The last 14 months have highlighted that attacks domains are expanding. We have seen the trends with OPM data breach, to sensitive PII information leak at Anthem breach and Vtech breach. The extortion malware impacting organizations, to an advanced coordinated attack at Ukrainian Power grid highlights the complexity around the anatomy of attacks.
To better understand the topic we have been talking with Azeem Aleem Director for the Advanced Cyber Defense Services Practice – EMEA at RSA. Azeem is responsible for overall professional services engagement for Global Incident Response/Discovery (IR/D), breach readiness, remediation, SOC/CIRC redesign and proactive computer network defense. Prior to RSA, Azeem was the Director for the Centre for E-crime and earlier, led cyber security consultancy services for advanced cyber threats to the law enforcement agencies, Big 4, public sector and the private financial services.
Aristotle (Aristotle, 384-322BC) said, “ It must be expected that something unexpected must occur” . The current time is the unexpected as we are passing through an era of phenomenon technological revolution. From the realm of the international space exploration ( Scott Kelly and Mikhail Kornienko returned on 2 March after spending 340 days in the space ) to the immense growth of the smart tablets (Apple’s iPad 2 rivals the Cray 2 supercomputer, the world’s fastest computer in 1985) highlights how technology is molding our civilisation to the new heights.
Unfortunately, crime follows opportunity and with this technological advancement we are seeing a rise in the advanced cyber attacks . These days the attacks we are seeing are more focused towards Zero day attack bringing in sophistication and complexity. Rogue Nation-state actors are on the rise and have developed a more diverse and stealthy network of operations. They are devising intelligent way of using the leak data for commercial and national security implications. The hunt for these attacks is not an easy phenomenon. Cyber Criminals are not bound with any rules; their attacks are shielded/ hidden across the organization network. Traditional perimeter is melting and the attack service is increasing which requires holistic view of how we protect the echo systems. Not in my back yard Siloed approach does not work anymore. No doubt there is a long journey for Security industry to cover however, the Security Industry leaps and bound towards maturity – Simultaneously the customer familiarity of security has increased and they now expect from vendors security as an essential discriminator.
The threat landscape is shifting fast – every day there is a new threat domain that hackers have utilized to impact the organisations. We can divide the threat landscape around four main areas:
Two areas where we are going wrong are: Preventive Mindset and Analysis Paralysis Syndrome. In the first case we need to understand the attack telemetry; while there is an agreement on the complexity of advanced attack, what we see is that organizations are still trying to protect them using traditional controls around signature based framework. Organizations are lacking in the right visibility and still relying on the traditional tools like SIEM for advanced monitoring – which is only able to detect 1% of the Advanced Attacks. We are witnessing that traditional prevention approach has become a failed strategy. You will be get breach and it is the move towards proactive defense that will enable organizations to preempt where the next attack would be forthcoming from. Comprehensive visibility for full packet capture to gather what is happening in your network is the way forward. In the second aspect what we see as those organizations that understand rational of collecting the data from end points, network flow/packets, cloud based apps and network perimeter are facing a problem flux of data. To detect the pattern they have a task of finding a needle in the haystack; they lack the capability to integrate into a single normalized platform to detect the behavioral classification of these cyber criminals.
Security programmes solely focus on compliance won’t work. There is no such thing as an isolated incident and there is a need to manage the whole incident space by developing the threat intelligence capability – pervasive visibility is essential but they need to develop the capability to tackle TTPs (Tactics, Techniques & Procedures). The element of time has changed its now a matter of minutes and seconds on how do we respond to an attack. Nurturing threat intelligence capability will enable them to act as hunters, and help them classify the behaviour and pattern of cyber criminals. The value of the threat Intel is how we use it and put it to action- operationalize the platform- automating the raw data into a tangible Intel is the key. Developing the niche capability will help unveil the opponents and force the adversaries to change/edit their strategies which in turn enhancing the ability to respond. Organization requires a mindset change to develop hunting methodology and enable their staff. Breeding the right culture is very important. To nurture the hunting capabilities you need to accept mistakes. Our industry is building itself on illusions (one fix work all)- organizations need to develop filters to chalk out the white noise and follow patterns of attacks that are specific to organizations.
Changing any culture is not easy. Within the security department, training, education and new norms for doing security hunting need to be established. This may also require bringing in new staff members fresh to the new ways of doing things. It is also necessary to evangelize the new approach to those more senior staff in the organisation, to ensure that they understand and support the new approaches, as well as to those personnel and departments that interact with security. Central to this is promoting the metrics ( whether security is working or not ) so that the success (or the failure) can be clearly seen by all. Azeem Aleem has been staunch supporter of convergence and been actively writing to highlight the need for converged methodology to tackle these advanced attacks
Development of educational route is very important to develop talent career progression. The recent move of recognizing Masters degree by GCHQ for selected 10 UK universities will enable the students to take security as a career. We need a stronger partnership among academia, public and private sector – universities students final year MSc project and PHD thesis could be an excellent route to work on Industry live work case examples. Element of research needs to be enabled by developing this partnership. For example at RSA we are working with number of universities such as Brighton, Napier and Macquarie University to develop various areas of research where university researchers can contribute towards our efforts in fights against advanced adversaries. From technology viewpoint organizations are overwhelmed with legacy technologies. This is creating an impact around productivity and creating a dizzying whirlpool of reality (that we are secured). They are getting all the alerts but no real credibility and tangible intel. Traditional Perimeter have melted away and this requires holistic view of how we protect the echo system. Closer integration of the supply chain is very important- continuous monitoring needs to be done and silted approach needs to be taken out.
About the Author Emma Pietrafesa
Dr Emma Pietrafesa (Ph.D.) researcher and communicator. Postgraduate specializations in management and public communication, international relations and diplomatic studies. She has been working in the field of research and communication for over 12 years, focused on: ICT and social media, open source, cyber harassments, cyberbullying, international relations, gender issues, health and safety at work. She is Author for Italian digital magazines www.TechEconomy.it and www.girlgeeklife.com.
(Security Affairs – Azeem Aleem, cybercrime)