Connect with us

Hi, what are you looking for?


Network Security

Using Actionable Intelligence to Prevent Future Attacks

The More Details You Extract from Security Incidents, the Better You Can Architect Your Defense to Prevent Similar Attacks

Traditional approaches to security are typically “spray-and-pray”: they provide controls that block known bad activity, usually with limited follow-up or additional investigation after a breach.

The More Details You Extract from Security Incidents, the Better You Can Architect Your Defense to Prevent Similar Attacks

Traditional approaches to security are typically “spray-and-pray”: they provide controls that block known bad activity, usually with limited follow-up or additional investigation after a breach.

More sophisticated organizations are deploying technologies such as sandboxing that can detect and block unknown attacks which haven’t been seen before. In the moments after a breach, security teams will often focus on the event itself, but not draw additional insight from the attack, or analyze the events surrounding it.

These approaches can miss a fundamental truth of advanced attacks: they are not “point-in-time” activities, but sets of events that could occur over weeks, or potentially months or years. Advanced attackers will conduct a wide range of activity, such as in-depth recognizance, initial probes, small-scale infections to deliver second- or third-stage malware, and much more. The breach itself is the culmination of a continuous set of activities conducted over an extended period of time. Each and every step in this process, often referred to as the cyber attack lifecycle, represents another chance to detect and prevent the adversary.

Learning from Cyber Attacks

When you simply try to remediate the results of a successful attack, or block that specific activity from occurring in the future, you are missing a priceless opportunity to gain context around that incident, such as “who,” “how,” and “why.” To put it clearly: the more information you extract from these events, the better you can architect your security posture to prevent a similar event from occurring again.

Malicious actors can easily change the malware they use, but it is much harder for them to augment their tools, tactics and procedures (TTPs), which can be used to detect activity from that group in the future.

For example, let’s compare two scenarios:

1. You detect that an unknown piece of malware has infected one of your machines. You re-image that device, and ensure a signature exists for that malware in the future.

Advertisement. Scroll to continue reading.

2. You detect that unknown piece of malware and do additional research to piece together a series of events that led up until that infection. You discover that the methods used in this attack are similar to those used by a well-funded and persistent group operating out of a foreign county.

In the first scenario, you’ve fixed the immediate problem and added a rule to prevent the exact same activity from happening again. But in the second scenario you have not only fixed the immediate problem but also determined who is after you, how they operate, and what specific steps beyond deploying a signature you can take to protect your network. This kicks-off a series of intelligence-driven actions that could lead to identifying additional infected machines and backdoors that have been planted by the adversary. Applying the intelligence you’ve obtained, you can look for the specific RATs used by the group, or a set of indicators you would not have known to look for before.

You are also making more efficient use of the limited time your security team has to spend on analyzing events. For instance, a low-level cyber-crime group would require a vastly different response than state-sponsored cyber-espionage, as the sophistication levels will vary greatly between the two and your security team knows what to prioritize.

The good thing is you are not alone in this battle. There are a variety of public sources, information sharing organizations, vendor research releases, and analytics services to help boot-strap your adversary intelligence. The more information you gain and the better you get at analyzing it, the more you can craft your security policy to prevent the specific adversaries that are likely to go after your organizations. When a breach occurs, take it as an opportunity to step back and examine the wider context of who is attempting to breach your network and what you can do to prevent it in the future.

Written By

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.