As cyber-attacks increase in both volume and complexity, corporate security teams are struggling to keep pace with even the simplest and best understood threats.
In the past two years, Verizon has found that 99.9 percent of exploited vulnerabilities were compromised more than 12 months after the CVE was published, while 63 percent of confirmed data breaches involved leveraging weak, default or stolen passwords. That means most businesses still aren't doing the basics right, in a hostile environment where every week exposes them to a million new malware variants and thousands of security alerts. Meanwhile, government cyber-war spending is creating a deep reservoir of advanced tools and skills that will eventually bleed into the private sector, presenting the average business with security challenges it has little chance of overcoming. However, some cyber-specialists believe there are glimmers of hope in this gloomy picture.
A new generation of cyber-professionals is rethinking how businesses look at security, determined to shift the odds back into their favour. A new philosophy of ‘defensive hacking’ is emerging that believes security engineering can outsmart the bad guys by iterating defences based on real-world attacks, improving the odds of detecting a compromise and ultimately raising the cost to attackers. So what do these thought-leaders have up their sleeves?
1. Use the home-field advantage
We're used to hearing that cyber-security is an asymmetrical battle. Attackers only need to succeed once; defenders must stop them every single time. However, this truism ignores the reality that attackers are strangers inside your network, while defenders are at home and can control the environment to their advantage. Of course, leveraging this advantage means defenders must understand their environments better than attackers.
Today's security thought-leaders believe organisations should “grow their own timber”, engineering bespoke platforms to ensure they know their own environments inside out. Equally, security should be built-in, not bolted on – for instance, with fraud, anomaly detection and event logging directly embedded inside in-house applications.
Defenders can also take a leaf from the hacker's book to understand their environments better. For instance, ‘footprinting’ takes a hacker's-eye view of your entire internet attack surface, highlighting the hard-to-find details that attackers typically target and allowing defences to be strengthened proactively.
2. Be smart with Intelligence
If knowing yourself is half the battle, knowing the enemy certainly comes next. While obsessing over the latest high-profile threat to hit the headlines isn't helpful, a reliable feed of actionable, relevant threat intelligence most certainly is. Equally, a solid understanding of the Cyber Kill Chain and how adversaries behave will allow you to organise and validate defences before an attacker strikes.
If harnessing this information sounds like an overwhelming challenge, machine learning offers a way forward. Machine learning isn't a new trend in security – it's been around since the earliest spam filters – but the ability to collect, store and process unprecedented volumes of big data has prompted a new wave of enthusiasm for applying it to today's security challenges.
With widely available tools, security devices producing a deluge of data, and plenty of publicly accessible information on threats and vulnerabilities, smart enterprises should be using these capabilities to detect anomalies inside their networks and applications.
3. Set traps
Today's ‘defensive hacking’ philosophy is also causing businesses to use an attacker's own desires against them. Honeypots and other traps can be placed just about anywhere – from networks and databases, to email accounts and websites – to lure in unwary attackers.
By positioning these pitfalls in places where no legitimate user would trigger them, organisations can ensure a very high signal-to-noise ratio on alerts. If a trap is activated, it's almost certain something malicious is happening and defenders can take appropriate steps, without putting the business at risk.
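As an added illustration (not part of the original article), the following Python sketch shows the alerting logic such traps rely on: decoy names that no legitimate process ever uses are registered as honeytokens, and log lines are checked against them, so any hit is high-confidence by construction. The decoy names, log formats and IP addresses are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed decoys: none of these exist in the real environment, so any
# access to them cannot be legitimate activity. That is what keeps the
# alert noise near zero.
HONEYTOKENS = {
    "account": {"svc_backup_archive"},          # decoy directory account
    "path": {"/admin-old/", "/backup.zip"},    # decoy URLs linked from nowhere
    "table": {"customer_cards_2015"},          # decoy database table
}

@dataclass
class Alert:
    kind: str     # which class of trap fired
    token: str    # the decoy that was touched
    source: str   # where the access came from
    raw: str      # the original log line, for the responder

# Constructed log formats for three sources: auth log, web access log, DB audit log.
_AUTH_RE = re.compile(r"auth (?:ok|fail) user=(?P<user>\S+) from=(?P<src>\S+)")
_WEB_RE = re.compile(r'(?P<src>\S+) "(?:GET|POST) (?P<path>\S+)')
_DB_RE = re.compile(r"db query user=(?P<user>\S+) table=(?P<table>\S+) src=(?P<src>\S+)")

def check_line(line: str) -> Optional[Alert]:
    """Return an Alert if the line touches a honeytoken, otherwise None."""
    if m := _AUTH_RE.search(line):
        if m["user"] in HONEYTOKENS["account"]:
            return Alert("account", m["user"], m["src"], line)
    elif m := _WEB_RE.search(line):
        for prefix in HONEYTOKENS["path"]:
            if m["path"].startswith(prefix):
                return Alert("path", prefix, m["src"], line)
    elif m := _DB_RE.search(line):
        if m["table"] in HONEYTOKENS["table"]:
            return Alert("table", m["table"], m["src"], line)
    return None

def scan(lines: Iterable[str]) -> List[Alert]:
    """Run every line through the trap check; routine traffic yields nothing."""
    return [a for a in (check_line(line) for line in lines) if a]

# Constructed sample log: routine activity plus three trap triggers from one host.
SAMPLE_LOG = [
    "auth ok user=alice from=10.0.1.5",
    '10.0.1.5 "GET /index.html HTTP/1.1" 200',
    "auth fail user=svc_backup_archive from=10.0.9.77",
    "db query user=app table=orders src=10.0.2.3",
    '10.0.9.77 "GET /admin-old/login.php HTTP/1.1" 404',
    "db query user=app table=customer_cards_2015 src=10.0.9.77",
]
```

Correlating the alerts by source (here all three come from 10.0.9.77) is the natural next step for a responder, and the untouched routine lines show why such alerts carry so little noise.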
4. Work together
Besides taking a ‘hacker's-eye view’ of their businesses, defenders can learn something else from cyber-criminals: cooperation.
Traditionally, the cyber-security industry has been reluctant to follow suit, preferring to keep information on vulnerabilities and compromises under wraps.
Fortunately, this attitude is starting to change. Facebook's ThreatExchange programme is a prime example: an open, free information-sharing platform where more than 80 companies, including Yahoo, Microsoft and Dropbox, upload data on security incidents. For enterprises that are reluctant to reveal their dirty laundry publicly, Managed Security Service Providers (MSSPs) can also offer access to large-scale threat insights, without directly exposing corporate vulnerabilities.
Meanwhile, so-called ‘bug bounties’ – such as Google's Vulnerability Reward Programme – are being used to incentivise users to find and report software vulnerabilities. While this crowdsourced approach to security can be helpful, other businesses are going even further – bringing in white hat hackers to conduct professional ‘attack simulations’. These skilled actors use the same tools and techniques as genuine cyber-criminals to pursue specific goals, such as accessing crucial applications, systems or data, so that the resulting insights can be used to improve detection and prevention mechanisms.
The cyber-security industry has become used to the idea that attackers are always a step ahead, so it's fantastic that a new wave of thinkers is challenging old habits. After all, both attackers and defenders are simply people. Organisations can and should tap into their employees for the same creative thinking and technical sleight of hand that has made cyber-criminals so feared. Combined with the home-field advantage, this new enthusiasm to solve today's cyber-challenges might be just what's needed to take the fight to the bad guys.
Contributed by Charl van der Walt, chief security strategy officer, SecureData & SensePost