In this week's blog post, we're sharing insights from our latest interview with Alex Tarter, CTO and Chief Cyber Consultant of Thales UK and director of TurgenSec, an innovative London-based InfoSec startup. TurgenSec made a bit of a splash in the information security space with responsible disclosures involving Virgin Media, the Gates Foundation, many law firms and, most recently, the Philippine government. Our topic for today is information security strategy and the concepts around it.
Enabling A Robust Threat Intelligence Strategy
Threat intelligence has become more important than ever, and companies should focus on enabling a robust threat intelligence strategy. Cyber risk is one of the biggest risks sitting on any board's agenda nowadays, largely because so much of a company's business has been automated in some way, shape or form. It relies on computers, and it is all very connected. As we saw recently with the Colonial Pipeline incident, any impact to your business systems, even a small one, will affect your entire operation. Accordingly, large industrial companies have suffered significant impacts from cyber incidents.
The first thing any company needs to understand is that it must think several steps ahead rather than only responding after a cyber security incident occurs. They need to ask themselves whether their systems provide solid protection against cyber threats, how somebody could attack them and, if they do, what could go wrong. So companies must understand the mindset of the attacker. Understanding how people are going to come after you, and how cyber incidents are going to occur, is a big part of threat intelligence. This allows you to decide where to deploy your resources and work out how best to deploy your defenses to mitigate the most obvious, most likely risks and impacts, those that could cause a catastrophic business continuity issue.
Misconceptions About Threat Intelligence
One of the biggest misconceptions is failing to separate the different types of threat intelligence and treating them as the same thing. One of these types is strategic threat intelligence, which is essentially an understanding of the threat landscape from a broad perspective, such as the nation-state threat actors in play or how a whole industry is being attacked. This is very high-level intelligence, and it won't change much more often than once a quarter or every six months, at which point it needs to be reconsidered. Another type is tactical threat intelligence, which is about understanding your specific sector, potentially down to your type of company, and how you are being targeted. This one is, by comparison, quite personalised, although it may also apply to other businesses similar to yours. There is also operational threat intelligence, which is all about the signatures, the IP addresses and so on, essentially what we call indicators of compromise.
Another big misconception is not being proactive when it comes to your threat strategy. Reacting to a variety of threat indicators, for example blocking an attack, is only one aspect of the threat strategy as a whole, because you are only reacting to threats once they arise. Being tactical and using your defenses proactively to prevent a potential attack, rather than relying solely on indicators of compromise and operating reactively, plays a big role.
Becoming Proactive on Your Threat Strategy
For companies to start becoming proactive, one of the first things they should focus on is gathering plenty of strategic and tactical threat intelligence. There is a great deal of open source intelligence out there: cyber security websites, groups and published analyses from which you can download or get hold of material, and these are just a few examples of a broad network of intelligence. The next step is understanding the threat intelligence you've gathered, how an attacker might attack you and what you are presenting to the attacker. If an attacker wants to target your business, they are first going to look at your business and find out where you are weak, rather than attempting to brute-force their way through where you are most heavily guarded. They are going to find a back door in your infrastructure that you are not paying much attention to. This covers every part of your infrastructure; for example, it could be a legacy VPN connection. In that sense, you need to look at everything, see what attack surfaces you might have and take precautions to strengthen those areas.
Another aspect that can help with becoming proactive is the use of AI and machine learning. Good cyber security and threat intelligence require both human collaboration and new technologies. Given that machine learning is one of the key trends, you should be including it in some way, shape or form in your business functions. However, there is a tendency to try to use machine learning to solve every single problem, because there are not enough cyber security experts to meet the demand businesses have. Even though machine learning is particularly good at detecting slight variations in a data pattern that the human eye might miss, it is not that good at understanding context, or what a particular signal it detected actually means. This also puts pressure on the experts and the company to figure out which problem to tackle first when they are looking at hundreds or even thousands of results. Nevertheless, combining machine and human still produces the best approach for ensuring things are not overlooked and for knowing what to prioritise. Using machine learning to generate signals that find the important needles in the haystack, and then passing them to a human analyst to actually examine and evaluate them and provide context, is currently the best strategy.
Keep an Eye Out On Forgotten Areas
A vast number of company assets are exposed to the internet. Typically, a medium to large enterprise has anywhere from 500 to 500,000 internet-facing connection points or assets. Some of those, such as the company website, obviously need to be exposed, but there are also things such as email or VPN connections that might be exposed, leaving you with an attack surface. In most instances, a company has a good handle on one third to two thirds of its exposed attack surface. The result is that the company only takes proactive steps in that one area, falling into the routine of protecting those assets because that is what they are used to and what is at the front of their mind.
However, rather than following the same routine each day, companies should look at their infrastructure from another perspective and figure out what they are not paying attention to. These are probably going to be legacy systems that are no longer used and have been forgotten about, or systems somebody else connected up to fulfil a business function without authorization from the CSO.
Another example is orphaned assets, which at some point were created by the marketing team for a campaign and then never taken down after their purpose was fulfilled. As a result, you end up with all this digital detritus sitting out there. For good cyber hygiene, start asking yourself what you do not know about or are not paying attention to, so that you become proactive about the remaining part of your infrastructure.
It is also important to remember that we live in a hyper-connected world, where a business typically does not have complete control over all of its data or its customer data, because it is shared with third parties. This is a risk discipline also handled within vendor (or third-party) risk management. A lot of data is shared across the supply chain, and some of it will be critical. If a third party suffers a breach or data loss, that may also put you in a cyber security problem. In that sense, you should take care of the data you already hold before handing it over to a third party, and consider whether a breach in their systems could put you or your clients under threat as well. That is especially the case for GDPR-related information.
Risk Management of Complex Cyber Systems
Risk management, especially when it comes to handling a cyber attack, is not only about looking for vulnerabilities. A cyber system is very complex, but risk management experts are already used to complexity because of what their responsibilities entail, especially in old-school information assurance risk management. The idea behind component-based risk assessment is to take any system, divide it into individual assets and then assess the impact of a loss of confidentiality, integrity or availability for each one. This helps you identify the potential risks. What we tend to lose in that analysis are the interdependencies and emergent properties of any large, complex system. If you divide the system up and forget that its parts inter-operate, you may overlook data flows, which can lead to unforeseen impacts.
For example, a loss of information in one component might not be a big issue for the primary system, but a tertiary or fourth party down the line might rely on it to perform a function, and you may not know about it. Typically, systems have been built up with such complexity that it is almost impossible to fully understand them. In that sense, risk experts need to do a better job of augmenting their existing risk assessment methodologies, moving from purely component-based analysis towards looking at system-based interdependencies within critical infrastructure.
You also need to look for systemic weaknesses: the ways you have architected a system, where you have handed your data off, the interdependencies on that data, and how larger system requirements come into play. This gives you a better understanding of the impactful events that you almost never see if you just divide the system up and look at individual assets in isolation.
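As an added illustration of this point (example code, not from the interview), a toy Python model in which each asset carries a component-level impact score and a dependency map; propagating a loss through transitive dependents shows which assets the component-only view underestimates. All asset names, scores and dependencies are constructed.

```python
# Added example: why component-based risk scores can underestimate impact in
# an interdependent system. Asset names, scores and edges are constructed.
from collections import deque

# Impact of losing availability of each asset, 1 (low) to 5 (critical),
# as a component-based assessment would record it in isolation.
ASSET_IMPACT = {
    "legacy_vpn": 1,
    "file_share": 2,
    "supplier_portal": 2,
    "order_system": 5,
    "payroll": 4,
}

# "A depends on B": DEPENDS_ON[A] lists the assets A needs to function.
DEPENDS_ON = {
    "supplier_portal": ["legacy_vpn"],
    "order_system": ["supplier_portal"],
    "payroll": ["file_share"],
}

def dependents_of(asset):
    """Invert the dependency map: which assets break if `asset` is lost?"""
    return [a for a, deps in DEPENDS_ON.items() if asset in deps]

def systemic_impact(asset):
    """Impact of losing `asset`, propagated through all transitive dependents.
    Returns (score, affected): the worst impact of anything that stops working."""
    score = ASSET_IMPACT[asset]
    affected = []
    queue = deque([asset])
    seen = {asset}
    while queue:  # breadth-first walk over the dependents graph
        current = queue.popleft()
        for dep in dependents_of(current):
            if dep not in seen:
                seen.add(dep)
                affected.append(dep)
                score = max(score, ASSET_IMPACT[dep])
                queue.append(dep)
    return score, affected

def underestimated_assets():
    """Assets whose component score is lower than their systemic score."""
    return sorted(a for a in ASSET_IMPACT
                  if systemic_impact(a)[0] > ASSET_IMPACT[a])

if __name__ == "__main__":
    for a in ASSET_IMPACT:
        print(a, ASSET_IMPACT[a], *systemic_impact(a))
```

Here the legacy VPN scores 1 on its own but 5 once the order system's dependency chain is followed, which is exactly the kind of impact a per-asset assessment never surfaces.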
For now, this sums up the key points of our interview. As the Global Risk Community team, we once again thank Alex Tarter for his insight on the information security space and threat intelligence. More information about this topic is available in our original interview, which is accessible here.
#risk #cybersecurity #intelligence #threat #strategy #management