Technology, demographics, economic and geopolitical forces are constantly shifting, creating a fluid cybersecurity environment. Cyber criminals are designing and implementing tailored malware, advanced persistent threats, massive Distributed Denial of Service (DDoS) attacks and an endless variety of other techniques to disrupt organizations of all types, across all industries. Faced with these challenges, security teams are developing new approaches to safeguard their organizations from a variety of increasingly sophisticated attackers.
In most attack scenarios, cyber criminals follow a standardized approach to infiltrate a target, including research, preparation, deployment and control. This is also known as the “attack chain.” Each step has a distinct signature, if you know where to find it. With enough visibility into the extended network and robust intelligence, an attack can often be detected and stopped before it inflicts much damage. Intelligence comes from a variety of sources, including native intelligence from within the organization, commercially available information and ongoing analysis of user behavior. This combined intelligence enables the most effective detection of threats. Using the network to gather intelligence allows cyber defenders to gain a better understanding of what their adversaries are doing, and how to prevent it.
The most efficient way to limit the attack chain and protect valuable resources is to employ a security approach that is more sophisticated than the attackers’ abilities, and addresses the extended network environment. Since an attack can be broken down into stages, it is then essential to think of a response to an attack in stages as well – before, during and after. This cycle operates non-stop for anyone in the security profession.
Let’s take a deeper dive into each stage:
Before: Security teams are continuously scanning for areas where they may be vulnerable to infiltration. Classically, security has been all about defense. Today, teams are setting up ways to more intelligently halt intruders with total visibility into their environments – including, but not limited to, protocols, users, content, physical and virtual hosts, operating systems, applications, services and network behavior. This knowledge can be used by defenders to take action before an attack has even begun.
During an attack, it is critical to understand what is occurring, and how to stop it as rapidly as possible. Security teams need to be able to continuously address threats. Tools including content inspection, behavior anomaly detection, context awareness of users, devices, location information and applications are critical to understanding an attack as it is unfolding. Security teams have to discover where, what and how users are connected to applications and resources.
After an attack or breach, security teams need to quickly understand the attack that occurred as well as how to analyze and mitigate the damage. Advanced forensics tools help defenders learn from attacks. Could anything have been done to prevent the breach? Where did the attacker come from? How did they find a hole in the network? Additionally, this type of retrospective security allows for an infrastructure that gathers and analyzes data to create security intelligence on an ongoing basis. Breaches that may have gone undetected for weeks or even months can be identified, contained and remediated much more quickly.
It logically follows that the most essential element of any defensive strategy is intelligence and understanding. Cybersecurity teams are constantly trying to learn more about who their enemies are, why they are attacking, and how. This is where the extended network provides unrivaled value with a depth of intelligence that cannot be attained anywhere else in the IT environment. Much like in counter terrorism, intelligence is central to stopping attacks.
Similar to other areas of modern warfare, security in cyberspace is often an asymmetric situation. Smaller, faster adversaries with limited means can inflict disproportionate damage on massive adversaries. In these asymmetric environments, intelligence is one of the most important assets for addressing threats. However, intelligence alone is of little benefit without an approach that optimizes the organizational and operational use of that intelligence.
Network analysis techniques provide the ability to collect IP network traffic as it enters or exits an interface, allowing security teams to correlate identity and context, and then layer threat intelligence and analytics capabilities on top. This allows security teams to combine what they learn from multiple sources of information, including the web and the network, as well as an ever-expanding amount of collaborative intelligence gathered through exchange with public and private entities, to help identify and stop threats.
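As an added illustration of the correlation step described above (example code, not from the original article), the following snippet joins constructed egress flow records with an identity map and a threat-intelligence indicator list, then summarizes egress volume per user. All addresses, user names and indicators are constructed sample values.

```python
"""Added example: enrich constructed flow records with identity and threat intel."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample data (assumptions for the example, not real infrastructure).
IDENTITY_BY_IP = {"10.0.5.12": "alice", "10.0.5.40": "build-server"}
INTEL_INDICATORS = {"203.0.113.7": "indicator from constructed intel feed"}
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

# Constructed flow records, one per line: src,dst,dst_port,bytes_out
SAMPLE_FLOWS = """\
10.0.5.12,203.0.113.7,443,1480
10.0.5.40,198.51.100.9,443,512
10.0.5.12,10.0.9.3,445,2048
"""


@dataclass
class Finding:
    user: str
    src: str
    dst: str
    port: int
    reason: str


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def correlate(flows_text: str) -> list:
    """Return a Finding for each egress flow whose destination is in the intel list."""
    findings = []
    for line in flows_text.strip().splitlines():
        src, dst, port, _nbytes = line.split(",")
        if is_internal(dst):
            continue  # internal-to-internal traffic is out of scope for this check
        if dst in INTEL_INDICATORS:
            user = IDENTITY_BY_IP.get(src, "unknown")  # identity context
            findings.append(Finding(user, src, dst, int(port), INTEL_INDICATORS[dst]))
    return findings


def egress_bytes_by_user(flows_text: str) -> dict:
    """Aggregate outbound bytes per identity as a baseline for behavior analysis."""
    totals: dict = {}
    for line in flows_text.strip().splitlines():
        src, dst, _port, nbytes = line.split(",")
        if is_internal(dst):
            continue
        user = IDENTITY_BY_IP.get(src, "unknown")
        totals[user] = totals.get(user, 0) + int(nbytes)
    return totals
```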
The most effective cybersecurity approach requires a framework that incorporates the central interests, opportunities, and challenges that an organization faces and aligns its governance, operations and enterprise capabilities to match. In other words, it allows defenders to think like attackers and better protect their environments. This framework must be guided by the enterprise security team’s own threat intelligence practice, which combines commercial threat information with native analysis of user behavior to detect, protect against, and remediate security incidents as quickly and effectively as possible.