Cybersecurity is changing
Cyber incidents are like home burglaries: We need to understand how someone got in, where they went, what they did, and how they left and whether they can come back. This understanding will allow us to reframe discussions and focus on the proper response. I feel a shift in the way we talk about cybersecurity threats. We have the opportunity to learn from the breaches of Equifax and Target, as well as the recent revelations about the SUNBURST supply chain and Microsoft Exchange Server Hafnium attacks.
The historical focus has been on defensive technologies that prevent an attack from reaching the network. Then email phishing and ransomware came along. The threats seem to multiply at an alarming rate, but our response has not kept up. This could finally be changing.
As we learn more about these attacks, we also learn more about the tactics, techniques, and procedures (TTPs) that bad actors use to penetrate systems. As I’ve written before, the hacker community does an excellent job of sharing information about which TTPs are effective and which ones aren’t. They also reveal which attack vectors are still available and which vulnerabilities have been closed by the intended victims. The sharing of successful attack TTPs is a key factor in the explosion in attacks, whether by nation states or organized criminal entities. Fortunately, ISACs, ISAOs, and other organizations have made progress in countering this by sharing information for good.
Reframing the discussion to focus on response
Security is still a very defensive topic. One framing that I like to use is to assume that we will be attacked and likely breached. This does not necessarily mean data will be stolen or exposed to the public, but it is important to approach cybersecurity discussions from the perspective that a breach is highly likely. Only then can we shift the conversation to be more focused on detection and response, and not just defensive prevention. However, this does not mean that defensive preventive measures are not important. These are crucial, but realistically they are not enough on their own.
If a nation state or an organized crime syndicate targets your company, which they most likely will, they will win the initial battle and gain entry. To protect your business and electronic assets, you need the right resources.
Cyber incidents are a lot like a home break-in. How did the criminal gain entry? They may have broken a window or picked a lock. Where did they go once they got in? Did they go to the dining area, or did they go into every bedroom and the basement? What were they doing in each room? Did they just look around, or did they open drawers and cabinets to see what they could find? Did they take anything (one of our most important questions)? Most importantly, are they still there? If they are still around, where are they? Are they still in the dining room, or have they moved around the house (or laterally across your network)? How did they leave? Did they leave the same way they came in, or did they create another entry point as they left? And did they clone the keys so that they could re-enter whenever it was convenient for them?
Although it may seem simple in concept, I don’t believe we as an industry have ever thought about cybersecurity in such a specific way. It is important to know when someone knocks on your door trying to gain access to your networks. However, it is equally important to understand how they entered your network and what they did while they were there.
We need to be better cyber detectives
As more information about successful attacks comes to light, we learn more about them: whether data was altered or exfiltrated, how long the attackers were in the system, and many other details. This information, which was previously the domain of forensic investigators brought in after an attack has been confirmed, should be part of our routine cybersecurity discourse.
Only by having a reliable way of tracking and detecting unauthorized activity on our networks can we shift the balance in favor of the organizations being targeted. This is a change I can see coming. The question is when.
A Biden Administration Executive Order on cybersecurity will be released in the near future. This should be the U.S. government’s most comprehensive cybersecurity policy statement. Many observers believe this will be a step in the right direction.