After reading Vick Vaishnavi’s article, “The Top Three Cybersecurity Threats You Aren’t Considering,” I can’t help but point out that it has some holes. I agree with Vaishnavi that it is important we take a close look at the current threat landscape before heading into 2014 – therefore we should take an even closer look at what his story is missing.
Assessing Intruder Threat
Vaishnavi describes two groups of attackers. The first he calls “The Malicious,” which includes hacktivists like Anonymous and state-sponsored attackers. The second group he refers to as “Fraudsters,” which includes less lethal, financially motivated attackers.
The criminal cyber underground cannot be reduced to these two groups and “Fraudsters” are not necessarily less lethal than “The Malicious.”
The most sophisticated attackers are well-funded, organized groups, and they too can be categorized by motivation: either intelligence or money. Which of these two groups is more capable fluctuates over time, but together they far surpass the capabilities of hacktivists and individuals associated with Anonymous. The more sophisticated attackers use advanced malware and advanced persistence, compared with the attack methodologies leveraged by hacktivists or less sophisticated attackers.
To truly understand who is attacking, incident response organizations, such as my own, perform intruder threat assessments. We look at composition, skill level, intruder infrastructure, origin of attacks, and targeting characteristics. Small, medium, and even large businesses that do not work in the incident response world cannot keep up with this type of information on their own, and they should partner with trusted third parties to keep them informed of the threat landscape that may target them or their IT supply chain.
It is incomplete to group threat actors into “The Malicious” and “Fraudsters” unless you understand the complete threat landscape. First, divide attackers by skill level; then evaluate their motivating factors; and lastly assess the resources available to them.
IAM as a Proactive Method?
Vaishnavi goes on to talk about Identity and Access Management (IAM) platforms as one proactive solution for businesses. I think that in ten years, IAM platforms may become commoditized in a way that makes them easier to incorporate into existing infrastructures, but that is not the reality today. Small businesses must rely on outsourced IT solutions at the lowest cost while they build their revenue streams, and they cannot afford an IAM platform. Large businesses have such high turnover in software, integrated suites, and infrastructure through mission shifts and M&A activity that an IAM platform cannot be leveraged successfully as a primary tool. IAM platforms can serve as one tool in an organization’s cybersecurity toolbox, but they are not the most important one, nor are they the front line. In addition, orphaned accounts are not typically the front-line method of ingress into breached organizations. They are often used in the attack chain, but not as the point of initial breach. Vulnerable endpoint systems, vulnerable web interfaces, and vulnerable communication channels are the primary points of initial breach for attackers. Once initial entrenchment occurs, privileged access is gained through several means, one of which could be orphaned accounts. Therefore, if you are spending significant dollars on an IAM platform and using it as a chief means of proactive detection, you may be missing an initial penetration into your infrastructure.
Detect, Identify, and Deter
Organizations need to pay attention to the three most important areas of proactive cybersecurity today: detect, identify, and deter. Detection must look to the outside (for external attacks) and to the inside (in the case of insider threats). Only with full visibility can an organization come close to answering the question “Are you detecting attacks?” Five years ago, full visibility meant that an organization could see all of the packets moving into and out of its networks (as well as within them), but today simply being able to see the packets is not enough. An organization must be able to understand the content of the packets. Therefore, in today’s cybersecurity world, full visibility includes being able to see all content (encrypted and unencrypted) moving within, into, and out of an organization’s networks.

With deep-packet inspection, content-driven signature analysis, and threat-based awareness, organizations can mature their cybersecurity from a detection capability into a “detect-identify” model. To properly identify the attacks occurring, a level of sophistication must be built into the detection capability. There are a few tools and appliances on the market today that offer behavior-based attack detection. This capability, coupled with sound knowledge of an organization’s network, common system baselines, application structures, and complete IT documentation (at both the hardware and software level), can enable Security Operations Centers and cybersecurity professionals to be proactive all the time and efficiently reactive when necessary. Lastly, deterrence comes with the ability to detect and identify attacks, vulnerability and patch management, cyber risk management, training, security processes, complete documentation, and full visibility.
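As an added illustration (not from the original article) of the “detect-identify” model built on system baselines, and of orphaned accounts showing up in the attack chain rather than at initial ingress, the following Python runs a detection pass over constructed log lines and then correlates the findings per host. The roster, baseline, log format and function names (`detect`, `identify`) are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Constructed HR roster (current staff) and documented service accounts.
ACTIVE_STAFF: Set[str] = {"alice", "bob", "carol"}
SERVICE_ACCOUNTS: Set[str] = {"svc_backup"}

# Constructed per-host baseline of services expected to be running.
HOST_BASELINE: Dict[str, Set[str]] = {
    "web01": {"httpd", "sshd"},
    "db01": {"postgres", "sshd"},
}

# Constructed log lines in the form "<host> <event> <subject>".
LOG_LINES: List[str] = [
    "web01 LOGIN alice",
    "web01 SERVICE httpd",
    "web01 LOGIN svc_backup",   # documented service account, not orphaned
    "db01 LOGIN dave",          # dave has left; directory account still enabled
    "db01 SERVICE postgres",
    "db01 SERVICE nc",          # not in db01's documented baseline
]

@dataclass(frozen=True)
class Finding:
    host: str
    kind: str      # "orphaned_login" or "baseline_deviation"
    subject: str

def detect(lines: Iterable[str], staff: Set[str], svc: Set[str],
           baseline: Dict[str, Set[str]]) -> List[Finding]:
    """Detection pass: flag each line that violates the roster or the baseline."""
    findings: List[Finding] = []
    for line in lines:
        host, event, subject = line.split()
        if event == "LOGIN" and subject not in staff | svc:
            findings.append(Finding(host, "orphaned_login", subject))
        elif event == "SERVICE" and subject not in baseline.get(host, set()):
            findings.append(Finding(host, "baseline_deviation", subject))
    return findings

def identify(findings: List[Finding]) -> Set[str]:
    """Identification pass: hosts where an orphaned login coincides with a
    baseline deviation, i.e. credential misuse plus an unexpected service."""
    kinds_by_host: Dict[str, Set[str]] = {}
    for f in findings:
        kinds_by_host.setdefault(f.host, set()).add(f.kind)
    return {h for h, k in kinds_by_host.items()
            if {"orphaned_login", "baseline_deviation"} <= k}

if __name__ == "__main__":
    found = detect(LOG_LINES, ACTIVE_STAFF, SERVICE_ACCOUNTS, HOST_BASELINE)
    for f in found:
        print(f"{f.host}: {f.kind} ({f.subject})")
    print("hosts needing immediate triage:", sorted(identify(found)))
```

Neither check depends on an IAM product; both depend on the roster and baseline documentation the article calls for being complete and current.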
Every organization with which I have engaged during a breach had failed to apply the basic proactive fundamentals of detect, identify, and deter. However, they all had fancy and expensive tools to prevent intrusions – one such tool being IAM. Because no cybersecurity plan was in place, the tools became useless and ineffective. The organizations relied on whatever the latest “fad” in cybersecurity tools was instead of looking at the basic proactive fundamentals of detect, identify, and deter. It is not surprising that when they did realize they were breached, they were unable to respond effectively with the basic reactive fundamentals of cybersecurity: respond, repair, and recover.
In the past ten years, the attackers became more sophisticated; the hobbyists “grew up” to become professionals. Today the professionals are creating criminal enterprises akin to businesses in model and operation. The next ten years will see these criminal enterprises mature and become more efficient, more effective, and as a result, more dangerous.