Covering Scientific & Technical AI | Saturday, November 30, 2024

The New Cyber Security Minefield: A Proactive, Not Reactive, Approach 

In 2016, the cyber landscape shifted dramatically – at least on the adversary side. In the last few months alone, we’ve seen hackers penetrate organizations from the DNC to WADA and gain access to sensitive documents, which were weaponized through strategic leaks aimed at embarrassing specific individuals.

While some may believe this trend starts and ends with a contentious presidential election, this type of attack will not fade away. The implications of weaponizing data to target corporations and individuals are far-reaching.

As we approach 2017, many businesses wonder how they can protect themselves. Unfortunately, the long-trusted methods in cybersecurity are no longer enough to keep up with more technically astute and well-funded adversaries seeking intellectual property, emails or private information. Whether part of criminal groups or nation-state operations, adversaries can move faster than ever, mutate malware and actively change tactics or IP addresses, making reactive cybersecurity methods obsolete.

Next-gen Security

Most of today’s security methods rely on detecting known signatures, or Indicators of Compromise (IoCs). But these are constantly changing, making proactive defense virtually impossible. Signatures are effective when trying to detect what is previously known. IoCs are effective when trying to look for evidence of an intrusion and when trying to quantify the extent of an intrusion. By the time a threat such as malware or a breach is detected, the probability that the organization has already been compromised is high. This poses an enormous threat to enterprises that may have hackers running freely within their network and collecting data without IT teams ever being alerted.

CrowdStrike's Mike Sentonas

The businesses ahead of the curve are shifting from a reactive to a proactive approach to cybersecurity detection and response. Instead of IoCs, enterprises should focus on Indicators of Attack (IoAs), which identify adversarial behavior by tracking a series of actions or behaviors – such as code execution or lateral movement – that indicate malicious activity is about to occur. By combining a proactive IoA approach with other sophisticated methods, such as advanced threat intelligence and managed hunting, organizations understand not only where the adversary is today, but where it has been and what its objectives are. Is economic espionage the goal? Are geopolitical objectives in play?
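The IoC-versus-IoA distinction above is easier to see in code. The following is an added example, not code from the article or from CrowdStrike: a toy detector that checks the same telemetry two ways. The IoC path matches file hashes against a known-bad list; the IoA path ignores hashes and instead looks for an ordered chain of behaviors (code execution from an Office application, then discovery commands, then remote WMI use) on one host within a time window. Every log line, hash, host name, stage label and the tab-separated log format are constructed for the example.

```python
"""Added example (not from the original article): IoC hash matching
versus IoA behaviour-chain detection over constructed endpoint telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry, tab-separated:
# timestamp, host, parent process, process, sha256 (shortened), command line.
SAMPLE_LOG = """\
2016-11-02T09:14:03\tws-017\twinword.exe\tpowershell.exe\taaaa1111\tpowershell.exe -File C:\\Users\\jdoe\\AppData\\Local\\Temp\\invoice.ps1
2016-11-02T09:15:30\tws-017\tpowershell.exe\tnet.exe\tbbbb2222\tnet.exe group "Domain Admins" /domain
2016-11-02T09:15:41\tws-017\tpowershell.exe\tnltest.exe\tcccc3333\tnltest.exe /dclist:corp
2016-11-02T09:33:10\tws-017\tpowershell.exe\twmic.exe\tdddd4444\twmic.exe /node:fs-02 process list brief
2016-11-02T10:02:00\tws-042\tcmd.exe\tnet.exe\tbbbb2222\tnet.exe view /domain
2016-11-02T11:20:15\tws-099\texplorer.exe\tupdater.exe\tdeadbeef\tupdater.exe /silent
"""

# Constructed stand-in for a threat-intelligence hash feed (an IoC list).
KNOWN_BAD_HASHES = {"deadbeef"}


def parse_log(text):
    """Turn the tab-separated sample log into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, host, parent, proc, sha256, cmd = line.split("\t", 5)
        events.append({"ts": datetime.fromisoformat(ts), "host": host, "parent": parent,
                       "process": proc, "sha256": sha256, "cmdline": cmd})
    return events


def ioc_match(events):
    """IoC approach: flag only events whose file hash is already known bad."""
    return [e for e in events if e["sha256"] in KNOWN_BAD_HASHES]


# IoA approach: the ordered stages we expect an intrusion to pass through.
# Stage names are constructed labels for this example.
IOA_CHAIN = ["code_execution", "discovery", "lateral_movement"]
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe"}
DISCOVERY_TOOLS = {"net.exe", "nltest.exe", "whoami.exe"}


def classify(event):
    """Map one raw event to a behaviour stage, or None if it is unremarkable on its own."""
    parent, proc, cmd = event["parent"], event["process"], event["cmdline"].lower()
    if parent in OFFICE_APPS and proc in SHELLS:
        return "code_execution"       # document viewer spawning a script host
    if parent in SHELLS and proc in DISCOVERY_TOOLS:
        return "discovery"            # environment enumeration from a shell
    if proc == "wmic.exe" and "/node:" in cmd:
        return "lateral_movement"     # WMI aimed at another host
    return None


def ioa_detect(events, window_minutes=30):
    """Raise one alert per host on which the full IOA_CHAIN appears, in order,
    within window_minutes of the chain's first stage. Hashes are never consulted."""
    window = timedelta(minutes=window_minutes)
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        stage = classify(e)
        if stage:
            by_host[e["host"]].append((e["ts"], stage))

    alerts = []
    for host, observed in by_host.items():
        idx, start = 0, None          # next expected stage, and when the chain began
        for ts, stage in observed:
            if start is not None and ts - start > window:
                idx, start = 0, None  # window expired: forget the partial chain
            if stage == IOA_CHAIN[idx]:
                if idx == 0:
                    start = ts
                idx += 1
                if idx == len(IOA_CHAIN):
                    alerts.append({"host": host, "start": start, "end": ts,
                                   "chain": list(IOA_CHAIN)})
                    break
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("IoC hits:", [e["host"] for e in ioc_match(evs)])    # only ws-099
    for a in ioa_detect(evs):                                    # only ws-017
        print(f"IoA alert on {a['host']}: {' -> '.join(a['chain'])} "
              f"({a['start'].time()} to {a['end'].time()})")
```

Run as written, the hash check finds only the ws-099 binary that was already on the list, while the behaviour chain flags ws-017, where none of the four files has a known hash. Note also what does not fire: the lone `net.exe view` on ws-042 looks like an administrator at work and produces no alert, which is the difference between one correlated alert per host and a stream of per-event alerts for analysts to sift.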

For these types of solutions to run effectively, they need to put the threat intelligence into action through machine learning, which can identify and block known and unknown threats across a network. By analyzing threat intelligence, enterprises are more capable of detecting an anomaly that needs to be addressed.

Managed Hunting

To defeat a sophisticated adversary, enterprises need a combination of technology, professional expertise and high-grade threat intelligence based on machine learning. Any of these three elements can pose a challenge to security teams. Deep adversary-hunting expertise and the ability to assess and respond to new and unknown threats can strain the limits of most security operations. Few, if any, cybersecurity professionals will tell you that technology alone — even the very best of breed — is 100 percent effective. That’s because the most sophisticated attacks are typically orchestrated by highly skilled people, and in some cases it takes the efforts of equally skilled people to defend against and ultimately repel those attacks.

But it’s important for organizations to use their security professionals in the most effective way. Valuable human capital is misspent in passively reviewing an overwhelming amount of alert data, much of which ends up being confirmed as false positives. This is the major contributor to “alert fatigue,” resulting in security teams missing actual threat alerts. Organizations should use human threat hunters to extend, augment and enhance the impact of automated detection capabilities. This enables teams to gain a better understanding of adversaries’ tactics and to collect more threat intelligence to strengthen machine learning threat detection algorithms.

Looking Forward to 2017

If 2016 is any indication, 2017 will bring us more embarrassing leaks meant to damage an individual or enterprise’s reputation. Weaponizing data will become the new norm, and the attack methods used to obtain it will become more advanced and hard to detect. As this shift continues to play out on the adversary side, enterprises must also change their tactics to ensure the safety of sensitive data. Through the use of sophisticated prevention technology and tactics such as threat intelligence, machine learning and managed hunting, enterprises will be able to predict and prevent these damaging intrusions.

Mike Sentonas is Vice President of Technology Strategy at CrowdStrike.