When Attacks Surge, Turn to Data to Strengthen Detection and Response
News of cyber criminals and nation-state actors capitalizing on events, planned or unplanned, for financial gain or to wreak havoc has dominated the headlines over the past few years: from COVID to elections to devastating weather events, and now the tragic conflict in Ukraine. We’ve seen threat actors launch ransomware, supply chain attacks and other sophisticated tactics to compromise organizations and the services they deliver. But the human spirit is strong. We are wired to persevere, so time and again we rise to difficult situations.
When it comes to cyber threats, the security industry has two important mechanisms in place to help organizations understand the motivations of attackers and their tactics, techniques, and procedures (TTPs) so they can strengthen detection and response: intelligence sources and information sharing. Let’s look at how to get the most value from each.
Intelligence sources – When attacks happen, there’s an immediate uptick in threat information often available for free and open to the public from disparate sources, including commercial threat intelligence providers, governments, your existing security vendors, open-source feeds and frameworks like MITRE ATT&CK. With the current situation in Ukraine, which brings an added dimension of cyberwarfare, the U.S. federal government has issued an unprecedented series of alerts and plans with technical details and mitigation recommendations. Valuable information and preventative measures are also available from hundreds of news outlets, research blogs, commercial reports and GitHub repositories. Between the variety of sources and formats of intelligence, how do you make it all usable within your infrastructure?
A security operations platform that includes out-of-the-box connectors makes importing this information easy. However, many of the sources have no ready-made connectors to allow them to plug into existing security infrastructure. Enter both unstructured data parsers and custom connectors. The platform needs to be able to ingest, normalize and correlate unstructured data from reports or other sources. In addition, the platform needs the capability to create custom connectors that can be written and deployed within hours to allow you to ingest data from additional threat data sources as they become available. When you augment and enrich event data aggregated from your internal data sources—including your SIEM system, log management repository, case management system and security infrastructure—with this external data, you can start to see the big picture, assess your security posture and mitigate risk.
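To make the ingest, normalize and correlate step concrete, here is an added example (not code from the original article or from any particular security operations platform). It takes a short, constructed excerpt of an unstructured advisory, refangs and normalizes the indicators it contains (IPv4 addresses, SHA-256 hashes, domains), and then matches those indicators against a few constructed key=value log lines of the kind a SIEM or log manager would export. The report text, the log lines and the regular expressions are all assumptions chosen for illustration; a production parser would cover more indicator types and defanging conventions.

```python
from __future__ import annotations
import re
import ipaddress
from dataclasses import dataclass

# --- Constructed sample input (not a real advisory, not real logs) ----------------
# An excerpt in the style of an unstructured report: defanged IP/URL and a file hash.
REPORT_TEXT = """
Observed infrastructure includes 203.0.113[.]45 and hxxp://malicious-example[.]test/update.
The loader drops a file with SHA-256 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08.
Analysts also noted beaconing to 198.51.100.7 over TCP/443.
"""

# Internal event data in key=value form, as a SIEM or log management system might export it.
LOG_LINES = [
    "2024-03-01T10:00:01Z proxy src=10.0.0.5 dst=203.0.113.45 host=malicious-example.test url=/update action=allow",
    "2024-03-01T10:00:02Z proxy src=10.0.0.6 dst=192.0.2.10 host=example.org url=/ action=allow",
    "2024-03-01T10:05:00Z fw src=10.0.0.7 dst=198.51.100.7 dport=443 action=allow",
    "2024-03-01T10:06:00Z edr host=WS-12 file_sha256=9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08 action=created",
]

# Simplified patterns; all matching is done on lower-cased, refanged text.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")
TOKEN_RE = re.compile(r"[a-z0-9._-]+")


def refang(text: str) -> str:
    """Undo the common 'defanging' conventions used in published reports."""
    text = text.replace("[.]", ".").replace("(.)", ".").replace("{.}", ".")
    return re.sub(r"\bhxxp(s?)://", r"http\1://", text, flags=re.IGNORECASE)


def extract_indicators(report: str) -> dict[str, set[str]]:
    """Pull IPv4 addresses, SHA-256 hashes and domains out of free text and
    normalize them (refanged, lower-cased, IPs validated) so they can be
    compared directly with tokens from internal event data."""
    text = refang(report).lower()
    ips: set[str] = set()
    for candidate in IPV4_RE.findall(text):
        try:
            ipaddress.IPv4Address(candidate)  # rejects noise such as 999.1.2.3
        except ValueError:
            continue
        ips.add(candidate)
    return {
        "ipv4": ips,
        "sha256": set(SHA256_RE.findall(text)),
        "domain": set(DOMAIN_RE.findall(text)),
    }


@dataclass(frozen=True)
class Hit:
    line_no: int   # index into the list of log lines
    kind: str      # indicator type: ipv4, sha256 or domain
    value: str     # the normalized indicator that matched


def match_logs(indicators: dict[str, set[str]], lines: list[str]) -> list[Hit]:
    """Tokenize each log line the same way the indicators were normalized and
    report every token that equals a known indicator, in line/token order."""
    hits: list[Hit] = []
    for line_no, line in enumerate(lines):
        for token in TOKEN_RE.findall(line.lower()):
            for kind, values in indicators.items():
                if token in values:
                    hits.append(Hit(line_no, kind, token))
    return hits


def triage(report: str, lines: list[str]) -> list[Hit]:
    """End-to-end: unstructured report in, correlated hits against event data out."""
    return match_logs(extract_indicators(report), lines)


if __name__ == "__main__":
    for hit in triage(REPORT_TEXT, LOG_LINES):
        print(f"line {hit.line_no}: {hit.kind} {hit.value}")
```

The design point is that normalization happens once, on the intelligence side, and the same tokenization is applied to the event side, so a case difference or a defanged bracket in the report never hides a match. Running the block on the constructed data flags three of the four log lines (the proxy line on both its destination IP and its hostname, the firewall line on the beacon address, and the EDR line on the file hash) and leaves the benign proxy line untouched.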
Information sharing – Thus far we’ve focused on data coming in, but we all know there is strength in numbers, so sharing data out is equally important. Information Sharing and Analysis Centers (ISACs), initiatives from the U.S. federal government, and platforms that enable internal sharing across an organization’s previously siloed tools and teams, all help to make sharing more efficient and effective.
Most organizations are members of an ISAC focused on threats to their sector. ISACs provide the culture, technology and processes by which organizations can share information with other organizations. And they continually work to provide contextual threat information by creating a community that helps individuals and their organizations grow in maturity and capability. Historically, member organizations are happy to receive intelligence, but can be hesitant to share specific, actionable information due to their own internal legal restrictions. ISACs can only work as intended if there is a give and take between all members. Information can be genericized enough so as not to disclose personally identifiable information or corporate proprietary information, but still help others to protect themselves and look in their own networks to see if they have also been targeted and missed the threat.
The U.S. federal government has also heightened its focus on information sharing. The first requirement outlined in the May 12, 2021 Executive Order involves removing barriers to sharing threat information. Since then, under the leadership of Jen Easterly, the Cybersecurity and Infrastructure Security Agency (CISA) has launched several supporting initiatives. Among the most recent is Shields Up, designed to foster reporting of cyber activity and incidents so that CISA can use that information to help prevent other organizations and entities from falling victim to a similar attack.
There’s also room for improvement in sharing information between the teams and organizations that make up your entire enterprise to achieve enterprise-wide risk management. Typically, organizations have one central team responsible for collecting, analyzing and prioritizing internal and external threat and event data to provide relevant threat intelligence. Sharing across the organization requires a platform that facilitates curating all this intelligence so that it is relevant to different teams and locations, and also makes data easy to access and use as part of existing workflows. Support for bi-directional communication allows the central team to collect feedback on the disseminated intelligence for learning and improvement.
As threat actors continue to evolve their TTPs to take advantage of crises and outbreaks, the intelligence sources and information sharing mechanisms available to help will become even more important. Security professionals can rise to the occasion by ensuring their security operations are data-driven, so they can get the most value from each.