An attacker's eye view is worth 1,000 words

Cyber situational awareness can help protect against cyber-attacks, loss of intellectual property and loss of brand and reputational integrity, says Alastair Paterson.

Alastair Paterson, CEO Digital Shadows
Alastair Paterson, CEO Digital Shadows

We all know the phrase “a picture is worth a thousand words.” What if you could get a picture of what cyber-criminals see about your organisation? What would that look like and, more importantly, how could you use what you see to your advantage?

It helps to start by understanding how attackers go about painting that picture which begins with a reconnaissance process. Threat actors conduct open source searches on the web for information related to a target organisation or a person of interest. Depending on the information they find, they can understand what an enterprise does, how it makes money, who is involved, where they do business, and how they do business.

Attackers also conduct technical reconnaissance to search for information related to a target organisation's IT infrastructure. This includes mapping an organisation's network for enumeration of web servers, domains, specific IP addresses and address ranges, and IT and security infrastructure in use. Based on the information that is visible and accessible they can run exploit scans to identify vulnerabilities that are exploitable and gain entry into the network.

Although time consuming to conduct, these combined reconnaissance efforts can yield significant information about the organisation's structure and digital footprint – the information that is projected, shared, and managed by an organisation. While digital footprints are unavoidable in a digital economy, the challenge is that information can be inadvertently exposed through this footprint, and thereby used maliciously.  That's what attackers work diligently to uncover.  I've recently been using the term “digital shadow” to refer to the part of a digital footprint that might reveal a weakness or give an organisation insights into the threats they face.

If security professionals can see that same picture of their own organisations they can use it to better secure their business, mitigating risk associated with the attack surface, which includes people. To gain an attacker's eye view security professionals need to think like an attacker. They need to approach themselves from the outside using the same techniques as attackers – social engineering, long-term reconnaissance, and data mining over time to discover information relative to the organisation from a business, personal and asset perspective. With a picture of what the organisation looks like digitally to the outside world, they can conduct threat mitigation which often starts with basic patching and reconfiguration.

But gathering all of this data and executing real-world scenarios against yourself is time consuming and leaves the organisation exposed if a known vulnerability is left unaddressed for purposes of the exercise. Consequently, to gain information about potential threats, most organisations have relied on other tools including traditional packaged threat intelligence. While this information is a step in the right direction, it requires an organisation to manually sift through huge volumes of data to glean useful insights since the intelligence isn't tailored to the organisation.  Having a “bucket of bad stuff” and then checking to see if there is any reference to your organisation in it, is potentially very challenging, since it's very difficult to collect enough “bad” to be sure that you have good coverage.

Cyber situational awareness addresses these gaps, by providing an organisation with an attacker's eye view into information about themselves that is available online, and then using that information to prevent, detect and contain cyber-related incidents. When looking to extend threat intelligence with cyber situational awareness, security professionals should ask providers the following questions:

What level of customisation of data do you provide? To be most useful data should be company-specific and include information that also pertains to the industry, company size and geography. For example, this data might include confidential documents posted on websites, employee credentials, and even information about key suppliers that could be used to infiltrate an organisation's network.

How do you go about delivering relevant and contextual insight? Data should be gathered across both the visible and deep, dark web, including examining millions of social sites, cloud-based file sharing sites, underground forums and other points of compromise across a multi-lingual, global environment.

Once I have this data, how do I use it?  Capabilities and expert assistance should be provided to make the information readily accessible, easily digestible and actionable so that organisations can prioritise threat protection and policies and administer takedowns in order to mitigate harmful events.

When done right, cyber situational awareness can help protect against cyber-attacks, loss of intellectual property and loss of brand and reputational integrity. For example:

  • A large financial institution learned of an impending DDoS attack being announced against five financial institutions and was able to obtain a list of indications and a warning to ensure they were prepared in the event they were added to the target list.
  • A network-attached storage (NAS) device was publishing a company's sensitive documents to the Internet. The documents were signed by the CTO of the organisation as were 50 other documents discovered within the same file path on the NAS device. The CTO was made aware of the situation so that the device could be remediated.
  • A bank learned of a cyber-criminal claiming to be an employee providing access to high value accounts, personal details from account numbers belonging to bank customers, as well as full details of customer logins to the online banking portal. The bank quickly reset credentials, shutting down access and mitigating damage.

Gaining an attacker's eye view is the next and necessary step in thwarting increasingly sophisticated attackers who take advantage of an increasingly digital economy. With an attacker's eye view security professionals have a clear picture of their online exposure and a better understanding of how to defend against targeted cyber-attacks.

Contributed by Alastair Paterson, CEO Digital Shadows.

Sign up to our newsletters