The key to understanding how to deal with a modern security threat is to stop thinking about it as an attack. An attack is a short-lived event with a clear beginning and end. Threats are more like war —ongoing conflict without a fixed timeline or known endpoint. During war, front-line defenses are imperative to repel assaults because not only will your enemy attack, they will be employing intelligence, communications, and logistics to do so. Many wars have been won by intercepting enemy intelligence, disrupting enemy communications, and destroying the enemy’s logistics capabilities.
If you want to win a cyber war, just like if you wanted to win a physical war, there are several important factors. Planning is your first priority, but also important is flexibility. You must be able to adapt as quickly as your enemy. It’s no secret that many wars have been lost due to an inability to adapt. When you begin thinking about modern network security threats as a war and not an attack, you will find that it requires a continuous, ongoing process – not an individual defensive action – to be successful in dealing with them. There are three phases to mitigate your way through a war of this nature: Discovery, Investigation, and Remediation. Your speed and efficiency in moving through this “Integrated Threat Management Cycle” will decide your fate.
When you don’t know what you don’t know, you are in the discovery phase. In a sense, you should always maintain a discovery posture because you will never know everything about the enemy’s tactics or the nature or state of the threat. In some cases, there will be no specific intelligence to apply to the discovery process and in other cases, you may have external indications. For example, you may be able to obtain intelligence about the tactics and techniques that your enemy has used against organizations in your industry segment from industry trade groups, peer organizations, or government agencies. And in some cases you may have specific, directly applicable intelligence. You may have information about the command and control communications behavior of endpoints that have been compromised by a threat that successfully targeted your organization on the past.
Once you feel you can accurately identify threats using threat intelligence, you are ready to move into the investigation phase. Your main focus here is to capture, store, and analyze information about the threat. If you do not have threat identification rules set in place to monitor your networks, this will be your first objective in the investigation phase. Once you can detect a network session violating threat identification rules, a huge amount of information about that violating session is stored and can be displayed, analyzed. Advanced threats leave what I like to call trails on your network. This phase is where you will need to “follow the trails”.
Once you are confident you can identify the threat’s network behavior with high accuracy, you are ready to launch a coordinated remediation campaign. Prevention is your goal here and you must learn to block any target behaviors with the same accuracy with which you detected it. This enables you to change from a monitoring posture to a prevention posture.
Now that you are approaching security threats like a war, you are sure to be more prepared and ultimately, better able to deal with anything that comes your way.
By Kurt Bertone, Vice President and Security Strategist at Fidelis Security Systems