Adam Meyers from CrowdStrike looks at how intelligence is often the missing part of the puzzle for organisations focusing on keeping out the bad guys.
Today, every organisation is a potential attack target, regardless of vertical, specialty and geographic location. Threats are evolving by the second and a vast ecosystem of adversaries is preying on our intellectual property. A combination of opportunistic criminals, hacktivists looking to advance their agenda and targeted actors focused on espionage or destructive attacks has led us to fear the next ‘mega breach’ on the horizon. This has created a fever pitch in which an understanding of how these criminals work, and of the tools, techniques and procedures they employ, has never been more critical to business.
While many organisations have thrown money at the problem to shore up defences and build capabilities to withstand these ongoing attacks, many have failed to understand the missing link in the continuous ‘people, process and technology’ conversation.
Intelligence is no longer a ‘nice to have’
The primary motivation behind global cyber activity has shifted from disparate activities carried out by individuals, groups and criminal gangs pursuing short-term financial gain, to skilled adversaries driven by strategic global conflicts. As such, we can’t properly interpret today’s threat landscape without understanding the impact of global economic developments and geopolitical events. Something may have happened miles away, but that doesn’t mean it won’t have wider-reaching impacts, in the long run, in the form of an attack where you are.
Cyber risk mitigation starts with anticipating and detecting potential threats and being prepared to defend against new approaches. That can only be done successfully with access to the right insight. Without intelligence and a well-trained team to monitor, capture and analyse threat data effectively, we cannot understand what adversaries are looking for and how they think, in order to prepare and react. That leaves companies vulnerable to paying for their lack of insight in the loss of revenue, jobs, intellectual property and shareholder value. As a result, threat intelligence is no longer a ‘nice to have’ but a mandatory element of any comprehensive security programme.
Yet, at the moment many security professionals are cast in the role of passively reviewing alert data, much of which consists of false positives. To get out of reactive mode and prevent breaches, businesses must take steps to prioritise actionable intelligence so that they can get ahead of the threats that could compromise their business.
Move with the times – known bads go stale quickly
In the same spirit as the passive review of data, teams are also spending too much time tracking indicators of compromise (IoCs), despite the fact that information on these ‘known bads’ goes stale quickly.
Focusing on the symptoms of the adversary problem isn’t enough in the new age of cyber security. Firms must be poised to assess what tools criminals are using for exploitation, understand how they have managed to propagate across the network, and then determine next steps once a presence has been established. Enabling this kind of security posture starts with expanding the scope of operations, using technologies that can identify indicators of attack (IoAs). This enables teams to track the effects of what the adversary is trying to accomplish, so that they can understand where the adversary has been, what its objectives are, and where it is today.
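One way to see the distinction the article draws between IoCs and IoAs, as an added example that is not from the article or from CrowdStrike: a small Python triage routine applies a constructed hash feed and one behaviour rule to constructed endpoint events. Every host, path, hash and process name below is made up for illustration.

```python
"""Added example, not from the article: a toy comparison of IoC matching
(static 'known bad' hashes) with an IoA behaviour rule over constructed
endpoint telemetry. Every hash, host, path and process name is made up."""
from dataclasses import dataclass


@dataclass
class Event:
    host: str
    parent: str     # image name of the parent process
    process: str    # image name of the child process
    path: str       # directory the child image was launched from
    sha256: str     # hash of the child image (constructed placeholder)
    outbound: bool  # child opened an outbound network connection


# IoC feed: hashes reported for one campaign (constructed placeholders).
IOC_HASHES = {"0" * 64: "dropper build 1"}

# IoA rule: the behaviour the adversary needs regardless of which build ran,
# an Office application launching a payload from a user-writable location
# (or a script interpreter) that immediately talks to the network.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def ioc_match(e: Event) -> bool:
    return e.sha256 in IOC_HASHES


def ioa_match(e: Event) -> bool:
    suspicious_child = (e.process.lower() in INTERPRETERS
                        or e.path.lower().startswith(USER_WRITABLE))
    return e.parent.lower() in OFFICE_APPS and suspicious_child and e.outbound


def triage(events):
    """Return (host, ioc_hit, ioa_hit) for each event."""
    return [(e.host, ioc_match(e), ioa_match(e)) for e in events]


# Constructed telemetry: week 1 uses the build in the feed; week 2 is the same
# tradecraft with a recompiled payload; the third event is a benign admin task.
SAMPLE = [
    Event("ws-01", "WINWORD.EXE", "invoice.exe", "C:\\Users\\a\\AppData\\Local\\Temp", "0" * 64, True),
    Event("ws-02", "WINWORD.EXE", "invoice.exe", "C:\\Users\\b\\AppData\\Local\\Temp", "1" * 64, True),
    Event("ws-03", "explorer.exe", "powershell.exe", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0", "2" * 64, False),
]

if __name__ == "__main__":
    for host, ioc, ioa in triage(SAMPLE):
        print(f"{host}: IoC={'hit' if ioc else 'miss'}  IoA={'hit' if ioa else 'miss'}")
```

The second event is the stale-IoC case: the recompiled payload no longer matches the feed, while the behaviour rule still fires.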
New era, new mantra – detection and response
It’s easy to talk about what organisations aren’t doing and how they need to adapt, but combining intelligence, detection and remediation capabilities into a unified strategy can be enough to make any business leader run for the hills. By developing a step-by-step approach, security becomes easier to digest.
This starts with focusing on the endpoint, which is the typical starting point for adversaries when launching an attack. Factoring scalable endpoint protection into corporate risk mitigation strategies means businesses can enhance their attack readiness. Next, they must focus on how they will achieve the pace and scale needed to stay ahead of their opponents. Maintaining regular system updates is a key part of this, and cloud-based models are a particularly safe bet to deliver the flexibility, speed and scale the business needs. In fact, cloud-based endpoint protection gives organisations the ability to monitor and learn from attackers as they test attack strategies, to crowdsource threat intelligence and to receive seamless upgrades.
Ultimately, steering clear of the ‘mega breach’ comes down to two key points: speed and agility. Being able to assess any intrusion and contain it immediately is the only way to future-proof your business. A combination of intelligence and trained personnel is critical to ensure that no matter where the bad guys move, or whatever new tactics they deploy, we can monitor these movements and be prepared to act.