How security collaboration will prove vital in 2017
The escalation of high-profile hacking and data dumps recently has underscored the increasing boldness of digital threat actors, culminating in July’s Democratic National Committee email leak and its ripple effect through American politics. The group behind the hack and its attack patterns were known, and yet the attack was not thwarted, leaving many questions as to the overall state of the Internet’s security.
The dangers in cyberspace in 2017 will only increase – most likely with even more sophisticated attacks such as advanced IoT DDoS invasions and ransomware campaigns, not to mention sensitive data hacks with a variety of end goals – from stealing our most critical corporate and personal data to stealing elections.
Standard security solutions don’t seem to be working. What, if anything, can be done?
State sponsored actors as well as criminal bodies seem to have unlimited resources and extremely high levels of coordination at their disposal to carry out their pernicious attacks. But defense against cyberattacks has been characterized by a lack of collaboration within the cybersecurity community.
Moving forward, this will have to change. Cyber defenders should take a page out of the enemy’s playbook. Crowd intelligence will need to be organized and harnessed as a major tactic to improve security strategies against growing threats. Just as cyber attackers collaborate and share their attack techniques and latest methods with each other, cyber defenders should do the same with best defense practices. Cyber criminals are actually generous with each other – they welcome collaboration within their community, symbiotically enhancing each other’s methods and techniques. Shouldn’t we ‘good guys’ be doing the same?
Sure, some info-sharing databases for cybersecurity experts do exist, such as open virus databases allowing for searching and sharing of malware samples to facilitate the detection of viruses, and updated reputation sources which share information about sites associated with malware infection, phishing campaigns, and the like. But almost all of these collaborative projects focus on sharing attack-side information like specific vulnerabilities, attack techniques, or specific intrusion patterns. Sharing this kind of information is basically useless, as it takes too long for security experts to analyze the threat information, plan a defense strategy, and then deploy it.
What could be quite effective in meeting these kill chains head-on are detection solutions in the form of security orchestration models – but currently, there is no forum within the security community for creating and sharing these models. The lack of preventative collaboration is a gaping hole in the security industry which must be rectified. State actors and organized crime are just that – organized. We, the protectors, are not.
Multiple security technologies are involved in protecting against advanced attack campaigns – network security, endpoint security, threat intelligence, etc. All of these must work in synch and must be activated in the correct sequence to provide maximum protection against increasingly sophisticated threats. We need our own “generals” coordinating our security arsenal, orchestrating our battles and rallying the cyber troops.
The industry must learn to pool its resources better and develop the ability to share preemptive avenues of detection, investigation, and mitigation of advanced attack campaigns. No existing forum allows security experts to write orchestration models (which define the defense strategies) and share them with each other for collaboration and communal enhancement.
What’s needed is a platform through which the cybersecurity community can create and share vendor-neutral security orchestration models (defense strategies) which can then be internally rated by community members and updated as needed, rendering them ready for adaptation by organizations – no matter which security products they use.
If an organization is lacking a security function that the model requires, the organization can be alerted and the gap filled. Orchestration models can also be created for specific verticals and tailored to the needs of specific organization types such as banks, retail, healthcare, or critical infrastructure, for example, or developed to specifically combat known hacker groups and their attack patterns, or both.
Hacking organizations have been alarmingly successful in the scope of their attacks over the last couple of years, and they are becoming bolder, more technically proficient, and better organized, creating an air of cyber unease which has left much of the Western world unsettled. But we are far from raising the white flag to the black hats. Taking the right steps to form expert communities and impart our accumulated knowledge and innovations to preemptively combat the cyber scourge could eventually put them out of business – we just need to learn to share more effectively than they do.