By Greg Akers — Senior Vice President, Advanced Security Initiatives Group – Threat Response Intelligence and Development, Cisco
Major changes in technology, demographics, economic and geopolitical forces are creating an even more dynamic landscape for cybersecurity. Attackers are deploying highly customized malware, advanced persistent threats, large-scale Denial of Service attacks and many other tools to compromise organizations of all types. Facing these challenges, cyber defenders are tasked with developing new models for protecting their organizations from a variety of increasingly sophisticated threats.
Malicious cyber actors frequently follow a multi-step approach to successfully attack a target, including reconnaissance, packaging of the exploit, delivery, installation and control. This is also known as the “attack chain.” Each step has a distinct signature, if you know where to find it. With proper visibility into the extended network and robust intelligence, an attack can often be detected and stopped before causing significant damage.
Intelligence comes from a variety of sources, including native intelligence from within the organization, commercially available information and ongoing analysis of user behavior, which enables the rapid and successful detection of threats. By using the network to gain intelligence, cyber defenders will gain a better understanding of what their adversaries are doing, and how to circumvent it.
The only way to halt the progress of the attack chain and protect valuable resources is to employ a security approach that is advanced beyond the attackers’ abilities, and addresses the extended network. Since an attack can be broken down into stages, it is then pragmatic to think of a response to an attack in stages as well — before, during and after. This is a cycle that operates constantly for anyone in the security profession.
Let’s take a closer look at each of these stages:
Before: Security teams are diligently looking for areas where they may be compromised. Historically, security had been all about defense. Today, teams are setting up ways to more intelligently halt intruders by giving them total visibility into their environments — including, but not limited to physical and virtual hosts, operating systems, applications, services, protocols, users, content and network behavior. This knowledge can be used for defenders to take action before an attack has even begun.
During the attack, security teams need to understand what is happening, and how to stop it as quickly as possible to minimize impact. They need to be able to continuously address threats, not just at a point in time. Tools including content inspection, behavior anomaly detection, context awareness of users, devices, location information and applications are critical to understanding an attack, as it is occurring. Security teams have to discover where, what and how users are connected to applications and resources.
After an incident, teams have to understand the attack that occurred and how to mitigate the damage. Advanced forensics and assessment tools help security teams learn from attacks. Where did the attacker come from? How did they find a hole in the network? Could anything have been done to prevent the breach? More important, retrospective security allows for an infrastructure that can continuously gather and analyze data to create security intelligence. Compromises that would have gone undetected for weeks or months can be identified, scoped, contained and remediated.
It then follows that the most important element of any defensive strategy is intelligence and understanding. Cybersecurity teams are constantly trying to learn more about who their enemies are, why they are attacking, and how. This is where the extended network provides unexpected value — delivering a depth of intelligence that cannot be attained anywhere else in the computing environment. Much like in counter terrorism, intelligence is key to stopping attacks before they happen.
Similar to other areas of modern warfare, security in cyberspace is often an asymmetric situation. Relatively small adversaries with limited means can inflict disproportionate damage on larger adversaries. In these asymmetric environments, intelligence is one of the most important assets for addressing threats. But intelligence alone is of little benefit without an approach that optimizes the organizational and operational use of intelligence.
For example, with network analysis techniques that provide the ability to collect IP network traffic as it enters or exits an interface, security teams can correlate identity and context, and then add to that threat intelligence and analytics capabilities. This allows security teams to combine what they learn from multiple sources of information, including what they know from the Web, what they know that’s happening in the network, as well as a growing amount of collaborative intelligence, gleaned from exchange with public and private entities, to help identify and stop threats.
A successful and effective cybersecurity approach requires a framework that understands the overriding interest, opportunity and challenges that an organization faces and aligns its governance, operations and enterprise capabilities to match. In other words, it allows defenders to think like attackers and better protect their environments. This framework must be guided by the enterprise security team’s own threat intelligence practice which combines commercial threat information with native analysis of user behavior to detect, protect against, and remediate security incidents more quickly and effectively than ever before.