- Using CTI to support a back to basics approach
Cyber Threat Intelligence (CTI) can be defined in many ways; at its simplest it is a threat feed. In the coming year it will be important to use threat intelligence as an early warning system for customers and to provide context around threats. In short, the supplier does the hard work so that customers do not have to; depending on the service and the level of access granted, suppliers can then block threats before they have a chance to do any damage.
In most cases that threat intelligence simply provides guidance on protection using basic defences such as patch management. In any corporate environment it is challenging to express the severity of a vulnerability not only as a technical risk but also as a financial, human and business risk. In a perfect world we would patch everything; reality dictates a more practical approach. More often than not, patching a critical Java vulnerability on a financial system the day before the end of the financial year will not whet many appetites, for fear of breaking the system, even where the patch has been applied successfully in pre-production.
Combining vulnerability management with threat intelligence is a strong use case for protecting corporate environments. Customers are right to worry about the next strain of global cyber-security incident, but last year's WannaCry and Petya outbreaks propagated using an SMB vulnerability that Microsoft had patched months earlier (MS17-010, March 2017); the fix simply needed applying. Here at Fujitsu, for example, we issued a threat advisory on that patch to CTI customers three months before Petya spread. We also issued our CTI customers an advisory on the Apache Struts vulnerability that Equifax was exploited with, several months before that exploitation. We observed exploits in the wild for that vulnerability, so the impact was clearly high.
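The passage above argues for ranking patching work by threat intelligence rather than by CVSS score alone. The following is an added example, not code from the original article or any Fujitsu service: it joins constructed scan findings with a constructed CTI feed (exploited-in-the-wild and public-exploit flags, plus the date the advisory went out) and orders the work so that a medium-severity bug being exploited on an internet-facing host outranks a critical bug on an isolated development box. The field names, scoring weights and dates are all assumptions made for the example.

```python
"""Added example: joining a CTI feed with scan findings to rank patching work.

All data below is constructed for illustration; the feed format, asset
attributes and scoring weights are assumptions, not any vendor's schema.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str
    cvss: float            # base score reported by the scanner
    internet_facing: bool
    criticality: int       # 1 (low) .. 5 (business-critical), from the CMDB


@dataclass(frozen=True)
class Intel:
    cve: str
    exploited_in_wild: bool
    public_exploit: bool
    advisory_date: date    # when the CTI advisory went out to customers


# Constructed scan findings (placeholder CVE names, not real identifiers).
FINDINGS = [
    Finding("fin-app-01", "CVE-A", 9.8, True, 5),
    Finding("dev-box-07", "CVE-A", 9.8, False, 1),
    Finding("hr-web-02", "CVE-B", 7.5, True, 4),
    Finding("file-srv-03", "CVE-C", 9.0, False, 4),
    Finding("kiosk-11", "CVE-D", 5.3, False, 1),
]

# Constructed CTI feed keyed by CVE; CVE-D has no intelligence at all.
INTEL = {
    "CVE-A": Intel("CVE-A", True, True, date(2017, 3, 20)),
    "CVE-B": Intel("CVE-B", False, True, date(2017, 5, 2)),
    "CVE-C": Intel("CVE-C", False, False, date(2017, 6, 1)),
}


def risk_score(f: Finding, intel: dict[str, Intel]) -> float:
    """Rank a finding by what an attacker can do with it, not only by CVSS.

    Weights are assumptions chosen so that "exploited in the wild" dominates:
    a 9.8 on an isolated dev box should not outrank a 7.5 with a public
    exploit on an internet-facing host.
    """
    ti = intel.get(f.cve)
    score = f.cvss
    if ti is not None:
        if ti.exploited_in_wild:
            score += 10.0
        elif ti.public_exploit:
            score += 5.0
    if f.internet_facing:
        score *= 1.5
    score *= 1 + (f.criticality - 1) * 0.25   # 1.0x for criticality 1 .. 2.0x for 5
    return round(score, 2)


def prioritise(findings, intel, today: date):
    """Return (score, asset, cve, advisory_age_days) sorted by descending risk.

    The advisory age shows how long the warning has been available, which is
    the number to put in front of the business when arguing a patch SLA.
    """
    rows = []
    for f in findings:
        ti = intel.get(f.cve)
        age = (today - ti.advisory_date).days if ti else None
        rows.append((risk_score(f, intel), f.asset, f.cve, age))
    return sorted(rows, key=lambda r: r[0], reverse=True)


if __name__ == "__main__":
    for score, asset, cve, age in prioritise(FINDINGS, INTEL, date(2017, 6, 27)):
        print(f"{score:6.2f}  {asset:12}  {cve}  advisory age: {age} days")
```

Run as a script, the list puts the internet-facing finance host first, the internet-facing HR web server second, and only then the identical CVSS 9.8 finding on the development box; the 99-day advisory age on the top row is the kind of figure that makes the "we warned you three months ago" conversation concrete.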
- Political eggshells
The line between cyber security and politics is blurred by continued reports of election tampering and breaches of government agencies and departments. Investigations surrounding the US election will rumble on into 2018, with core concerns around the manipulation of security controls and 'sleight of hand'. There were reports of similar disruptive activity during the 2017 French election. In recent years, senior members of political parties around the world have become all too familiar with concepts such as 'phishing' and 'incident response'. In the case of the Democratic National Committee (DNC), the infamous compromise that CrowdStrike attributed to Russia, the cost of the incident response to remove the attackers from the DNC network was reportedly $50k a month.
Nation states continue to grow in cyber security expertise, with the skill, will and resources to monetise their endeavours or disrupt their neighbours. Not every threat model needs to protect against adversaries seeking to destabilise a nation; however, with the increasing adoption of digital services and the frequent attribution of cyber-attacks to nation states, it is reasonable to expect that attacks against commercial entities in support of political objectives will only increase.
- Zero day danger
Boutique zero-day brokers such as Zerodium offer significant bounties to researchers, such as the $1.5m offered in 2017 for an iOS exploit. Initiatives by the US Government such as 'Hack the Army' show a willingness to let researchers find vulnerabilities in US digital services. This is an ethical approach in which the US Army accepted the risk of vulnerabilities being found and, more importantly, rewarded those who reported them. The Shadow Brokers rose to prominence in 2017 as a group releasing exploits reportedly stolen from the United States National Security Agency. Their releases included the ETERNALBLUE SMB exploit and the DOUBLEPULSAR kernel backdoor, which were subsequently weaponised in attacks such as WannaCry and Adylkuzz. Microsoft had patched the SMB vulnerability a month before that release, so strictly these were no longer zero days when they were weaponised, but against the large unpatched population they were just as effective.
The US Government's 'hoarding' of zero days was formally acknowledged in 2017 with the publication of its Vulnerabilities Equities Process (VEP) charter. Under the VEP the government can choose to withhold disclosure of a vulnerability if it believes doing so is in the interests of safety and security. Fortunately, for the major attacks observed in 2017, patches were already available for the vulnerabilities exploited, allowing a degree of protection or mitigation against significant damage. The alternative, in which boutique brokers or government agencies are compromised and their hoarded zero-day exploits stolen, is hard to contemplate, particularly where no patch or protection exists.
- Effective Security Monitoring
As data and our digital lives continue to grow and connect, the internet expands and the lines around network perimeters become increasingly blurred. The consequence is more data to manage and more cyber-attacks to detect and analyse.
Security monitoring is a fundamental prerequisite for any business; however, to keep pace with the continued rise in cyber-attacks, organisations must continue to innovate for that monitoring to remain effective. The threat landscape continues to grow in velocity and complexity, and Security Operations Centres (SOCs) are finding it difficult to keep up with the range of attacks facing modern businesses. Traditional technologies driven by manual processes are no longer sufficient; a fresh, proactive approach is required to counter modern cyber criminals.
That approach includes analytical services such as User and Entity Behaviour Analytics (UEBA), Endpoint Detection and Response (EDR) and Managed Detection and Response (MDR) within a strong advanced-threat ecosystem. Blended approaches, with human analytical skills underpinned by security automation and orchestration (SAO), will be necessary to address real issues facing SOCs such as alarm fatigue.
A future is certain in which SOCs leverage artificial intelligence, machine learning and an API-driven, playbook-based model for effective security monitoring. Automated threat intelligence enrichment of incidents, freeing up valuable analyst time, will be necessary as the industry faces up to the growing cyber skills gap.
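The two paragraphs above describe automated enrichment and playbook-driven handling as the answer to alarm fatigue. The following is an added example, not code from the original article or from any SOC product: a minimal playbook step that takes a constructed stream of raw detections, drops indicators already judged benign, attaches constructed threat-intelligence context and a priority, and collapses repeated firings of the same detection into a single case. The alert fields, indicator data, allow-list and the one-hour aggregation window are all assumptions made for the example.

```python
"""Added example: a playbook-style enrichment and aggregation step for SOC alerts.

Alerts, indicator context and suppression rules are all constructed here for
illustration; the field names are assumptions, not a particular SIEM's schema.
"""
from datetime import datetime, timedelta

# Constructed threat-intelligence context, keyed by indicator (documentation IPs).
INTEL = {
    "203.0.113.7": {"tag": "c2", "confidence": 90, "source": "internal-cti"},
    "198.51.100.23": {"tag": "scanner", "confidence": 60, "source": "community"},
}
# Constructed allow-list: indicators already triaged as benign (e.g. the internal scanner).
KNOWN_BENIGN = {"192.0.2.44"}

# Constructed raw alert stream; the same detection firing repeatedly is the normal case.
ALERTS = [
    {"ts": "2017-11-03T09:00:00", "host": "ws-114", "dst": "203.0.113.7", "rule": "beacon"},
    {"ts": "2017-11-03T09:05:00", "host": "ws-114", "dst": "203.0.113.7", "rule": "beacon"},
    {"ts": "2017-11-03T09:10:00", "host": "ws-114", "dst": "203.0.113.7", "rule": "beacon"},
    {"ts": "2017-11-03T09:12:00", "host": "srv-db-2", "dst": "198.51.100.23", "rule": "portscan"},
    {"ts": "2017-11-03T09:13:00", "host": "srv-web-1", "dst": "192.0.2.44", "rule": "portscan"},
    {"ts": "2017-11-03T09:14:00", "host": "srv-web-1", "dst": "192.0.2.44", "rule": "portscan"},
    {"ts": "2017-11-03T11:30:00", "host": "ws-114", "dst": "203.0.113.7", "rule": "beacon"},
]

WINDOW = timedelta(hours=1)   # assumption: same key within 1h belongs to one open case


def enrich(alert):
    """Attach CTI context and a priority to one alert; return None if it is suppressed."""
    ind = alert["dst"]
    if ind in KNOWN_BENIGN:
        return None
    ti = INTEL.get(ind)
    priority = "low"                     # no intelligence: leave it for the analyst queue
    if ti is not None:
        if ti["tag"] == "c2" and ti["confidence"] >= 80:
            priority = "high"
        elif ti["confidence"] >= 50:
            priority = "medium"
    return {**alert, "intel": ti, "priority": priority}


def aggregate(alerts, window=WINDOW):
    """Collapse enriched alerts into cases keyed by (host, indicator, rule).

    An alert joins the open case for its key if it arrives within `window` of
    that case's last alert; otherwise a new case is opened. Suppressed alerts
    never reach an analyst.
    """
    cases = []
    open_case = {}                       # key -> index into cases
    for raw in sorted(alerts, key=lambda a: a["ts"]):
        a = enrich(raw)
        if a is None:
            continue
        ts = datetime.fromisoformat(a["ts"])
        key = (a["host"], a["dst"], a["rule"])
        idx = open_case.get(key)
        if idx is not None and ts - cases[idx]["last"] <= window:
            cases[idx]["count"] += 1
            cases[idx]["last"] = ts
            continue
        cases.append({"key": key, "first": ts, "last": ts, "count": 1,
                      "priority": a["priority"], "intel": a["intel"]})
        open_case[key] = len(cases) - 1
    return cases


if __name__ == "__main__":
    for c in aggregate(ALERTS):
        host, ind, rule = c["key"]
        print(f'{c["priority"]:6} {host:10} {ind:15} {rule:9} x{c["count"]} '
              f'{c["first"]:%H:%M}-{c["last"]:%H:%M} {c["intel"]}')
```

Seven raw alerts become three cases: one high-priority beacon case with three firings, one medium-priority scanner contact, and a second beacon case opened because the 11:30 firing falls outside the window of the first. The two scanner alerts never reach the queue. Aggregating on a time window rather than simply deduplicating is deliberate: a beacon that goes quiet and returns two hours later is worth a fresh look.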
- Incident response metrics for the win
While a service-level agreement (SLA) will always be the measuring stick for any delivered service, organisations will increasingly adopt new metrics to measure incident response.
UK Government guidance describes the ability to react to cyber-attacks as follows: 'an effective response to an attack depends upon first being aware that an attack has happened or is taking place. A swift response is essential to stop the attack, and to respond and minimise the impact or damage caused'.
One incident response metric that will gradually be adopted for this is Mean Time to Respond (MTTR), tracked so that reductions can be demonstrated over time.
Incident response, and more importantly how fast organisations can respond to incidents, will become increasingly important with the looming General Data Protection Regulation (GDPR) and Network and Information Systems (NIS) legislation. Under GDPR a notifiable personal data breach must be reported to the Information Commissioner's Office (ICO) within 72 hours of the organisation becoming aware of it, so reducing MTTR will become critical and businesses must have a robust incident response plan.
Mean Time to Detect (MTTD), commonly called dwell time, describes the number of days an attacker is inside a network before being detected. A FireEye study across EMEIA organisations found the average to be 489 days. This adds weight to the view that the traditional SOC approach is not as effective as it could be. Attackers continually find innovative methods of attacking and exfiltrating data through network layers, and the security industry must continue to innovate to reduce overall dwell time.
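The metrics above only mean something once it is fixed which timestamps they are measured between. The following is an added example, not code from the original article or from the cited FireEye study: it computes dwell time (earliest evidence of compromise to detection), time to respond (detection to containment) and whether the 72-hour notification window was met, over three constructed incident records. The record fields, the choice of containment as the "responded" point, and measuring the 72 hours from the detection timestamp are assumptions made for the example.

```python
"""Added example: dwell time, time to respond and the 72-hour window from an incident log.

The incident records are constructed; field names and the definition of
"responded" (containment) are assumptions made for this example.
"""
from datetime import datetime, timedelta
from statistics import mean

# Constructed incident records. `compromised` is the earliest attacker activity
# established by the investigation; `detected` is when the SOC raised the
# incident; `contained` is when the attacker was cut off; `reportable` marks a
# personal-data breach subject to the 72-hour rule; `notified` is when the
# regulator was told (None if not yet notified).
INCIDENTS = [
    {"id": "INC-1", "compromised": "2017-01-10T08:00", "detected": "2017-04-20T14:00",
     "contained": "2017-04-22T09:00", "reportable": True, "notified": "2017-04-23T10:00"},
    {"id": "INC-2", "compromised": "2017-06-01T00:00", "detected": "2017-06-03T10:30",
     "contained": "2017-06-03T16:30", "reportable": False, "notified": None},
    {"id": "INC-3", "compromised": "2017-07-14T12:00", "detected": "2017-08-30T09:00",
     "contained": "2017-09-04T09:00", "reportable": True, "notified": "2017-09-06T09:00"},
]

NOTIFY_LIMIT = timedelta(hours=72)   # GDPR Article 33: 72h from becoming aware


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


def dwell_days(inc) -> float:
    """Dwell time: compromise to detection, in days (the page's MTTD input)."""
    return (_t(inc["detected"]) - _t(inc["compromised"])) / timedelta(days=1)


def respond_hours(inc) -> float:
    """Time to respond: detection to containment, in hours (the page's MTTR input)."""
    return (_t(inc["contained"]) - _t(inc["detected"])) / timedelta(hours=1)


def notification_late(inc) -> bool:
    """True if a reportable breach was notified more than 72h after detection.

    A reportable breach with no notification at all is treated as late, which
    is the conservative reading a compliance reviewer would take.
    """
    if not inc["reportable"]:
        return False
    if inc["notified"] is None:
        return True
    return _t(inc["notified"]) - _t(inc["detected"]) > NOTIFY_LIMIT


def summarise(incidents) -> dict:
    """Programme-level figures: the means the page talks about, plus the misses."""
    return {
        "mean_dwell_days": round(mean(dwell_days(i) for i in incidents), 1),
        "mean_respond_hours": round(mean(respond_hours(i) for i in incidents), 1),
        "late_notifications": [i["id"] for i in incidents if notification_late(i)],
    }


if __name__ == "__main__":
    for inc in INCIDENTS:
        print(f'{inc["id"]}: dwell {dwell_days(inc):6.1f} d, respond {respond_hours(inc):6.1f} h, '
              f'late notification: {notification_late(inc)}')
    print(summarise(INCIDENTS))
```

The third constructed incident is the instructive one: containment took five days and the regulator was told a week after detection, so it fails the 72-hour test even though its dwell time is far below the first incident's. Tracking the two numbers separately is the point: a long dwell time is a detection problem, a long respond time is a response-plan problem, and the 72-hour clock only cares about the second.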