When it comes to the threat posed by cybercriminals, we don’t have a malware problem – we have an adversary problem. The adversary is smart and cunning, knows your vulnerabilities, and will continue to exploit them in a variety of innovative ways. They are pernicious and show no signs of slowing down. In the first part of 2018 alone, there were 4.5 billion data breaches, according to digital security firm Gemalto.
One of the main reasons this is happening with such increased volume and with such velocity is because cyberattacks are a great equalizer for disempowered groups, says former Deputy Director of the Federal Bureau of Investigation (FBI) and current Chairman of the Board of Directors for Thomson Reuters Special Services (TRSS), Tim Murphy. Terrorists, nation-state actors and run-of-the-mill criminals are intent on compromising and extracting data for political, economic and national security advantages.
Murphy warns that to fight cybercrime, both private industry and government need to better understand the adversary through the use of cyberthreat intelligence. Organizations need to understand what tools the cybercriminals are using, and what bullets they could use to strike at the organization. To at least begin mitigating this risk, he says, organizations need to know how to use cyberthreat intelligence, identify their own vulnerabilities and share what they’ve learned about the cybercriminals to better arm the fight against them.
Deploying Cyberthreat Intelligence
Cyberthreat intelligence is a tried-and-true method of intel gathering about criminal actors. Instead of playing defense, analysts proactively learn by studying the cybercriminals’ patterns and providing detailed analysis back to the organizations.
Cyberattacks do not come in one shape or size — ransomware, security breaches and advanced, persistent attacks are just a few of the threats. Previous efforts at fighting cyberattacks focused more on tactical strategies, but that became a game of virtual whack-a-mole, leaving organizations often in a defensive posture, Murphy says. Sure, you can put up a firewall to protect your email systems but then, bad actors would still get in because there are numerous other vulnerabilities.
Cyber-intel companies have been able to share “indicators of compromise,” or signature actions by criminals, throughout the industry to understand the technology cybercriminals use and try to shut down bad actors before they get in. “Intelligence is much more than that though,” Murphy explains. “You want to know your adversary.”
Governments and the private sector haven’t taken enough time to understand crucial details such as:
- Who would want to attack our business?
- Who are the attackers? Criminal networks? Nation-state actors?
- How can I best protect my organization with a faster, more targeted response and better resource allocation?
Once you understand your adversary and their intention in attacking you, then you can make better informed decisions to mitigate the risk. Until you know that, “simply putting up a firewall to stop anomalous activity is not going to protect you in today’s environment,” Murphy says.
Filling Intelligence & Vulnerability Gaps
Analysis requires studying the actors, their intent and capabilities, and combining that with tactics, techniques and procedures. While this sounds intimidating, Murphy believes that organizations should first start with the intelligence gap by finding out what they don’t know. “You can’t make all of these decisions without the intel up front and understanding the adversary and understanding their approach,” Murphy says. Then they can move on to more sophisticated, high-end intel gathering such as creating a “honey pot” or “tar pit,” where analysts create an attractive target within the organization, allow the adversary inside and watch their behavior.
The good news is that your organization doesn’t need to reinvent the wheel or do this alone. Many companies in 2018, such as financial institutions, spent between $1,300 and $3,000 on cybersecurity per full-time or equivalent employee, or up to 14% of their budget, according to a Deloitte survey. This money is well spent, however. While your organization can create intel teams in-house, there is no shortage of intel companies ready to do the hard work for you. They can provide detailed analysis reports, so your business can form an overall picture to inform decisions, guide your responses or provide timely warnings across industry and government.
Murphy mentions how a number of companies use a sophisticated and intimidating-sounding eight-step process known as the “Cyber Kill Chain” methodology. Piggybacking off a military model, it is a series of steps that trace the stages of a cyberattack, from early reconnaissance to the exfiltration of data, regardless of whether it is an inside or outside threat.
The Value of Sharing Intel
The goal of comprehensively assessing the threat is to create a faster, more targeted approach for companies and governments alike to align their resources and put the right people in place to stop cyberbreaches. Wrong intel or the wrong person interpreting the data can lead to an incorrect or improper response.
Conversely, clarity of communication and having the right people interpreting the data are key. Bad intel, poor interpretation and poor results waste vital resources.
And once your company has done all of the above and stopped the worst attack in your organization’s history, you also need to share this with your peers, across industries and with the public sector. Silence on successfully stymieing cybercrime will allow that action to continue; and that is what criminals count on when committing these offenses.
That’s why Murphy doesn’t find this all terribly complicated. He describes himself as an “eternal optimist” when it comes to the future of cybersecurity, noting that the formula for success is simple. You learn about the cyberthreat, you find out who the actors are, you learn their approach and you share it across industries. That way, the successful methods to fight these threats can be known, can spread, grow and scale. Ultimately, this coordinated action will cast a net of protection that covers our infrastructure, financial markets and government, protecting everyone from a local corner grocery store to our national election systems.
“I’m encouraged by the level of information-sharing when it comes to the intel in the cyberthreat space,” Murphy says. “We do need to accelerate it, but overall we’ve been able to stop some pretty major cyberattacks at companies and the government itself by this intel function of information-sharing across the board.”