Three Things that Need to Change in Cyber Security

Hardly a week goes by without media coverage of a major security breach. Organisations are spending more and more money on preventive cyber security measures, yet the breaches seem to keep increasing. I am often asked “what are the top things that need to change to stem this flow?”.

I often hear security professionals and vendors talk about how great their products and offerings are in terms of speeds, feeds, throughput, etc. Yet it is the business that spends the money to acquire these technologies and services. Unfortunately, what often happens is that the business does not quite understand what it is buying or why, and as a result the investment can be misdirected.

The first thing that needs to change is that IT Security professionals need to start relating their offerings to how they will support the business, so that the business can understand the need for and benefits of these investments and make them in a more informed manner. A great example of this is all the digital transformation that is currently going on within organisations. A lot of these initiatives are being driven by the business without necessarily involving IT Security. It begs the question – why is this?

The answer, unfortunately, is that the business does not necessarily see the value that IT Security can provide. We can change this by partnering with the business to enable their digital transformation journey securely. Let’s get involved from the start of the project and ensure that security is built in by design. Let’s make sure that the business understands that IT Security is there to ensure that the system or application being developed will be resilient to attacks, and that this in turn mitigates risks such as reputational risk, financial risk, etc. It is this change in thinking and a partnership approach that will allow IT Security teams and businesses to work better together towards a more secure environment.

The second thing that needs to change is the language that we use. Boards and executives who normally approve funding for IT Security projects do not speak tech! They speak the language of ROI, NPV, etc. IT Security professionals need to start speaking this language so that the business can understand the need for and benefits of such investments.

Without this change, the business will always hesitate to spend money on what it perceives as non-revenue-generating activities. Indeed, cyber security needs to be about cyber risk management. We must ensure that the business understands that cyber security is simply another form of risk management; it should be part of the overall Enterprise Risk Management framework and managed as such.

The last point is really two related points combined as one. Cyber security is quickly morphing into cyber warfare. There will come a time in the not too distant future when a country attacking another country will take out its critical infrastructure and systems, crippling it before launching a physical assault. Just as in physical warfare, we need to learn and apply some lessons here to cyber warfare and security. In order to protect itself, a country does two things:

  1. Gather intelligence on its adversaries so that it knows what they are up to
  2. Bolster its defences based on knowledge of how it may be attacked.

Unfortunately, this approach is seldom taken by organisations when it comes to cyber security. Organisations need to gather cyber intelligence to understand who may be attacking them and why. A critical part of this is dark market intelligence. The dark markets are where stolen data is traded. Unless it is traded there, it is not monetised, and unless it is monetised, it is worthless to the hacker and a waste of their time.

Hacking is now largely about making money, and time is money! Based on this, it makes a lot of sense to scan the dark markets for any leaked data or chatter about activities aimed at attacking you. This will allow an organisation to do two things:

  1. Proactively manage a breach if one has occurred, by activating its incident response procedures
  2. Gain intelligence on any potential attacks and prepare to thwart them

The second part of this point is understanding who may try to attack you and how, and bolstering your defences accordingly.

Arguably, the method of choice for attackers now is phishing. They use this method to trick users and gain access to their devices. Once the user has taken the bait, the attacker will get into the organisation’s IT environment with the intent of finding and exfiltrating critical data and information.

I have depicted this attack methodology below and explained it in simple terms:

  • Email or web based attack – initially the attacker sends an email with a link or an attachment that will either contain malware or direct the user to it.
  • Malware download – once the user opens the attachment or clicks on the link, the malware is downloaded to the user’s device. This usually exploits a missing patch on the device.
  • Local device takeover – once the malware has been downloaded to the device, the attacker looks to take over control of the infected device.
  • Privilege escalation – the attacker then looks to move laterally within the network and tries to gain higher privileges. Once this is attained, the attacker starts looking for the critical data they want to exfiltrate.
  • Data exfiltration – once the attacker has found the data, they try to copy it off to another location under their control.

Now that we have discussed how an attacker can get into an organisation (please note this is not the only way), let’s look at how we can come up with controls that can help stop this type of attack.

Controls within a cyber security context generally fall into four categories. I have illustrated and described the categories below:

  • Predict – systems, tools, policies and procedures that help detect vulnerabilities in systems and predict potential avenues of attack.
  • Prevent – systems, tools, policies and procedures that prevent threats from affecting your systems. An example would be the corporate firewall.
  • Detect – systems, tools, policies and procedures that give you the ability to detect threats that may be affecting your systems. An example here would be an Intrusion Detection System.
  • Respond – systems, tools, policies and procedures that allow you to respond to threats and contain / eradicate them. A policy example would be the corporate Incident Response Plan and associated tools such as a Security Information and Event Management (SIEM) system.

Now comes the important part – what we must do is look at every step in the attack methodology and, for each step, apply controls from each category to help stop the attack. The simplest way of doing this is in a table, as illustrated below:

| Control category | Email & Web Attack | Malware Download | Machine Takeover | Privilege Escalation | Data Exfiltration |
|---|---|---|---|---|---|
| Predict | DM Scanning; Web / Email Filtering; NGFW; UBA / NBA; Analytics | Web / Email Filtering; Advanced Endpoint Protection; NGFW; UBA / NBA; Analytics | Advanced Endpoint Protection; UBA / NBA; Analytics | Advanced Endpoint Protection; UBA / NBA; Analytics | Advanced Endpoint Protection; UBA / NBA; Analytics |
| Protect | Web / Email Filtering; User Education and Anti-Phishing S/ware; NGFW / Stealth | Web / Email Filtering; Advanced Endpoint Protection; Patch & Vul Mgmt; NGFW / Stealth | Advanced Endpoint Protection; Patch & Vul Mgmt | PAM; IdM; Patch & Vul Mgmt | Advanced Endpoint Protection; NGFW / Stealth; DLP |
| Detect | Web / Email Filtering; NGFW | Web / Email Filtering; Advanced Endpoint Protection; NGFW | Advanced Endpoint Protection | Advanced Endpoint Protection | Advanced Endpoint Protection; NGFW; DLP |
| Respond (Attack Successful) | NGFW (IPS); SIEM; SOC | NGFW (IPS); SIEM; SOC | NGFW (IPS); SIEM; SOC | NGFW (IPS); SIEM; SOC | NGFW (IPS); SIEM; SOC |

Please note that the above table is an example only and the controls / technologies listed are not an exhaustive list. I have also concentrated on technical controls in the above example. This does not negate the need for policy and people controls.
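One way to turn the table into a repeatable check, as an added example that is not part of the original post: compare the controls an organisation actually has in place against the reference matrix, list the (attack step, control category) cells in which none of the reference controls is deployed, rank the attack steps by how many categories are uncovered, and find the single control that would close the most cells. The reference matrix is transcribed from the table above (using the post's own abbreviations); the DEPLOYED set is a constructed sample for a hypothetical organisation, and the helper names gaps, prioritise and best_single_addition are my own, not anything from the post.

```python
"""Coverage check of an attack-step x control-category matrix.

Added example, not code from the original post. REFERENCE is transcribed from
the post's table (control names as the post abbreviates them); DEPLOYED is a
constructed sample of what a hypothetical organisation has actually rolled out.
"""

ATTACK_STEPS = [
    "Email & Web Attack",
    "Malware Download",
    "Machine Takeover",
    "Privilege Escalation",
    "Data Exfiltration",
]
CATEGORIES = ["Predict", "Protect", "Detect", "Respond"]

AEP = "Advanced Endpoint Protection"
WEF = "Web / Email Filtering"
RESPOND = {"NGFW (IPS)", "SIEM", "SOC"}

# REFERENCE[category][step] -> set of controls the post's table lists for that cell.
REFERENCE = {
    "Predict": {
        "Email & Web Attack": {"DM Scanning", WEF, "NGFW", "UBA / NBA", "Analytics"},
        "Malware Download": {WEF, AEP, "NGFW", "UBA / NBA", "Analytics"},
        "Machine Takeover": {AEP, "UBA / NBA", "Analytics"},
        "Privilege Escalation": {AEP, "UBA / NBA", "Analytics"},
        "Data Exfiltration": {AEP, "UBA / NBA", "Analytics"},
    },
    "Protect": {
        "Email & Web Attack": {WEF, "User Education and Anti-Phishing S/ware", "NGFW / Stealth"},
        "Malware Download": {WEF, AEP, "Patch & Vul Mgmt", "NGFW / Stealth"},
        "Machine Takeover": {AEP, "Patch & Vul Mgmt"},
        "Privilege Escalation": {"PAM", "IdM", "Patch & Vul Mgmt"},
        "Data Exfiltration": {AEP, "NGFW / Stealth", "DLP"},
    },
    "Detect": {
        "Email & Web Attack": {WEF, "NGFW"},
        "Malware Download": {WEF, AEP, "NGFW"},
        "Machine Takeover": {AEP},
        "Privilege Escalation": {AEP},
        "Data Exfiltration": {AEP, "NGFW", "DLP"},
    },
    "Respond": {step: set(RESPOND) for step in ATTACK_STEPS},
}

# Constructed sample: controls a hypothetical organisation currently has in place.
DEPLOYED = {WEF, "NGFW", "Patch & Vul Mgmt", "SIEM", "SOC"}


def gaps(reference=REFERENCE, deployed=DEPLOYED):
    """Return (step, category) cells in which none of the reference controls is deployed.

    Cells come back in attack-chain order, then category order, so the list
    reads top to bottom as the attack progresses.
    """
    missing = []
    for step in ATTACK_STEPS:
        for category in CATEGORIES:
            if not reference[category][step] & deployed:
                missing.append((step, category))
    return missing


def prioritise(reference=REFERENCE, deployed=DEPLOYED):
    """Rank attack steps by number of uncovered categories, most first.

    sorted() is stable, so steps with equal gap counts keep attack-chain order
    (an earlier step in the chain is ranked ahead of a later one).
    """
    uncovered = gaps(reference, deployed)
    counts = [(step, sum(1 for s, _ in uncovered if s == step)) for step in ATTACK_STEPS]
    return sorted(counts, key=lambda sc: -sc[1])


def best_single_addition(reference=REFERENCE, deployed=DEPLOYED):
    """Find the one not-yet-deployed control that would close the most gap cells.

    Returns (control, number_of_gap_cells_closed), or (None, 0) if there are no gaps.
    Candidates are scanned in sorted order so ties resolve deterministically.
    """
    closes = {}
    for step, category in gaps(reference, deployed):
        for control in reference[category][step] - deployed:
            closes[control] = closes.get(control, 0) + 1
    if not closes:
        return (None, 0)
    control = max(sorted(closes), key=closes.get)
    return (control, closes[control])


if __name__ == "__main__":
    for step, category in gaps():
        print(f"GAP  {step:<22} {category}")
    print("priority:", prioritise())
    print("best single addition:", best_single_addition())
```

Control names are matched as exact strings on purpose: "NGFW" in the deployed set does not satisfy a cell that asks for "NGFW / Stealth", which mirrors how the post distinguishes the two. For the constructed DEPLOYED set the check reports six uncovered cells, all in the later stages of the chain, and shows that adding Advanced Endpoint Protection alone would close every one of them, which is exactly the kind of prioritisation argument the post wants to put in front of the business.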

For the technologies listed above, appropriate policies and procedures should be documented covering their use and deployment. Technical staff must be trained in their use, and general users must be provided with awareness training so that they can spot attack attempts and not fall for them.

This simple methodology will allow you to achieve two things:

  1. Understand how you are being attacked and implement controls accordingly. The chain of attack activities allows you to put controls in context and prioritise your investments.
  2. Allow the business to understand the need for the various investments being asked for and how they will help make the business more secure. Most execs understand phishing. Let’s start with something familiar: explain how it actually works to steal data, and then contextualise the security investments required accordingly.

Once we start to understand who is trying to attack us (based on cyber intelligence) and how (based on an attack methodology), we can start to add the necessary context to the security investments required. This will aid in prioritising and justifying the investments.

The cyber security landscape is changing quickly; threats and their severity are increasing dramatically and rapidly. We need to take a risk-based approach focused on business outcomes and get our language right. A new approach is required to deal with this threat: proactive intelligence and attack-based contextualisation, not a reactive approach without context. Only then can we add value and opportunity to the business and manage compliance, legislative, reputational and financial risks.


About the author

Ashwin Pal is the Unisys Director of Security Services responsible for the delivery of Unisys’s security business in the Asia Pacific region.
