If you want to win a cyber war, just as if you wanted to win a physical war, there are several important factors. Planning is your first priority, but flexibility is just as important: you must be able to adapt as quickly as your enemy. It’s no secret that many wars have been lost due to an inability to adapt. When you begin thinking about modern network security threats as a war and not as a single attack, you will find that dealing with them successfully requires a continuous, ongoing process – not an individual defensive action. There are three phases to work your way through a war of this nature: Discovery, Investigation, and Remediation. Your speed and efficiency in moving through this “Integrated Threat Management Cycle” will decide your fate.
When you don’t know what you don’t know, you are in the discovery phase. In a sense, you should always maintain a discovery posture, because you will never know everything about the enemy’s tactics or the nature and state of the threat. In some cases there will be no specific intelligence to apply to the discovery process; in other cases you may have external indications. For example, you may be able to obtain intelligence about the tactics and techniques that your enemy has used against organizations in your industry segment from industry trade groups, peer organizations, or government agencies. And in some cases you may have specific, directly applicable intelligence, such as information about the command and control communications behavior of endpoints that were compromised by a threat that successfully targeted your organization in the past.
Once you feel you can accurately identify threats using threat intelligence, you are ready to move into the investigation phase. Your main focus here is to capture, store, and analyze information about the threat. If you do not yet have threat identification rules in place to monitor your networks, putting them in place is your first objective in the investigation phase. Once you can detect a network session that violates a threat identification rule, a large amount of information about that session is stored and can be displayed and analyzed. Advanced threats leave what I like to call trails on your network. This phase is where you will need to “follow the trails”.
Once you are confident you can identify the threat’s network behavior with high accuracy, you are ready to launch a coordinated remediation campaign. Prevention is your goal here, and you must learn to block the targeted behaviors with the same accuracy with which you detected them. This enables you to change from a monitoring posture to a prevention posture.
Now that you are approaching security threats like a war, you are sure to be more prepared and, ultimately, better able to deal with anything that comes your way.
By Kurt Bertone, Vice President and Security Strategist at Fidelis Security Systems
The information shared in the letter is concerning for customers, but what is even more concerning at this point is what is not being shared. RSA has been scarce on details, basically just saying that it is “confident” there is no immediate threat of an exploit resulting from the hack, and that it has “no evidence” that any other products are impacted. Other than that, RSA just wants customers not to panic and to have faith that RSA has everything under control.
Art Coviello’s letter states, “As appropriate, we will share our experiences from these attacks with our customers, partners and the rest of the security vendor ecosystem and work in concert with these organizations to develop means to better protect all of us from these growing and ever more sophisticated forms of cyber security threat.”
The problem is deciding who gets to define “as appropriate”. Many customers feel it would be “appropriate” for RSA to be much more forthcoming about what information, specifically, was compromised by the hack. With those details, customers could better understand the threat, determine the scope and impact of the potential threat, and take proactive steps to guard against any potential SecurID hacks.
Perhaps RSA is unsure whether the attackers even realize what they have, and fears that divulging too many details could exacerbate the problem by pointing would-be attackers in the right direction. That seems like a reasonable possibility. But for now RSA is just being vague about the details of the SecurID hack, and what RSA isn’t saying seems to be more revealing than what RSA is saying.