Stripping the Attacker Naked

How cyber threat intelligence can help you gain a better understanding of the enemy and why that gives security teams the upper hand.

Martin Dion, VP EMEA Services, Kudelski Security

April 6, 2018


When it comes to cyberattacks, nobody is immune. Some of the largest enterprises and most important government agencies have suffered intrusions in which sensitive corporate or client data, and even classified information, was stolen and put into the public domain.

Given that no organization can prevent every breach, everyone must be as prepared as possible to handle threats. Preparation means strengthening not only defenses but response processes too, and to accomplish this, it's essential to gain a better understanding of the enemy.

There are a few key areas that demand sustained focus in order to achieve these goals. First, security personnel must identify the "crown jewels": the vital data that needs protecting. Next, they must understand the profile and motivation of the attackers likely to go after it. After establishing this, the following steps are to identify who has legitimate access to those assets and, finally, to work out the potential attack vectors against those legitimate users and against the infrastructure that hosts the crown jewels themselves.

It's imperative to have a clear vision and understanding of the cyber terrain, the assets being protected, and the capabilities of the enemy. This lets us reinforce defenses where we can and respond properly where we can't. Ultimately, it's about establishing a process that feeds cyber threat intelligence into both the defense and the response apparatus.

For example, if a company is engaged in selling goods online, one of the crucial assets to protect is the financial information of product buyers. Of all the attackers out there, we can likely deduce that nation-states, corporate spies, and most "script kiddies" up for a challenge are not prime suspects. This leaves cybercriminals. Usually, our thinking stops there — but that's a mistake. What's needed is to push the reflection further and think about the attack itself.

Yes, cybercriminals might want to steal credit card numbers, but that is obvious, and so it's important to think a bit more like them to work out what else they might be after. Can they lock down part of a system with ransomware and stop the company from selling products? Can they extort the company by threatening large distributed denial-of-service attacks during peak trading? Does the organization sell products of a very personal nature, delivered in unmarked brown boxes, so that the mere disclosure of customer names would create problems?

Based on more specific attack scenarios, it becomes easier to align defensive measures, but this raises further questions. For instance, if a company only sells to US-based customers, could it block foreign connections using geolocation? Such a control cuts noise but is not a barrier on its own: attackers route through proxies and compromised hosts inside the target country, and legitimate customers travel. The exercise also opens questions about legal liabilities, due care, and diligence obligations, which could drive more specific processes on how to respond to different types of incidents.

Regarding cyber threat intelligence more specifically, understanding attackers allows very specific indicators of attack or of compromise to be extracted from the commercially available feeds. The focus can then be narrowed to the criminal adversaries known to target the business model, and to their modus operandi, instead of going very wide and generating a ton of false positives. From there, it becomes possible to study their techniques and ask whether our infrastructure has what it needs to stop them from using their tools and techniques.
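The narrowing step described above, as an added illustration that is not from the original article: indicators from a feed are filtered by the attributed adversary's motivation, its known target sectors, and the vendor's confidence score, and the filtered set is then matched against egress log lines. The feed entries, the online-retailer profile, and the log lines are all constructed for this example (documentation IP ranges and .example domains, not real indicators); the field names are assumptions, not any vendor's schema.

```python
"""Prioritise threat-intel indicators by adversary profile before matching logs.

Added example, not from the original article. All indicator values,
the organisation profile, and the log lines below are constructed.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Tuple


@dataclass(frozen=True)
class Indicator:
    value: str                      # IP address or domain name
    kind: str                       # "ip" or "domain"
    motivation: str                 # attributed adversary motivation
    target_sectors: FrozenSet[str]  # sectors the adversary is known to hit
    confidence: int                 # vendor confidence, 0-100


@dataclass(frozen=True)
class OrgProfile:
    sector: str                     # what the business does
    motivations: FrozenSet[str]     # adversary motivations that fit the crown jewels
    min_confidence: int             # discard low-confidence indicators


# Constructed feed: RFC 5737 documentation addresses and .example domains.
FEED: List[Indicator] = [
    Indicator("203.0.113.45", "ip", "financial", frozenset({"retail", "ecommerce"}), 85),
    Indicator("198.51.100.7", "ip", "espionage", frozenset({"defence", "government"}), 90),
    Indicator("bad-skimmer.example", "domain", "financial", frozenset({"ecommerce"}), 70),
    Indicator("192.0.2.200", "ip", "hacktivism", frozenset({"media"}), 40),
    Indicator("cdn-update.example", "domain", "financial", frozenset({"ecommerce", "retail"}), 30),
]

# An online retailer: cybercriminals after payment data are the prime suspects.
ONLINE_RETAILER = OrgProfile("ecommerce", frozenset({"financial"}), 60)

# Constructed egress log lines in a simple key=value format.
LOGS: List[str] = [
    "2018-04-06T10:00:01Z src=10.0.0.5 dst=203.0.113.45 host=checkout-cdn.example action=allow",
    "2018-04-06T10:00:02Z src=10.0.0.9 dst=198.51.100.7 host=mail.example action=allow",
    "2018-04-06T10:00:03Z src=10.0.0.5 dst=192.0.2.77 host=bad-skimmer.example action=allow",
    "2018-04-06T10:00:04Z src=10.0.0.3 dst=192.0.2.200 host=news.example action=allow",
    "2018-04-06T10:00:05Z src=10.0.0.8 dst=192.0.2.10 host=cdn-update.example action=allow",
]

LOG_RE = re.compile(r"dst=(?P<dst>\S+)\s+host=(?P<host>\S+)")


def relevant_indicators(feed: Iterable[Indicator], profile: OrgProfile) -> List[Indicator]:
    """Keep indicators attributed to adversaries that match the organisation's
    profile: right motivation, known to target this sector, confidence high enough."""
    return [
        i for i in feed
        if i.motivation in profile.motivations
        and profile.sector in i.target_sectors
        and i.confidence >= profile.min_confidence
    ]


def match_logs(lines: Iterable[str], indicators: Iterable[Indicator]) -> List[Tuple[str, Indicator]]:
    """Return (log line, indicator) pairs where the destination IP or host
    name appears in the indicator set."""
    by_value = {i.value: i for i in indicators}
    hits: List[Tuple[str, Indicator]] = []
    for line in lines:
        m = LOG_RE.search(line)
        if m is None:
            continue  # line does not carry the fields we match on
        for field in ("dst", "host"):
            ind = by_value.get(m.group(field))
            if ind is not None:
                hits.append((line, ind))
    return hits


def alert_counts(lines: Iterable[str], feed: List[Indicator], profile: OrgProfile) -> Tuple[int, int]:
    """Number of alerts when matching the whole feed versus only the
    profile-relevant subset. The difference is noise the team would
    otherwise have to triage."""
    lines = list(lines)
    broad = len(match_logs(lines, feed))
    narrow = len(match_logs(lines, relevant_indicators(feed, profile)))
    return broad, narrow


if __name__ == "__main__":
    print("relevant:", [i.value for i in relevant_indicators(FEED, ONLINE_RETAILER)])
    print("alerts broad/narrow:", alert_counts(LOGS, FEED, ONLINE_RETAILER))
```

On the constructed data the unfiltered feed fires on all five lines, while the profile-filtered set fires on two (the financially motivated IP and the skimmer domain). The indicators dropped are not necessarily benign; the point is that the ones retained map directly to the adversaries and assets identified earlier, which is where the response effort should go first. In practice, the profile filter is also where the geolocation and legal questions raised above get encoded, alongside sector and motivation.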

By using a more practical and specific approach, organizations can invest precious cybersecurity dollars in the things that matter most to the business model and its protection. By knowing the enemy inside out, and by staying one step ahead, control is regained. What adversaries consider their attack playground is effectively our arena, and as security professionals, we rule it. It is for us to step up and, when they trespass on our turf, leave them standing naked and defenseless.


About the Author(s)

Martin Dion

VP EMEA Services, Kudelski Security

Originally from Montreal, Martin has been navigating the tormented waters of cybersecurity for over 20 years. He was the founder and CTO of Above Security Canada, where he worked locally and in the Caribbean. Twelve years ago, he moved to Switzerland to launch SecureIT, serving EU and MEA Fortune 500 clients. When both organizations were acquired by Hitachi Security, he moved to MIG Bank as chief security officer. He is now vice president of EMEA delivery at Kudelski Security, which he joined five years ago.

Martin originally studied information system management (CA), followed by operational risk management (US) and criminology (UK), complemented by executive education at Harvard Business School and at the Center for Creative Leadership. He holds CISSP, CISM, ISO 27001 and OCEG certifications. He focuses on enterprise security strategy definition and cyber intelligence and, on top of certification classes, teaches innovation and business modelling at various Swiss universities.
