Towards a new defence doctrine

The threat landscape today is more advanced than ever before, and shows no signs of slowing down. Malware has proliferated and increased in complexity, while hackers have become more cooperative with each other.

If businesses are to effectively take on the cyber attackers, they need to mirror this level of cooperation. Putting aside natural rivalries and competitive instincts, businesses need to share information on attack vectors with each other, to build as wide a picture as possible of the threat landscape.

This cooperation should run between the private and public sectors, and see organisations work more closely to overcome the challenges of cyber crime.

Benjamin Franklin once said ‘If we do not hang together, we will all hang separately’. While Franklin predates the cyber security industry by a good 200 years, his words of wisdom sum up the situation it faces today.

As the range of online threats facing businesses and consumers grows in both volume and complexity, it is becoming increasingly apparent that the security industry must cooperate more fully if it is to overcome them effectively and rapidly.

The stark fact of the matter is that traditional approaches to corporate security are not up to the task of protecting against advanced persistent threats (APTs). In fact, the Verizon 2012 Data Breach Investigations Report said that 92 per cent of breaches are not detected by the organisation under attack but are instead reported to it by an unrelated third party. This is a staggering number. To put it into context, it is the equivalent of a homeowner sleeping through all but eight of one hundred burglaries.

To solve this, a new defence doctrine is essential - one which calls for a layered security approach and puts information sharing at its heart.

Organisations must understand that there is no single technology or ‘silver bullet’ to defeat threats such as APTs. Instead, a layered approach must be considered, with each layer – the perimeter, the internal network and the computer systems – equipped to monitor and provide a comprehensive picture of its current status. It is only with this approach that the next APT can be detected.

But the real question is: what are we monitoring for? How can we prepare for the next attack? Oddly enough, the answer lies in the way the underground operates.

A notable characteristic of the criminal underground that operates online is that it is highly adept at sharing information. Cyber criminals are communicative, work together to solve problems and are happy to team up with strangers to commit fraud on a grand scale. Forums and discussion rooms are the digital glue that binds fraudsters together, enabling this collaboration to take place.

A visitor to these forums may be shocked by the level of collaboration that takes place. Criminals are provided with accessible ‘how to’ guides for committing their cyber attacks: they can buy tutorials on specific attack vectors, receive technical support for a Trojan and even browse descriptions of how successful attacks were orchestrated.

The security industry should take a leaf out of the fraudsters' book and apply similar methods to the detection and forensic examination of attack vectors. However, for this to occur, businesses will need to be much more open about attacks that have happened to them.

Historically, organisations have been understandably reticent about discussing breaches for fear of bad publicity or leaking intellectual property. This needs to change. The threat landscape is now sufficiently evolved to require that the sharing of information takes precedence over the natural inclination of businesses to keep such information private.

The financial sector is repeatedly cited as the most advanced in collaborating over security incidents. This is only natural, as the sector has been forced to weather the majority of financially motivated cyber crime. As a result, it has become an early adopter of many forms of security best practice. Of particular note is how willing governmental authorities have become to share data on cyber threats with financial organisations.

In Europe, a great deal of work has been done in this regard by the European Network and Information Security Agency (ENISA). The organisation has been set up to facilitate the exchange of security information between member states, as well as to promote public/private cooperation.

This is a sea change from the way in which governments used to treat intelligence. They operated closed shops and kept any discoveries within their own organisations. The new approach has come about largely as a result of the realisation that the integrity of a country's business is a vital component of overall national security.

Collaboration between security firms and banks is also advanced, more so than in most other sectors. For example, the RSA eFraudNetwork provides a shared repository of fraud profiles gathered from a range of sources around the globe: customers, end-users, internet service providers (ISPs), the RSA Anti-Fraud Command Center and third-party contributors. This resource enables collaboration across organisations and provides access to a large network of fraudulent identifiers. There are similar projects out there, and all help to identify and shut down financial fraud in real time.

As technology continues to evolve at pace, so too will the methods of the different attackers that target businesses. These criminals are highly organised and cooperate with each other freely.

To give the security industry, and businesses in general, the best possible chance of mitigating the threats posed by such groups, similar levels of cooperation are critical. This needs to run throughout the private and public sectors, as well as between normally competing organisations. Through a united front, the detection and prevention of cyber crime can become far easier.

Daniel T. Cohen is head of business development and knowledge delivery in the online threats managed service at RSA.