The enterprise landscape of protecting the network is continuously changing and advisories are constantly evolving to meet the changing landscape. Hackers have become more sophisticated, both in their methods and in the data they target. “The days of the ‘drive-by’ hacking where the bad guys make one incursion and then brag about it are long gone,” said Barry Lyons, director of government cybersecurity services at KPMG. “Now their goal is to exploit as much data as they can while being as quiet as possible so they can remain in the enterprise, continually and quietly removing data undetected.” Known as ‘dwell time’hackers have been reported to be hidden for as long as 101 days. It doesn’t matter if it is 101 days or 101 minutes, if they’re in there, and you don’t know it, you’re in trouble.”
“There are still many organizations that don’t believe that the bad guys are sitting inside their enterprise,” added Lyons. “It’s no longer a question of if we’re going to be attacked, or even when we’re going to be attacked. It’s a matter of we’ve already been attacked; they are living in here, and we need to find them. More importantly, we should be proactive in not letting them into the network in the first place, hence, moving from a reactionary position to a proactive cyber stance.”
So what can an organization do to overcome the threats from every angle, including from within? While every enterprise is different, following these steps can help you build a roadmap to achieving what Lyons calls “Prosilience,” which is cyber resilience with consciousness of environment, self-awareness and the capacity to evolve automatically.
Step 1: Defining the Baseline
“An organization needs to have an assessment of where they are right now in relationship to proactive security,” explained Lyons. “For example, if they look at their current situational awareness, do they understand how their devices relate to one another? Many times organizations will know where their devices are, what their devices are, as well as those devices’ individual vulnerabilities, but not how they relate to one another. ”
Knowing both current and potential vulnerabilities is essential for an organization to define a real time situational awareness baseline. “Often the organization will look for their Category One and Category Two vulnerabilities – the vulnerability categories that can cause the most damage if they are exploited – and they will fix those,” said Lyons. “The attackers, however, look for the Category Threes and Fours that weren’t fixed and these crafty adversaries will very cleverly and stealthily create an attack path across those lower category vulnerabilities. Suddenly that attack path becomes a hidden Category One vulnerability, an attack path vulnerability missed time and again by standard scanning tools.”
Step 2: Intelligent Hunting
Training staff in what is called “intelligent hunting” is crucial to achieving Prosilience. “This is different than just going in and doing a search for where the bad guys have hidden themselves,” explained Lyons. “What the cunning adversary does is leave little hidden breadcrumbs in the ‘uncontested space’ so they can come back to exploit more information, returning time and again undetected. You need to give your staff the ability to hunt in ‘the uncontested space,’ that is, active memory in your devices (which is not found using standard hunt tools), to discover where the bad guys have left those well-hidden breadcrumbs, and then eliminate the breadcrumbs.”
This task takes a certain kind of mindset. “The hunters not only need to be astute, but be able to think outside-the-box, as well as be trainable in the specific skills of intelligent hunting,” added Lyons.
Step 3: Protect the Servers
Malware, which is any unauthorized executable code, can wreak havoc on a network. In order to be proactive, you need to be able to stop it before it has a chance to run. “There are tools now that sit deep in the CPU’s memory, and will immediately stop any and all malware from executing,” stated Lyons.
These tools have the added benefit of protecting a server that may not have up-to-date patches. “Since government enterprises are so huge,” said Lyons, “it is virtually impossible to keep up with application patches.Since un-patched applications present a target rich environment for the adversary, this tiny piece of code in the CPU memory acts as the applications’ ‘guard’. It sees the behavior of all executable code and instantly stops any type of malware, as well as take a forensic snapshot of the malware.”
Step 4: Find Out Their Plans
“While the bad guys don’t announce that they just wrote some code and are now going to launch it, they do have a space – some people refer to it as the Dark Web – where they start testing and work amongst themselves,” Lyons explained. “There are tools now that can go out and watch what they are doing and give a warning ahead of any attack. The government has been doing this for years, and now there are commercial solutions that will allow you to pull that information, which is on average about 51 days ahead of an attack. This allows you to build defenses to a specific threat ahead of time.”
Step 5: Sifting Through Reports
There is actionable threat data available through various commercial and government threat reports. Unfortunately, there are an excess of 5,800 reports generated per month in 195 unique formats.
“An analyst can’t sit there and read all of those reports – it’s physically impossible,” Lyons explained. “These analysts would spend about 85% of their time just trying to amass all of that information, and then only have 15% of their time left to decide how to best act on it.”
Instead, Lyons said that government analysts should tap into new software that can import the reports, digest them, weed out redundant or irrelevant information and pass along pertinent threat data. By letting computers do that kind of deep analytical work which a computer can do much faster than a human being, frees analysts to use their best skillsets namely decide and act on how to best protect their enterprises. Now the 85% time digesting reports and 15% acting is inverted to 15% digesting, 85% acting.
Step 6: Automating Alert Response
Lyons explained that every security operations center gets thousands of alerts, more than any size team of humans could process. The final step is tuning specific software, called SOAR – Security Orchestration, Automation and Response platforms, to automatically react and remediate far faster than any human can, to the most dangerous, real threats. When done right, SOAR can reduce the detection and remediation time of an attack from hours to seconds.
“When you put all of these tools together,” explained Lyons, “now you’ve built a foundation for Prosilience. This is when your system is so smart, it will automatically reconfigure itself when it hears that a threat is coming, and thus proactively protect the enterprise from a dangerous exploit. The steps above are the building blocks to achieving true Prosilience.”
The threats to most organization’s networks are real and immediate, necessitating a rethinking of how cybersecurity is traditionally handled. Following these six steps can support Prosilience, giving defenders a highly needed advantage. “We have to move from being reactive to proactive,” concluded Lyons. “Being reactive in today’s environment is just too late.”