The Top 20 Cyberattacks on Industrial Control Systems (Muhammad FAHAD)
Executive Summary
No industrial operation is free of risk, and different industrial enterprises may legitimately have different "appetites" for certain types of risk. Evaluating cyber risk in industrial control system (ICS) networks is difficult, given their complex nature. For example, an evaluation can consider (explicitly or implicitly) up to hundreds of millions of branches of a complex attack tree modelling the interaction of cyberattacks with cyber, physical, safety and protection equipment and processes. This paper was written to assist cyber professionals in understanding and communicating the results of such risk assessments to non-technical business decision-makers.
This paper proposes that cyber risk be communicated as a Design Basis Threat (DBT) line drawn through a representative "Top 20" set of cyberattacks spread across a spectrum of attack sophistication. These Top 20 attacks have been selected to represent cyber threats to industrial sites across a wide range of circumstances, consequences and sophistication. Many industrial cyber risk practitioners will find the list useful as-is, while expert practitioners may choose to adapt the list to their more detailed understanding of their own sites' circumstances.
Network security is a dynamic art, with dangers appearing as fast as black hats can exploit vulnerabilities. While there are basic "golden rules" which can make life difficult for the bad guys, it remains a challenge to keep networks secure. John Chambers, Executive Chairman of Cisco, famously said "there are two types of companies: those that have been hacked, and those who don't know they have been hacked". The question for most organizations isn't if they're going to be breached, but how quickly they can isolate and mitigate the threat. In this paper, we'll examine best practices for effective cybersecurity, from both a proactive (access hardening) and reactive (threat isolation and mitigation) perspective. We'll address how network automation can help minimize cyberattacks by closing vulnerability gaps and how it can improve incident response times in the event of a cyberthreat. Finally, we'll lay out a vision for continuous network security, exploring how machine-to-machine automation may deliver an auto-securing and self-healing network.
Go to www.esgjrconsultinginc.com
Insight Brief: Security Analytics to Identify the 12 Indicators of Compromise (21CT Inc.)
In this security insight brief, 21CT researchers look at the malicious network behaviors that concern organizations the most, and at how to use security analytics to find them before damage is done. Understanding these 12 indicators of compromise is critical to identifying a network breach.
CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Cyber-attac... (Muhammad FAHAD)
Dragos, Inc. was notified by the Slovak anti-virus firm ESET of ICS-tailored malware on June 8th, 2017. The Dragos team was able to use this notification to find samples of the malware, identify new functionality and impact scenarios, and confirm that this was the malware employed in the December 17th, 2016 cyber-attack on the Kiev, Ukraine transmission substation which resulted in an impact on electric grid operations. This report serves as an industry report to inform the electric sector and security community of the potential implications of this malware and to provide the details needed for a nuanced discussion.
Despite the amazing technologies available today in cybersecurity, organizations still struggle with the most fundamental challenge that has been around for decades: understanding all the devices, users, and cloud services they’re responsible for, and whether those assets are secure.
These slides, based on the webinar hosted by leading IT research firm EMA and Axonius, explain why solving asset management for cybersecurity is becoming increasingly important, and why something so fundamental has quickly risen to the top of CISOs' priority lists.
Cyber Training: Developing the Next Generation of Cyber Analysts (Booz Allen Hamilton)
Part of the solution involves identifying and recruiting top thinkers into the field of cybersecurity, but the more immediate challenge is ensuring that cyber professionals have access to the training and information they need to keep their cyber intelligence analysis skills relevant and effective. Due to the rapidly evolving nature of the threat, education and training must be continuous, and this document focuses on strategies and best practices for developing a cyber force that maintains America’s position as a global leader in the information age.
The Next Generation Cognitive Security Operations Center: Network Flow Forens... (Konstantinos Demertzis)
A Security Operations Center (SOC) can be defined as an organised, highly skilled team that uses advanced computer forensics tools to prevent, detect and respond to an organisation's cybersecurity incidents. An effective SOC depends on the ability to examine and analyse a vast number of data flows and to correlate them with other types of events from a cybersecurity perspective. Monitoring and classifying network flows is essential not only for scheduling, managing and regulating the network's services, but also for identifying attacks and for the forensic investigations that follow. A serious drawback of the traditional software used today for network monitoring, and in particular for classifying encrypted or obfuscated traffic, which requires reconstructing the packets of sophisticated underlying protocols, is its demand for computational resources. A further significant weakness of these packages is that they produce high false-positive rates because they lack accurate predictive mechanisms.
For these reasons, traditional software in most cases fails completely to recognise unknown vulnerabilities and zero-day exploits. This paper proposes a novel intelligence-driven Network Flow Forensics Framework (NF3), with low demands on computing power and resources, for a Next Generation Cognitive Computing SOC (NGC2SOC) that relies solely on advanced, fully automated intelligence methods. It is an effective and accurate ensemble machine learning forensics tool for network traffic analysis, demystification of malware traffic and encrypted traffic identification.
100+ Cyber Security Interview Questions and Answers in 2022 (Temok IT Services)
Top 100 Cyber Security Interview Questions and Answers in 2022. According to the IBM report, data breaches cost the businesses measured $4.24 million per incident on average, the highest figure in the report's 17-year history. At the same time, demand for cyber security professionals has outstripped supply and created exciting job opportunities.
Webinar: Get Ready to Detect, Respond & Recover from a Cyber Attack (Aujas)
It is a given that you will be hacked, irrespective of your level of cyber security. Learn how you can detect, respond to and recover from cyber attacks, quicker.
Key Content:
1. The threat landscape and how existing monitoring and response capabilities are ineffective in detecting and responding to advanced cyber attacks
2. Lifecycle and speed of an attack and how early detection can help in responding and managing losses
3. Blueprint for an effective (and vendor agnostic) Incident Management Program
If you have been tracking the cyber security news lately, one thing is for sure: cyber attacks are imminent, and it is only a matter of time before you are the next one to come under attack, if you are not already.
What Robert Mueller, former Director of the FBI, said at the RSA Conference in March 2012 is still very relevant.
"I am convinced that there are only two types of companies: those that have been hacked and those that will be." And what he says next makes it worse: "And even they are converging into one category: companies that have been hacked and will be hacked again."
Cyber attacks are no longer the work of lone warriors or small groups of hackers; they involve cybercrime syndicates that collaborate and pour in large amounts of money, precision, knowledge, expertise and persistence. Their capabilities equal, if not exceed, those of state sponsors.
The data show that cyber security incidents affect organisations of all sizes - small, medium or large - and across all industries: financial, telecom, utility, health care, education and more. Organisations fail to detect and respond to security incidents because of weak monitoring capabilities and a lack of expertise, tools and procedures.
In this webinar we will look at the cause and effect of the problem, analyze preparedness and learn how you can better prepare, detect, respond and recover from cyber attacks.
An Assessment of Intrusion Detection System IDS and Data Set Overview A Compr... (ijtsrd)
Millions of people worldwide have Internet access today. Intrusion detection technology is a modern wave of information technology monitoring devices intended to deter malicious activity. Malware (malicious software) is a vital problem when it comes to designing intrusion detection systems (IDS). The key challenge is to recognise unknown and hidden malware, because malware writers use various evasion techniques to mask information and avoid IDS detection. Malicious attacks have become more sophisticated, and threats to security have increased, including zero-day attacks on internet users. With IT woven into our daily lives, computer security has become critical. Cyber threats are becoming more complex and pose growing challenges for successful intrusion detection. Failure to prevent intrusions that compromise data privacy, integrity and availability can undermine the credibility of security services. Specific intrusion detection approaches have been proposed in the literature to combat computer security threats. This paper is a literature survey of IDS that use program algorithms with specific data collection and forensic techniques in real time. Data mining techniques for cyber research are introduced in support of intrusion detection. Mohammed I. Alghamdi, "An Assessment of Intrusion Detection System (IDS) and Data-Set Overview: A Comprehensive Review of Recent Works", published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-5, Issue-2, February 2021. URL: https://www.ijtsrd.com/papers/ijtsrd35730.pdf Paper URL: https://www.ijtsrd.com/computer-science/computer-security/35730/an-assessment-of-intrusion-detection-system-ids-and-dataset-overview-a-comprehensive-review-of-recent-works/mohammed-i-alghamdi
Panda Adaptive Defense 360 - Cyber Extortion Guide (Panda Security)
What is cyber extortion? How do cybercriminals use ransomware for attacks? What should you do if you are a victim of cyber extortion?
Panda Security answers all these questions and gives you recommendations and advice to prevent cyberattacks in this Practical Security Guide to Prevent Cyber Extortion.
We, at Panda, have developed the first solution that guarantees continuous monitoring of all the active processes: Adaptive Defense 360
http://promo.pandasecurity.com/adaptive-defense/en/
Information Security: find an article online discussing defense-in-d.pdf (forladies)
Information Security
Find an article online discussing defense-in-depth. List your source and provide a paragraph summary of what the article stated.
Solution
Abstract
The exponential growth of Internet interconnections has led to a significant growth in cyber attack incidents, often with disastrous and grievous consequences. Malware is the primary weapon of choice for carrying out malicious intents in cyberspace, either by exploiting existing vulnerabilities or by utilising unique characteristics of emerging technologies. The development of more innovative and effective malware defense mechanisms has been regarded as an urgent requirement in the cybersecurity community. To assist in achieving this goal, we first present an overview of the most exploited vulnerabilities in existing hardware, software, and network layers. This is followed by critiques of existing state-of-the-art mitigation techniques as to why they do or don't work. We then discuss new attack patterns in emerging technologies such as social media, cloud computing, smartphone technology, and critical infrastructure. Finally, we describe our speculative observations on future research directions.
A multi-layered approach to cyber security utilising machine learning and advanced analytics is essential to defend against sophisticated multi-stage attacks including:
Insider Threats | Advanced Human Attacks | Supply Chain Infection | Ransomware | Compromised User Accounts | Data Loss
Prepare for a cyber security incident or attack, and learn how to adequately manage the aftermath with an organised approach to Incident Response: coordinating resources, people, information and technology, and complying with regulations.
INSIDER THREATS
Insider threats can originate from employees, contractors, third-party services or anyone with access rights to your network, corporate data or business premises.
The challenge is to identify attacks and understand how they develop in real time by analysing and correlating the subtle signs of compromise that an insider makes when they infiltrate the network.
Traditional security measures are no longer sufficient to combat insider threats. A more sophisticated, intelligence-based approach is required. Cyberseer uses machine-learning technology to form a behavioural baseline for every user, to determine normal activity and to spot new, previously unidentified threat behaviours. The move to a more proactive approach towards security will enable companies to take action to stop developing situations from escalating into exfiltrated information or damaging incidents.
ADVANCED HUMAN ATTACKS
Advanced threats use a set of stealthy and continuous processes to target an organisation, often orchestrated for business or political motives by individuals or groups. The "advanced" process signifies sophisticated techniques using malware to exploit vulnerabilities in organisations' systems. They are considered persistent because an external command and control system.
Why managed detection and response is more important now than ever (G'SECURE LABS)
MDR is an organised defence and neutralisation capability that not only protects against attacks but also actively detects and pursues intended or unintended activity that is detrimental to the intended flow of data.
Internet cyber-attacks and threats are becoming more prevalent. This infographic explains the current state of play and what to consider for yourself and your business.
Safeguarding the Digital Realm Understanding CyberAttacks and Their Vital Cou... (cyberprosocial)
With the digital world becoming an essential aspect of our connected environment, there is always a risk of cyberattacks. The phrase "CyberAttacks" refers to a broad category of malevolent actions directed towards computer networks
Threat intelligence draws on information from a wide range of sources to help organisations protect their assets through a targeted cybersecurity strategy. Call Us: +1 (978)-923-0040
Safeguarding the Digital Realm: Understanding CyberAttacks and Their Vital Co... (cyberprosocial)
With the digital world becoming an essential aspect of our connected environment, there is always a risk of cyberattacks. The phrase “CyberAttacks” refers to a broad category of malevolent actions directed towards computer networks, systems, and data. As technology develops, cybercriminals’ strategies also advance with it.
This Solution Overview approaches the threat landscape from a holistic viewpoint and identifies strategies and techniques to establish a good defense. It discusses the concept of a "kill chain" and identifies key indictors for attack events with a focus on network analysis.
The intelligence lifecycle entails transforming raw data into final intelligence for decision-making. Deconstruct this domain to boost your organization's cyber defenses.
Security Intelligence Maturity Model CISO Whitepaper (CMR WORLD TECH)
A Time of Great Risk: The Time Between Compromise and Mitigation
In most organizations today, threat detection is based on various security sensors that attempt to look for anomalous behavior or for known signatures of malicious activity. These sensors include firewalls, intrusion detection/prevention systems (IDS/IPS), application gateways, anti-virus/anti-malware, endpoint protection, and more. They operate at, and provide visibility into, all layers of the IT stack.
AI IN CYBERSECURITY: THE NEW FRONTIER OF DIGITAL PROTECTION (ChristopherTHyatt)
Artificial Intelligence (AI) fortifies cybersecurity by dynamically identifying and neutralizing cyber threats. With machine learning algorithms, AI analyzes patterns in real-time data, swiftly detecting anomalies and potential security breaches. This proactive approach enhances the overall defense mechanism, ensuring robust protection against evolving cyber threats in the ever-changing digital landscape.
The Unconventional Guide to Cyber Threat Intelligence (Ahad)
As time runs at the speed of light, developments are taking place in the world at the speed of a bullet train, all while unconventional methods are being built to counter security breaches. Click: https://ahad-me.com/
Darktrace_WhitePaper_Needle_final
Finding a needle in a haystack: The continuous approach to cyber defence
WHITE PAPER
Executive Summary
The innumerable different ways and forms in which a potential cyber threat may present itself makes the task of foiling
cyber-attackers extremely difficult, and all the more so, given the sheer noise and complexity of today’s computer
networks.
How do you find a needle in a haystack, when the haystack is growing incrementally every day? And how do you define
the needle? With millions of versions of sophisticated malware circulating, thousands of users accessing data, hundreds
of supply chain companies and partners walking in and out of your digital premises every day, knowing what to look for
is not obvious.
Indeed, we are faced with the challenge of finding the needle – the first signs of a compromise or a breach – without really
knowing how to characterise it. We know it is there, but we don’t know where it is, how it is behaving or what its objective
is. This unknowable nature requires a detection approach that is radically different to traditional methods, which may
spot behaviours that have been strictly defined in advance, but are incapable of spotting fast-moving, intelligent and
human-driven threats.
The old, rules-based security stack has inevitably led many companies to spend far too much time chasing after pre-
identified threat vectors, in a continual game of catch-up. No sooner is one vulnerability patched than another one raises
its ugly head, and resources are invested in reactive damage control. The reality is that it is nearly impossible to second-
guess how a cyber-attack will start and finish, at the more advanced (and most dangerous) end of the threat spectrum,
as ongoing cyber-attacks continue to demonstrate.
Our inherent vulnerability to sophisticated attackers today requires a company-wide response, uniting all business units
in a continual process of informed investigation and action, based on evolving evidence of the real potential threats that
an organisation faces at any one time.
The state of cyber-attacks today requires us to go beyond simply finding the needle in the haystack, and get a grasp on all
the unknowable yet ‘strange’ things that are happening beneath the surface of our busy organisations. Companies must
consider cyber security as an on-going process of self-evaluation and informed actions - not as a state of perfection to
be achieved and maintained.
The threats that exist today to your company’s reputation, financials and operations must be kept in constant check to
stop them spiralling out of control and into the headlines. To do this, it is critical to separate out the threats that we can
live with, from the ones that have the potential to inflict existential harm. So a real challenge at the heart of our imperative
for ‘good cyber security’ is one of discovery – of knowing, ahead of time, about the threats that you are going to really
care about.
A continuous approach to cyber security accepts that ongoing cyber threat is an inevitable part of doing business. But
it can be managed by continually assessing your digital landscape for emerging risks and taking remedial action when
necessary. A constantly vigilant approach is only useful, however, if you have the technology and means to parse
the haystack intelligently and at speed. By applying a self-learning methodology to filtering and prioritising the informational
leads that exist within each organisation, companies are able to find all forms of inconspicuous threat hiding in
the haystack, and to deal with them in a way appropriate to their specific environment, before they become a problem.
White Paper
Block them… or clean up afterwards
A large part of the security market today is centred
on blocking threats from the outset.
Anti-virus, firewalls and signature-based tools try to stop
the bad guy getting in. The heyday of such preventative
solutions has now passed, as cyber-attackers continue
to demonstrate their ability to get round these
perimeter controls.
Guarding the perimeter is a necessary and a valid
defence against many threats, but it is only the first
step in any organisation’s modern security strategy.
Most corporate networks are compromised already to
some degree, with threats that have sidestepped rule-
based controls at the door.
The other major component of traditional defence
consists of reacting to a breach or attack, through
incident event management. Skilled cyber practitioners
with experience of how cyber-attacks work are
mobilised in the wake of an attack, and perform high-
value investigation work, deconstructing the attack,
understanding methods used and sharing their insights
with the wider community for threat intelligence feeds
and rule updates.
Mind the gap and investigate
Blocking tools and clean-up services are important
parts of any security strategy, but a conspicuous gap
exists between these two functions of prevention (of
infiltration) on the one hand, and reaction (to breaches
and attacks) on the other. This gap spans from the point
of network infiltration, to the point of data exfiltration
or damage done. This critical window of opportunity,
where the threat is propagated and does its most
high-value work, is a no man’s land in terms of cyber
defence.
Our collective failure to detect in-progress attacks is
evident. The average time it takes to detect a malicious
attack is 170 days, while attacks involving
malicious insiders with access to the network take an
average of 259 days to uncover. The planning and
execution of cyber-attacks are happening within the
network, without anyone being aware until far too late.
Given this deficiency, efforts are now focused on
shifting the emphasis from the prevention mechanisms
that have failed to live up to all their promises, and
onto ‘continuous monitoring’ or ‘situational awareness’.
A constantly evolving environment
There are two moving components that challenge
us as information security professionals: the digital
environment that we strive to protect, and the threats
that jeopardise this goal.
The insides of our organisations are rarely pretty.
The modern enterprise must be open to the world,
and hyper-connected to customers, supply chain
and partners, as well as to their own employees or
contractors. The sheer volume of data being passed
around amongst these parties and to the outside
world has made for extremely noisy and complex
environments. Added to this, technology is constantly
being revised and replaced, people come and go, and
network architectures are in constant flux.
This increasing connectivity has allowed us to be
efficient and competitive, but has also made the
network a dark and unknowable place for many.
The theory of the network architecture is typically
undermined by the reality of what is actually going on
– a large haystack has been created over time, tweaked
and changed by different operators and has become
difficult to navigate and easy to get lost in.
Threat actors take advantage of this complexity in order
to hide within your systems. Threats change as fast
as, and often faster than, your own environment,
driven by a combination of skilled humans and smart
tools. While many lower-level threats may be stopped
on entry, the reality is that an ‘advanced threat’ or
someone with a degree of knowledge and skill, is able
to bypass these perimeter blockers, and infiltrate the
network with relative ease.
Such threats with real potential to do damage
are constantly adapting themselves – the most
sophisticated attackers learn how to navigate your
environment, understand where interesting data
resides, and tailor their methods accordingly. A human
attacker has a whole range of creative tactics at their
disposal, and only needs to be lucky once.
A constantly-changing environment coupled with
constantly-changing threats has rendered traditional
security solutions ineffective. Guarding the gate has
not stopped the recent major attacks against large
media companies, banks, airlines, retailers etc., instead
propelling them directly into rushed and reactive
incident event management, and damage control. We
cannot find the needle, because we don’t know how to
effectively explore the haystack.
Ultimately this means acquiring a good understanding
of what is going on inside our organisations (not just
on the border), in order to assess and prevent specific
events or behaviours that may be ‘of concern’ to us.
Amongst all that hay, what looks like it might be a
needle?
Embracing uncertainty must be central within this
goal of gaining visibility and finding abnormalities.
Businesses and threats move too fast for us to pre-
define beyond doubt what ‘dangerous’ looks like, and
abnormality presents itself in a thousand different
forms. The key characteristic that we can be fairly sure
of is that the so-called ‘threat’ will not be the same as
anything else surrounding it. There is a delta of change,
however subtle, which makes the behaviour of a would-
be attacker stick out as ‘weird’, in contrast to everything
else.
Anomaly Spotlight: Advanced Persistent Attack
Darktrace detected anomalous behavior on the network
of a large mobile network provider, with tens of
thousands of employees and many millions of subscribers,
which indicated a targeted spear-phishing attack aimed at a
server. This type of compromise is prevalent on servers
where the crux of customers’ sensitive data is found,
such as resalable information or billing references.
Telephone providers hold large volumes of extremely
confidential information about location and personal
details, so a breach of their systems has the potential to
cause major reputational damage and loss of integrity.
The goal of this advanced attack however was arguably
more complex than merely acquiring customers’
financial information. The objective would have been
to survey specific customers of the mobile phone
provider in detail. The hackers were attempting to
extract data in a repeatable process in order to track
people’s phone calls, the time and place that calls were
being made, and possibly even the current location of
the mobile device.
Darktrace averted a crisis for this
organization by alerting its security analysts to the
anomalous behavior before any sensitive information
was lost. By catching this threat early, Darktrace
ensured that the established reputation and finances
of the business remained safe.
Intelligence agencies the world over face a challenge
that is comparable in many ways to the cyber security
challenge that businesses are today grappling
with. Tasked with protecting national security, and
concentrating on specific areas of threats deemed to
be of greatest importance, an intelligence agency relies
entirely on intelligence – strands of information from
a variety of different sources and of differing quality
or reliability. This intelligence points them to areas and
actions that could be considered ‘strange’ – a crime
report, a sighting of someone in an unusual place, an
overheard conversation that contains certain terms, or
an unexpected purchase of certain chemicals.
These snippets of information, or ‘leads’, are monitored
and correlated, allowing agents to piece together a
compelling picture that helps them decide where
to focus their efforts and dedicate resources. Some
snippets will not amount to much on their own, others
will combine to provide critical intelligence that feeds
a deeper investigation. The process of sifting through
and parsing segments of information is a continual
process, which is constantly informing and re-informing
how their time is spent and where to look.
Digital environments – whether a corporate network
or industrial computer system – are similarly full of
different snippets of information, which are necessarily
of varying degrees of interest to the security officer,
depending on his or her business goals and risk
appetite. Some leads may be straightforward policy
breaches, others are behaviours that could be
considered suspicious in some way.
This mass of leads must be looked at and sorted, in
order to form patterns and draw conclusions that
may in turn inform appropriate courses of actions.
Intelligence agencies employ leading cyber analysts
to perform this skilled task, people who apply their
experience of threat patterns and technical know-how
to investigate and determine the strength of differing
pieces of intelligence, based on the available evidence.
For companies tasked with the same challenge,
employing large teams of skilled cyber analysts is rarely
either possible or justifiable. The volume of data and
speed of its travel around the network and across the
wider internet necessitates technology to do the heavy
lifting. New technological advances in cyber security
are capable of intelligently making sense of all this
information, providing a comprehensible oversight
of an organisation’s activities and directly pointing
people to where the problem is. This frees people up
to focus on taking action appropriate to their specific
set of circumstances and empowers them to change
the course of threats, mitigating risky situations before
they need to call in the incident response team.
Automated cyber intelligence
Automation of the filtering process is therefore
indispensable, if we are to understand where to
spend our time and how to bring about a meaningful
reduction in the risk our enterprises face. Automated
Lead Intelligence is the technology process by which
individual snippets of information are monitored,
correlated and pieced together, to form strong
anomalies that require investigation.
A requirement of this process is technology that can see
the entirety of your network – down to which machine
is talking to which, what files are being accessed by
whom, how much data is being transferred, etc. – and
perform advanced analysis on that data in real time.
This smart analysis must be capable of working out
the organisation’s ‘pattern of life’ and, critically, revising
its assessment of normality continually, based on the
evolving evidence that it sees. This perpetual evaluation
cycle allows for the dynamic prioritisation of potential
threats, which may escalate or diminish in seriousness
dependent on the behaviours manifested.
Self-learning, ‘immune system’ technologies are
performing this fundamental function of adaptive,
intelligent monitoring of highly-complex data
environments. Using advanced machine learning and
mathematical techniques, this school of technology
is capable of understanding ‘normality’ and surfacing
statistically anomalous events that are worthy of an
organisation’s investigation.
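The ‘pattern of life’ model and the dynamic prioritisation described in the two paragraphs above, worked through as an added example in Python. It is not Darktrace’s code or any product’s algorithm, only one self-learning approach to the same idea: each host gets a baseline of its normal outbound volume (an exponentially weighted mean and variance, so ‘normal’ keeps moving with the evidence) and a set of known peers; each flow is scored against that baseline; and a per-host priority escalates on anomalous flows and decays on ordinary ones. The hosts, flow records, thresholds and weights are all constructed for illustration.

```python
"""A streaming 'pattern of life' model over constructed flow records.

Added example, not Darktrace code. Each host gets a model of its normal
outbound volume (exponentially weighted mean/variance) and its set of
known peers. Every flow is scored against that model, and a per-host
priority escalates on anomalous flows and decays on ordinary ones, so a
host's ranking rises or falls with its behaviour. Hosts, flows and
thresholds are constructed for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from math import sqrt

# Constructed flow records: (time, source host, destination, bytes sent).
FLOWS = [
    ("08:01", "ws-17", "fileserver", 120_000),
    ("08:05", "ws-17", "mail", 40_000),
    ("08:12", "ws-17", "fileserver", 130_000),
    ("08:30", "ws-17", "mail", 35_000),
    ("08:45", "ws-17", "fileserver", 115_000),
    ("09:02", "ws-17", "intranet", 50_000),      # new peer, ordinary volume: weak lead
    ("09:20", "ws-17", "fileserver", 125_000),
    ("09:41", "ws-17", "mail", 45_000),
    # The 'delta of change': an unknown external peer and far more data than usual.
    ("21:13", "ws-17", "203.0.113.9", 2_400_000),
    ("21:20", "ws-17", "203.0.113.9", 2_600_000),
    # Back to ordinary traffic; the priority decays but does not vanish.
    ("22:00", "ws-17", "mail", 38_000),
]

ALPHA = 0.3                   # weight of the newest observation in the baseline (assumed)
WARMUP = 4                    # flows a host must show before it can be scored (assumed)
Z_ALERT = 3.0                 # standard deviations treated as a volume anomaly (assumed)
DECAY = 0.7                   # per-flow decay of accumulated priority (assumed)
LEAD, INVESTIGATE = 0.5, 2.0  # priority thresholds for the two lead levels (assumed)


@dataclass
class HostModel:
    n: int = 0
    mean: float = 0.0
    var: float = 0.0
    peers: set[str] = field(default_factory=set)
    priority: float = 0.0


def update_baseline(m: HostModel, value: float) -> None:
    """Exponentially weighted mean/variance: recent evidence counts most."""
    if m.n == 0:
        m.mean = value
    else:
        diff = value - m.mean
        m.mean += ALPHA * diff
        m.var = (1 - ALPHA) * (m.var + ALPHA * diff * diff)
    m.n += 1


def score_flow(m: HostModel, dst: str, nbytes: int) -> tuple[float, list[str]]:
    """Score one flow against the host's model; nothing fires during warm-up."""
    score, reasons = 0.0, []
    if m.n >= WARMUP:
        z = (nbytes - m.mean) / (sqrt(m.var) or 1.0)
        if z > Z_ALERT:
            score += min(z / Z_ALERT, 5.0)  # cap so one flow cannot dominate
            reasons.append(f"volume z={z:.1f}")
        if dst not in m.peers:
            score += 1.0
            reasons.append(f"new peer {dst}")
    return score, reasons


def level(priority: float) -> str:
    if priority >= INVESTIGATE:
        return "investigate"
    return "lead" if priority >= LEAD else "normal"


def analyse(flows) -> list[dict]:
    """Run every flow through its host's model and return one verdict per flow."""
    models: dict[str, HostModel] = {}
    out = []
    for when, host, dst, nbytes in flows:
        m = models.setdefault(host, HostModel())
        score, reasons = score_flow(m, dst, nbytes)
        m.priority = DECAY * m.priority + score
        # Learn the peer regardless, but keep a flagged volume out of the
        # baseline so a loud exfiltration cannot teach the model it is normal.
        m.peers.add(dst)
        if not any(r.startswith("volume") for r in reasons):
            update_baseline(m, nbytes)
        out.append({"time": when, "host": host, "dst": dst, "score": score,
                    "priority": round(m.priority, 2), "reasons": reasons,
                    "level": level(m.priority)})
    return out


if __name__ == "__main__":
    for r in analyse(FLOWS):
        print(f"{r['time']} {r['host']} -> {r['dst']:<12} priority={r['priority']:5.2f} "
              f"{r['level']:<11} {'; '.join(r['reasons'])}")
```

Two design points matter more than the arithmetic. First, a single-feature model is deliberately simple; a real deployment models many features per host (ports, protocols, time of day, peers' own behaviour) and the new-peer lead here stands in for that breadth. Second, keeping flagged volumes out of the baseline stops a loud exfiltration from being learnt as normal, but an attacker who stays below Z_ALERT can still shift the baseline slowly, which is why a weak lead on a new peer and the accumulated, decaying priority are kept alongside the pure statistics rather than relying on any one threshold.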
Knowing if, where and when to take action, and selecting
the appropriate level of intervention or surveillance is
an age-old problem for intelligence agencies – and will
never be a perfect system. But all good decision-making
is dependent on good intelligence. By automating
lead intelligence, companies are empowered with the
visibility of their specific threat landscape that lets
them take action against developing anomalies.
Interoperability: an integrated security stack
With various different security products readily
available, deciphering the marketplace can be a
daunting task. At the forefront of a good security
procurement strategy must be the effective integration
of different components together to deliver a cohesive
model of prevention, investigation and response.
Immune system defensive technology fills the widest
gap in the security stack today, because it sits at the
heart of the organisation, where all the interesting
behaviours happen and where small changes to the
‘norm’ can point to the beginning stages of an attack
lifecycle. Even the most advanced attackers cannot
ultimately hide from the wire – they must move, take
action, change something. The Enterprise Immune
System picks up immediately on those small deltas of
change, amid all the day-to-day noise of the network.
It is critical too that immune system technology is
designed to integrate with the full range of other
traditional security tools, such as log readers, endpoint
security products and anti-virus, allowing the value
that these other solutions may deliver to be enhanced.
The interoperability of the Enterprise Immune System
means that it becomes a central hub of intelligence
that complements other parts of the security
infrastructure, bringing together all forms of leads to
better understand potential threats and help inform
security practitioners.
Anomaly Spotlight: Insider Threat
Through an oversight in the security lockdown, an employee of a large retail company found that they were
able to read all of their colleagues’ emails. Had they immediately reported this mistake, there would not have
been a problem. However, Darktrace detected that the employee proceeded to access company emails in
the same way from their laptop and read all their CEO’s private messages on two separate occasions. In a
surreptitious attempt to remain concealed, the employee then accessed the CEO’s emails on two further
occasions from two separate devices.
As a result of the complete network visibility that Darktrace provides, the company were alerted to this
anomalous behavior and were able to pinpoint exactly where the inadvertent breach first took place and
each subsequent location, enabling them to identify the employee and take action. In this case, what started
as an accidental oversight turned into an insider exploiting their own organization, with the potential to
take advantage of sensitive information.
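The case above, reconstructed as detection logic in an added Python example (not Darktrace’s code). It reads mailbox-access log lines, singles out accesses to a mailbox by someone other than its owner or an approved delegate, groups them per actor and mailbox, and escalates the lead as the number of separate occasions and distinct devices grows, while keeping the first event so an analyst can pinpoint where the access began. The log format, names, delegation list and 30-minute ‘occasion’ window are all assumptions, and the log lines are constructed.

```python
"""Correlating mailbox-access leads into an insider-threat case.

Added example, not Darktrace code. Given access log lines (constructed
here, in an assumed key=value format), it singles out accesses to a
mailbox by someone other than its owner or an approved delegate, groups
them per (actor, mailbox), and escalates the lead as the number of
separate occasions and distinct devices grows, keeping the first event
so an analyst can pinpoint where the access began.
"""
from __future__ import annotations
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed log lines; fields may appear in any order and lines out of order.
LOG = """\
2019-03-04T08:55:10Z mailbox=ceo actor=ceo device=PC-CEO action=read
2019-03-04T09:12:31Z mailbox=ceo actor=jsmith device=LAPTOP-JS action=read
2019-03-04T09:14:02Z mailbox=ceo actor=jsmith device=LAPTOP-JS action=read
2019-03-06T07:03:19Z mailbox=ceo actor=jsmith device=PHONE-JS action=read
2019-03-05T18:40:55Z mailbox=ceo actor=jsmith device=HOME-PC action=read
2019-03-04T10:00:00Z mailbox=cfo actor=cfo device=PC-CFO action=read
2019-03-04T10:05:00Z mailbox=cfo actor=asst-cfo device=PC-ASST action=read
2019-03-04T11:20:00Z mailbox=hr action=read actor=mlee device=PC-ML
"""

DELEGATIONS = {("asst-cfo", "cfo")}   # approved delegate access (assumed)
OCCASION_GAP = timedelta(minutes=30)  # accesses closer than this are one occasion (assumed)
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict | None:
    """Tokenise one log line into a dict; return None for unusable lines."""
    parts = line.split(maxsplit=1)
    if len(parts) != 2:
        return None
    try:
        ts = datetime.strptime(parts[0], TS_FORMAT)
    except ValueError:
        return None
    fields = dict(KV.findall(parts[1]))
    if not {"mailbox", "actor", "device"} <= fields.keys():
        return None
    fields["ts"] = ts
    return fields


def classify(occasions: int, devices: int) -> str:
    """Escalate: one access may be an honest discovery; repetition and device-hopping are not."""
    if devices >= 2:
        return "deliberate"
    if occasions >= 2:
        return "repeated"
    return "report"


def correlate(log_text: str, delegations: set[tuple[str, str]]) -> dict:
    """Group non-owner, non-delegated mailbox accesses into leads per (actor, mailbox)."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])  # logs rarely arrive in order
    groups = defaultdict(list)
    for e in events:
        actor, box = e["actor"], e["mailbox"]
        if actor == box or (actor, box) in delegations:
            continue  # owner or approved delegate: not a lead
        groups[(actor, box)].append(e)
    leads = {}
    for key, evs in groups.items():
        occasions, last = 0, None
        for e in evs:
            if last is None or e["ts"] - last > OCCASION_GAP:
                occasions += 1
            last = e["ts"]
        devices = sorted({e["device"] for e in evs})
        leads[key] = {
            "occasions": occasions,
            "accesses": len(evs),
            "devices": devices,
            "first": evs[0]["ts"].strftime(TS_FORMAT),
            "first_device": evs[0]["device"],
            "level": classify(occasions, len(devices)),
        }
    return leads


if __name__ == "__main__":
    for (actor, box), lead in correlate(LOG, DELEGATIONS).items():
        print(f"{actor} -> {box}: {lead['level']} ({lead['occasions']} occasions, "
              f"{len(lead['devices'])} devices, first {lead['first']} from {lead['first_device']})")
```

The delegation set is what keeps this from drowning in noise: an assistant legitimately reading an executive’s mailbox produces no lead, while the same access pattern from anyone else does. The escalation from ‘report’ to ‘deliberate’ mirrors the case in the text, where a single access could have been reported as a misconfiguration, but repeated reads from several devices made the intent clear.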
Joining the dots
Effective cyber security is ultimately about good people,
technology and process.
Technology is critical to automate lead intelligence,
analysing at speed the vast swathes of data that flow
through the organisation all the time. It does the heavy
lifting, getting through all the noise and distractions of
an organisation’s systems and producing actionable
intelligence about genuine network anomalies.
Empowered by technology, people can focus on the
high-value job of investigating specific events and
taking key decisions, based on their unique knowledge
of their business environment and risk appetite. This
investigative role requires an analytical mind and
technical skill set.
Processes must support the goal of preventing
intrusions where possible, but also fundamentally
enable the perpetual monitoring and reassessment
of the inside of the network, as part of an integrated
continuous approach.
Conclusion
As cyber security is now firmly on the company board’s agenda, we have seen its status escalate and begin to affect all
business units. ‘Cyber’ is no longer simply an IT issue, but a consideration for all parts of the business that interact with
the lifeblood of the organisation – its data.
Boards further recognise that cyber security is not a topic that can be addressed once and for all. Processes must be
implemented so the business is continually assessing the threats that it faces, and readjusting its assumptions, in order
to proactively address issues as they arise, at any moment.
Recent data breaches that have affected major corporations, across the complete range of industry sectors – from energy
to media, transportation to banking, healthcare to legal – demonstrate that investment in traditional security controls
is not sufficient to protect them, because those controls fail to adapt to an ever-evolving environment. The advanced persistent
attacker will always find a way in – not to mention the people who are already on the inside.
Today’s leading enterprises view cyber security as a mainstay in their risk management agendas. In order to convert this
attention to a meaningful reduction in risk, companies need to consider whether they have the right technology that
can intelligently monitor the organisation’s activity on a continual basis – without disrupting the business or IT functions.
Critically, this capability must be sensitive to the most dynamic and wily of attackers – ones that do not come up in any
‘threat intelligence’ feed, ones that breach network borders, ones that bypass endpoint controls.
Threats that you do not know exist must nevertheless be found. This is only possible by moving on from rules, and
embracing a continuous and more subtle approach that blends self-learning machine learning with skilled people and
good process. Doing this, we give ourselves the best possible advantage in the perpetual battle against the sharp end of
the cyber-threat spectrum.