Securosis

Research

The CISO’s Guide to Advanced Attackers: Evolving the Security Program

The tactics we have described so far are very useful for detecting and disrupting advanced attackers – even if used only in one-off situations. But you can and should establish a more structured and repeatable process – especially if you expect to be an ongoing target of advanced attackers. So you need to evolve your existing security program, including incident response capabilities. But what exactly does that mean? It means you need to factor in the tactics you will see from advanced attackers and increase the sophistication of your intelligence gathering, active controls, and incident response. Change is hard – we get that. Unless you have just had a recent breach – then it’s easy. At that point instead of budget pressures you get a mandate to fix it no matter the cost, and you will face little resistance to changing process to ensure success with the next response. Even without a breach as catalyst you can make these kinds of changes, but you will need some budgetary kung fu with strategic use of recent high-profile attacks to make your point. But even leveraging a breach doesn’t necessarily result in sustainable change, regardless of how much money you throw at the problem. Evolving these processes involves not only figuring out what to do now, or even in the future. Those are short term band-aids. Success requires empowering your folks to rise to the challenge of advanced attackers. Pile more work on to make sure they can accept their additional responsibilities, and recognize them for stepping up. This provides an opportunity for some managers to take on more important responsibilities and ensures everyone is on the hook to get something done. Just updating processes and printing out new workflows won’t change much unless there are adequate resources and clear accountability in place to ensure change takes place. Identify Gaps Start evolving your program by identifying gaps in the status quo. That’s easiest when you are cleaning up a breach because it is usually pretty obvious what worked, what doesn’t, and what needs to change. Without a breach you can use periodic risk assessment or penetration testing to pinpoint issues. But regardless of the details of your gaps or how you find them, it is essential that you (as senior security professional) drive process changes to address those gaps. Accountability starts and ends with the senior security professional, with or without the CISO title. Be candid about what went wrong and right with senior management and your team, and couch the discussion in terms of improving your overall capability to defend against advanced attackers. Intelligence Gathering The next aspect of detecting advanced attackers is building an intelligence gathering program to provide perspective on what is happening out there. Benefit from the misfortune of others, remember? Larger organizations tend to formalize an intelligence group, while smaller entities need to add intelligence gathering and analysis to the task lists of existing staff. Of all the things that could land on a security professional, needing to do intelligence research isn’t a bad extra responsibility. It provides exposure to cutting-edge attacks and makes a difference in your defenses. That’s how you should sell it. Once you determine organizational structure and accountability for intelligence you ll need to focus on integration points with the rest of your active (defensive) and passive (monitoring) controls. Is the intelligence you receive formatted to integrate directly into your firewall, IPS, and WAF? What about integration with your SIEM or forensics tools? Don’t forget about analyzing malware – isolating and searching for malware indicators is key to detecting advanced attackers. Understand that more sophisticated and mature environments should push beyond just searching for technical indicators of compromise. Mature intelligence processes include proactive intelligence gathering about potential and active adversaries, as we described earlier. If you don’t have those capabilities internally which of your service providers can offer it, and how can you use it? Finally you will need to determine your stance on information sharing. We are big fans of sharing what you see with folks like you (same industry, similar company size, geographical neighbors, etc.) to learn from each other. The key to information sharing networks (aside from trust) is reducing the signal-to-noise ratio – it is easy for active networks to generate lots of chatter that isn’t relevant to you. As with figuring out integration points, you need accountability and structure for collecting and using information from sharing networks. Tracking Innovation Another aspect of dealing with advanced attackers is tracking industry innovation on how to manage them. We have done considerable research into evolving endpoint controls, network-based advanced malware detection, and the application of intelligence (Early Warning, Network-based Threat Intelligence, Email-based Threat Intelligence) to understand how these technologies can help. But all those technologies together cannot provide the sustainable change you need. So who in your organization will be responsible for evaluating new technologies? How often? You might not have budget to buy all the latest and greatest shiny objects to hit the market – but you still need to know what’s out there, and you might need to find the money to buy something that solves a sufficiently serious problem. We have seen organizations assemble a new technology task force, comprised of promising individual contributors within each of the key security disciplines. These folks monitor their areas of expertise, meet with innovative start-ups and other companies, go to security conferences, and leverage research services to evaluate new technologies. At periodic meetings they present what they find. Not just what the shiny object does but also it could would change what the organization does, and why that would be better. This shows not just whether they can parrot back what a vendor tells them, but how well they can apply that capability to existing control sets. Evolving DFIR As we have discussed throughout this series, a key aspect of detecting advanced attackers is digital forensics and incident response (DFIR). First you need to ensure responders have an adequate tools to determine what happened and analyze attacks. So you need to revisit your data collection infrastructure, and

Share:
Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.