Are you exhausted chasing rabbits?

by Azeem Aleem

23 April 2021

Three team members in a meeting

There’s an ancient Chinese proverb that says ‘the man who chases two rabbits catches neither’. Right now, this is an excellent philosophy for cybersecurity specialists.

As economies slowly open up, rather than reducing the cybersecurity challenge, many organizations face an even broader threat landscape. On one hand, Chief Information Officers (CIOs) are managing new, complex risks from employees’ working locations, patterns, endpoint security and authentication. On the other hand, many have reduced resources and increased gaps in their threat intelligence – potentially impacting their ability to tackle existing vulnerabilities within both their digital and OT networks.

The urgency to tackle known vulnerabilities has become front-page news since the beginning of the year. Cyber-actors were first detected exploiting zero-day vulnerabilities in MES software – infecting networks with web shells and accessing email accounts on unpatched computers across the globe. Just a few weeks ago, Microsoft and other industry specialists shared detection tools, patches and other information to help organizations identify and mitigate the impact of these intrusions.

By mid-March, national government action was added to the global firefight to remove web shells from as many systems as possible. Although much has been written about the action taken by the FBI, it’s not only the US government that has become directly involved in remediation. The Australian Cyber Security Centre (ACSC) and the UK's National Cyber Security Centre (NCSC), are also collaborating with local organizations to remove malware from infected servers. That’s a lot of necessary and arduous rabbit chasing.

Business professionals in a meeting

Globally, efforts to take on cyberthreats have increased, but organizations need a proactive approach to this growing challenge

Cybersecurity leaders are faced with a choice – continue the exhausting firefighting or regain control with a renewed focus on proactive, layered defense built on actionable intelligence. So, what’s happening to take the fight back to the cybercriminals and state actors threatening our global resilience?

Hunter not hunted

Step 1. Identify the rabbit

As these recent events demonstrate, in our cyber-world ‘chasing the rabbit’ is a good description of how it feels when we find ourselves relentlessly responding to threats. For security teams, a proactive approach is more efficient and effective than constantly reacting to incidents on a case-by-case basis – which is frustrating, impacts decision-making and perhaps most significantly, hampers specialists from being strategic partners within the business.

As cyber-professionals, we know where the crown jewels are within our data, applications, devices and systems that we need to defend.  This knowledge will inform our understanding of how an attacker will potentially go about gaining access to that asset and guide our actions. Whether facing zero-day threats or prioritizing essential system updates and patch management.

Understanding attackers and the tools, procedures and tactics being used within their cyber-kill chain is fundamental to designing a monitoring and response plan. This forms part of the actionable intelligence of an organization.

Step 2 – Change the traps

Unlike some of the underlying technology within an organization’s infrastructure, cyberthreats don’t become obsolete or irrelevant. Futureproofing systems in the main requires cyber-professionals to inject resilience based on learnings about both relevant historic and current threats. This can be particularly difficult at one end for legacy operational technology (OT) systems and at the other end for new IoT devices, due to a lack of transparency within the software on which they rely.

Understanding attackers and their targets will allow security teams to re-examine their network from a cyber-actor's point of view and work out how to make life as difficult as possible.  By making changes to an organization’s infrastructure, based on gathered intelligence, can deflect an attacker by forcing them to adapt their tools. The chances are that nine out of ten actors won’t try again.

Many organizations are also implementing (micro) segmentation across their network, making it more difficult for cyber-actors to move laterally – minimizing disruption and costs to remediate systems.

Business meeting with the team in a room

Step 3 – Stop chasing rabbits with actionable intelligence

There’s no shortage of threat intelligence. There’s so much intelligence out there that it can be challenging for organizations to decide what’s relevant to their specific environment and circumstances. In other words, how do organizations decide who’s attacking them and define that footprint?

What do we mean by actionable intelligence? Simply put, it’s the output of collected information, leading to a set of data that, following analysis, can be used in the defense and contextualization of events on the network. Or in other words, actionable intelligence means that you can stop chasing rabbits and focus resources on a more proactive mission.

To focus on the value of actionable intelligence organizations need to define:

  1. Business and risk alignment: Understanding the objective, scope and authority needed to mitigate risk.
  2. Visibility: Define the visibility required to achieve mission readiness.
  3. Content: Build enablement for detection — including use cases, situational awareness, and baseline.
  4. Applied intelligence and analytics: Analyse, attribute and predict the threat to refocus the goal.

Step 4 – When the rabbit’s out of the hat – Incident Response

When the worst happens, it can feel as if an organization is invaded by rabbits. An effective Incident Response (IR) plan is the best way to ensure any incident is handled quickly – reducing the costs and impact on cyber and business confidence. Having a very clear focus on what to do when an incident occurs and who to talk to is critical for an effective response.

Most importantly – test your plan. We test fire evacuation plans, and IR shouldn’t be any different. Ideally, the tests would be hosted by external organizations that create test scenarios and review the plan to ensure all team members are responding appropriately. This external team can then identify any gaps and provide additional assistance and training where required.

No one enjoys chasing rabbits. The pressure on cyber-leaders to retain specialist skills requires a clear, proactive purpose to keep teams engaged. Automating whatever is possible to ensure that effort, investment and confidence aren’t undermined by a failure to maintain the resilience of ever more complex infrastructure and use actionable intelligence to make the right decisions.

 

Azeem Aleem

Azeem Aleem

VP, Cybersecurity Consulting, NTT Ltd.