As attackers seem to be always a few steps ahead of corporate lines of defence, a more active and outward-looking approach to security incident response has emerged over the past several years. Some call it hunting, the kill chain or active defence, or use other terminology to make the same point: we will no longer sit back and wait passively for attacks to respond to. The often militaristic terms used to describe these new lines of defence are a good indication of the proactive and perhaps more aggressive nature of what may better be classed as counter-attack. It is an approach whereby you seek out the attackers before they strike you. Recently JP Morgan announced that it had set up a new cyber defence unit, largely staffed with ex-military cyber warriors. A new security operations centre was subsequently established conveniently close to the NSA’s headquarters in order to attract the much needed talent. Is this a trend, much in the same way that air force pilots make their way into commercial aviation following their military careers? Perhaps it is too early to tell, but there is clear evidence that more organisations are standing up a far more proactive response to cyber-attacks than we have seen over the past decade or so.
But when does proactive response turn into hacking back? And what about the legal boundaries of what is permitted and what is not, not to mention the many jurisdictions a typical cyber-attack usually spans? My guess is that the courts will have to produce much new jurisprudence on this complicated matter, with legislators trailing behind. This will create a somewhat paradoxical situation over time, as the very same nation states that will need to pass these new cyber laws will be reluctant to curb their own cyber-war capabilities at the same time.
Most companies, however, are far removed from establishing hunt teams, and have yet to start organising their response to cyber-attacks in an adequate security operations centre. Before doing so, an interesting exercise is a reality check on how many of the implemented security controls are preventative in nature versus detection oriented. Given that we know the prevention paradigm is behind us, it is striking to see how much of enterprise security is still based on prevention: in most cases at least seventy percent prevention oriented, I would wager. With that I am not suggesting that we should do away with preventative security controls altogether; many of them have a place in the mix. However, if you want to move towards an informed and more proactive cyber-defence organisation, you will need to provide your hunt teams with the intelligence gathered from internal and external sources in order for them to be effective. For most this will require a security transformation: a move away from the fortress approach and towards the detection and proactive response paradigm.
Where we used to think that it was possible to protect corporate networks and systems and prevent them from being compromised, we are now seeing a level of persistence, organisation and skill that makes these break-ins inevitable. Organisations are better off assuming they have been breached, a mindset that will allow us to get beyond yesterday's prevention paradigm and implement a much more effective approach to cyber-defence, one that is largely based on response.
But where do we start? How about with the question of what is worth stealing or disrupting? What are your crown jewels, your prized possessions and critical processes? This is often where the confusion starts. Although similar at first glance, there is a fundamental difference between “what are you looking to protect?” and “what are you looking to defend?”. The former looks at your valuable data, such as intellectual property, and your critical business processes, whereas the latter is really about your attack surface or infrastructure. I say let’s worry about what attackers may be after first, and then think about how best to safeguard it.
Many organisations are still transforming from a perimeter-focused approach and are in the process of including more security layers, embedded throughout vital parts of the business architecture. The problem with the disappearing perimeter, however, is that if you try to protect everything with the same level of security you will eventually fail, not least because it will break your budget. Equally, if your strategy is still based on a pure protection approach, this will also lead to failure. The more successful strategies I have seen are based on at least sixty percent response as opposed to protection. The first question usually asked on this subject is whether a predominantly response-based security approach will not allow attackers to always claim success. Not necessarily. Implement prevention technology and processes where they make sense, and response-oriented controls across the board, starting with continuous monitoring.
The key is to focus on your valuables, the stuff that really matters. This is where data classification usually comes in: managing the sensitivity of information and giving it labels such as classified or even top secret. The issue here is often over-classification. When in doubt, label it classified, just to be sure. That is what many people will do, not realising that this dilutes the process and makes the classification meaningless. Simple data classification is not good enough in today’s world, and more rigorous steps are required to ensure that the organisation understands what is truly critical to protect in order to manage the business successfully.
Once you know the answer to that question, you will naturally need to provide an appropriate security architecture and organisation to address the risk of a breach of these valuables, and an appropriate level of security for the rest. Much of this will be based on a more modern response framework and not just protection. This will include continuous monitoring, threat intelligence, incident analysis and response, and hopefully an incident response team organised in a Security Operations Centre. We have seen new methods of incident response, with hunt teams taking a proactive approach as opposed to only following up on security events and incidents. This goes a long way towards further complicating an attack, which is absolutely critical in stopping it. By complicating the attack, your incident response team gains the valuable time it needs to stop the attack in its tracks before it succeeds in exfiltrating your data or disrupting your business process.
Such a modern approach to cyber defence, in what can be classed as an asymmetric battle, needs to start with the assumption that your organisation has been breached. It will make the subsequent security transformation a lot more successful.