Disrupting the Criminal Economic Model Can be Achieved by Tightly Integrating Security Systems into a Cohesive Framework
The perpetual cat and mouse game between cybercriminals and security professionals has been escalating for decades. But as our global economy becomes increasingly reliant on our digital infrastructures, weaving them into business, government, and critical infrastructures, the stakes in this game keep getting higher. The potential for profiting from stolen or ransomed data is higher than ever, while the cost of failure increasingly includes the potential for both economic and even physical disaster.
Plan Now for Emerging Threats
New threat trends on the horizon look to raise the stakes even higher. Here are just two of the vast number of emerging threats that some security professionals are predicting.
• Swarmbots—semi-autonomous botnets comprised of clusters of devices with specialized skillsets that can work collectively to solve problems—will significantly increase the speed and efficiency of network breaches.
• The commoditization of fuzzing—a highly technical process for discovering vulnerabilities in hardware and software interfaces and applications by injecting invalid, unexpected, or semi-random data into an interface or program and then monitoring for crashes, undocumented jumps to debug routines, failing code assertions, and potential memory leaks—through the application of AI and machine learning will lead to an increase in zero-day attacks targeting different programs and platforms.
Defending against these threats will require two things. The first is to understand the economic drivers of the criminal community, and the second is to adopt strategies and solutions that address and disrupt those drivers.
For many criminal organizations, attack techniques are evaluated not only in terms of their effectiveness, but also in the overhead required to develop, modify, and implement them. In short, in many ways they function like legitimate businesses. To maximize revenue, for example, they have been responding to digital transformation by adopting mainstream strategies, such as agile development to more efficiently produce and refine their attack software, and reducing risk and exposure to increase profitability.
Knowing this, one defensive response is to make changes to people, processes, and technologies that impact the economic model of the attacker. For example, adopting new technologies and strategies such as machine learning and automation to harden the attack surface or identify threats can force criminals to shift attack methods and accelerate their own development efforts, which can be expensive, or simply go elsewhere where the cost per compromise is lower.
To address the challenges we see on the horizon, the cybersecurity community is going to have to change its usual approach to security. The most effective strategy going forward is likely to be one that hits cybercriminals directly in their pocketbook by taking aim at their economic model.
What You Can Do
Here are three strategies that show real promise for defending against tomorrow’s threats.
1. Deploy Deception
One of the most serious challenges facing security teams is the accelerating attack chain. The time between exploit and breach, for example, has dropped from days to hours and is moving toward minutes and seconds. However, the time needed to detect a breach is often measured in days and even weeks. Solving this challenge requires a twofold strategy. The first is to improve your ability to detect anomalous behaviors in your network in as close to real-time as possible. The second is to find a way to slow down attacks.
Deception is a security strategy that accomplishes that very thing. The idea is to create too many choices, most of which are dead ends, to force attackers to slow down and potentially give away their position. By generating false yet enticing traffic from a large number of databases, only one of which is real, attackers will have to evaluate each data source and potentially even chase down each option. By extending the time they need to find and retrieve data, defenders have more time to detect and respond to an attack.
But even more effective is to ensure that any dead-end option not only contains information that looks legitimate, but also includes tripwires where unexpected traffic is immediately identified and automatically triggers a response to evict criminals from the network. Multiply that efficacy across several equally enticing dead-end attack paths, and the game suddenly changes dramatically.
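The tripwire idea above can be reduced to a simple rule: decoy assets have no legitimate use, so any access to them is an alert by definition, and the alert can drive an automated eviction response. The following is an added example (not code from the article or from any vendor product) that checks constructed connection, login and file-access log lines against a constructed decoy inventory; the decoy hosts, accounts, file path and the `quarantine:<src>` response name are all assumptions for illustration.

```python
"""Decoy tripwire detection over constructed log lines (added example)."""
from dataclasses import dataclass
from typing import Dict, List

# Constructed decoy inventory (assumption): nothing legitimate ever touches these.
DECOY_HOSTS = {"10.0.9.20": "decoy-finance-db", "10.0.9.21": "decoy-hr-share"}
DECOY_ACCOUNTS = {"svc_backup_old", "admin_legacy"}
DECOY_FILES = {"//fileshare/finance/payroll_2019.xlsx"}

# Constructed sample log lines in a simple key=value format (assumption).
LOG_LINES = [
    "ts=2024-01-05T10:00:01 src=10.0.5.33 user=jdoe dst=10.0.2.10 dport=443 action=connect",
    "ts=2024-01-05T10:00:07 src=10.0.5.33 user=jdoe dst=10.0.9.20 dport=1433 action=connect",
    "ts=2024-01-05T10:00:09 src=10.0.5.33 user=jdoe dst=10.0.9.20 dport=1433 action=connect",
    "ts=2024-01-05T10:01:12 src=10.0.5.41 user=admin_legacy dst=10.0.2.50 dport=22 action=login",
    "ts=2024-01-05T10:02:30 src=10.0.5.41 user=bsmith file=//fileshare/finance/payroll_2019.xlsx action=read",
    "ts=2024-01-05T10:03:00 src=10.0.5.52 user=mlee dst=10.0.2.10 dport=443 action=connect",
]


@dataclass(frozen=True)
class Alert:
    source: str   # host that touched the decoy
    kind: str     # which class of decoy was touched: host, account or file
    decoy: str    # the decoy identifier
    response: str # automated action to trigger (hypothetical name)


def parse_event(line: str) -> Dict[str, str]:
    """Parse one 'key=value key=value ...' line into a dict."""
    fields: Dict[str, str] = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def check_tripwires(lines: List[str]) -> List[Alert]:
    """Return one alert per (source, decoy) pair seen in the log lines.

    Repeated hits on the same decoy from the same source are collapsed, so
    the response fires once rather than once per packet.
    """
    seen = set()
    alerts: List[Alert] = []
    for line in lines:
        ev = parse_event(line)
        src = ev.get("src", "unknown")
        hits = []
        if ev.get("dst") in DECOY_HOSTS:
            hits.append(("host", DECOY_HOSTS[ev["dst"]]))
        if ev.get("user") in DECOY_ACCOUNTS:
            hits.append(("account", ev["user"]))
        if ev.get("file") in DECOY_FILES:
            hits.append(("file", ev["file"]))
        for kind, decoy in hits:
            if (src, decoy) in seen:
                continue
            seen.add((src, decoy))
            alerts.append(Alert(src, kind, decoy, f"quarantine:{src}"))
    return alerts


def quarantine_list(lines: List[str]) -> List[str]:
    """Sorted, de-duplicated list of source hosts to evict from the network."""
    return sorted({a.source for a in check_tripwires(lines)})


if __name__ == "__main__":
    for alert in check_tripwires(LOG_LINES):
        print(alert)
    print("quarantine:", quarantine_list(LOG_LINES))
```

The benign first and last lines produce nothing, the two connections from 10.0.5.33 to the decoy database collapse into a single alert, and 10.0.5.41 is flagged twice (decoy account, then decoy file) but queued for quarantine once. In a real deployment the decoy inventory would be generated alongside the decoys themselves so the two never drift apart.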
2. Leverage Threat Intelligence
One of the easiest ways for a cybercriminal to maximize their investment in an existing attack solution is to simply make minor changes to their malware. Even something as basic as changing an IP address can enable malware to evade detection by many traditional security tools. The continued success of known exploits is testament to the effectiveness of this strategy.
One of the most common ways to keep up with such changes is through the active sharing of threat intelligence. New data provided by threat intelligence feeds allows security vendors and consumers to stay abreast of the latest changes in the threat landscape. It follows, therefore, that as threat intelligence becomes more detailed, the harder—and more expensive—it becomes for cybercriminals to adjust their attack tools and strategies to evade detection.
New open collaboration efforts underway between threat research organizations, security manufacturers, and even law enforcement and other government agencies are aimed at increasing the efficacy, timeliness, and sophistication of threat intelligence. Subscribing to these threat feeds and leveraging playbooks on cyber tactics helps organizations uncover higher-order patterns and processes for more effective detection. As that intelligence becomes more detailed, often through advanced analytics available only to large research teams and government agencies, it becomes more likely that entire families of malware can be detected and prevented. It is then just a short hop toward applying behavioral analytics to live data feeds to predict the future behavior of malware, forcing cybercriminals back to the drawing board.
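The two preceding passages make one concrete claim: a trivial change such as a new IP address defeats IP-only matching, while richer, family-level intelligence (domains, file hashes, the URI path a sample beacons to) keeps catching variants and raises the attacker's cost of evasion. The added example below (not code from the article or from any real feed format) makes that measurable. The feed entries, event records, family name and indicator types are all constructed assumptions; the hashes are placeholder strings, not real sample hashes.

```python
"""Matching events against a multi-indicator threat feed (added example)."""
from typing import Dict, List, Set, Tuple

Indicator = Dict[str, str]
Event = Dict[str, str]

# Constructed feed (assumption): several indicator types for one malware family.
FEED: List[Indicator] = [
    {"type": "ip",     "value": "198.51.100.23",          "family": "ExampleLoader"},
    {"type": "domain", "value": "Update-CDN.example.net.", "family": "ExampleLoader"},
    {"type": "sha256", "value": "a1" * 32,                 "family": "ExampleLoader"},
    {"type": "uri",    "value": "/api/v1/ping",            "family": "ExampleLoader"},
]

# Which event field each indicator type is compared against (assumption).
FIELD_FOR_TYPE = {"ip": "dst_ip", "domain": "dst_domain", "sha256": "file_sha256", "uri": "uri"}

# Constructed events (assumption): the original sample, two cheap variants, one benign.
EVENTS: List[Event] = [
    # e1: the sample exactly as first reported
    {"id": "e1", "dst_ip": "198.51.100.23", "dst_domain": "update-cdn.example.net",
     "file_sha256": "a1" * 32, "uri": "/api/v1/ping"},
    # e2: attacker moved the C2 to a new IP and rebuilt the binary (new hash)
    {"id": "e2", "dst_ip": "203.0.113.7", "dst_domain": "update-cdn.example.net",
     "file_sha256": "b2" * 32, "uri": "/api/v1/ping"},
    # e3: new IP, new domain, new build; only the beacon URI path was kept
    {"id": "e3", "dst_ip": "203.0.113.99", "dst_domain": "cdn-update.example.org",
     "file_sha256": "c3" * 32, "uri": "/api/v1/ping"},
    # e4: ordinary traffic that must never match
    {"id": "e4", "dst_ip": "192.0.2.10", "dst_domain": "www.example.com",
     "file_sha256": "d4" * 32, "uri": "/index.html"},
]


def normalize(kind: str, value: str) -> str:
    """Canonicalise an indicator so trivial formatting differences do not evade it."""
    v = value.strip().lower()
    if kind == "domain":
        v = v.rstrip(".")   # feeds sometimes carry a trailing dot
    return v


def build_index(feed: List[Indicator], enabled_types: Set[str]) -> Dict[Tuple[str, str], Set[str]]:
    """Map (type, normalized value) -> set of families, for the enabled types only."""
    index: Dict[Tuple[str, str], Set[str]] = {}
    for ind in feed:
        if ind["type"] not in enabled_types:
            continue
        key = (ind["type"], normalize(ind["type"], ind["value"]))
        index.setdefault(key, set()).add(ind["family"])
    return index


def match_event(event: Event, index: Dict[Tuple[str, str], Set[str]]) -> Dict[str, Set[str]]:
    """Return {indicator_type: families} for every indicator the event matches."""
    hits: Dict[str, Set[str]] = {}
    for kind, field in FIELD_FOR_TYPE.items():
        if field not in event:
            continue
        key = (kind, normalize(kind, event[field]))
        if key in index:
            hits[kind] = index[key]
    return hits


def detection_coverage(events: List[Event], feed: List[Indicator],
                       enabled_types: Set[str]) -> Tuple[int, List[str]]:
    """How many events are caught when only the given indicator types are used."""
    index = build_index(feed, enabled_types)
    caught = [e["id"] for e in events if match_event(e, index)]
    return len(caught), caught


if __name__ == "__main__":
    for types in ({"ip"}, {"ip", "sha256"}, {"ip", "domain", "sha256"}, set(FIELD_FOR_TYPE)):
        print(sorted(types), "->", detection_coverage(EVENTS, FEED, types))
```

With IP-only matching a single address change (e2) already escapes, adding hashes does not help because the rebuild changed the hash too, adding the domain recovers e2, and the URI path (a behavioural trait the attacker kept across all three variants) is what still catches e3. Each indicator type the defender adds is another thing the attacker must re-engineer, which is exactly the cost increase the text describes.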
3. Think Proactively
The final approach is to shift your security paradigm from being reactive to proactive. This starts by engineering as much risk as possible out of your current network. A good way to start is to imagine you have already been compromised and then consider what you would do differently as a result. What devices are on your network? What policies have been applied to them? Have any of them been compromised, and how would you know? Moving from an implied trust toward a zero trust model may be your best option. This will include such things as implementing multi-factor authentication, deploying network access control, and setting up segmentation and microsegmentation.
The next step is to integrate your traditionally isolated security devices into a single, integrated architecture—including those security devices deployed in remote locations or even in your multi-cloud environments. Tools that can actively see, share, and correlate threat intelligence, combined with advanced behavioral analytics, will be much more effective at identifying even the most advanced threats. As threat patterns and trends emerge, you can combine them with real-time telemetry from your networked devices to begin to anticipate and proactively stop threats before they even start.
Getting in front of the cyberthreat paradigm requires organizations to rethink their security strategies. Traditionally, the odds have been stacked against defenders since they only need to make a single mistake to be compromised, while attackers generally have the luxury to make repeated attempts before successfully achieving their target.
Rather than engaging in a perpetual arms race, however, organizations need to anticipate threats and target the economic motivations of cybercriminals in order to force them back to the drawing board. Disrupting the criminal economic model, however, can only be achieved by tightly integrating security systems into a cohesive framework that freely shares information, performs logistical and behavioral analysis to identify attack patterns, and then incorporates that intelligence into an automated system that can not only see but actually begin to anticipate criminal intent and attack vectors.