The Long Tail of Cyberthreats: Part II
In the first installment of this two-part series, we introduced the concept of tail risk, often used in financial risk management, as an approach to help organizations assess, manage and remediate cyber risk. One of the key takeaways was that a “long tail” of cyber risk is being created with the increasing frequency and potential severity of unique, or heretofore unseen, cyber risks.
The risks in this long tail are potentially so severe that they could upend an organization’s most critical business operations. And, in some instances, those risks could even disrupt an entire market segment.
We also introduced the notion that the long tail is very likely to continue to get longer, due to the stepped-up utilization of machine learning algorithms deployed by hackers and other bad actors, allowing for the customization of attacks on specific organizations and even specific applications.
It’s a scary notion, to be sure. But that doesn’t mean our hands are tied. There are things we can do about this long tail of cyber risk.
Cybersecurity Is a Team Sport
The good news is that cybersecurity is now a team sport—a big change compared to just a few short years ago. Throughout my career of running security teams, I have witnessed constantly increased collaboration when it comes to cybersecurity. And that has happened both in my professional role and in my personal experience as a consumer.
In what seemed and felt like a sudden development, professionals from IT, anti-fraud and business departments began proactively reaching out to their CISO colleagues for advice. In turn, CISO, CIOs and even CEOs began working together to launch communities to share threat intelligence among organizations and with government agencies such as Information Sharing and Analysis Centers and the Europe-based CSSA.
Even the highly competitive cybersecurity industry has accepted the fact that there is no other sustainable option but to join forces in the sharing of threat information. The Cyber Threat Alliance is a great example of this evolution.
Connecting operational telemetry of our organizations will help us build a more robust cyber immune system and reduce the long tail risk for custom threats. Distributing known threats to other organizations will automatically disrupt the threats and raise the bar against the attackers.
This call to action is not new. However, most organizations still have not established this practice. So, let’s reiterate what is required to use collaboration and shared threat intelligence to reduce the long tail risk:
- Consume threat intelligence indicators and analytics.
- Instrument all of your controls to prevent attacks based on consumed indicators.
- Share indicators and feedback of observed attacks back with community.
Most organizations might say that they do all of the above. But if you include the requirements of “automated” and “real-time,” the number of companies doing it will be significantly less.
Let’s look at it step by step. Consuming threat intelligence in a structured way is relatively easy. There is a range of operational formats such as STIX, Yara and Sigma to express and detect threats, and platforms such as MindMeld or MISP available as open source to the community.
However, most organizations fail to consume collected data across their controls. First, organizations are still using point solutions from multiple vendors, which do not integrate well or do not allow any consumption of indicators. Those are the security dinosaur technologies, which failed to evolve from the age of competition to the age of collaboration. At best, those security solutions would provide alerts on specific indicators, but not block the resultant attack. Unfortunately, as of today, not many technologies support custom indicators in a preventive way. The rest leave the security operations center (SOC) with a high volume of alerts and manual activities to follow up.
We all agree that even limited detection is better than nothing. But I can tell you from experience running all flavors of cyber defense teams that this model is not sustainable on a long-term basis.
Cybersecurity must be end-to-end, from detection to prevention. Automated orchestration solutions might be helpful. However, don’t underestimate the amount of work required to get it running. Just considering some basic integrations would require not only a strong commitment from IT departments in order to instrument your environment, but also a full control of your threat intelligence supply chain.
For example, would your SOC know which indicators it can block and which ones it should issues alerts for? Are you confident in the data quality? Addressing these issues is hard work, because it often requires a fundamental refresh of organizational architecture and processes, as well as a good portion of expertise from experts who have seen this movie already in other organizations.
Finally, if you get the privilege to get shared threat data, it is unfair not to share back. Does your security team understand which data it can share, and do your legal and data privacy teams agree with that decision?
Keep in mind, your SOC analysts always have something more important to do and sharing threat intelligence data may not be on top of their to-do list. Help them make this process as easy as possible and try to get it off the ground from day one.
What Kind of Threat Intelligence to Share?
If you are not sure what can be shared, here is a starting point:
Level I: Sharing of indicators of compromise (IOC) is the most common type of sharing. This could be a malicious IP address that performed a scan against your organization, a cryptographic hash from a malicious software, or an email address that is sending spam. Sharing of these indicators is easy, but the manual effort to collect and use them is ultra-high. At the same time, the value of the information is often low for the recipients, due to lack of context and effective ways on how those can be operationalized. Furthermore, the lifetime of those indicators is often only a few weeks or even hours, so it’s often not worth investing manual work into this process at all. This step has to be automated.
Level II: Tactics, techniques and procedures (TTP) of specific attacks represents a more valuable type of information for the recipients. Examples could include specific unique tools that the attackers are using, lateral movement approaches such as stealing Active Directory tokens, or specific command and control (C2) techniques such as utilizing e-mail as a command and control channel rather than http. TTPs can be used by consumers to perform generic hunting exercises and validate if similar attack types occurred in your own environment. Well-known standards for describing the TTPs are the ATT&CK databases as well as the Unit42 Playbooks.
Level III: One of the most valuable types of sharing is to share feedback on the effectiveness of detection and prevention controls. Such telemetry could help organizations in multiple ways. First, it could help organizations to understand their security posture and potentially make some enterprise sweeps of known indicators obsolete. To do so, the analyst would need to verify the coverage of his security controls on a regular basis, rather than checking every time again and again how the controls were bypassed. Second, it will help organizations to determine immediately if they are exposed to specific attacks or threat actors and provide them a reasonable view on investment opportunities required to secure them against certain attack types. Unfortunately, it is difficult to gather such information, hence, such information is shared only on rare occasions.
If you must reduce your tail risk and get more adaptive against cyber threats, I would advise all CISOs to think Threat Intelligence First. The concept to have a threat intelligence driven cybersecurity organization is not new, but it is still not being considered in most enterprise architectures effectively. Having a threat intelligence database, a sharing platform, or a sharing procedure within your SOC is a first small step.
What is more important, though, is to establish key principles across your security technology roadmap, your infrastructure and your processes, to enable machine-to-machine integration on a more granular level. Consumption of threat intelligence must focus on automated prevention rather than detection. And it must consider retrospective feedback on the effectiveness of your controls for internal situational awareness purposes as well as for sharing purposes.
At the end of the day, it’s important that you don’t remain isolated and try to address these issues and challenges on your own. It’s a team sport!
Sergej Epp is Chief Information Security Officer for the Central European region at Palo Alto Networks.