Setting the Stage for Cybersecurity with Threat Intelligence

[Audrey McNeil <audrey () riskbasedsecurity com>]

http://www.sys-con.com/node/3126765

Ransomware is the latest example of the increasingly sophisticated and
damaging inventions of hackers. Individuals and organizations of all sizes
are finding that their data has been locked down or encrypted until a
ransom is paid. One program, CryptoLocker, infected more than 300,000
computers before the FBI and international law enforcement agencies
disabled it. A few days later, Cryptowall showed up to take its place.
Companies paid $1.3 billion last year in insurance to help offset the costs
of combatting data attacks like these.

Other examples include highly customized malware, advanced persistent
threats and large-scale Distributed Denial of Service (DDoS) attacks.
Security professionals must remain ever vigilant to both known and new
threats on the rise. However, with proper visibility into the extended
network and robust intelligence, an attack can often be detected and
stopped before it causes significant damage. By using the network to gain
intelligence, cyber defenders can gain greater visibility of adversary
actions and quickly shut them down.

Since an attack can be broken down into stages, it is helpful to think of a
response to an attack in stages as well: before, during and after. This is
standard operating procedure for anyone in the security profession. Let's
examine each stage:

Before: Cyber defenders are constantly on the lookout for areas of
vulnerability. Historically, security had been all about defense. Today,
teams are developing more intelligent methods of halting intruders. With
total visibility into their environments - including, but not limited, to
physical and virtual hosts, operating systems, applications, services,
protocols, users, content and network behavior -defenders can take action
before an attack has even begun.

During the attack, impact can be minimized if security staff understands
what is happening and how to stop it as quickly as possible. They need to
be able to continuously address threats, not just at a single point in
time. Tools including content inspection, behavior anomaly detection,
context awareness of users, devices, location information and applications
are critical to understanding an attack as it is occurring. Security teams
need to discover where, what and how users are connected to applications
and resources.

After the attack, cyber defenders must understand the nature of the attack
and how to minimize any damage that may have occurred. Advanced forensics
and assessment tools help security teams learn from attacks. Where did the
attacker come from? How did they find a vulnerability in the network? Could
anything have been done to prevent the breach? More important,
retrospective security allows for an infrastructure that can continuously
gather and analyze data to create security intelligence. Compromises that
would have gone undetected for weeks or months can instead be identified,
scoped, contained and remediated in real time or close to it.

The two most important aspects of a defensive strategy, then, are
understanding and intelligence. Cybersecurity teams are constantly trying
to learn more about who their enemies are, why they are attacking and how.
This is where the extended network provides unexpected value: delivering a
depth of intelligence that cannot be attained anywhere else in the
computing environment. Much like in counterterrorism, intelligence is key
to stopping attacks before they happen.

Virtual security, as is sometimes the case in real-world warfare, is often
disproportionate to available resources. Relatively small adversaries with
limited means can inflict disproportionate damage on larger adversaries. In
these unbalanced situations, intelligence is one of the most important
assets for addressing threats. But intelligence alone is of little benefit
without an approach that optimizes the organizational and operational use
of intelligence.

Security teams can correlate identity and context, using network analysis
techniques that enable the collection of IP network traffic as it enters or
exits an interface, and then add to that threat intelligence and analytics
capabilities.

This allows security teams to combine what they learn from multiple sources
of information to help identify and stop threats. Sources include what they
know from the Web, what they know that's happening in the network and a
growing amount of collaborative intelligence gleaned from exchange with
public and private entities.

Cryptowall will eventually be defeated, but other ransomware programs and
as-yet-unknown attacks will rise to threaten critical data. Effective
cybersecurity requires an understanding of what assets need to be protected
and an alignment of organizational priorities and capabilities.
Essentially, a framework of this type enables security staff to think like
malicious actors and therefore do a better job of securing their
environments. The security team's own threat intelligence practice, uniting
commercial threat information with native analysis of user behavior, will
detect, defend against and remediate security events more rapidly and
effectively than once thought possible.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!