"Build a network to defend a network"
By Craig Rice, CSO for BACS and FPS
In many respects cyber security is an unusual discipline: it has grown up around information technology gradually over the years rather than developing in any pre-planned way. As a result of this organic evolution, cyber security strategies have long borrowed from techniques used to defend physical assets. Most revolve around deterrence, raising the cost and risk of an attack high enough that attackers are put off and go after softer targets.
This ethos is best seen in the heavy CCTV presence in town centres today, intended to displace criminal threats by making it likely that any perpetrator will be identified and prosecuted. Although often effective, the approach falls short against adversaries who either have no fear of the consequences, such as extremist terrorists, or who strongly believe they will not be caught.
Unfortunately, the majority of cyber attackers fall into the second group. The average threat actor is well aware that there is very little chance of their activity being traced back to them, because even the lowest-level actor can easily obtain tools that mask their identity and defeat most investigators. Career hackers are therefore able to attack time and time again with impunity. Limiting the damage an attacker can do requires a network of collaboration within and between multiple organisations and external agencies.
Network hardening is no longer enough
As part of the deterrence approach, security strategies usually rely on hardening the organisation's technology to the point where an attacker abandons the attempt and moves on to an organisation that presents less of a challenge.
Many organisations pursue this by hardening their entire estate in the hope of making it impenetrable. That is simply not achievable, and attackers treat the defences like the Maginot Line: instead of trying to break through, they go around and find another route in.
Similarly, the whole point of technology is to enable the interconnection and cooperation that help businesses grow and thrive. While that interlinked nature makes perfect sense from a business perspective, it means that trying to fully secure a modern network can feel as futile as trying to fortify a spaghetti junction.
Many attacks today begin with social engineering: the attacker tricks a victim into opening a file or following a link that delivers malware, and the victim unwittingly carries the attacker past even the best perimeter defences.
Know your enemy
If hardening our technology to deflect attackers does not work in isolation, how do we realign ourselves? The answer is a threat-centric, intelligence-led approach.
We need to think strategically about what the adversary will be targeting and how its loss or compromise would affect the business. Since a determined adversary will eventually find a way into even the most secure network, we should assume breach and limit what they can achieve once inside, keeping them away from mission-critical systems and data. Security and threat intelligence are the key to understanding this. We need to know how that data can be reached, the routes an adversary is likely to take to it (credentials, trust relationships, network paths), and then harden and monitor those routes.
There are three main actions a business needs to take to start acquiring and using this intelligence:
1. Engage the rest of the organisation. The security team cannot protect the business alone. It needs to work closely with the business to understand the key processes, which in turn identifies the essential operational technology and data that should receive the majority of the security resources.
2. Map the ecosystem. A business's security does not exist in isolation; its entire supply chain comes together to form a complex ecosystem. A security incident anywhere in that ecosystem can affect all of the connected organisations, so every business needs a thorough, central understanding of how those relationships work and what access they grant.
3. Watch the network and act on what you see. There is likely to be at least some suspicious activity on almost every enterprise network, particularly given the widespread use of automated bots that search out and breach potential targets. Organisations need to know what is happening on their networks day to day and must feed that data into defined processes so it can be acted on. That includes internal security activity and passing information to law enforcement or intelligence agencies whenever it is appropriate.
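As an added example, not code from the original post, the following Python script shows the third action in practice: it profiles every source address in a constructed sample of web-server access-log lines, flags sources whose behaviour matches automated probing, and turns each hit into a structured record that a response process (edge rate-limiting, a SOC ticket, a shared intelligence feed) can consume. The log lines, the thresholds and the list of well-known probe paths are illustrative assumptions, not values from the page.

```python
"""Flag automated probing in access logs and emit records a response process can act on.
Added example; the sample log, thresholds and probe paths are constructed/assumed."""
import json
import re
from collections import defaultdict
from datetime import datetime

# Combined Log Format: ip ident user [time] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample: one human visitor (203.0.113.7) and one scanner (198.51.100.23).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:09:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/123.0"
203.0.113.7 - - [10/Mar/2024:09:00:03 +0000] "GET /about HTTP/1.1" 200 3210 "https://example.test/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/123.0"
203.0.113.7 - - [10/Mar/2024:09:00:09 +0000] "GET /contact HTTP/1.1" 200 2100 "https://example.test/about" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/123.0"
198.51.100.23 - - [10/Mar/2024:09:00:10 +0000] "GET /.env HTTP/1.1" 404 153 "-" "python-requests/2.31.0"
198.51.100.23 - - [10/Mar/2024:09:00:10 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "python-requests/2.31.0"
198.51.100.23 - - [10/Mar/2024:09:00:10 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153 "-" "python-requests/2.31.0"
198.51.100.23 - - [10/Mar/2024:09:00:11 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "python-requests/2.31.0"
198.51.100.23 - - [10/Mar/2024:09:00:11 +0000] "GET /admin/ HTTP/1.1" 404 153 "-" "python-requests/2.31.0"
198.51.100.23 - - [10/Mar/2024:09:00:11 +0000] "GET /backup.zip HTTP/1.1" 404 153 "-" "python-requests/2.31.0"
198.51.100.23 - - [10/Mar/2024:09:00:12 +0000] "GET /xmlrpc.php HTTP/1.1" 404 153 "-" "python-requests/2.31.0"
198.51.100.23 - - [10/Mar/2024:09:00:12 +0000] "GET /config.php HTTP/1.1" 404 153 "-" "python-requests/2.31.0"
"""

# Assumed thresholds; tune them against a baseline of the site's normal traffic.
MIN_REQUESTS = 5       # too few requests to judge a source either way
ERROR_RATIO = 0.6      # scanners guess paths, so most of their responses are 4xx
BURST_PER_SECOND = 3   # humans rarely issue this many requests in one second
PROBE_PATHS = ("/.env", "/.git/", "/wp-login.php", "/xmlrpc.php",
               "/phpmyadmin", "/backup", "/config.php")   # assumed watch-list
SCRIPTED_UAS = ("python-requests", "curl/", "Go-http-client")


def parse_log(text):
    """Parse Combined Log Format lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["status"] = int(e["status"])
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events.append(e)
    return events


def profile_sources(events):
    """Summarise behaviour per source IP: volume, error rate, burstiness, probe hits."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    profiles = {}
    for ip, evs in by_ip.items():
        per_second = defaultdict(int)
        for e in evs:
            per_second[e["ts"]] += 1
        errors = sum(1 for e in evs if 400 <= e["status"] < 500)
        profiles[ip] = {
            "requests": len(evs),
            "distinct_paths": len({e["path"] for e in evs}),
            "error_ratio": errors / len(evs),
            "peak_per_second": max(per_second.values()),
            "probe_hits": sum(1 for e in evs if e["path"].startswith(PROBE_PATHS)),
            "user_agents": sorted({e["ua"] for e in evs}),
            "first_seen": min(e["ts"] for e in evs),
            "last_seen": max(e["ts"] for e in evs),
        }
    return profiles


def classify(profile):
    """Return the reasons a source looks automated; an empty list means nothing to act on."""
    reasons = []
    if profile["requests"] < MIN_REQUESTS:
        return reasons
    if profile["error_ratio"] >= ERROR_RATIO:
        reasons.append(f"{profile['error_ratio']:.0%} of responses were 4xx")
    if profile["peak_per_second"] >= BURST_PER_SECOND:
        reasons.append(f"{profile['peak_per_second']} requests within one second")
    if profile["probe_hits"]:
        reasons.append(f"{profile['probe_hits']} requests for well-known probe paths")
    if any(ua.startswith(SCRIPTED_UAS) for ua in profile["user_agents"]):
        reasons.append("scripted user agent")
    return reasons


def detect_scanners(log_text):
    """End to end: return {ip: shareable record} for sources with corroborating evidence."""
    findings = {}
    for ip, p in profile_sources(parse_log(log_text)).items():
        reasons = classify(p)
        if len(reasons) < 2:      # one weak signal alone should not trigger action
            continue
        findings[ip] = {
            "indicator": {"type": "ipv4-addr", "value": ip},
            "first_seen": p["first_seen"].isoformat(),
            "last_seen": p["last_seen"].isoformat(),
            "requests": p["requests"],
            "reasons": reasons,
            "next_steps": ["rate-limit at edge", "open SOC ticket", "share with intel partners"],
        }
    return findings


if __name__ == "__main__":
    print(json.dumps(detect_scanners(SAMPLE_LOG), indent=2))
```

On the sample, the human visitor is never scored (too few requests), while the scanner trips all four signals and comes out as one structured record. Requiring at least two independent reasons before a source is reported is the design choice that keeps this feedable into a process: a single 404 burst from a misconfigured monitor should not generate a ticket or be passed to an external agency.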
All of these actions show that you have to build a network to defend a network. The bad guys are not working alone in a basement somewhere; they have a network of resources and intelligence at their disposal, from dark-web marketplaces to wider organised criminal networks. Organisations need to build their own network if they are to keep up and protect themselves from attack.
This approach is closely connected with other aspects of security strategy which will be discussed in future blogs from Cyber Security Connect.