Chief technologist at CyberRes, a Micro Focus line of business, and emerging tech enthusiast who enables growth through digital strategy
As new technologies emerge and threats become increasingly complex and unpredictable, senior security executives recognize the need to merge security functions throughout the entire enterprise. Gone are the days when security was managed in silos, including application security; platform hardening; perimeter security; data privacy and protection; and identity and access management, among others.
Many rightly argue that we need an approach that involves people, processes and technology. We must integrate these pillars into a system of insights to better view cyber performance, risk exposure and countermeasures and secure the business. Failure to adopt a unified approach to cybersecurity and resilience can result in catastrophic consequences.
Typical cybersecurity incidents involve the malicious loss of information confidentiality, integrity or availability by means of manipulation, disruption, theft and espionage. These incidents can result in lost productivity of business and technology staff, unavailability of critical business functions, breach of contractual and service level agreements, disclosure of trade secrets, loss of reputation, third-party damage and exposure to claims of negligent care versus contributory negligence. The business interruption risk is far larger than organizations typically believe it is, because their understanding of risk is convoluted.
Business interruption risk refers to the revenues at risk when an organization is not performing the business function beyond the maximum acceptable outage. The elements that make up this risk are quantitative — including technology recovery cost, lost customer revenues and loss of productivity and operations — as well as qualitative, involving legal/statutory and brand damage.
Taxonomy Of Attackers
While we can estimate the observable components with a high degree of confidence, estimating the hidden costs is overly complex. For example, while we can estimate the cost of recovering 5,000 laptops from a computer virus and the operational impact of their downtime, it is impossible to calculate the loss when an adversary breaks into a production system and steals customer, operational or intellectual property data. Furthermore, the longer the adversaries have stayed hidden and manipulated data, the harder it becomes to assess the impact of the incident.
Understanding the adversaries is an important exercise for the assessment. The offenders may come from varying backgrounds. They may be script kiddies, as in the case of the Lapsus$ hacking group; leisure hackers; underground specialists, such as Anonymous; insiders, such as the theft of trade secrets by Elliott Greenleaf employees to gain an advantage; competitors; organized crime; and government agencies.
Their motives are varied and include joyriding, vandalism, scorekeeping, frustration, profit, espionage and even demonstrating their skills, whether basic techniques or material expert knowledge. Finally, let’s not forget plain foolishness, carelessness, negligence and accidents.
Recent experience and articles indicate that most security incidents come from areas where we have no obvious signs of origin, and we shouldn't expect collaboration from governmental agencies to catch the adversaries. As attacks become increasingly intelligent, catching the invisible adversaries is almost impossible. However, an organization should be able to identify and contain such attacks by defining and understanding the indicators of an attack and building a complete cybersecurity program.
Indicators For Invisible Incidents
How do you know when "it" happens? To begin, look for the typical indicators, such as high system loads, an unusual amount of network traffic, unexpected slowdowns of systems or connections, unusual system messages or log entries, and services or applications that abort or fail to start.
Then look for more ambiguous indicators. These may include requests from employees that are valid but originate from remote locations or outside business hours. Others may include unusual activity by users or systems, such as data movement and downloads. More sophisticated ones may include hiding traffic and malicious requests inside normal system messages, such as DNS queries, so that they look like ordinary traffic.
Things that produce more definite indications of incidents include security monitoring of critical systems and applications, restricted data and important services, traffic in sensitive networks and administrative activities. When you have exhausted all your security expertise, employ intuition and extend that to the greater ecosystem. Security incidents may also be reported by way of employee observations, notices from customers or business partners and third-party warnings by security organizations or vendors.
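As an added illustration of the ambiguous indicators described above (example code, not part of the original article), two small detectors run over constructed log lines: one flags successful logins that are valid but arrive outside business hours or from a country the user has not used before, the other flags DNS query names whose leftmost label is long and random-looking, the shape that data smuggled inside DNS traffic tends to have. The log formats, business hours, per-user baselines and thresholds are assumptions.

```python
import math
from collections import Counter

# Constructed auth log, assumed format "timestamp user src_country event".
AUTH_LOG = [
    "2024-03-04T09:12:00 alice US login_ok",
    "2024-03-04T13:40:00 bob US login_ok",
    "2024-03-04T02:55:00 alice US login_ok",  # valid credentials, 02:55 local
    "2024-03-05T10:05:00 bob RO login_ok",    # valid credentials, new country
]
# Constructed DNS query log, assumed format "timestamp client qname".
DNS_LOG = [
    "2024-03-04T09:00:01 10.0.0.5 www.example.com",
    "2024-03-04T09:00:02 10.0.0.5 mail.example.com",
    "2024-03-04T09:00:03 10.0.0.7 a8f3k2q9z1m4x7c0b5n6v2l8p3r9t1y4.d.example.net",
    "2024-03-04T09:00:04 10.0.0.7 q7w2e9r4t6y1u3i8o5p0a2s4d6f8g1h3.d.example.net",
]
BUSINESS_HOURS = range(8, 19)                  # assumption: 08:00-18:59 local
HOME_COUNTRIES = {"alice": "US", "bob": "US"}  # assumption: per-user baseline

def shannon_entropy(s: str) -> float:
    """Bits per character: random-looking labels score high, words score low."""
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def off_hours_or_remote_logins(lines):
    """Successful logins that are valid but arrive at odd times or places."""
    hits = []
    for line in lines:
        ts, user, country, event = line.split()
        if event != "login_ok":
            continue
        if int(ts[11:13]) not in BUSINESS_HOURS:
            hits.append((ts, user, "outside business hours"))
        elif country != HOME_COUNTRIES.get(user):
            hits.append((ts, user, f"unusual location {country}"))
    return hits

def suspicious_dns_queries(lines, max_label=30, min_entropy=3.5):
    """Queries whose leftmost label is both long and high-entropy, a pattern
    consistent with data hidden inside otherwise normal-looking DNS traffic."""
    hits = []
    for line in lines:
        _ts, client, qname = line.split()
        label = qname.split(".")[0]
        if len(label) > max_label and shannon_entropy(label) > min_entropy:
            hits.append((client, qname))
    return hits
```

Both heuristics produce candidates for a human to triage, not verdicts; the baselines and thresholds need tuning against the organization's own normal traffic.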
The Time For Hybrid Security Operations Centers (HSOC)
The multifaceted threat landscape requires a new SOC. Building a robust SOC requires resources, continuous upskilling and technology investments, and that has proven to be a challenging task for many organizations. This SOC must be defined and developed based on the resilience strategy against advanced threats set by the organization. No two organizations will ever have the same SOC solution.
The HSOC model provides the right balance between cost and effectiveness based on the organization's profile. The HSOC leverages the cybersecurity capabilities and functions of an organization in-house, together with specialty cybersecurity teams of third-party vendors and/or a managed security service provider (MSSP), to develop a virtual and unified SOC. Within the hybrid SOC, the functions of the SOC are distributed across the involved parties based on their skills and expertise under the baton of the CISO of the organization.
Maintaining core capabilities in-house and outsourcing others to third-party vendors allows you to build an effective model that suits your needs. The benefits include extended coverage, beyond business hours and across out-of-band systems. Many third parties and MSSPs collect, triage and curate data from multiple vendors and apply it according to the organizational, business and technology requirements. They offer extended or other supplementary detection and response technologies, as well as intelligence, which are usually very pricey to develop and adopt if done independently by the organization.
An HSOC will only be as successful as its metrics. This means ensuring that the appropriate KPIs and SLAs are set by the organization and reported by the CISO. Finally, it is important to establish appropriate governance, with roles, responsibilities and accountability defined to the highest detail.
Spiros Liolis, chief technologist at CyberRes, a Micro Focus line of business, and emerging tech enthusiast who enables growth through digital strategy.