The Next Battleground: Cyber Security in the Private Sector
by Robert Stasio
April 11, 2018
Imagine this scenario: an expansive tactical operation center with large screen displays about enemy position and disposition. Young men and women buzz about making decisions and using analytical techniques to discover threats. Suddenly, an analyst discovers critical intelligence about the adversary; this causes the center’s director to make a decision and move a reconnaissance asset. The enemy’s attack is blocked and the offensive capability is neutered. Could this be a description of a well-coordinated, intelligence-led military operation? Perhaps, but this is actually a description of a modern cyber security center, something becoming more and more common in the private sector.
In the past several years cyber threats have become so dangerous that private sector companies have actually taken a “war-fighting” approach to combating the threat. There has been a realization that the best way to manage threat is to maintain a constant operational environment, much like the military fights and wins conflicts.
This new security paradigm has led to private companies adopting the people, process, and technology from the military intelligence community in order to achieve success.
In order to understand why companies are making a shift from static security to more dynamic and military-like operations, we must first examine the changing cyber threat. Typically when experts discuss the breakdown of cyber threats, the 80/20 principle is brought up – meaning 80% of cyber actors are generally less sophisticated and the top 20% are so advanced that given enough time and resources they will break onto any network. Most companies have previously placed a vast amount of effort and resources on static security or “building a bigger firewall” - expanding the virtual moats and perimeter defenses that surround networks. Hackers in the top 20% will always follow the path of least resistance. A company can spend millions of dollars on perimeter security and be penetrated by a $300 laptop and one socially engineered phone call. Also, the vast amount of security architecture does little to detect an insider threat. In no other field is the asymmetric threat so profound.
Historically, the top 20% of actors were mainly the concern of the defense and intelligence community. Now, the emergence of commoditized malware kits has spread advanced techniques to a larger audience. For example, in 2006 the emergence of the “Web Attacker” exploit kit brought a packaged suite of tools that any user could operate.
In this new paradigm we understand three truths: you can’t prevent all attacks, your network will be compromised, and 100% security doesn’t exist. Most security practitioners understand that good hygiene and perimeter security will mitigate the bottom 80% of attackers.
What about the top 20% of attackers? How can we hope to mitigate their impact? This is the domain of the modern military-like approach. Most military environments focus on two functional pillars: operations and intelligence. Over the past decade or so there has been a surge in the creation of the Security Operation Center (SOC), a place where companies can have a real-time view of their cyber posture. This concept is very similar to the military’s Tactical Operation Center (TOC), where adversary and friendly movement are tracked in great detail. In a similar manner, cyber threats are tracked on dashboards, managed through sophisticated alerts, and precise actions can be taken to stop a threat as soon as it is noticed. Not surprisingly, many companies tend to recruit former military personnel to lead and operate an SOC due to their unique experience in such an environment.
The intelligence function of cyber operations has become one of the hottest trends in the industry today. In the military, intelligence functions are inherently predictive and seek to understand what the adversary will do before they do it. Some organizations materialize intelligence concepts by building threat intelligence programs, or perhaps threat hunting programs. A common thread across these practices is the concept of data analysis to make decisions; hence the field is sometimes known as Cyber Threat Analysis. The cyber threat analysis discipline blends aspects of intelligence analysis, information security and forensic science. Cyber analysts rely heavily on network traffic and system logs, but they must also consider external and human-generated sources of information. By using cyber threat analysis, one can detect infiltrations faster, regardless of their source. Pairing advanced platforms with a human is the most effective way to detect an infiltration.
Cyber analysts excel in finding unique patterns among massive datasets. Consider the four phases of a hacker’s attack: reconnaissance, scanning, exploitation and persistence. If an organization consolidates system logs and network traffic, analysts can sift through the data at each phase. Analysts can link associated events among multiple sources and replay how an attack occurred. Tracing patterns over time, analysts can determine the signature of a scan and assign it to specific actors. This will help them predict when an attack will occur. Traffic from backdoor beaconing can be found quickly and blocked at the gateway. The source of the data will be irrelevant; analysts can just as easily identify traffic from an insider threat as they can from Internet-based attacks.
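To make the two phase-specific patterns in the paragraph above concrete, here is an added example (not code from the article or its author) that runs two simple detectors over a consolidated connection log: a scanning heuristic that flags a source touching many distinct ports on one destination inside a short window, and a persistence heuristic that flags backdoor beaconing as a source/destination/port flow whose inter-connection intervals are nearly constant. The log format, thresholds, IP addresses and every line of the sample log are constructed for the example; a real deployment would read the same fields from firewall or NetFlow exports.

```python
"""Phase-aware triage of a consolidated connection log (added example).

Assumed log format (constructed, not from the article):
    TIMESTAMP src=IP dst=IP dport=PORT      with an ISO-8601 timestamp.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+)$")


def parse_log(lines):
    """Parse log lines into sorted (timestamp, src, dst, dport) tuples; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), int(m.group(4))))
    return sorted(events)


def find_scans(events, min_ports=10, window_s=60):
    """Scanning phase: (src, dst) pairs touching >= min_ports distinct ports within window_s seconds.

    Returns {(src, dst): widest distinct-port count seen in any window}.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port in events:
        by_pair[(src, dst)].append((ts, port))
    hits = {}
    for pair, items in by_pair.items():
        items.sort()
        start, widest = 0, 0
        for end in range(len(items)):
            # Slide the window start forward until it spans at most window_s seconds.
            while (items[end][0] - items[start][0]).total_seconds() > window_s:
                start += 1
            widest = max(widest, len({p for _, p in items[start:end + 1]}))
        if widest >= min_ports:
            hits[pair] = widest
    return hits


def find_beacons(events, min_connections=6, max_jitter=0.15):
    """Persistence phase: (src, dst, dport) flows whose connection intervals are regular.

    Jitter is the coefficient of variation of the gaps (0.0 means perfectly periodic).
    Returns {(src, dst, dport): mean interval in seconds}.
    """
    by_flow = defaultdict(list)
    for ts, src, dst, port in events:
        by_flow[(src, dst, port)].append(ts)
    hits = {}
    for flow, stamps in by_flow.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits[flow] = round(avg, 1)
    return hits


# Constructed sample log: one beacon, one noisy benign flow, one port sweep, one malformed line.
SAMPLE_LOG = [
    # Periodic outbound flow: 8 connections about every 300 s, +/- 15 s of jitter.
    "2018-04-11T10:00:00 src=10.0.0.5 dst=203.0.113.7 dport=443",
    "2018-04-11T10:05:05 src=10.0.0.5 dst=203.0.113.7 dport=443",
    "2018-04-11T10:10:00 src=10.0.0.5 dst=203.0.113.7 dport=443",
    "2018-04-11T10:15:10 src=10.0.0.5 dst=203.0.113.7 dport=443",
    "2018-04-11T10:19:55 src=10.0.0.5 dst=203.0.113.7 dport=443",
    "2018-04-11T10:25:00 src=10.0.0.5 dst=203.0.113.7 dport=443",
    "2018-04-11T10:30:05 src=10.0.0.5 dst=203.0.113.7 dport=443",
    "2018-04-11T10:35:00 src=10.0.0.5 dst=203.0.113.7 dport=443",
    # Human-driven browsing to an internal server: irregular gaps, should not be flagged.
    "2018-04-11T10:00:00 src=10.0.0.6 dst=10.0.0.50 dport=443",
    "2018-04-11T10:00:30 src=10.0.0.6 dst=10.0.0.50 dport=443",
    "2018-04-11T10:07:00 src=10.0.0.6 dst=10.0.0.50 dport=443",
    "2018-04-11T10:07:05 src=10.0.0.6 dst=10.0.0.50 dport=443",
    "2018-04-11T10:20:00 src=10.0.0.6 dst=10.0.0.50 dport=443",
    "2018-04-11T10:40:00 src=10.0.0.6 dst=10.0.0.50 dport=443",
    "2018-04-11T10:41:00 src=10.0.0.6 dst=10.0.0.50 dport=443",
    "this line is deliberately malformed and will be skipped",
]
SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445, 993, 3389, 8080]
# One external source probing 15 distinct ports on one host, one per second.
SAMPLE_LOG += [f"2018-04-11T10:12:{i:02d} src=198.51.100.9 dst=10.0.0.20 dport={p}"
               for i, p in enumerate(SCAN_PORTS)]


def triage(lines):
    """Run both detectors over raw log lines and return their findings side by side."""
    events = parse_log(lines)
    return {"scans": find_scans(events), "beacons": find_beacons(events)}


if __name__ == "__main__":
    for phase, findings in triage(SAMPLE_LOG).items():
        print(phase, findings)
```

The beacon detector deliberately keys on regularity rather than on destination reputation, which is what lets the same logic catch an insider's periodic exfiltration channel and an Internet-based implant alike; tuning `max_jitter` upward trades a few more false positives for catching implants that randomize their sleep interval.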
Consider the operation center scenario described above: perhaps with a holistic intelligence analysis and information sharing approach, an analyst would have been able to identify the initial pattern and prevent a second similar attack. One can see how intelligence must be tightly linked with operations to be effective. Overall security operations are divided temporally into tactical, operational, and strategic phases. In each phase of operation, analysts may produce data and intelligence, which inform decisions. There are a wide variety of use cases in which cyber threat analysis enhances SOC operations.
Like many industries, cyber security moves in waves. There will be a surge of hype in a new technique and technology that organizations will implement over some years. Markets where first adopters emerge are often the same; for example, the financial sector tends to be a leader in implementing new technology. In the case of cyber security, the military and intelligence community has emerged as a leader. The main reason for this is that these secret communities have needed to protect their most sensitive information from advanced hackers for many years. This has forged a critical training pipeline of personnel to operate cyber centers against the onslaught of advanced malware.
The long process of training personnel in operations and intelligence has led to a surge in recruiting of former government employees into the private sector.
The human analyst is the crucial component to the cyber analysis process, but they also require some tooling. Just as there has been a movement of people from government to private sector in the cyber profession, there has also been an influx of the same intelligence platforms. In order to maximize an analyst’s capability and multiply their work capacity, a mature security organization must use a data analysis tool to enrich, produce, visualize, and analyze information. Private companies have started to incorporate link analysis and data analytics tools once only seen in intelligence agencies. It turns out that when the people started transitioning roles they needed the same tooling to do their work.
In order to attack the full cyber threat spectrum an organization must embrace both information security and the natural evolution of cyber analysis. Information security creates a foundation of security with a framework and builds upon that with some specialization and technology. Eventually, the security process evolves into cyber analysis with long-term research and ecosystem visibility concerning malicious actors. Many private organizations are creating this approach by studying the techniques of military and intelligence organizations.