In a cyber security environment, hindsight is 20/20, especially after your network has been breached. However, these days foresight can often be almost as clear, as there are ways to see what’s happening in cyberspace outside the realm of your network. With threat intelligence, you can have advanced knowledge of impending and current threats targeted at your network, as well as those targeted at your staff or board members. Threat intelligence also gives you information on any indications that your organization may become a target of advanced persistent threats (APTs) and provides advice on the best ways to block those threats. In addition, threat intelligence can provide you with the motivation of the threat actors, so you can know what information the attackers are looking for; this enables you to either move the information off premises or to an area that’s superbly guarded.
Threat intelligence collects and analyzes information from around the world, and can reveal information that shows threat actors may be targeting your organization, as well as the date the attack is planned to launch and the reason why they’re attacking you. With threat intelligence, instead of waiting until the threat is inside your network, you can often know in advance what types of threats are headed your way, who in your organization is being targeted and where the attacks are coming from. Threat intelligence is like having the opposing team’s playbook; it gives you a sneak peek into how your opponent is going to strike so you can decide how best to defend yourself.
Many times attackers use grassroots marketing campaigns to attack companies. For example, an attacker might be mad at a retail chain for one of many reasons, whether it’s the wages it pays employees or that it’s moving stores into cities and towns where big chains are unwanted. This one actor can go to social media sites and underground hacking websites to enlist other people to join in on the attack. Together, an attack group can plan a specific type of attack on the store’s network, the types of threats they’re going to send and the date they plan to attack. With threat intelligence, cyber security specialists who consistently monitor the web for information on these types of actions can let the store know in advance what the attackers’ strategy is and what the store should do to block the attacks.
Attacks have become so complex that no matter how many anti-virus software products, firewalls, intrusion prevention systems/intrusion detection systems (IPSes/IDSes) and other threat detection devices you have, none alone or combined with thousands of others will be able to stop all attacks. At some point, your network will likely be penetrated because there’s no way you, your devices or any security team could block all malware. Ideally, if your network is being monitored 24x7, your security operations center will detect threat activity early in the kill chain and will guide you on how to disrupt the activity and stop the attack before the attackers have run off with your intellectual property. If your security team didn’t see the threat activity, threats could be lurking in your network.
Today’s attackers rapidly change the IP addresses from which their attacks are launched and create malware that’s polymorphic, meaning the code changes in a variety of ways: the filename can change, and so can the code itself. In one enterprise, the exact same malware could be on thousands of machines, but the malware you find on machine A will have a different name, hash value and size than it does on machine B. So you have to know the common indicators, such as the fact that all of the copies communicate with the same machine for command-and-control traffic. In one network alone, malware could be named STG.exe on one computer and SBX.exe on another. Attacks these days are stealthy and barely make a peep, so organizations usually have no idea their network has been breached. In Ponemon Institute’s “Post Breach Boom” report (published in February 2013), malicious breaches weren’t discovered for an average of 80 days.
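The point above, that renamed and recompiled copies of one malware family defeat hash matching but still share a command-and-control destination, is easy to see on a small set of endpoint records. The following is an added example, not code from the original article: it builds a constructed list of findings (made-up hostnames, file names, hashes and documentation-range IP addresses), shows that a known-hash lookup matches only one host, and then pivots from a single confirmed infection to every other host talking to the same C2 address.

```python
"""Correlate endpoint findings by shared command-and-control destination.

Added example, not code from the original article. All records below are
constructed sample telemetry: hostnames, file names, hashes, sizes and the
C2 addresses (RFC 5737 documentation ranges) are made up for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    filename: str
    sha256: str
    size: int
    c2_dest: str  # destination the suspicious process contacted, as "ip:port"


# Constructed telemetry. hostA..hostC carry the same family, renamed and
# recompiled per machine, so name, hash and size all differ, but the C2
# destination does not. hostD and hostE are unrelated processes.
FINDINGS = [
    Finding("hostA", "STG.exe", "a1" * 32, 48120, "203.0.113.10:443"),
    Finding("hostB", "SBX.exe", "b2" * 32, 49233, "203.0.113.10:443"),
    Finding("hostC", "svchost32.exe", "c3" * 32, 47010, "203.0.113.10:443"),
    Finding("hostD", "updater.exe", "d4" * 32, 120400, "198.51.100.7:80"),
    Finding("hostE", "notepad.exe", "e5" * 32, 201000, "192.0.2.50:443"),
]


def hosts_matching_hash(findings, known_hash):
    """Hash-based matching: finds only the copy whose hash you already know."""
    return sorted(f.host for f in findings if f.sha256 == known_hash)


def group_by_c2(findings):
    """Bucket findings by the destination they beacon to."""
    groups = defaultdict(list)
    for f in findings:
        groups[f.c2_dest].append(f)
    return dict(groups)


def pivot_from_seed(findings, seed_host):
    """Given one confirmed infected host, return every other host that
    contacts the same C2 destination, regardless of file name or hash."""
    seeds = [f for f in findings if f.host == seed_host]
    if not seeds:
        return []
    c2 = seeds[0].c2_dest
    return sorted(f.host for f in findings
                  if f.c2_dest == c2 and f.host != seed_host)


def shared_c2_destinations(findings, min_hosts=2):
    """Destinations contacted by at least min_hosts distinct hosts; a cheap
    first pass for spotting a common indicator without any known hash."""
    return sorted(dest for dest, fs in group_by_c2(findings).items()
                  if len({f.host for f in fs}) >= min_hosts)


if __name__ == "__main__":
    print("by hash:", hosts_matching_hash(FINDINGS, "a1" * 32))
    print("pivot from hostA:", pivot_from_seed(FINDINGS, "hostA"))
    print("shared C2:", shared_c2_destinations(FINDINGS))
```

Run directly, the script shows the hash lookup returning only hostA while the C2 pivot surfaces hostB and hostC as well; in practice the same grouping is run over proxy or NetFlow records rather than a hand-built list, and the destination is then checked against threat intelligence before hosts are scoped for response.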
Turn and Face the Strain
If your network has already been compromised, a threat intelligence team working in unison with an incident response (IR) team can help ensure the threats are totally removed. Often, an IR team believes it has removed a threat, but it has only removed the threat it has seen. Threat intelligence provides much more knowledge about threats and can guide an IR team to search for other threats that have been connected to those it has found in a network. The threat intelligence team has maps of data that connect threats to other data, such as additional threats the attackers may have hidden in a network, the places in a network where those threats are likely to be found and the communication patterns made to other compromised computers. This type of information helps the IR team scope out the network to find other signs of threat activity.
You will need an experienced IR team to analyze, contain and remove the threat. Often, companies will try this on their own and will only get part of the malware out, or will leave backdoors open, making it easy for the threat actors to re-enter. The mean number of days to resolve cyber attacks is 32 with an average cost of $32,469 per day, or a total cost of $1,035,769 over the 32-day remediation period, according to the Ponemon “2013 Cost of Cyber Crime Study: United States.” When companies employed certified/expert security personnel, they saved more than $2 million.
In addition to the cost of remediating a security incident and notifying customers, a security incident could cost you the opportunity to earn money, as your website may be shut down and staff may be pulled away from normal duties, causing a loss in sales and other revenue-driven opportunities. A security incident can damage your brand’s reputation, especially when customer data has been compromised. According to Ponemon’s 2013 “Post Breach Boom” study, in the case of non-malicious breaches, lost reputation, brand value and marketplace image were the most serious consequences.
You can’t change or be effective at that which you don’t know about. If you aren’t monitoring your network 24x7 and don’t know that a predator has entered it, you can’t do anything about it. If you wait to call in an IR team until you’re absolutely sure you’ve been breached, you could be putting your organization at risk. After one organization contacted us regarding a suspected incident, we discovered its network had been compromised a year earlier. It took us a total of 11 days to identify the root source and all the malware, contain the threat, close all the backdoors and complete all reports. That’s far less than the mean of 32 days it takes most companies that handle remediation on their own.
A full-service managed security service provider (MSSP) that partners with you every day can manage or co-manage as much or as little of your security as needed. Security should be managed in a holistic way, not spliced up into parts to be delivered at random. When you have one organization overseeing everything, you have a team that’s managing your security with you, making sure all the i’s are dotted and all the t’s are crossed, helping you with your entire security program, including compliance and consulting on cloud and mobility. No matter what fancy security devices an organization owns, they only work properly if they’re configured and deployed correctly and are consistently updated. Few organizations have the skills and resources necessary to do that.
An FBI agent for 20 years, Shawn Henry told The Wall Street Journal that FBI agents are increasingly coming across data stolen from companies whose executives had no idea their systems had been accessed. In cases handled by one computer security firm, where intrusions were traced back to China, 94 percent of the targeted companies didn’t realize they had been breached until someone else told them. Forrester says more chief information security officers (CISOs) are realizing they will need to outsource at least portions of their security program to providers to meet business demands. An MSSP can work with you every step of the way, so that when board members ask about your security status, you can assure them that security is being taken care of around the clock by people who can see clearly far across the horizon of your own network.