top of page
Search
Writer's pictureShadowscape
Mar 10, 2020

KNOW THYSELF// KNOW THY ENEMY

Updated: Mar 25, 2020

James McCarter | March 10, 2020

Table of Contents

  • I. Introduction.

  • II. What is Intelligence-Driven Security?

  • III. Why does this keep happening?

  • IV. How do we get to success?

  • V. Intelligence-Driven Security Services

  • VI. Threat Intelligence Meets Risk Management

  • VII. Risk Driven Gap Analysis with the ATT&CK Navigator

  • VIII. Conclusion


“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” ― Sun Tzu, The Art of War


I. Introduction

Recent projections have estimated the annual cost of cybercrime to cost between $4 and $6 trillion by 2021. (1) Ginni Rometty, IBM Corp.’s Chairman, President and CEO asserts that “cybercrime may be the greatest threat to every company in the world.” (3)It’s safe to say at this point that the problem is neither subsiding nor can it simply be considered a technical issue. Malicious hackers are now attacking computers and networks at a rate of one attack every 39 seconds… and they’re getting smarter. “Fileless attacks were used in 77% of successful compromises in 2018 because they’re increasingly effective at evading detection; as a consequence, the trend is bound to increase”, “In 2018, polymorphic malware accounted for 94% of all malicious executables”(4). The bottom line is that the risks that cyber threats pose affect the entire enterprise, not just the IT dept.


The stats go on and on. Right now, there is a better chance than ever that there is/are malicious hacker(s) plotting to do damage to your organization. This is a conflict like any other, with human beings that have a clear motive. The computer is just their toolbox. We need to focus on aggregating what we know from their methods, behaviors and errors in their own OPSEC (operational security) and use that information to our advantage. It is incumbent upon organizations to put real stock in assessing the threats and their risks of intrusion, perpetrated by these malicious actors. The allocation of resources to network defenses can no longer be considered an afterthought. Organizations must ensure that cyber threats are closely monitored and assessed in order to minimize the impact of these events. It’s crucial that mitigation of these risks take place in a prioritized manner, commensurate with the most pressing threats, as part of budgeted operating costs. This paper aims to give a brief overview of how to accomplish that.


II. What is Intelligence-Driven Security?

Threat Intelligence was supposed to be the great panacea that would finally allow network defenders to stay ahead of cyber adversaries. It quickly became apparent that what the industry deemed “intelligence” was largely stale data, and not worthy of being dubbed intelligence at all. More data is not what was needed, what was needed was more analysis. Intelligence is just that, a product of structured analysis, which should provide a timely, contextual and perhaps most importantly, actionable product. Such analysis provides more thoughtful consideration of the human adversary and their methods. But having “actionable” intelligence is only half of the proverbial coin.


Within the industry, we are hearing more and more about proactive defenses and “actionable” threat intelligence. But it’s imperative that organizations empower their security program to make the changes dictated by their intelligence. The evolution of the ever-increasing, advanced cyber threat dictates that while the threat adapts, so must our defensive measures. While the concepts of threat intelligence and proactive defenses are becoming industry wide “buzz” words, it’s important to realize that the implementation of threat-based defense requires a commitment to change our Techniques, Tactics and Procedures (TTPs) on a foundational level if necessary. Intelligence-driven security services (IDSS) ensure that we are keeping the latest adversary methodology and behaviors at the forefront of our cybersecurity plans, constantly operating and providing intel in concert with an adaptive threat and ensuring we are also adapting accordingly.


One of the major issues with today’s cyber intelligence is that it is less focused on the strategic mission. This is in large part because of how we posture our security infrastructure. We tend to want to implement and then, despite what the intelligence is telling us, stamp it with a “done” sticker and call it a day. We need to focus on actioning the intelligence, allowing for the guidelines and recommendations to actually have enough power and teeth to implement necessary changes. That is the entire basis behind “Intelligence-Driven Security Services”. Building in the processes to ensure that the intelligence can both inform the overall mission, but also allow it to actually correct course when necessary, within your organization, if dictated by the intelligence. If your organization has no plans or processes to put into action what the intel recommends, then what’s the point of having the intelligence at all.


This needs to be the era of the next phase of “Threat Intelligence”, in which we stop focusing on stale threat data in tactical settings and begin to focus on applying the behaviors and TTPs (Tactics, Techniques and Procedures) of the adversary to the strategic mission of our organizations. That means using the knowledge of the adversary’s methods to directly inform how to best posture our network defense strategy and then… doing it. Doing so will allow us to stay ahead the digital threat horizon to the TTPs that are emerging amongst the threat environment. Proactive countermeasures, informed directly by strategic level threat intelligence, are the key to facing the emerging threats that have already begun to develop.


III. Why does this keep happening?

By taking an introspective look at why we keep running into many of the same types of events, despite organizations as a whole taking cybersecurity more seriously, patterns begin to emerge....

 

To read the entire report, fill out the form below and receive a free PDF download!


Comments

bottom of page