There doesn't seem to be a week that goes by without headlines reporting the latest cyber-attack to befall an organisation. In recent months, we have seen news of an attack on Parliament and Petya ransomware spreading across Europe. All too often, the mainstream news narrative focuses on the number of breaches but rarely on the length and complexity of an attack, who was behind it, and what the motives for attacking the organisation may have been.
A backwards looking approach is often taken by the businesses and organisations themselves too. Focusing on the Indicators of Compromise (IoC) is indeed an important part of any cyber-defence strategy. However, it can lead to more questions than answers around how an attack happened, why it happened and where data that has been lifted is now being kept.
It is important to remember that IoCs evolve very quickly, whereas the actor behind them does not. This is also true of their tactics, techniques and procedures (TTPs), which are becoming increasingly sophisticated. Pausing to think about the actor behind malicious activity may seem like a luxury. However, it is important that businesses look at cyber-attacks from the perspective of the antagonist if they are to protect themselves effectively.
Revealing the IoCs around an attack would be impossible without intelligence. Threat intelligence can highlight, for example, whether the actor was using shared infrastructure, whether outsourced labour was involved, or whether the attack was launched from a particular platform. Domain names and IP addresses may change very quickly, but the perpetrator's motive does not. Identifying and understanding the Indicators of Attack (IoAs), rather than just the IoCs, is the first step for organisations in changing their approach to security.
The types of actors perpetrating these attacks will differ, whether they are hacktivists looking to instigate change, state-sponsored hackers carrying out operations on behalf of a country, or cyber-criminals simply looking to make a profit. Understanding these various actors, their motives and their opportunities will better place organisations to protect themselves from potential attack, wherever it may originate. This information can give businesses enough awareness not only to influence the course of a breach but to stop it completely, and to ready themselves for similar attacks in the future.
It is also important that any information about a threat is shared across the industry. STIX, the standardised language for representing structured information about cyber-threats, helps to store and share information on actors and TTPs. It has become the industry standard for information sharing in cyber-threat intelligence because it facilitates both automation and human-assisted analysis.
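To make the point above concrete, here is an added example (not from the original article or from EclecticIQ) that builds a minimal STIX 2.1-style bundle from constructed sample objects and walks its relationships to answer "which actor is behind this indicator?". All ids, names and domain values are placeholders; the linkage used is the standard STIX shape indicator --indicates--> attack-pattern and threat-actor --uses--> attack-pattern.

```python
"""Link IoCs to the TTP and actor behind them with STIX 2.1-style objects.

The two indicators differ (the IoC has 'evolved'), yet both resolve to the
same actor because they indicate the same TTP; that is the analytic value
of sharing actor and TTP objects, not just bare indicators."""
from collections import defaultdict

# Constructed sample STIX Domain Objects (SDOs); ids are placeholders,
# real STIX ids are of the form "<type>--<UUIDv4>".
ACTOR = {"type": "threat-actor", "id": "threat-actor--1",
         "name": "Example Group", "primary_motivation": "personal-gain"}
TTP = {"type": "attack-pattern", "id": "attack-pattern--1",
       "name": "Spearphishing Attachment"}
IOC_OLD = {"type": "indicator", "id": "indicator--1", "pattern_type": "stix",
           "pattern": "[domain-name:value = 'old-lure.example']"}
IOC_NEW = {"type": "indicator", "id": "indicator--2", "pattern_type": "stix",
           "pattern": "[domain-name:value = 'new-lure.example']"}


def rel(src, kind, dst):
    """Build a STIX Relationship Object (SRO) from src to dst."""
    return {"type": "relationship", "id": f"relationship--{src}-{kind}-{dst}",
            "relationship_type": kind, "source_ref": src, "target_ref": dst}


BUNDLE = {"type": "bundle", "id": "bundle--1", "objects": [
    ACTOR, TTP, IOC_OLD, IOC_NEW,
    rel(ACTOR["id"], "uses", TTP["id"]),         # actor uses the TTP
    rel(IOC_OLD["id"], "indicates", TTP["id"]),  # old IoC indicates that TTP
    rel(IOC_NEW["id"], "indicates", TTP["id"]),  # new IoC indicates the same TTP
]}


def actors_for_indicator(bundle, indicator_id):
    """Return sorted names of threat actors reachable from an indicator via
    indicator --indicates--> X and threat-actor --uses--> X, where X is any
    SDO (attack-pattern, malware, tool). Unknown ids yield an empty list."""
    indicates, used_by = defaultdict(set), defaultdict(set)
    by_id = {o["id"]: o for o in bundle["objects"]}
    for o in bundle["objects"]:
        if o["type"] != "relationship":
            continue
        if o["relationship_type"] == "indicates":
            indicates[o["source_ref"]].add(o["target_ref"])
        elif o["relationship_type"] == "uses":
            used_by[o["target_ref"]].add(o["source_ref"])
    return sorted(by_id[a]["name"] for x in indicates[indicator_id]
                  for a in used_by[x] if by_id[a]["type"] == "threat-actor")


if __name__ == "__main__":
    for ind in (IOC_OLD, IOC_NEW):
        print(ind["pattern"], "->", actors_for_indicator(BUNDLE, ind["id"]))
```

Swapping in a new indicator for the same attack-pattern leaves the actor attribution unchanged, which is exactly why actor and TTP objects are worth sharing alongside the indicators themselves.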
While intelligence is a critical part of this defence strategy, it is not the single defining answer to dealing with these changing threats. Security needs to be regarded as an architecture woven into the core of an organisation. End user training and patch management also need to be a high priority for ongoing cyber-security.
Understanding the bigger picture beyond the implications of the attack itself is imperative if the good guys are going to win. By delving into the ecosystem and lifecycle of hackers, threat analysts can connect the dots and build a much more accurate picture of an attack, revealing what is most attractive to the actor and helping to create an agile and proactive approach to the threat landscape.
Just as businesses need to consider the human entity behind the threat, defence against advanced attacks requires human analysts supported by increased automation. Only with both elements working in tandem do we stand a chance of staying one step ahead of the bad guys.
Contributed by Joep Gommers, CEO, EclecticIQ.
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.