
Cyber War Rooms: Why IT Needs New Expertise To Combat Today’s Cyberattacks

I’m sure you’ve read about the recent cyber attack campaigns against financial institutions, and have probably wondered why and how they have been so successful. The reason is quite clear: the characteristics of cyber attack campaigns have fundamentally changed, but the tactics used to mitigate them, as well as the best practices employed by IT security organizations, have not.

The fundamental change is the attack length – sounds simplistic, but it really isn’t.

Attacks have become more persistent and significantly longer than before. This requires IT security groups to have strong resistance skills and response capabilities.

As a matter of fact, if your organization has been targeted in a similar fashion to this year’s worldwide attack campaigns against stock exchanges and financial institutions in the U.S., then you are doomed to fail in protecting your site.

If your IT security department or your security service provider is without a well-trained “Cyber War Room” team to fight these attack campaigns, then your sites will more than likely break under today’s massive attack campaigns.

Evaluating or measuring the risk of each attack campaign involves the following main parameters:

• Attack length – measured in hours and days.

• Vectors – the number of different attacks, e.g., network-based denial of service (DoS), application-level DoS, low & slow stealthy application-level attacks, intrusion attacks, etc. Each is considered a different attack vector.

• Source – who is behind the attack? Professionals, novice attackers, volunteers, etc. We define the most professional attackers or hackers as the “inner cycle” source.
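The three parameters above only make sense at the campaign level, not per alert: a single flood lasting minutes and a 20-day multi-vector campaign can produce the same kind of individual events. The following added example (not code from the column or its author) groups a constructed stream of security events into campaigns by the quiet gap between them, then scores each campaign on length, distinct vectors and source sophistication. The gap threshold, the source weights and the tier cut-offs are assumptions chosen for illustration.

```python
"""Campaign-level risk view built on the three parameters the column names:
attack length, number of distinct vectors, and the sophistication of the source.
Added example: all events below are constructed, and every weight is an assumption."""

from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed sophistication weight per source category; "inner_cycle" is the
# column's term for the most professional attackers.
SOURCE_WEIGHT = {"volunteer": 1, "novice": 2, "professional": 3, "inner_cycle": 4}


@dataclass
class Event:
    ts: datetime
    vector: str   # e.g. "network_dos", "app_dos", "low_and_slow", "intrusion"
    source: str   # one of the SOURCE_WEIGHT keys


@dataclass
class Campaign:
    events: list  # chronologically ordered Event objects

    @property
    def start(self) -> datetime:
        return self.events[0].ts

    @property
    def end(self) -> datetime:
        return self.events[-1].ts

    @property
    def length(self) -> timedelta:
        return self.end - self.start

    @property
    def vectors(self) -> set:
        return {e.vector for e in self.events}

    @property
    def source_level(self) -> int:
        # The most sophisticated source seen anywhere in the campaign drives the score.
        return max(SOURCE_WEIGHT[e.source] for e in self.events)


def group_campaigns(events, max_gap=timedelta(days=3)):
    """Sort events by time and start a new campaign whenever the quiet period
    between consecutive events exceeds max_gap (assumed threshold)."""
    campaigns, current = [], []
    for e in sorted(events, key=lambda ev: ev.ts):
        if current and e.ts - current[-1].ts > max_gap:
            campaigns.append(Campaign(current))
            current = []
        current.append(e)
    if current:
        campaigns.append(Campaign(current))
    return campaigns


def risk_score(c: Campaign) -> int:
    """Whole days of attack length, plus 2 per distinct vector, plus the source weight.
    An attack lasting seconds or minutes therefore contributes nothing for length."""
    return c.length.days + 2 * len(c.vectors) + c.source_level


def risk_tier(score: int) -> str:
    """Assumed cut-offs: a sustained, multi-vector, professional campaign is
    what the column argues needs a standing war-room capability."""
    if score >= 15:
        return "war-room"
    if score >= 6:
        return "elevated"
    return "routine"


def assess(events, max_gap=timedelta(days=3)):
    """Return one summary dict per campaign, oldest first."""
    summaries = []
    for c in group_campaigns(events, max_gap):
        score = risk_score(c)
        summaries.append({
            "start": c.start, "days": c.length.days, "vectors": sorted(c.vectors),
            "source_level": c.source_level, "score": score, "tier": risk_tier(score),
        })
    return summaries


# Constructed sample: one short-lived single-vector flood, then, a week later,
# a 20-day campaign whose vectors and sources evolve over time.
T0 = datetime(2012, 1, 1, 9, 0)
SAMPLE_EVENTS = [
    Event(T0, "network_dos", "volunteer"),
    Event(T0 + timedelta(days=7), "network_dos", "novice"),
    Event(T0 + timedelta(days=7, hours=6), "app_dos", "professional"),
    Event(T0 + timedelta(days=9), "app_dos", "professional"),
    Event(T0 + timedelta(days=12), "low_and_slow", "inner_cycle"),
    Event(T0 + timedelta(days=14), "low_and_slow", "inner_cycle"),
    Event(T0 + timedelta(days=17), "intrusion", "inner_cycle"),
    Event(T0 + timedelta(days=20), "network_dos", "novice"),
    Event(T0 + timedelta(days=23), "app_dos", "professional"),
    Event(T0 + timedelta(days=26), "low_and_slow", "inner_cycle"),
    Event(T0 + timedelta(days=27), "intrusion", "inner_cycle"),
]

if __name__ == "__main__":
    for summary in assess(SAMPLE_EVENTS):
        print(summary)
```

Run as a script it prints two campaigns: the first is a zero-day, one-vector event that lands in the "routine" tier, while the second spans 20 days across four vectors with an inner-cycle source and lands in the "war-room" tier. The point of the grouping step is that the same per-alert data, viewed per incident, would never reveal the 20-day persistence that makes the second campaign different.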


The figure below shows some of the significant advancements that attack campaigns have made in only the last two years or so:

[Figure: Advancements In Cyber Attack Campaigns]

Why has a major fundamental change in attack characteristics left IT organizations unprepared?

Because for years, IT security organizations have been well-trained in only two operations:

• Pre-attack security audit operations that include application vulnerability scanning, penetration tests, security procedure reviews, etc.

• Post-attack forensics analysis operations that include analysis of security incidents that happened in the past in order to understand the attack (or enemy) and better prepare for the next time.

While there is no question that these are two very important capabilities that IT groups should continue to maintain, these best practices are only effective in cases where attacks are short-lived (seconds or minutes). The figure below illustrates this:

[Figure: Cyber Attack Process Diagram]

Both security audits and forensics analysis operations are done under the assumption that, at the same time, the network resources are not under a massive attack campaign, or any attack campaign at all. This is a reasonable assumption while attacks are really short-lived, as can be seen above.

But, what happens when the attack length is 20 days incorporating multiple attack vectors that are changing and evolving all the time? Eventually these persistent attacks will always find a weak or blind spot and will penetrate the network. The result will be, for example, days in which the network will not be able to serve the company’s customers (denial of service) or present a very negative customer experience.

What will the IT security group do then? Will they wait until the attack ends to begin the forensics operation? Probably not, as they need to act immediately “under fire.” This means they may experience very tough and unfamiliar constraints they are not prepared to deal with.

The figure below illustrates the new attack conditions and the new capability that an IT security group should support, which I call the “Cyber War Room” capability.

[Figure: Cyber War Rooms]

The required “Cyber War Room” capability can be defined as follows:

• A team that is capable of reacting 24/7 and during holidays, etc.

• The team must be made up of a set of security experts who are well trained through “Cyber War Games” to work “under-fire.”

• The team should have the capability to resist attacks over long periods for more than a few days. They should be able to smoothly shift responsibilities from one to another in order to maintain their resistant power for a long time.

• The team should be equipped with advanced tools that help its members to analyse the traffic and create new protections in real-time.

• The team must have the knowledge and control over network and application security devices as well the capability to control routers and switches of the network.

• Last but not least, they should have the expertise to develop “counter-attack” operations in order to try and defeat the attackers, or in other words, make them quit. More information about counter-attack operations can be read in my previous column.

“War Room” is a term taken from real battlefields. Cyber attack campaigns present similar conditions and therefore must follow the same approach – either by the organization’s IT or by the security service provider.

“Cyber War Room” capabilities will become a new essential operation that IT should adopt very quickly. I can see how in the near future these “Cyber War Rooms” will need to cooperate with one another, or even between different companies, in order to withstand the new breed of cyber attack campaigns.

Suggested Reading: Cyber Intelligence: Identifying the Threat and Understanding the Terrain in Cyberspace
