Playing the infinite game with threat intelligence and cyber fusion
“We can know only that we know nothing. And that is the highest degree of human wisdom.” ― Leo Tolstoy, War and Peace.
True wisdom, as Leo Tolstoy remarked, lies in acknowledging the fact that there will always be forces beyond our control and anticipation. As humans, we need to plan and respond to both what we know and what we don’t know. Unfortunately, the basic human tendency is to focus on what we know and discount the unknown. It is easy to be proactive and plan for the known, but for the unknown we are typically left to react and hope that the capabilities we have in place are adequate.
Interestingly, and particularly for the cybersecurity space, what tends to be most damaging is what comes from the unknown. Therefore, to best prepare for cyber incidents, it is critical to minimize the unknowns.
The infinite game
Many security professionals consider cybersecurity a game of cat and mouse between the good guys and the bad actors. However, security, unlike traditional sports, is not a finite game bound by a certain set of rules and a game clock.
From the defender’s point of view, security is an infinite game with an unknown number of attackers where rules change so fast that they virtually do not exist. From an attacker’s point of view, security is a series of finite games with each game having its own set of rules as defined by the attacker.
The attackers get to decide the who, what, where, when, why, and how of the target. For security teams, there is no choice. To not play is to automatically forfeit. In reality, they are not even playing to win but merely to keep the game going, maintaining the status quo of not being compromised by the attacker.
With their singular focus on working their way into organizations, attackers always have the upper hand in this game. Attackers set the rules and decide whether to target humans, unpatched vulnerabilities, purchase hacking tools on the dark web, and more. Given the inability of organizations to deal with the unknowns, security teams need to tilt the game in their favor by joining forces with other organizations in their sector, geography and implementing a strategy of simplifying and expanding intelligence sharing to gain greater visibility into the game before the attacker makes a move.
Level the playing field with threat intelligence
At any moment, there are an infinite number of finite games being played – each having its own set of rules. The rules of the game that you are not playing today could be the rules of the game that you might play tomorrow as the bad actor that is attacking your peer today might attack you tomorrow using the same tactics, techniques, and procedures (TTPs).
The only way to level the playing field and proactively gain visibility into such a convoluted threat landscape is through collaboration via threat intelligence sharing with your peers, vendors, clients, and ISACs, etc. The mapping of TTPs to real-time incidents is critical to help you identify what sort of game is being played by the adversary.
Additionally, TTP mapping assists in auditing existing controls to identify gaps in security and enabling security teams to proactively thwart adversaries based on organization-specific threat observations. Connecting the dots between the different threat elements will improve the ability to deduce the bad actors’ actions in advance and help you understand and get better control of the game.
Breaking down silos with cyber fusion
Integral to this expanded intelligence base is the ability to adequately use it within your organization. All too often there is a disconnect within security operations, intelligence, and threat response teams due to a lack of effective collaboration, use of disparate security platforms, and substantially differing vision across teams. This results in siloed teams and leads to the trapping of relevant threat intelligence in security controls and experiential knowledge and context held by security professionals.
To overcome these silos of response operations, organizations must adopt a cyber fusion-based approach, enabling all security teams to collaborate through a common, shared platform, develop mutual learnings, and assist each other with both the peripheral and vital threat information critical for a 360-degree response.
In a cyber fusion-led security strategy, threat response is tightly orchestrated with real-time strategic, tactical, technical, and operational threat intelligence to ensure that they remain aware of the changing game rules in real-time. The control granted through automation is complemented with the capabilities of the speed of response, human-judgment, and decision-making to ensure the vagaries of the attacker’s thought process are duly captured and neutralized without making the system inefficient.
The crux of the cyber fusion approach is to create a shared conscience, converge different goals of disparate teams to create a common vision, ensure effective battle rhythm, and enhance collaboration against all threats affecting enterprises.
The cyber fusion approach transforms the unknown into known and enables organizations to better understand and analyze the complete threat picture. This continuous understanding of the security threat landscape in real-time enables them to move beyond just knowledge and towards enlightenment by providing greater visibility and advanced awareness of adversary behavior and tactics in a collaborative environment.