The number of cyber crimes committed within the United States has grown steadily over a long period, with only minor deviations, as seen in the figure below. Organizations must understand which threats they face and how to mitigate the risks associated with them.
[Figure: cyber crime complaint statistics, courtesy of IC3.org]
Although the graphic reveals startling statistics, the real question is what organizations can do to mitigate these attacks while protecting their critical information systems from unauthorized intruders.
“Prevention is ideal but detection is a must.” Even the most protected network only appears impenetrable when it is unaware that it has already been breached. Although attacks share some common characteristics, every attack is unique. With the advent of emerging technologies such as the Internet of Things, organizations can’t afford to become complacent with static security infrastructure methodologies. The need to adapt to new and emerging threats drives continual change in IT security policy. It’s a never-ending cycle that requires full cooperation between departments: business units and security teams have to join forces and be well aligned in both policy and enforcement.
“Offense Informs Defense.” To defeat the enemy, one must think like the enemy. By observing actual attacks, network defenders can articulate better defenses grounded in practical systems design. Security controls should address current attack vectors so that they stop real-world attacks.
These philosophies are at the forefront of any good threat management program and are vital to its success. The modern threat landscape is evolving, and keeping up with rapid change in technology is difficult at best, which gives the advantage to attackers, who are fully aware of this fact. An attacker needs only one successful exploit, but network defenders have to stop every attack. The odds are overwhelmingly stacked against network defenders, which is why it’s crucial for administrators to implement sound policies.
Any good threat management program will consist of at least the following five attributes:
- Ability to manage all alerts
- Having a holistic view of all network conditions
- Reduced or eliminated false positives
- Fully integrated Security Operations Center
- Validated remediation activities
The threat landscape is vast and ever changing. Your organization should have a multi-tier approach to responding to any type of threat activity. With a unified management console such as a Security Incident and Event Management (SIEM) system, organizations will be better equipped to improve incident response times through increased situational awareness.
The basic premise of Critical Security Control models is that they recommend sets of defensive actions against cyber attacks, providing specific and actionable methods for stopping today’s most ubiquitous and perilous attacks. The goal of security controls is to help organizations prioritize defensive activity so that the smallest number of actions yields the largest pay-off. In addition, because of the dynamic nature of today’s attacks, it is not a good idea to rely solely on a checklist of defense strategies. Checklists are static, meaning they don’t lend themselves well to evolving, advanced threats that are in constant flux.
For example, consider an organization whose defense strategy checklist requires all employees to adhere to a specific password policy: passwords must be a minimum of 10 characters, with at least one special character, one number, and both upper- and lower-case letters. Through social engineering, a persuasive attacker can glean that seemingly harmless but critical bit of information from an unwitting employee, which expedites subsequent brute-force password attacks. Checklists tend to instill complacency and therefore should not be relied upon wholly, but rather used alongside other defense mechanisms.
Knowledge of successful breaches fuels attackers’ offenses; therefore, “offense informs defense” is a key factor in judging the value of different defensive approaches. Due to budgetary limitations, you may not be able to perform every action required to stop or prevent intrusions; as a result, your cyber defenses will be better served by effective prioritization. Where to begin is a question easily answered by asking what the attacker is doing. Through research, your organization can determine which specific attack vectors are in use today and the motivations behind those tactics. This will help you develop policy through prioritization.
Preparedness is critical: your organization must continuously analyze attack data from leading IT security vendors’ threat reports. This helps ensure that your organization’s security controls align with the most prevalent threats of today and tomorrow, which ultimately improves your organization’s security posture.
The Community Attack Model is based upon the principles of community policing, where everyone gets involved in sharing information. It is a model built upon cooperation among the various business entities within an organization. This includes gathering and distributing real-life attack events that have been turned into an easily understandable defensive action plan with reliable mappings to remedial references.
A useful list of essential attributes for any security model includes:
- Open and negotiable
- Low cost (preferably community shared)
- Continuous validated defense updates
- Easily translatable attack-to-action controls
Keep in mind that this list is not comprehensive in any way but should be viewed as a guideline to aid organizations in formulating more specific, goal-based policies with prioritization in mind.
Threats that originate from the Internet are a reality, and the number of attacks continues to grow every year. Knowing that, organizations can’t sit idly by in a state of complacency; instead, they need to develop practical strategies that prevent attacks. Community policing demonstrates best practices in combating external and internal threats alike once interdepartmental communication channels are established.
Device inventory is a good starting place before security measures are put in place and network defenses are appropriated. No amount of preparation or money thrown at security can deflect the absolute failure that will result from a workforce that hasn’t been properly retooled. The weakest element in any supposedly impenetrable network defense is the human factor. Beyond the technical aspects of defense-in-depth strategies, the human factor plays the biggest role in attack mitigation. “You Are the Firewall” is a key concept that helps engage employees in becoming part of the solution instead of part of the problem. With these key concepts in mind, your organization will be on the path to a more secure and better defended network.
FBI. (2016, November 23). Internet Crime Complaint Center. Retrieved from IC3.gov: https://www.ic3.gov/default.aspx
Kelley, D. (2012, October). Five tips to improve a threat and vulnerability management program. Retrieved from TechTarget: http://searchsecurity.techtarget.com/tip/Five-tips-to-improve-a-threat-and-vulnerability-management-program
Milea, D. (2013, November 29). Prevention is Ideal, but Detection is a Must. Retrieved from Medium: https://medium.com/@demetriom/prevention-is-ideal-but-detection-is-a-must-13bcdc8e4ab9#.ab6xmh58m
Center for Internet Security. (2015). The CIS Critical Security Controls for Effective Cyber Defense. CIS Critical Security Controls, 1-98.