepare our organizations and nations to meet these evolving challenges. Below are four best practices utilized by national security and counterterrorism organizations that the cybersecurity industry should adopt.

1. We must acknowledge that we can't hermetically seal our borders. Homeland security organizations have worked hard to secure the borders and keep out criminals and terrorists. Even though it's not a simple task, in the physical world it is much easier to try to close a border than in the cyber realm. There is no such thing as a perfectly secured perimeter, no matter where you operate; with persistence, attackers eventually will find a way in. As we get more creative and increase investments to try to close all the potential gaps, attackers will only get more creative, too. Continuing to invest only in locking down the borders will not lead to any significant improvement in national security.

In the cybersecurity industry, we must realize that we have reached the limit of what locking down networks can achieve. It has become critical that we look for ways not only to prevent attacks but to detect and respond to them. To start, implement an incident response capability. If you don't have the expertise to do this internally, that's OK: there are a growing number of managed security service providers (MSSPs) offering these services. If you go this route, do your due diligence and work with an MSSP that has a solid reputation, and make sure the contract spells out what the provider is expected to do during an incident, how quickly, and what access to your logs and systems it will need in order to do it.

Additional firewalls and advanced intrusion-prevention systems may reduce the number of attacks, but some sophisticated attackers eventually will find a way in. The key is in how you respond. Instrumenting and monitoring your network so you have the information and evidence to respond (logs, network flow records, endpoint telemetry, and the retention to go back and reconstruct what happened) is your best investment towards recovery.

2. We must assume attackers have already penetrated our defenses. National security agencies work under the assumption that terror cells have already penetrated their borders and are in the process of preparing for their next attack. The agencies focus resources on detecting potentially malicious activity and mitigating it as fast as possible, before the attack is carried out. They build and deploy numerous data collection sensors and invest in building large-scale data centers, which can analyze in real time the enormous amount of collected data and look for the smoking gun that will indicate planned terror activity.

In the same manner, cybersecurity leaders must assume that attackers have already penetrated their perimeter defenses. To combat this, they must set up the means to detect the attackers' activity, respond, and remediate it before the intrusion turns into a damaging breach. This means shifting resources from traditional cybersecurity concepts and tools to the new generation of detection and response platforms, and building security operations centers (SOCs) that let teams respond effectively and quickly.

3. We must embrace a data-centric approach. Data is the lifeblood of intelligence. Lawfully intercepted information, security footage, online chatter, mobile texting, and more are all monitored continuously, resulting in massive amounts of data. This data is processed to look for suspicious behavioral patterns that will help reveal an upcoming attack. Each piece of data on its own may look benign, but together the pieces may tell a story that should be investigated. The challenge is to quickly and accurately distill high-quality intelligence from all of this data: to correlate the sources, produce and prioritize insights, and deliver them to commanders in real time, enabling swift action.

In the cybersecurity world, organizations face the same challenges. Currently, organizations leverage a number of different resources to help them detect upcoming attacks, including external threat feeds, firewall alerts, endpoint sensors, and email gateways. However, there is too much data and too few analysts to process it into actionable insights. There is also the expanding attack surface, which includes OT (operational technology) networks and IoT devices, each one monitored and analyzed by a separate security system. Just as in the intelligence world, we need to get our systems talking to each other: aggregating the data into a common platform, normalizing it so that timestamps, host names, users, and addresses mean the same thing regardless of which sensor reported them, analyzing it with machine learning and correlation rules, and helping limited SOC teams obtain insights faster. Without that normalization step, the individually benign events from different sensors can never be tied together into the story worth investigating.
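The correlation step described above, as an added example that is not code from the article or from any product: events from three separate sensors (email gateway, endpoint agent, firewall), already normalized to one shape, are grouped per host within a time window, and the cluster is scored so that weak signals confirmed by independent sources outrank a single noisy sensor. The log events are constructed, and the source names, event fields, weights, and 10-minute window are assumptions chosen for illustration.

```python
"""Correlating weak signals from separate sensors into a prioritized alert.

Added example, not code from the article or from any product: the events
below are constructed, and the source names, event fields, weights and
10-minute window are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, already normalized from three separate systems
# into one shape: (timestamp, source, host, event, detail). A common timestamp
# format and a shared host identifier are what make correlation possible.
SAMPLE_EVENTS = [
    ("2018-01-10T09:01:12Z", "email",    "ws-0142", "attachment_opened", "invoice.docm"),
    ("2018-01-10T09:01:40Z", "endpoint", "ws-0142", "child_process",     "winword.exe -> powershell.exe"),
    ("2018-01-10T09:02:05Z", "firewall", "ws-0142", "outbound_blocked",  "203.0.113.7:443"),
    ("2018-01-10T09:03:30Z", "endpoint", "ws-0142", "child_process",     "powershell.exe -> rundll32.exe"),
    ("2018-01-10T11:15:00Z", "firewall", "ws-0077", "outbound_blocked",  "198.51.100.9:8080"),
    ("2018-01-10T14:20:00Z", "endpoint", "ws-0300", "child_process",     "explorer.exe -> notepad.exe"),
    ("2018-01-11T09:02:00Z", "email",    "ws-0077", "attachment_opened", "report.xlsx"),
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe"}
MACRO_EXTS = (".docm", ".xlsm", ".pptm")
WINDOW = timedelta(minutes=10)  # assumed: how close in time events must be to relate


def weigh(source, event, detail):
    """Assumed per-event weights; each one alone is too weak to page anyone."""
    if source == "email" and event == "attachment_opened":
        return 2 if detail.lower().endswith(MACRO_EXTS) else 0
    if source == "endpoint" and event == "child_process":
        parent, _, child = (p.strip() for p in detail.partition("->"))
        if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
            return 3   # office document spawning a script host
        if parent in SCRIPT_HOSTS and child in SCRIPT_HOSTS:
            return 2   # script host chaining into another script host
        return 0
    if source == "firewall" and event == "outbound_blocked":
        return 1
    return 0


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def _summarize(host, rows):
    """Score one host's cluster: sum of weights times number of distinct sources."""
    raw = sum(weigh(source, event, detail) for _, source, event, detail in rows)
    sources = sorted({source for _, source, _, _ in rows})
    score = raw * len(sources)
    priority = "high" if score >= 10 else "medium" if score >= 3 else "low"
    return {
        "host": host,
        "start": rows[0][0].isoformat(),
        "end": rows[-1][0].isoformat(),
        "sources": sources,
        "score": score,
        "priority": priority,
        "events": [f"{source}:{event}:{detail}" for _, source, event, detail in rows],
    }


def correlate(events, window=WINDOW):
    """Group each host's events into time-bounded clusters, score and rank them.

    Consecutive events on the same host that are no more than `window` apart
    form one cluster. Clusters with no weighted evidence are dropped; the
    rest are returned highest score first.
    """
    by_host = defaultdict(list)
    for ts, source, host, event, detail in events:
        by_host[host].append((_parse(ts), source, event, detail))

    clusters = []
    for host, rows in by_host.items():
        rows.sort()
        current = []
        for row in rows:
            if current and row[0] - current[-1][0] > window:
                clusters.append(_summarize(host, current))
                current = []
            current.append(row)
        if current:
            clusters.append(_summarize(host, current))

    ranked = [c for c in clusters if c["score"] > 0]
    ranked.sort(key=lambda c: c["score"], reverse=True)
    return ranked


if __name__ == "__main__":
    for cluster in correlate(SAMPLE_EVENTS):
        print(f"{cluster['priority']:6} {cluster['score']:3} {cluster['host']} "
              f"{cluster['start']}..{cluster['end']} via {','.join(cluster['sources'])}")
        for line in cluster["events"]:
            print("        ", line)
```

On the constructed input, ws-0142 is the only host where all three sensors contribute within the window (macro document opened, Word spawning PowerShell, a blocked outbound connection, PowerShell chaining into rundll32), so it ranks high; ws-0077's lone blocked connection is reported but low, and the benign Explorer-to-Notepad chain on ws-0300 never surfaces at all. The multiplication by distinct sources is the design choice that encodes the article's point: the same weak signals seen independently by separate systems are worth more than any one sensor repeating itself.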

4. We must collaborate. Criminal activity is global. Failing to share information leaves geographical blind spots, which criminals will exploit. Therefore, nations are continuously increasing their efforts to share timely intelligence information and alerts.

In the cybersecurity world, a security vulnerability is likely to exist across multiple organizations in the same industry segment because companies use similar technologies. Attackers look for an easy win, and after a successful attack they will attempt to replicate it against similar institutions, exploiting the same vulnerability. For example, the 2016 SWIFT heist at Bangladesh Bank is believed to have been replicated against several other banks.

To address this, collaboration initiatives have begun in the IT security world, such as the Financial Services Information Sharing and Analysis Center (FS-ISAC), the financial industry's platform for threat intelligence analysis and sharing. These initiatives help organizations within similar industries jointly resolve vulnerabilities and share threat intelligence. Just like in the counterterrorism realm, we must put aside the desire to keep "bad" information to ourselves. Today, we can only confront attackers as a community.

National security and counterterrorism operations have made substantial progress over the last few years. They have become data driven and collaborative, and they've set up the processes to track down and mitigate an attack whether across or within their borders. Our industry should adopt best practices and technologies that originated in the intelligence realm and integrate them as a fundamental element of our SOCs, so we can keep our digital assets safer.

Adi Dar, CEO and founder of Cyberbit, is an experienced cybersecurity leader and chief executive who has repeatedly led the development and launch of successful products and services in highly competitive markets. Previously, as CEO of ELOP (Israel's largest electro-optics ...
Comments
tcritchley07 (User Rank: Moderator), 1/13/2018 | 7:13:41 PM
Cybersecurity and Counterterrorism
I just entered a large post which the system didn't like, bounced me to an error page and lost my posting data. Any idea where it might have gone and what the error might have been?