17 November 2016, 8:45 PM GMT+3. The date and time may not seem significant, but they were a portent of the future of cybersecurity in the Persian Gulf.
That was the moment the Shamoon 2 wiper had been waiting for: a data-destruction payload, timed to fire on a Thursday evening at the start of the Saudi weekend, that then tore through the networks of Saudi Arabia's civil aviation agency and other Gulf State organizations, wreaking havoc. The fact that it spread laterally over SMB using legitimate credentials stolen beforehand only underscored how precisely it had been targeted.
It was a story we had seen before, in the 2012 Shamoon attack on Saudi Aramco: a simple modus operandi executed with exceptionally brutal effect. Add regionally targeted ransomware, attacks on SWIFT and cardholder data in banking, and on SCADA/ICS in oil and gas, and it is clear that the region's cybersecurity defenses are being attacked consistently and often successfully. Why, then, is nobody who has been reading the tea leaves surprised?
Middle Eastern organizations experience more incidents like these than the rest of the world, and suffer larger losses from them (PwC, Global State of Information Security Survey 2016). Those statistics come with a sobering realization: the money already spent on preventive controls has failed to deliver.
A casual chat with leading CISOs in the region confirms what incident responders have been saying for years: proactive detection and rapid response are no longer a 'good to have'. For most, they are the only real hope. It is no coincidence that next-generation SOCs, threat-hunting and incident response are key planned initiatives for 2017.
So, what is to be done? The state of the art in detection and response is uneven, ranging from off-the-shelf products to tools built in-house by experienced blue-teams and incident handlers. There is no universal approach, but the following seven capabilities are solid pillars for proactive detection and response:
- Data-science and machine-learning
With open-source and commercial log centralization, it is easier than ever to gather endpoint telemetry, network flow data and security events. Anomaly detection, basic statistics and machine learning can be layered on top to surface indicators of interest that would otherwise be lost in the noise; a per-account or per-host baseline, for instance, turns "this service account logged on to sixty hosts in the last hour" from one line among millions into a signal. Companies must focus on turning security data into information.
- ChatOps
Today's blue-team requires effective communication between disparate stakeholders and systems. ChatOps-based approaches let teams collaborate and take action in a single space with shared context, leading to faster incident resolution.
- Threat intelligence
While the phrase may sound tired, good threat intelligence, the kind near the top of the Pyramid of Pain (attacker tools and TTPs rather than hashes and IP addresses), is invaluable in informing future defenses. However, most organizations will have to work hard to develop this capability in-house; a feed of indicators is not intelligence until someone has related it to your own environment.
- Deception technology
Honeypots are dead. Long live honeypots. Modern deception platforms use machine learning and advances in virtualization to deploy decoys and detect threats at scale. Where do they fit in the next-gen SOC? Nothing legitimate should ever touch a decoy, so an interaction with one is a real-time, high-fidelity alert with very few false positives, and it is frequently the first alert on which the SOC identifies an incident. The caveat is that decoys must be indistinguishable from the real assets around them, or a careful attacker simply walks past them.
- Threat-hunting
While tooling for threat-hunting continues to improve, it is still largely a manual process informed by experience, and that will not change soon. It is nonetheless essential that organizations move from waiting to be alerted about malicious activity to proactively seeking out unknown evil: forming a hypothesis about how an attacker would move through the environment, then querying the telemetry for evidence of it. Simply enumerating badness has never been an effective model in security. Just ask traditional A/V, or a default-allow firewall!
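The two ideas above, a statistical baseline over centralized telemetry and a hunt hypothesis run against it, can be shown in one small script. This is an added example, not code from the original post: it synthesizes a week of constructed logon events for a backup service account (the format, host names and the `svc_backup` account are all invented for the illustration), baselines the number of distinct hosts the account reaches per hour with median and MAD, and flags the hour in which the same credentials suddenly fan out to sixty workstations. The robust z-score threshold of 6 is an assumed tuning value.

```python
"""Baseline-and-outlier hunt over logon telemetry (added example).

Hunt hypothesis: credentials being used for lateral movement authenticate to
far more distinct hosts per hour than the account's own history suggests.
The baseline is per account (median / MAD), so a noisy backup account is
judged against itself rather than against interactive users.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median


def synth_log_lines():
    """Constructed sample telemetry (not real logs).  One line per successful
    logon: '<ISO timestamp> <account> <source_host> <destination_host>'."""
    lines = []
    start = datetime(2016, 11, 10, 0, 0)
    # Baseline week: svc_backup reaches 2..5 servers every hour from bkp01.
    for h in range(7 * 24):
        ts = start + timedelta(hours=h)
        for i in range(2 + h % 4):
            lines.append(f"{ts.isoformat()} svc_backup bkp01 srv{(h + i) % 6:02d}")
    # Burst: the same credentials, now driven from a workstation, push to
    # 60 hosts within a single hour on the evening of 17 Nov 2016.
    burst = datetime(2016, 11, 17, 20, 45)
    for n in range(1, 61):
        lines.append(f"{burst.isoformat()} svc_backup ws007 ws{n:03d}")
    return lines


def parse(lines):
    """Yield (hour_bucket_iso, account, src, dst) for each log line."""
    for line in lines:
        ts, account, src, dst = line.split()
        hour = datetime.fromisoformat(ts).replace(minute=0, second=0)
        yield hour.isoformat(), account, src, dst


def hourly_fanout(events):
    """Distinct destination hosts per (account, hour)."""
    seen = defaultdict(set)
    for hour, account, _src, dst in events:
        seen[(account, hour)].add(dst)
    return {k: len(v) for k, v in seen.items()}


def robust_outliers(fanout, threshold=6.0):
    """Flag (account, hour) pairs whose fan-out sits more than `threshold`
    robust z-scores above that account's median.  MAD is floored at 1 so an
    account with a perfectly constant history still gets a finite score."""
    per_account = defaultdict(list)
    for (account, hour), n in fanout.items():
        per_account[account].append((hour, n))
    alerts = []
    for account, rows in per_account.items():
        counts = [n for _, n in rows]
        med = median(counts)
        mad = max(median(abs(c - med) for c in counts), 1.0)
        for hour, n in rows:
            z = 0.6745 * (n - med) / mad  # 0.6745 scales MAD to a sigma-equivalent
            if z > threshold:
                alerts.append({"account": account, "hour": hour,
                               "distinct_hosts": n, "robust_z": round(z, 1)})
    return sorted(alerts, key=lambda a: a["hour"])


def run_hunt(lines=None, threshold=6.0):
    """Parse, baseline and return the outlier hours for a set of log lines."""
    return robust_outliers(hourly_fanout(parse(lines or synth_log_lines())), threshold)


if __name__ == "__main__":
    for alert in run_hunt():
        print(alert)
```

On the constructed data the only hit is `svc_backup` at 20:00 on 17 November with 60 distinct hosts and a robust z-score around 38, while the account's ordinary 2-to-5-host hours score below 1. The same shape works for other hunts: swap the grouping key for source host, process name or destination port and the baseline logic is unchanged.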
- Orchestration and automation
The famous Prussian general Clausewitz wrote that "everything in war is very simple, but the simplest thing is difficult". He could well have been talking about incident response. Skilled attackers are agile, while IR teams face the very definition of Clausewitzian friction: handoffs, missing access, unclear ownership, tickets waiting on a human. Many of these problems can be solved by machine-to-machine orchestration and automation of response actions. If you already know what your response to an alert would be, it should happen automatically; the judgment goes into deciding in advance which actions are safe to run unattended (isolating a workstation is reversible, wiping one is not) and which targets, such as domain controllers and break-glass accounts, must never be touched without a human.
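The "if you know the response, automate it" rule, as an added example that is not code from the original post or from any particular SOAR product. It models the decision in a small dispatcher: each alert kind maps to a playbook of actions that are allowed to run unattended above a confidence threshold, protected accounts and hosts are refused, every action is written to an audit trail, and a dry-run mode lets a new playbook be rehearsed against live alerts before it can touch anything. The alert kinds, playbook contents, thresholds and the `Responder` action stubs are all assumptions for the illustration; in production the stubs would call the directory, EDR and ticketing APIs.

```python
"""Alert-to-playbook dispatcher (added example).

Rule: if the response to an alert is already decided, run it; if it is not
(low confidence, no playbook, a protected target), hand it to a human.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    kind: str                 # detection that fired, e.g. "credential_fanout"
    account: str = ""
    host: str = ""
    confidence: float = 1.0   # 0..1 as reported by the detector


# Hypothetical playbooks: which actions may run unattended, and above what
# confidence.  An empty "auto" list means the alert always goes to an analyst.
PLAYBOOKS = {
    "credential_fanout": {"min_confidence": 0.9, "auto": ["disable_account", "isolate_host"]},
    "deception_touch":   {"min_confidence": 0.0, "auto": ["isolate_host"]},
    "beaconing_suspect": {"min_confidence": 0.0, "auto": []},
}


class Responder:
    """Holds enforcement state and the audit trail.  The action methods are
    stubs standing in for calls to the directory, EDR and ticketing systems."""

    def __init__(self, protected_accounts=(), protected_hosts=(), dry_run=False):
        self.protected_accounts = set(protected_accounts)  # break-glass, tier-0
        self.protected_hosts = set(protected_hosts)        # domain controllers etc.
        self.dry_run = dry_run
        self.disabled_accounts = set()
        self.isolated_hosts = set()
        self.tickets = []
        self.audit = []

    def _record(self, action, target, outcome):
        self.audit.append((action, target, outcome))
        return outcome

    def _enforce(self, action, target, protected, state):
        """Common guard rails: refuse protected targets, stay idempotent,
        honour dry-run, otherwise apply and record the action."""
        if target in protected:
            return self._record(action, target, "refused: protected target")
        if target in state:
            return self._record(action, target, "noop: already applied")
        if self.dry_run:
            return self._record(action, target, "dry-run")
        state.add(target)
        return self._record(action, target, "done")

    def disable_account(self, alert):
        return self._enforce("disable_account", alert.account,
                             self.protected_accounts, self.disabled_accounts)

    def isolate_host(self, alert):
        return self._enforce("isolate_host", alert.host,
                             self.protected_hosts, self.isolated_hosts)

    def open_ticket(self, alert, reason):
        self.tickets.append((alert.kind, alert.account, alert.host, reason))
        return self._record("open_ticket", alert.host or alert.account, reason)


def respond(responder, alert):
    """Apply the playbook for `alert`; return the list of outcomes in order.
    A ticket is always opened so that a human sees what the machine did."""
    playbook = PLAYBOOKS.get(alert.kind)
    if playbook is None:
        return [responder.open_ticket(alert, "no playbook: triage")]
    if alert.confidence < playbook["min_confidence"] or not playbook["auto"]:
        return [responder.open_ticket(alert, "manual review")]
    outcomes = [getattr(responder, action)(alert) for action in playbook["auto"]]
    outcomes.append(responder.open_ticket(alert, "verify automated actions"))
    return outcomes


if __name__ == "__main__":
    r = Responder(protected_accounts={"admin_breakglass"}, protected_hosts={"dc01"})
    for a in [Alert("credential_fanout", "svc_backup", "ws007", 0.98),
              Alert("credential_fanout", "admin_breakglass", "dc01", 0.99),
              Alert("beaconing_suspect", host="ws012")]:
        print(a.kind, "->", respond(r, a))
    for entry in r.audit:
        print(entry)
```

The point of the guard rails is that automation only removes friction where the decision has genuinely been made beforehand: a high-confidence credential fan-out from a workstation gets the account disabled and the host isolated within seconds, the same alert against a break-glass account or a domain controller is refused and routed to a person, and a re-fired alert is a no-op rather than a second round of changes.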
- Adversarial thinking
Ultimately, no technology can replace the ability to think like the attacker. I've long advocated for adversarial thinking to be the foundation of all blue-teams. Without it, the defense team just has snazzy toys and hope. This is not about learning how to pen-test; it is about understanding the least-cost path an adversary takes when breaking into a network, and then asking which of your controls would actually see or stop them at each step of it.
Walk the exhibition floor at a regional cybersecurity conference such as RSA Conference Abu Dhabi and it is clear that this is the direction the industry is heading. But it is one thing for solution providers to tout these capabilities, and another altogether for the buying community to adopt them and, most importantly, to start seeing results.
A year from now, if we are still losing sleep over ransomware and SMB-borne data destruction (no matter how well targeted), it will be time for some very serious reflection.