“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle” – Sun Tzu, The Art of War
As cyber security slowly morphs its way into cyber warfare, a paradigm shift is required in how we protect our information assets. Gone are the days when you could put security measures in place based on what ‘you knew about yourself’ and hope they would stop all the attacks coming your way. As attacks become more targeted and advanced, it is critical to know who your adversaries are and what they are looking for, so that you can then create a security strategy that will protect you.
So how do you go about doing this?
This requires an approach that takes into account who your adversaries are and what they are looking for, and then designing a security strategy that reflects this context. This approach is outlined and explained below:
Know yourself first – The first step in designing an overall security strategy should be understanding your internal security posture. Know what your security weaknesses are against any one of the many recognised security standards such as ISO 27001. This will help determine a baseline and allow you to understand what needs to be done to establish a minimum security standard.
Know thy enemy – The next step is perhaps the more important one. This involves understanding who is trying to attack you and why, in order to understand the context and scenarios you need to protect against, and to provide the evidence necessary to the ‘powers that be’. This will vary depending on your industry and your current business. As an example, someone manufacturing high-tech military equipment is more likely to be attacked than a charity, and as such the level of security controls implemented needs to reflect this risk profile. It can be difficult to understand who is targeting you and why. One of the key sources of this information is threat intelligence garnered from the dark markets. A simple definition of the dark markets is forums where cyber criminals ply their trade online. A few security providers now offer this information, gathering the data using a variety of means. The key activities here to make the most of this information are:
1. Understanding who is targeting you and why, and bolstering your defences accordingly. It is all about knowing your enemy and preparing for the attack.
2. Understanding the chatter in the dark markets and looking for that specific information in your security logs. A way to do this is correlating the information gathered from the dark markets against your security logs and identifying any malicious activity that may be an indicator of compromise.
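To make the second activity concrete, here is an added example (not from the original article) of correlating a threat-intelligence indicator list against security logs. The indicator feed, the simple key=value log format, the field names and every IP address, domain and hash value are constructed for illustration and are not real indicators; a real feed and real logs would need their own parsers.

```python
"""Correlate a threat-intelligence indicator list against security logs.

Added example, not part of the original article. The indicator feed and the
log lines are constructed; the key=value log format and field names are
assumptions, not any vendor's real format.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed indicator feed of the kind a dark-market intelligence provider
# might supply. Values use reserved documentation ranges and invalid TLDs.
THREAT_INTEL = {
    "ip_networks": ["203.0.113.0/24", "198.51.100.17/32"],
    "domains": ["evil-updates.example", "c2.badactor.invalid"],
    "sha256": ["a" * 64],  # constructed placeholder hash
}

# Constructed sample log lines: proxy, firewall and endpoint file-hash events.
SAMPLE_LOGS = [
    "2024-03-01T10:02:11Z src=proxy user=alice host=cdn.vendor.example dst_ip=192.0.2.10",
    "2024-03-01T10:03:40Z src=proxy user=bob host=Updates.Evil-Updates.example dst_ip=203.0.113.55",
    "2024-03-01T10:05:02Z src=fw action=allow dst_ip=198.51.100.17 dport=443",
    "2024-03-01T10:06:15Z src=edr user=carol file=C:\\Temp\\payload.exe sha256=" + "A" * 64,
    "2024-03-01T10:07:30Z src=fw action=allow dst_ip=198.51.100.18 dport=443",
]


@dataclass(frozen=True)
class Match:
    """One log line that hit one indicator."""
    line: str
    field: str
    value: str
    indicator: str


def parse_kv(line: str) -> dict:
    """Split 'key=value' tokens; the leading timestamp becomes 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = {"ts": ts}
    for key, value in re.findall(r"(\w+)=(\S+)", rest):
        fields[key] = value
    return fields


class IndicatorIndex:
    """Normalised lookup structures built once from the intel feed."""

    def __init__(self, intel: dict):
        self.networks = [ipaddress.ip_network(n) for n in intel["ip_networks"]]
        self.domains = {d.lower().rstrip(".") for d in intel["domains"]}
        self.hashes = {h.lower() for h in intel["sha256"]}

    def match_ip(self, value: str):
        """Return the listed network containing the address, else None."""
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return None  # field was not a parseable address
        for net in self.networks:
            if addr in net:
                return str(net)
        return None

    def match_domain(self, value: str):
        """Case-insensitive match; subdomains of a listed domain also hit."""
        labels = value.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.domains:
                return candidate
        return None

    def match_hash(self, value: str):
        """Exact match after lower-casing, so hex case differences don't hide hits."""
        h = value.lower()
        return h if h in self.hashes else None


def correlate(lines, intel=THREAT_INTEL):
    """Run every log line through the indicator checks for the fields it carries."""
    idx = IndicatorIndex(intel)
    checks = {"dst_ip": idx.match_ip, "host": idx.match_domain, "sha256": idx.match_hash}
    matches = []
    for line in lines:
        fields = parse_kv(line)
        for field, check in checks.items():
            if field in fields:
                hit = check(fields[field])
                if hit:
                    matches.append(Match(line, field, fields[field], hit))
    return matches


if __name__ == "__main__":
    for m in correlate(SAMPLE_LOGS):
        print(f"{m.field}={m.value} matched indicator {m.indicator}: {m.line}")
```

Normalisation is the part that matters in practice: the proxy log above records the host with mixed case and as a subdomain, and the endpoint log records the hash in upper case, so a naive exact string comparison against the feed would miss three of the four hits.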
What is important to remember is that the controls implemented need to cover all three of protection, detection and response. Implement protective tools and controls, such as firewalls, to stop attackers in the first place. Recognise that compromises will happen and have detection tools and controls, such as IDSs, in place to detect attacks, and have adequate response capabilities in place to respond to any compromises that may eventuate. The response capability requires a robust and tested incident response plan. Engage in war gaming exercises to simulate attack scenarios based on information gathered in the dark markets to test and improve your response capability. Expand the response capability to include all aspects, such as legal and media management, and not just technical.
You must also ensure that the ‘predict, prevent, detect and respond’ measures you come up with address all three basic control types to ensure full coverage. These control types are as follows:
• Administrative – security policies and procedures that provide guidance on how to protect critical information assets e.g. IT Security Policy
• Physical – locks, keys, etc. that prevent intruders from gaining physical access to systems processing or holding critical information assets
• Technical – technology e.g. firewall utilised to stop intruders from gaining logical unauthorised access to critical information assets
Putting in security measures without understanding the adversary and their motivations is akin to shooting in the dark. Every now and then you may get success, but this is not guaranteed. We must remember that we have to get it right every time. Attackers only have to get it right once! This is the security challenge we face today, which is why we need a ‘consequence-based security approach underpinned by threat intelligence’.